SELinux Learning Activity

30 minutes
  • 3 Learning Objectives

About this Hands-on Lab

In this lab we’ll use SELinux to resolve a scenario that is common in the real world. Doing this will help to understand the tools available and where to look when troubleshooting SELinux issues.

*This course is not approved or sponsored by Red Hat.*

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Fix the Selinux Permissions on `/opt/website` so That They’ll Survive a Relabel
  • First we’ll check to see what the label needs to be. Websites are normally stored in /var/www/html so we can look there to see what it should be.
  • We can see that the context should be set to httpd_sys_content_t.
  • The command we need to run is:
    semanage fcontext -a -t httpd_sys_content_t ‘/opt/website(/.*)?’
  • This makes a change in the SELinux database.
  • We then need to run restorecon /opt/website to actually make the change on the filesystem.
  • This will set the directory to the correct context and protect that change from a relabel in the future.
Deploy the Website as Instructed and Test It
  • We’ve been instructed to deploy the website by running mv /root/index.html /opt/website/.
  • We can then try a curl localhost/index.html to test our deploy.
  • If we get a 403 Forbidden error, test if SELinux is the problem by running setenforce 0 and then running curl again.
  • If the curl works with SELinux in permissive mode, we can set it back to enforcing with setenforce 1 and then investigate why.
Resolve the Error When Trying to Access `/opt/website/index.html`
  • ls -lZ /opt/website will show that index.html has a content type of admin_home_t which isn’t what we need when serving webpages.
  • We can run restorecon /opt/website/index.html to fix this error and the curl will work.

Additional Resources

We've been tasked with setting up a new web server, and are required to have SELinux in enforcing mode.

The website must exist in /opt/website. Once the SELinux contexts are set correctly for that directory, deploy the website by running mv /root/index.html /opt/website/.

Make sure /opt/website/index.html has the correct SELinux permissions so it can be served.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?