Understanding how to fix potential SELinux issues is important. This lab will present an SELinux problem and allow us to work through the solution, getting us familiar with where to look and how to fix problems.
Successfully complete this lab by achieving the following learning objectives:
- Identify and Fix the Problem on Startup
Trying to run `systemctl start httpd` will error. Running `journalctl -xe` will show lines similar to this:
```
Jan 09 20:32:46 Server1 httpd: (13)Permission denied: AH00091: httpd: could not open error log file /etc/httpd/l>
Jan 09 20:32:46 Server1 httpd: AH00015: Unable to open logs
```
It looks like a problem with the error log file, which is
`ls -lZ /var/log/httpd/error_log` shows:
```
-rw-r--r--. 1 root root unconfined_u:object_r:admin_home_t:s0 0 Jan 9 20:17 /var/log/httpd/error_log
```
So let’s use restorecon.
```
restorecon /var/log/httpd/error_log
systemctl start httpd
```
The service starts!
- Fix the Problem with Home Directories
According to `/etc/httpd/conf.d/userdir.conf` we should have a `public_html` directory in the developer’s home directory. Since we don’t, let’s create it, set the permissions to 755, set the home directory permissions to 711, and see what happens with a test file:
```
mkdir /home/developer/public_html
chmod 0755 /home/developer/public_html
chmod 0711 /home/developer
touch /home/developer/public_html/file
curl localhost/~developer/file
```
We’re still getting an error. Looking at `/var/log/audit/audit.log`, we see an AVC denial for the file we’re trying to load, so it’s SELinux related.
The contexts are correct, but the enable homedir boolean defaults to
```
setsebool httpd_enable_homedirs on
```
`curl` should work correctly.
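To make the two kinds of denial seen so far easier to tell apart, here is an added example (not part of the original lab) that condenses AVC records from an audit log into one line each. The function names `sample_audit_log` and `avc_summary` are hypothetical, and the audit records are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise AVC denials so the source domain and target label are easy to read.
# The records below are constructed samples, not output captured from the lab server.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1578601966.101:210): avc:  denied  { open } for  pid=1401 comm="httpd" path="/var/log/httpd/error_log" dev="dm-0" ino=3301 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1578601966.101:210): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1578602411.522:248): avc:  denied  { getattr } for  pid=1522 comm="httpd" path="/home/developer/public_html/file" dev="dm-0" ino=4410 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=file permissive=0
EOF
}

# Reads audit records on stdin and prints, per denial:
#   comm|permissions|class|source_type|target_type|path
# Limitation: fields are split on whitespace, so paths containing spaces are cut short.
avc_summary() {
    awk '
    /type=AVC/ && /denied/ {
        comm = path = st = tt = cls = perms = "-"
        p1 = index($0, "{"); p2 = index($0, "}")
        if (p1 > 0 && p2 > p1) {
            perms = substr($0, p1 + 1, p2 - p1 - 1)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            val = substr($i, length(kv[1]) + 2)   # everything after the first "="
            gsub(/"/, "", val)
            if (kv[1] == "comm") comm = val
            else if (kv[1] == "path" || kv[1] == "name") path = val
            else if (kv[1] == "tclass") cls = val
            else if (kv[1] == "scontext") { split(val, c, ":"); st = c[3] }
            else if (kv[1] == "tcontext") { split(val, c, ":"); tt = c[3] }
        }
        print comm "|" perms "|" cls "|" st "|" tt "|" path
    }'
}

# Stand-alone run over the constructed sample; on a real host, feed it /var/log/audit/audit.log.
sample_audit_log | avc_summary
```

A target type that looks out of place for its path (such as `admin_home_t` on a file under `/var/log/httpd`) points to a labeling problem that `restorecon` fixes, while a denial against a correctly labeled file points to a boolean.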
- Make Sure the index.html in the Developer’s Home Directory public_html is Able to be Displayed
The instructions say to move the index page, so let’s do it:
```
mv /home/developer/index.html /home/developer/public_html/index.html
curl localhost/~developer/index.html
```
That failed. Let’s look at SELinux contexts.