Understanding how to fix potential SELinux issues is important. This lab will present an SELinux problem and allow us to work through the solution, getting us familiar with where to look and how to fix problems.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Identify and Fix the Problem on Startup
Trying to run systemctl start httpd will error. Running journalctl -xe will show lines similar to this:
    Jan 09 20:32:46 Server1 httpd[7107]: (13)Permission denied: AH00091: httpd: could not open error log file /etc/httpd/l>
    Jan 09 20:32:46 Server1 httpd[7107]: AH00015: Unable to open logs
It looks like a problem with the error log file, which is /var/log/httpd/error_log. Running ls -lZ /var/log/httpd/error_log shows:
    -rw-r--r--. 1 root root unconfined_u:object_r:admin_home_t:s0 0 Jan 9 20:17 /var/log/httpd/error_log
The file is labeled admin_home_t rather than the httpd_log_t type that files under /var/log/httpd normally carry, so let’s use restorecon to reset it to the policy default and then start the service again:
    restorecon /var/log/httpd/error_log
    systemctl start httpd
The service starts!
- Fix the Problem with Home Directories
Based on /etc/httpd/conf.d/userdir.conf, we should have a public_html directory in the developer’s home directory. Since we don’t, let’s create it, set the permissions to 755, set the home directory permissions to 711, and see what happens with a test file:
    mkdir /home/developer/public_html
    chmod 0755 /home/developer/public_html
    chmod 0711 /home/developer
    touch /home/developer/public_html/file
    curl localhost/~developer/file
We’re still getting an error. Looking at /var/log/audit/audit.log, we see an AVC denial for the file we’re trying to load, so it’s SELinux related. The contexts are correct, but the httpd_enable_homedirs boolean defaults to off.
    setsebool httpd_enable_homedirs on
Now the curl should work correctly. Note that setsebool without -P changes only the running value; add -P if the setting needs to survive a reboot.
- Make Sure the index.html in the Developer’s Home Directory public_html is Able to be Displayed
The instructions say to move the index page, so let’s do it:
    mv /home/developer/index.html /home/developer/public_html/index.html
    curl localhost/~developer/index.html
That failed. Let’s look at SELinux contexts.
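
When reading /var/log/audit/audit.log as in the steps above, the fields that matter for triage are the denied permission, the source type, and the target type. The following is an added example, not part of the original lab: the function names are hypothetical and the sample records are constructed, not copied from the lab host.

```shell
#!/bin/sh
# Added example: pull the fields needed for triage out of AVC denial records.

# Constructed sample lines (not copied from the lab host's audit.log).
SAMPLE_AVC='type=AVC msg=audit(1704832500.101:412): avc:  denied  { read } for  pid=7321 comm="httpd" name="file" dev="dm-0" ino=393227 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=file permissive=0'
SAMPLE_OTHER='type=SERVICE_START msg=audit(1704832499.900:411): pid=1 uid=0 msg="unit=httpd"'

# avc_field LINE KEY: value of KEY=value in LINE, surrounding quotes removed.
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\"[:space:]]*\).*/\1/p"
}

# avc_perms LINE: the permission list between the braces, e.g. "read open".
avc_perms() { printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'; }

# ctx_type CONTEXT: third field of user:role:type:level, the part that
# type enforcement decisions are made on.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_summary LINE: one-line summary of a denial; returns 1 for other records.
avc_summary() {
    case "$1" in
        *"avc:"*denied*) ;;
        *) return 1 ;;
    esac
    printf 'comm=%s perm=%s class=%s name=%s source=%s target=%s\n' \
        "$(avc_field "$1" comm)" "$(avc_perms "$1")" \
        "$(avc_field "$1" tclass)" "$(avc_field "$1" name)" \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")"
}

# avc_report: read audit records on stdin, print a summary per AVC denial.
avc_report() {
    while IFS= read -r line; do
        avc_summary "$line" || continue
    done
}

printf '%s\n%s\n' "$SAMPLE_OTHER" "$SAMPLE_AVC" | avc_report
```

On a live host the same function can be fed the real log with avc_report < /var/log/audit/audit.log, and ctx_type applied to the context column of ls -lZ output gives the type to compare against the target in the denial.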