- A Cloud Guru
Finding a Problem Caused by a Misconfiguration of SELinux and Troubleshooting the Issue
In this lab, you will be presented with inadequate SELinux configurations that are causing problems. Your job is to perform the correct reconfigurations so everything works properly for the given cases. The first problem involves a web server running that needs to be accessed through an atypical port not usually used by the web servers. SELinux, however, is not allowing you to do this. You need to figure out why, how it is doing this, and effect changes that will persist after reboots. There's also another problem: The web server is not able to serve the proper files to the end user due to improper configuration. The idea is to be able to grant or revoke access with SELinux depending on the needs and problems you encounter. In order to troubleshoot problems with SELinux, you will need to access and analyze the log files, locate the problems, and then implement an adequate solution. You should not use the global SELinux permissive state for verification.
Install Troubleshooting Tools
Install the troubleshooting tools:
sudo yum install -y setroubleshoot setools
Attempt to Start Apache Web Server on Port 9100
After failed attempts to start the Apache web server on port 9100, find the lines in the audit log that confirm SELinux is the core issue:
grep httpd /var/log/audit/audit.log
tail -n 100 /var/log/audit/audit.log | grep -i httpd
Watch the Log in Real Time, in Another Terminal
sudo tail -f /var/log/audit/audit.log
Then, in the first terminal, start the service and search the audit log by the httpd process ID:
sudo systemctl start httpd
sudo ausearch -p <process id>
Look at the Auditor
sudo grep httpd /var/log/audit/audit.log | audit2why
Locate Port Label for Apache Web Server and Add the Needed Port
Locate the port label for Apache web server and add the needed port. Afterward, restart the Apache web server.
List all the possible port labels and search the list for http:
sudo semanage port -l | grep -i http
Add port 9100 to the http_port_t label (port 9100 already carries a label by default, so the entry is modified with -m rather than added with -a):
sudo semanage port -m -t http_port_t -p tcp 9100
Locate the SELinux Context for `index.html`
Create a file:
sudo touch /var/www/html/test
View the context:
ls -Z /var/www/html/
Change the context of the file (semanage fcontext records the rule so it persists across reboots and relabels):
sudo semanage fcontext -a -t httpd_sys_content_t /var/www/html/index.html
Reset the security context so the recorded rule is applied to the file on disk:
sudo restorecon -v /var/www/html/index.html
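The two halves of the lab (reading the audit log to find the denial, then choosing between a port label change and a file context fix) can be tied together in a small script. The following is an added example, not part of the A Cloud Guru lab: AUDIT_SAMPLE is a constructed excerpt in the shape of real /var/log/audit/audit.log records (the PIDs, timestamps, device and inode are made up), summarize_avc extracts the fields that matter from each AVC denial, and suggest_fix maps each denial to the remedy the lab applies. The rule that a port which already carries a specific type (9100 is jetdirect_port_t by default) needs -m while an unreserved port needs -a is an assumption stated in the code.

```shell
#!/bin/sh
# Added example, not part of the A Cloud Guru lab: pull SELinux AVC denials
# out of audit-log text and map each one to the kind of fix the lab applies.
# AUDIT_SAMPLE is a constructed log excerpt in the shape of real
# /var/log/audit/audit.log records; PIDs, timestamps, dev and ino are made up.

AUDIT_SAMPLE='type=AVC msg=audit(1700000000.123:456): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=9100 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:jetdirect_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=49 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700000000.789:457): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/index.html" dev="vda1" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# summarize_avc LOGTEXT
# Prints one line per AVC denial as  perm|comm|tcontext|tclass|target
# where target is "port N" for socket denials or the path for file denials.
summarize_avc() {
    printf '%s\n' "$1" | awk '
    /^type=AVC / && / denied / {
        s = index($0, "{"); e = index($0, "}")
        perm = substr($0, s + 2, e - s - 3)          # text between "{ " and " }"
        comm = ""; tctx = ""; cls = ""; target = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "="); if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1); gsub(/"/, "", v)
            if (k == "comm")     comm = v
            if (k == "tcontext") tctx = v
            if (k == "tclass")   cls = v
            if (k == "src")      target = "port " v
            if (k == "path")     target = v
        }
        print perm "|" comm "|" tctx "|" cls "|" target
    }'
}

# suggest_fix SUMMARY_LINE
# Maps one summary line to the remedy used in the lab. Assumption: a port that
# already carries a specific type (9100 is jetdirect_port_t by default) must be
# modified with "semanage port -m", while an unreserved_port_t port is added
# with "-a". A file denial for httpd under /var/www is fixed by assigning
# httpd_sys_content_t and running restorecon, exactly as the lab does.
suggest_fix() {
    perm=${1%%|*}; rest=${1#*|}
    comm=${rest%%|*}; rest=${rest#*|}
    tctx=${rest%%|*}; rest=${rest#*|}
    cls=${rest%%|*}; target=${rest#*|}
    ttype=$(printf '%s' "$tctx" | cut -d: -f3)   # user:role:type:level -> type
    case "$cls:$perm" in
        tcp_socket:name_bind)
            port=${target##* }
            verb=-m
            [ "$ttype" = unreserved_port_t ] && verb=-a
            echo "semanage port $verb -t http_port_t -p tcp $port"
            ;;
        file:*)
            case "$comm:$target" in
                httpd:/var/www/*)
                    echo "semanage fcontext -a -t httpd_sys_content_t $target && restorecon -v $target"
                    ;;
                *)
                    echo "no automatic suggestion for $comm on $target; run audit2why"
                    ;;
            esac
            ;;
        *)
            echo "no automatic suggestion for $cls/$perm; run audit2why"
            ;;
    esac
}

# Walk the sample and show each denial with its suggested remedy.
summarize_avc "$AUDIT_SAMPLE" | while IFS= read -r line; do
    echo "$line"
    echo "  -> $(suggest_fix "$line")"
done
```

On a real host, replace AUDIT_SAMPLE with `sudo grep httpd /var/log/audit/audit.log` output; the suggestions are a starting point to confirm against audit2why, not a substitute for reading the denial, and the script never switches SELinux to permissive.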
What's a lab?
Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.