Open luto opened 5 years ago
FWIW I just opened a (small) PR explaining the permission "pitfall" for web server content, since I was confused by this: #180
@The-Compiler, your PR reads "For the webserver user to be able to access the files, they need to have a SELinux role of httpd_sys_rw_content_t."

Wouldn't httpd_sys_content_t be a better value to put as default in the docs, i.e. allow read-only access from DocumentRoot only by default?!
@Sgt-Nukem that's in fact what the documented restorecon -R command does when you execute it: it sets httpd_sys_content_t according to the SELinux policy:

    [root@stardust ~]# semanage fcontext --list |grep /var/www
    /var/www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
I updated the text to match reality in a15e8cfaf921b14fa5d83861c866d1153e182670.
Whoops, sorry and thanks!
Since SELinux is now active (and enforced), we should mention it here. A good place might be in the article for the web document root or maybe a standalone article?

Some things I think we should mention are:

Basics

Files not only are subject to the traditional discretionary access controls (DAC) — aka file system permissions (ugo/rwxst) — but with SELinux also to mandatory access control (MAC).

This means that besides drwxr-xr-x. there is also a label; you can notice this by the . suffix. You can view the label for a file with ls -Z or stat (for example):

BTW: the -Z switch works with a lot of commands (e.g. id -Z, mv -Z, ps -Z).

The Label

The label is the representation of a context and everything in the SELinux world has one; it decides what can be done by, with and to it.

The label has 4 fields, divided by : (the last field can have colons in it, but still, only 4 fields). These are user, role, type and sensitivity. Right now we only care about the type. So the unconfined_u:object_r:user_home_t:s0 from above has a type of user_home_t.

Files and Labels

Files you create — in your home — generally have the user_home_t label (because they inherit the label from their parent folder). The same goes for downloaded or checked-out files, etc.

Notice ~/bin changes the type to home_bin_t:

Gotchas

If you create a new file, it immediately inherits the context of its parent. This works for cp too, because it creates new files. But not for mv, since the existing context is carried along with the file.

But:

An easy way to cope with this is to make it a habit to restore the parent to its default with restorecon:

NOTICE: This is important, since Apache will throw a 403 if the content in ~/html is not labeled with httpd_sys_content_t (or similar, see below for more).

Changing Labels

To set a file's context, you can use the chcon command:

This change will survive a reboot. However, this does not update the SELinux user space definition list. So after a restorecon the directory will be reset to the original context.

Conclusion

Well, this is just the basics and the whole semanage thing is probably not needed for users. Instead, we should mention man httpd_selinux — make sure this works on our hosts https://git.uberspace.is/uberspace/uberspace7/issues/611 — and some necessary types for daily operation like:

httpd_sys_content_t: read-only directories and files
httpd_sys_content_ra_t: append only
httpd_sys_content_rw_t: readable and writable directories and files
httpd_sys_script_exec_t: executable scripts
httpd_log_t: logs
httpd_cache_t: mod_cache
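Added example (not code from this issue or from the uberspace docs): a small POSIX sh audit that applies the two points raised above, that a label has exactly four colon-separated fields with the type in the third (the level field may itself contain colons), and that Apache answers 403 for anything under ~/html not labeled with an httpd content type. It extracts the type from each line of an `ls -Z` listing and reports files that would need a `restorecon`. The listing is constructed, not captured from a host, and the allowed-type set is an assumption taken from the type names in httpd_selinux(8); adjust it to the local policy.

```shell
#!/bin/sh
# Added example, not code from the uberspace docs or this issue.
# Assumptions (constructed): the `ls -Z` listing below and the set of
# acceptable types in HTTPD_TYPES; adjust to the policy on the host.

# A label has four colon-separated fields: user:role:type:level.
# The level may itself contain colons (s0-s0:c0.c1023), so take field 3
# by position instead of splitting on every colon.
label_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Types Apache may serve from a document root (names as in httpd_selinux(8)).
HTTPD_TYPES='httpd_sys_content_t httpd_sys_ra_content_t httpd_sys_rw_content_t httpd_sys_script_exec_t'

# Prints 1 if the given type is in HTTPD_TYPES, else 0 (printed so it can be
# used inside $(...) without relying on exit status under set -e).
is_httpd_type() {
    for t in $HTTPD_TYPES; do
        if [ "$1" = "$t" ]; then
            echo 1
            return 0
        fi
    done
    echo 0
}

# Reads `ls -Z` output ("label name" per line) and prints "name type" for
# every entry whose type Apache would refuse with a 403. Prints nothing when
# the directory is clean.
find_mislabeled() {
    printf '%s\n' "$1" | while read -r label name; do
        ftype=$(label_type "$label")
        if [ "$(is_httpd_type "$ftype")" -eq 0 ]; then
            printf '%s %s\n' "$name" "$ftype"
        fi
    done
}

# Constructed sample of `ls -Z ~/html` (not captured from a real host):
# index.html was created in place, moved-with-mv.php was mv'ed from $HOME and
# kept its user_home_t label, notes.txt carries an MLS range in its level field.
SAMPLE_LS_Z='system_u:object_r:httpd_sys_content_t:s0 index.html
unconfined_u:object_r:user_home_t:s0 moved-with-mv.php
system_u:object_r:httpd_sys_rw_content_t:s0 uploads
unconfined_u:object_r:httpd_sys_content_t:s0-s0:c0.c1023 notes.txt'

# Run the audit on the sample; on a real host pipe `ls -Z ~/html` in instead.
find_mislabeled "$SAMPLE_LS_Z"
# The fix for any hit is `restorecon -Rv ~/html`, which resets the labels to
# the policy default shown by `semanage fcontext --list`.
```

Only the file moved in with mv is reported; the one whose level field contains extra colons is parsed correctly because the type is taken by field position rather than by splitting on every colon.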