Tam, very much appreciated for all the help.

On 4/11/12, Tam Nguyen <[email protected]> wrote:
> We're glad to be able to help you.
>
> The package setools-console is very handy when it comes to setting the
> SELinux user, role, and type for a specific file to allow specific access
> to a specific service.
>
> After installing setools-console, you can find out the list of SELinux
> context "type":
> seinfo -t
>
> Or a list of SELinux context "user":
> seinfo -u
>
> Or "role":
> seinfo -r
>
>
> You will get a long list of context types. An example I gave you
> earlier was httpd_sys_content_t. Try this command:
>
> seinfo -t | grep httpd_sys
>
> Output:
> httpd_sys_content_t <==== recognize that? :)
> httpd_sys_htaccess_t
> httpd_sys_ra_content_t
> httpd_sys_rw_content_t
> httpd_sys_script_t
> httpd_sys_script_exec_t
>
> Another example, find the SELinux context type for a Samba share file.
> seinfo -t | grep samba
>
> Output:
> samba_secrets_t
> samba_unconfined_script_exec_t
> samba_net_t
> samba_var_t
> samba_net_exec_t
> samba_net_tmp_t
> samba_unconfined_net_t
> samba_unconfined_script_t
> sambagui_exec_t
> samba_share_t <========= general samba share privilege
> samba_initrc_exec_t
> sambagui_t
> samba_etc_t
> samba_log_t
>
> Lastly, to make sure your hard-work SELinux survives reboot, run:
> semanage fcontext -a -t context_type_goes_here_t file_name_goes_here
>
> If you assigned context "user", then run:
> semanage fcontext -a -s context_user_goes_here_t -t context_type_goes_here_t file_name
>
> Actual example:
> semanage fcontext -a -s system_u -t samba_share_t /samba/sharedir
>
>
> And of course, you always have the option to turn off SELinux, but I
> would not recommend it. The only time I turned off SELinux was when I
> tested a service that kept spitting out permission denied or service not
> accessible...
>
> On Apr 3, zxq9 provided an excellent intro to SELinux. Take a look at his
> post.
>
> Wish you the best.
> -Tam
>
>
>
> On Wed, Apr 11, 2012 at 11:32 AM, Terry Northren <[email protected]> wrote:
>
>> Tam and Alan,
>> thanks for the package. That solved it.
>>
>> Tam, what do I do with the setools-console package?
>>
>> Our Linux Admin was working on a test Apache server. Most of the
>> configuration was done by him, but he left the company. I am picking
>> up what was left behind. Coming from the Windows side, I am new to many
>> aspects of Linux. Still learning the ropes. The Scientific Linux
>> community has been extremely helpful and resourceful :D.
>>
>>
>> On 4/11/12, Tam Nguyen <[email protected]> wrote:
>> > That error means you do not have the prerequisite package installed.
>> > Install the package:
>> >
>> > yum -y install policycoreutils-python
>> >
>> > Since we are on the SELinux topic, I would recommend you also install:
>> >
>> > yum -y install setools-console
>> >
>> > Btw, looking back at your first post about Apache authentication and
>> > access deny and allow, how did you manage to get your Apache to work in
>> > the first place, especially configuring SELinux settings?
>> >
>> >
>> > On Wed, Apr 11, 2012 at 10:53 AM, Terry Northren <[email protected]> wrote:
>> >
>> >> Tam,
>> >> I followed your directions. I ran into an error when I executed the
>> >> semanage command:
>> >>
>> >> semanage fcontext -a -t httpd_sys_content_t public_html
>> >>
>> >> Here is my output error:
>> >> -bash: /usr/sbin/semanage: No such file or directory
>> >>
>> >> I went ahead and followed the rest of your tutorial. It worked!!
>> >> Does this mean I will have to re-configure SELinux after every reboot?
>> >>
>> >>
>> >> On 4/11/12, Tam Nguyen <[email protected]> wrote:
>> >> > Not knowing the configuration of your httpd.conf file and the
>> >> > configuration of the local users' home directory, there is no direct
>> >> > answer. Therefore, my approach to your question is to give you a very
>> >> > basic setup, which would allow users to access files in their home
>> >> > directory. You can base off of this to make it work on your machine.
>> >> > Before you do anything, back up your httpd.conf file.
>> >> > Even better, do this on a test VM.
>> >> >
>> >> > In the file httpd.conf, change these 2 directives to look like this:
>> >> >
>> >> > #UserDir disabled
>> >> >
>> >> > UserDir public_html
>> >> >
>> >> > This enables local users to access html files inside the
>> >> > public_html directory.
>> >> >
>> >> > Let's say we want UserX to have access to his/her home directory:
>> >> > mkdir /home/UserX/public_html
>> >> >
>> >> > Then create an html file in the public_html directory.
>> >> >
>> >> > Now comes the fun part, permission and SELinux :).
>> >> > Permission: Make sure UserX is the owner of the public_html directory
>> >> > and all files within it (hence, recursively).
>> >> > chown userx:userx public_html
>> >> >
>> >> > Directory and files need read and execute permission
>> >> > chmod 755
>> >> >
>> >> > SELinux: public_html and all files within must have one of these
>> >> > context types:
>> >> > httpd_sys_content_t
>> >> > or
>> >> > public_content_rw_t
>> >> >
>> >> > sample command:
>> >> > chcon -R -t httpd_sys_content_t public_html
>> >> >
>> >> > then make sure the SELinux setting survives reboot, run command:
>> >> > semanage fcontext -a -t httpd_sys_content_t public_html
>> >> >
>> >> > verify the directory and do the same to all files inside public_html:
>> >> > ll -Z
>> >> >
>> >> > Finally, enable the SELinux boolean:
>> >> > setsebool -P httpd_enable_homedirs on
>> >> >
>> >> > Restart Apache without interrupting the users:
>> >> > apachectl graceful
>> >> >
>> >> > Now access UserX's home directory:
>> >> > http://servername_or_ip_address/~userx/
>> >> >
>> >> > This is just a basic configuration to give you a general idea. You
>> >> > will have to customize the settings and permissions according to your
>> >> > server's needs.
>> >> >
>> >> > good luck
>> >> > -Tam
>> >> >
>> >> >
>> >> > On Mon, Apr 9, 2012 at 8:33 PM, Terry Northren <[email protected]> wrote:
>> >> >
>> >> >> Hi again,
>> >> >> on Apache server, how do I allow users to access files in their home
>> >> >> folders?
>> >> >>
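As an added example that is not part of the thread (neither Tam's nor Terry's code), the POSIX shell script below automates the "verify the directory ... ll -Z" step of the home-directory setup: it reads `ls -Z` output and flags every entry whose SELinux type is not one of the two types the thread names for public_html (httpd_sys_content_t or public_content_rw_t). The `ls -Z` lines embedded in it are constructed sample output; the user name userx and the file names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: audit the SELinux type of
# every entry in a public_html listing. Feed it the output of `ls -Z` (or
# `ll -Z`) and it reports each entry whose type is not one of the types the
# thread names for Apache home directories.

ALLOWED_TYPES="httpd_sys_content_t public_content_rw_t"

# Constructed sample of `ll -Z public_html` on a SL/RHEL 6 box (coreutils 8.4
# prints "perms user group user:role:type:level name"). The user "userx" and
# the file names are assumptions made for this example.
SAMPLE_LS_Z='total 12
-rw-r--r--. userx userx unconfined_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. userx userx unconfined_u:object_r:user_home_t:s0 notes.html
-rw-r--r--. userx userx unconfined_u:object_r:public_content_rw_t:s0 upload.txt
-rw-r--r--. userx userx unconfined_u:object_r:samba_share_t:s0 shared.txt'

# audit_contexts: read `ls -Z` lines on stdin and print one line per entry:
#   "ok <type> <name>"    when the type is in ALLOWED_TYPES
#   "WRONG <type> <name>" otherwise
# The context field is located by its shape (user:role:type:level with the
# role object_r), so its column position does not matter. Lines without a
# context field (e.g. "total 12") are skipped. File names containing spaces
# are not handled, because $NF is only the last word of the line.
audit_contexts() {
    awk -v allowed="$ALLOWED_TYPES" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        type = ""
        for (i = 1; i <= NF; i++) {
            if (split($i, p, ":") >= 3 && p[2] == "object_r") { type = p[3]; break }
        }
        if (type == "") next
        if (type in ok) print "ok", type, $NF
        else            print "WRONG", type, $NF
    }'
}

# wrong_count: number of entries that audit_contexts flagged as WRONG.
wrong_count() {
    audit_contexts | awk '/^WRONG/ { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed sample. On a real server replace the
# printf with:  ls -Z /home/userx/public_html | audit_contexts
printf '%s\n' "$SAMPLE_LS_Z" | audit_contexts
printf 'entries with a wrong type: %s\n' "$(printf '%s\n' "$SAMPLE_LS_Z" | wrong_count)"
```

Two points on using it. `ls -Z` on a directory lists its contents, not the directory itself, so check the directory's own label with `ls -dZ public_html` as well. And an entry reported WRONG after a reboot or a relabel is exactly the symptom Terry asked about: chcon changes the label on disk immediately, but only the semanage fcontext rule is consulted when the filesystem is relabeled, which is why the thread pairs the two commands and why the missing /usr/sbin/semanage error mattered.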
