[NTLUG:Discuss] Earlier SELinux question solved
Shoufeng Yang
shfyang5 at gmail.com
Tue Sep 23 14:48:40 CDT 2014
Now I understand it; an answer is no longer needed!
From: discuss-request at ntlug.org
Sent: Tuesday, September 23, 2014 12:00 PM
To: discuss at ntlug.org
Subject: Discuss Digest, Vol 141, Issue 7
Today's Topics:
1. How to enforce SELinux type context (httpd_sys_content_t)
(Norman Y)
----------------------------------------------------------------------
Message: 1
Date: Tue, 23 Sep 2014 02:04:48 -0400
From: Norman Y <shfyang5 at gmail.com>
To: discuss at ntlug.org
Subject: [NTLUG:Discuss] How to enforce SELinux type context
(httpd_sys_content_t)
Message-ID:
<CAG7V+B_J6sUYz=5sCr3=gM-iDjUAzaJeht9NtEZBS36rtqFfVQ at mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Hi, all:
I just installed CentOS 6.5 on my laptop and created a simple web
server (internal IP is 192.168.5.60, every setting at its default, setenforce is
in enforcing mode). I created two files, index.html and error.html, in the
/var/www/html/ and / directories, respectively; the 2nd file was "moved"
to /var/www/html/ to preserve its original SELinux context type.
[root at hp html]# ls -lZ
-rw-r--r--. root root unconfined_u:object_r:etc_runtime_t:s0 error.html
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 pub
[root at hp html]#
Now if I visit this web server from another PC within the same subnet,
I can still see http://192.168.5.60/error.html. What I want is for SELinux
policy to be strictly enforced, to prevent error.html from being viewed because
its SELinux context type is wrong (it should be httpd_sys_content_t, not
etc_runtime_t).
What change would strictly enforce the SELinux context type? Change one of
the following boolean switches, or shall I change a config file such as
/etc/selinux/config? Or ???
[root at hp html]# getsebool -a | grep http
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_manage_ipa --> off
httpd_read_user_content --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_verify_dns --> off
named_bind_http_port --> off
Thanks a lot!
Norman
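A label audit for the situation described in the post, added here as an example; it is not part of the thread and none of the list members wrote it. Under the default targeted policy httpd_t is allowed to read etc_runtime_t files (the reference policy grants httpd_t files_read_etc_runtime_files), so none of the booleans listed above tightens this case; the practical remedy is to fix the label (restorecon -Rv /var/www/html resets it to the file_contexts default, httpd_sys_content_t) and to catch strays before they are served. The script below parses ls -lZ style lines and reports every entry whose type is not one of the httpd content types. The sample listing is the one from the post, embedded as constructed input; the allowed-type list, the function names and the default web-root path are this example's own choices.

```bash
#!/bin/bash
# Audit web-root labels: flag files whose SELinux type is not an httpd
# content type. Parses `ls -lZ`-style lines, one per file.

# Types httpd_t may legitimately serve or write under the targeted policy
# (this example's own allow-list; extend it for your site).
ALLOWED_TYPES="httpd_sys_content_t httpd_sys_rw_content_t httpd_sys_ra_content_t httpd_sys_script_exec_t"

# Constructed sample input: the listing from the post.
SAMPLE_LISTING='-rw-r--r--. root root unconfined_u:object_r:etc_runtime_t:s0 error.html
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 pub'

# Print the SELinux type (third colon-separated field of the context) of one
# ls -lZ line. The context is located by its object_r role rather than by
# column position, so the parser does not care how many columns precede it.
selinux_type_of() {
    local line="$1" field
    for field in $line; do
        case "$field" in
            *:object_r:*)
                field="${field#*:}"        # drop user
                field="${field#*:}"        # drop role
                printf '%s\n' "${field%%:*}"   # type, without any :level suffix
                return 0
                ;;
        esac
    done
    return 1   # no SELinux context on this line (e.g. the "total N" line)
}

# Succeed if the given type is on the allow-list.
is_allowed_type() {
    local t
    for t in $ALLOWED_TYPES; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# Read ls -lZ output on stdin; print "MISLABELED <type> <name>" for each
# entry whose type is not an httpd content type. Returns 0 when everything
# is labeled correctly, 1 when at least one stray label was found.
audit_labels() {
    local line ftype name rc=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        ftype=$(selinux_type_of "$line") || continue
        name="${line##* }"                 # last field: the file name
        if ! is_allowed_type "$ftype"; then
            printf 'MISLABELED %s %s\n' "$ftype" "$name"
            rc=1
        fi
    done
    return $rc
}

# Audit a real directory (default: the Apache document root).
audit_dir() {
    ls -lZ "${1:-/var/www/html}" | audit_labels
}

# Demo on the constructed sample; a non-zero status signals a stray label.
printf '%s\n' "$SAMPLE_LISTING" | audit_labels \
    || echo "stray labels found; fix with: restorecon -Rv /var/www/html"
```

On a live box, `audit_dir /var/www/html` runs the same check over the real listing. The reason error.html kept its old label is that mv preserves the file's context while cp (without --preserve=context) gives the new copy the directory's default type; `restorecon` applies the file_contexts rule for /var/www regardless of how the file got there. To confirm what the policy actually permits, `sesearch -A -s httpd_t -t etc_runtime_t -c file` (from setools) prints the allow rule that let the page be served.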