SELinux
Apache httpd
You may not want to keep your web content under /var/www, but if you move it elsewhere you will be caught out by the files being in the wrong SELinux context: httpd is a confined domain and is denied access to files that do not carry one of the httpd_* types, however permissive the ordinary rwx permissions are.
Your files need to be in the right context. Which is?
# ls -Z /var/www
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
Notice there are two key types here: httpd_sys_content_t for content files (which httpd may read but not write) and httpd_sys_script_exec_t for CGI scripts.
If we have everything mounted under /www (from NFS, say) then we need to do two things.
Firstly, relabel what is there now:
chcon -Rv --type=httpd_sys_content_t /www
Secondly, record the rule in the policy so that the label survives a relabel, whenever that happens (a restorecon, or a full relabel after /.autorelabel):
semanage fcontext -a -t httpd_sys_content_t "/www(/.*)?"
A chcon on its own only changes the files' extended attributes; the next relabel resets them to whatever the policy says, which for an unregistered /www is not an httpd type. Note also that chcon and restorecon only work on filesystems that store labels. A plain NFS mount does not: it gets a single label (nfs_t by default) for the whole mount, which can instead be set with the context= mount option, e.g. context="system_u:object_r:httpd_sys_content_t:s0".
An alternative is to define the context for future files first and then restore it onto the existing ones. Log files need the same treatment with their own type:
semanage fcontext -a -t httpd_log_t "/www/logs(/.*)?"
restorecon -Fr /www/logs
But that's not all.
CGI Scripts
If you want a CGI script (an error handler, say) to be able to write into your /www tree then you need to relabel the writable part of the tree with the read-write content type:
chcon -t httpd_sys_rw_content_t /www/logs/errors
Keep this to the smallest directory that actually needs writing: the default httpd_sys_content_t is read-only to httpd, which is what stops a compromised script from rewriting the rest of the site. As above, chcon is not persistent; add a matching semanage fcontext rule (and restorecon) if the label has to survive a relabel.
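The whole procedure for a tree outside /var/www, as an added example that is not part of the original page or of any project it describes. It assumes the page's /www with cgi-bin, logs and a writable logs/errors under it (the layout and the WWW_ROOT default are assumptions), records the persistent rules, relabels, and audits the result; the ls -Z output it audits by default is constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original page or any project it describes:
# label a web tree that lives outside /var/www (the page's /www) so the
# confined httpd can use it, then audit the labels. The subtree layout
# (cgi-bin, logs, logs/errors), the WWW_ROOT default and the sample ls -Z
# output below are assumptions constructed for illustration.
set -u

WWW_ROOT="${WWW_ROOT:-/www}"

# One persistent rule per line: "<type> <path regex>". The general rule for
# the whole tree comes first and the more specific subtrees after it: SELinux
# applies the last matching rule, so the specific labels win for those paths.
fcontext_rules() {
    cat <<EOF
httpd_sys_content_t ${WWW_ROOT}(/.*)?
httpd_sys_script_exec_t ${WWW_ROOT}/cgi-bin(/.*)?
httpd_log_t ${WWW_ROOT}/logs(/.*)?
httpd_sys_rw_content_t ${WWW_ROOT}/logs/errors(/.*)?
EOF
}

# Record the rules in the policy and relabel the existing files to match.
# Needs root and the semanage tool; "semanage fcontext -a" refuses to add a
# rule that already exists, so fall back to modifying it in place.
apply_rules() {
    fcontext_rules | while read -r type regex; do
        semanage fcontext -a -t "$type" "$regex" 2>/dev/null \
            || semanage fcontext -m -t "$type" "$regex"
    done
    restorecon -RFv "$WWW_ROOT"
    # What the policy now says the writable directory should be labelled.
    matchpathcon "${WWW_ROOT}/logs/errors"
}

# Audit: read "ls -Z"-style lines on stdin and flag every entry whose type is
# not an httpd_* type. Such files (default_t on a fresh tree, nfs_t on a plain
# NFS mount) are ones httpd will be denied, whatever their rwx bits say.
# Returns 1 if anything is mislabelled.
audit_labels() {
    awk '
        {
            ctx = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[^:]+:object_r:[^:]+:/) ctx = $i
            if (ctx == "") next            # "total 12" and similar lines
            checked++
            split(ctx, f, ":")            # user:role:type:range
            if (f[3] !~ /^httpd_/) { bad++; print "MISLABELED " $NF " " f[3] }
        }
        END {
            printf "%d entries checked, %d mislabelled\n", checked + 0, bad + 0
            exit (bad > 0)
        }
    '
}

# Constructed sample (not captured from a real host): a tree where only html
# has been relabelled, cgi-bin still carries the default and logs is on NFS.
SAMPLE_LS_Z='drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
drwxr-xr-x. root root system_u:object_r:default_t:s0 cgi-bin
drwxr-xr-x. root root system_u:object_r:nfs_t:s0 logs'

demo_audit() {
    printf '%s\n' "$SAMPLE_LS_Z" | audit_labels
}

case "${1:-}" in
    show)  fcontext_rules ;;
    apply) apply_rules ;;
    audit) audit_labels ;;   # e.g.  ls -Z /www | sh label-www.sh audit
    demo)  demo_audit ;;
esac
```

Run it with show to see the rules, apply (as root) to install and relabel, and pipe real ls -Z output into audit afterwards; demo runs the audit over the constructed sample and exits 1 because cgi-bin and logs are still wrong. An entry reported as nfs_t cannot be fixed by restorecon at all; that mount needs the context= option instead.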
Other Daemons
If you want httpd to be able to communicate with other daemons, e.g. Plone, then you must enable one of the various boolean flags:
# getsebool -a | grep http | grep network
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
There is a corresponding setsebool command. In this instance we set httpd_can_network_connect, which lets httpd open outbound connections to any port, to enable the back-end comms:
setsebool -P httpd_can_network_connect on
The -P writes the change into the policy so that it is permanent; without it the boolean reverts at the next reboot. If the back end is only a database, httpd_can_network_connect_db is the narrower choice, and for httpd proxying to another web server httpd_can_network_relay is narrower than the blanket httpd_can_network_connect.