RHCSA Rapid Track

The Apache web server should already be installed and running on serverX.example.com.

You should have completed the steps of the “Changing SELinux Contexts” practice exercise.

1. Log in as root on serverX. Remove the file context rule created earlier and restore the /custom directory structure back to its original SELinux context.

   1. Remove the file context rule you added in the earlier lab.

      [root@serverX ~]# semanage fcontext -d -t httpd_sys_content_t '/custom(/.*)?'
      

   2. Change the file contexts to their original values.

      [root@serverX ~]# restorecon -Rv /custom
      restorecon reset /custom context unconfined_u:object_r:httpd_sys_content_t:s0
        ->unconfined_u:object_r:default_t:s0
      restorecon reset /custom/index.html context unconfined_u:object_r:httpd_sys_
        content_t:s0->unconfined_u:object_r:default_t:s0
      

2. Open a web browser on serverX and try to view the following URL: http://localhost/index.html. You will get an error message that says you do not have permission to access the file.

3. View the contents of /var/log/messages. You should see some output similar to the following:

   [root@serverX ~]# less /var/log/messages
   [... Output omitted ...]
   Feb 19 12:00:35 serverX setroubleshoot: SELinux is preventing /usr/sbin/httpd
   from getattr access on the file . For complete SELinux messages. run
     sealert -l 82ead554-c3cb-4664-85ff-e6f256437c6c
   [... Output omitted ...]
   

4. Run the suggested sealert command and see if you can identify the issue and a possible resolution.

   [root@serverX ~]# sealert -l 82ead554-c3cb-4664-85ff-e6f256437c6c
   SELinux is preventing /usr/sbin/httpd from getattr access on the file .
   
   *****  Plugin catchall_labels (83.8 confidence) suggests   *******************
   
   If you want to allow httpd to have getattr access on the  file
   Then you need to change the label on $FIX_TARGET_PATH
   Do
   # semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
   where FILE_TYPE is one of the following: NetworkManager_log_t, ...,
   httpd_sys_content_t, httpd_sys_htaccess_t, httpd_sys_ra_content_t,
   httpd_sys_rw_content_t, httpd_sys_script_exec_t, httpd_tmp_t, ...
   Then execute: 
   restorecon -v '$FIX_TARGET_PATH'
   
   *****  Plugin catchall (17.1 confidence) suggests   **************************
   
   If you believe that httpd should be allowed getattr access on the  file by
     default.
   Then you should report this as a bug.
   You can generate a local policy module to allow this access.
   Do
   allow this access for now by executing:
   # grep httpd /var/log/audit/audit.log | audit2allow -M mypol
   # semodule -i mypol.pp
   
   Additional Information:
   Source Context                system_u:system_r:httpd_t:s0
   Target Context                unconfined_u:object_r:default_t:s0
   Target Objects                 [ file ]
   Source                        httpd
   Source Path                   /usr/sbin/httpd
   Port                          <Unknown>
   Host                          serverX.example.com
   Source RPM Packages           httpd-2.4.6-14.el7.x86_64
   Target RPM Packages           
   Policy RPM                    selinux-policy-3.12.1-124.el7.noarch
   Selinux Enabled               True
   Policy Type                   targeted
   Enforcing Mode                Enforcing
   Host Name                     serverX.example.com
   Platform                      Linux serverX.example.com 3.10.0-84.el7.x86_64 #1
                                 SMP Tue Feb 4 16:28:19 EST 2014 x86_64 x86_64
   Alert Count                   9
   First Seen                    2014-02-19 10:33:06 EST
   Last Seen                     2014-02-19 12:00:32 EST
   Local ID                      82ead554-c3cb-4664-85ff-e6f256437c6c
   
   Raw Audit Messages
   type=AVC msg=audit(1392829232.3:1782): avc:  denied  { getattr } for
     pid=11870 comm="httpd" path="/custom/index.html" dev="vda1" ino=11520682
     scontext=system_u:system_r:httpd_t:s0
     tcontext=unconfined_u:object_r:default_t:s0 tclass=file
   
   type=SYSCALL msg=audit(1392829232.3:1782): arch=x86_64 syscall=lstat success=no
     exit=EACCES a0=7f1854a3b068 a1=7fff493f2ff0 a2=7fff493f2ff0
     a3=ffffffffffffffff items=0 ppid=11866 pid=11870 auid=4294967295 uid=48
     gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
     ses=4294967295 comm=httpd exe=/usr/sbin/httpd
     subj=system_u:system_r:httpd_t:s0 key=(null)
   
   Hash: httpd,httpd_t,default_t,file,getattr

5. Read the output from the sealert command. Identify which file the Apache web server is having trouble with and look for a possible remedy.

   1. At the top of the output, a solution is recommended.

      # semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
      where FILE_TYPE is one of the following: NetworkManager_log_t, ...,
        httpd_sys_content_t, httpd_sys_htaccess_t, httpd_sys_ra_content_t,
        httpd_sys_rw_content_t, httpd_sys_script_exec_t, httpd_tmp_t, ...
      Then execute: 
      restorecon -v '$FIX_TARGET_PATH'
      

   2. Look at the raw AVC message to identify the relevant process and file that is causing the alert.

      Raw Audit Messages
      type=AVC msg=audit(1392829232.3:1782): avc:  denied  { getattr } for
        pid=11870 comm="httpd" path="/custom/index.html" dev="vda1" ino=11520682
        scontext=system_u:system_r:httpd_t:s0
        tcontext=unconfined_u:object_r:default_t:s0 tclass=file
      

   3. The process involved in the security denial is the httpd Apache web server and the file is /custom/index.html.

6. Earlier, we resolved this issue using semanage and restorecon. You must decide if this SELinux violation is a security breach or if it is a legitimate access that requires SELinux to be adjusted to handle a non-standard directory structure.