{"id":585,"date":"2022-03-21T03:07:14","date_gmt":"2022-03-21T10:07:14","guid":{"rendered":"https:\/\/cloudinsidr.com\/content\/?p=585"},"modified":"2022-03-21T09:11:24","modified_gmt":"2022-03-21T16:11:24","slug":"tip-of-the-day-how-to-find-the-correct-selinux-security-contexts-and-adjust-selinux-labels-on-your-linux-system","status":"publish","type":"post","link":"https:\/\/www.cloudinsidr.com\/content\/tip-of-the-day-how-to-find-the-correct-selinux-security-contexts-and-adjust-selinux-labels-on-your-linux-system\/","title":{"rendered":"SELinux security contexts: correcting SELinux labels on a file system"},"content":{"rendered":"

SELinux can be such a nuisance. In particular, if you have a newly created file system, you will need to add labels to it, also known as SELinux security contexts.<\/p>\n

<\/p>\n

Inappropriate SELinux security labels can result in errors such as NGINX 403 Forbidden. The fact that SELinux could be the culprit of a 403 error is usually less than obvious.<\/p>\n

Diagnose the problem<\/h2>\n

SELinux logs denials to:<\/p>\n

\/var\/log\/audit\/audit.log<\/pre>\n
One of the simplest ways to poke around SELinux involves using the grep utility with audit2why, for example like this:<\/p>\n
grep 1657864453.071:1986 \/var\/log\/audit\/audit.log | audit2why<\/pre>\n
But for more comprehensive diagnostics, sealert from setroubleshoot comes in handy:<\/p>\n
sealert -a \/var\/log\/audit\/audit.log<\/pre>\n
Relabel your file system<\/h2>\n
In its default configuration, SELinux already has a firm idea on what security contexts to apply when restoring security labels on your system. Restoring those default labels is also pretty much straightforward:<\/p>\n
\/sbin\/restorecon -R -v \/var\/www\/html\/index.html<\/pre>\n
If you think you have a badly mislabeled machine, you can fully relabel it using:<\/p>\n
touch \/.autorelabel; reboot<\/pre>\n
If no label changes<\/strong> or Booleans<\/strong> allow access (getsebool -a), you can use audit2allow to create a local policy module. Use this ability as a measure of last resort, though.<\/p>\n
WARNING:<\/strong> Modules created with audit2allow may grant SELinux more leeway than may be healthy for your system. For this reason, Red Hat recommends that any policy created with audit2allow be posted to an SELinux list (such as fedora-selinux-list) for review.<\/p>\n
If you still need help, keep reading.<\/p>\n
Restore the default SELinux labels<\/h2>\n
The command restorecon restores the security context to the system’s default based on the default SELinux labels for each location.<\/p>\n
Find\u00a0out the default SELinux labels for NGINX<\/h3>\n
To find out the default SELinux labels for various elements of an NGINX installation, use this command:<\/p>\n
[root@host]$ grep nginx \/etc\/selinux\/targeted\/contexts\/files\/file_contexts\r\n<\/pre>\n
\"grep<\/a>
Showing all SELinux labels (click to enlarge)<\/figcaption><\/figure>\n
The output of this command shows default SELinux labels for NGINX installation directories:<\/p>\n
\/etc\/nginx(\/.*)? system_u:object_r:httpd_config_t:s0\r\n\/var\/run\/nginx.* system_u:object_r:httpd_var_run_t:s0\r\n\/var\/lib\/nginx(\/.*)? system_u:object_r:httpd_var_lib_t:s0\r\n\/var\/log\/nginx(\/.*)? system_u:object_r:httpd_log_t:s0\r\n\/var\/opt\/rh\/rh-nginx18\/log(\/.*)? system_u:object_r:httpd_log_t:s0\r\n\/etc\/opt\/rh\/rh-nginx18\/nginx(\/.*)? system_u:object_r:httpd_config_t:s0\r\n\/usr\/lib\/systemd\/system\/nginx.* -- system_u:object_r:httpd_unit_file_t:s0\r\n\/var\/opt\/rh\/rh-nginx18\/lib\/nginx(\/.*)? system_u:object_r:httpd_var_lib_t:s0\r\n\/var\/opt\/rh\/rh-nginx18\/run\/nginx(\/.*)? system_u:object_r:httpd_var_run_t:s0\r\n\/usr\/sbin\/nginx -- system_u:object_r:httpd_exec_t:s0<\/pre>\n
The default web directory (\/etc\/nginx\/html), by default,\u00a0is unconfined:<\/p>\n
[root@ip-10-0-0-63 fedora]# ls -laZ \/etc\/nginx\/html\/\r\ntotal 16\r\ndrwxr-xr-x. 2 root root unconfined_u:object_r:etc_t:s0 4096 Jun 13 00:48 .\r\ndrwxr-xr-x. 7 root root unconfined_u:object_r:etc_t:s0 4096 Jun 18 12:28 ..\r\n-rw-r--r--. 1 root root unconfined_u:object_r:etc_t:s0 537 Jun 13 00:48 50x.html\r\n-rw-r--r--. 1 root root unconfined_u:object_r:etc_t:s0 612 Jun 13 00:48 index.html<\/pre>\n
Find\u00a0out the default SELinux labels for a CMS such as WordPress<\/h3>\n
You can easily find out the default SELinux security contexts for WordPress on your system using the command:<\/p>\n
[root@host]$ grep wordpress \/etc\/selinux\/targeted\/contexts\/files\/file_contexts\r\n\r\n\/usr\/share\/wordpress\/.*\\.php -- system_u:object_r:httpd_sys_script_exec_t:s0\r\n\/usr\/share\/wordpress\/wp-includes\/.*\\.php -- system_u:object_r:httpd_sys_script_exec_t:s0\r\n\/usr\/share\/wordpress-mu\/wp-content(\/.*)? system_u:object_r:httpd_sys_rw_content_t:s0\r\n\/usr\/share\/wordpress\/wp-content\/uploads(\/.*)? system_u:object_r:httpd_sys_rw_content_t:s0\r\n\/usr\/share\/wordpress\/wp-content\/upgrade(\/.*)? system_u:object_r:httpd_sys_rw_content_t:s0\r\n\/usr\/share\/wordpress-mu\/wp-config\\.php -- system_u:object_r:httpd_sys_script_exec_t:s0<\/pre>\n
\"Listing<\/a>
Listing current SELinux security contexts for WordPress<\/figcaption><\/figure>\n
The output may reveal some very useful information, for example:<\/p>\n
\/usr\/share\/wordpress-mu\/wp-config\\.php -- system_u:object_r:httpd_sys_script_exec_t:s0<\/pre>\n
The above line indicates that the main configuration file of WordPress named wp-config.php should receive the following SELinux security context label:<\/p>\n
system_u:object_r:httpd_sys_script_exec_t:s0<\/pre>\n
This SELinux label will only be applied, however, if the file is located in\u00a0\/usr\/share\/wordpress-mu\/, which is almost certainly not the case on your system.<\/p>\n
Adjust SELinux security contexts<\/h3>\n
Before implementing permanent changes, it is advisable to try adjusting SELinux security labels\u00a0on the affected directory\u00a0tree and its contents temporarily. By doing so you can verify that your assumptions work and if not, restore the defaults (with restorecon) easily.<\/p>\n
List current SELinux security contexts on files and directories<\/h4>\n
Listing current SELinux security contexts involves the command:<\/p>\n
ls -laZ\r\n<\/pre>\n
The resulting output for an installation of WordPress in the web server document directory www.website1.tld may\u00a0look something like this:<\/p>\n
drwxr-x---. owner1 \u00a0nginx unconfined_u:object_r:httpd_sys_content_t:s0 www.website1.tld<\/pre>\n
Adjust the SELinux security contexts without changing defaults<\/h4>\n
To (temporarily) adjust the SELinux security contexts for WordPress so that it can run:<\/p>\n
chcon -vR system_u:object_r:httpd_sys_content_t:s0 www.website1.tld<\/pre>\n
For all .php scripts inside the WordPress installation directory and its subdirectories:<\/p>\n
chcon -R -v system_u:object_r:httpd_sys_script_exec_t:s0 *\/*\/*\/*.php<\/pre>\n
WordPress will run with these settings, but it will fail to write updates, install themes, and plugins. (It almost makes you wonder why these settings are the defaults.)<\/strong><\/p>\n
In order to allow NGINX to write to the WordPress installation, adjust the security context on the entire WordPress installation\u00a0and its subdirectories using this command:<\/strong><\/p>\n
chcon -R -v system_u:object_r:httpd_sys_rw_content_t:s0 www.website1.tld\/<\/pre>\n
Save new default SELinux contexts<\/h4>\n
Make the desired changes permanent:<\/p>\n
semanage fcontext -a -t httpd_sys_rw_content_t -s system_u \"\/var\/www\/www.website1.tld(\/.*)?\"<\/pre>\n
Verify that your local contexts are correct:<\/p>\n
cat \/etc\/selinux\/targeted\/contexts\/files\/file_contexts.local<\/pre>\n
You can add or\u00a0remove default SELinux contexts as you see fit. To remove a context that is faulty or no longer needed:<\/p>\n
semanage fcontext -d\u00a0\"\/var\/www\/www.domainname.tld(\/.*)?\"<\/pre>\n
Restore SELinux default labels<\/h4>\n
Finally, to restore SELinux labels from the defaults, run:<\/p>\n
restorecon -RFv \/var\/www\/<\/pre>\n
on the webserver document directory (adjust the path as needed).<\/p>\n
—<\/p>\n
Here is a primer on how to set up NGINX on EC2 from scratch<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"
SELinux can be such a nuisance. In particular, if you have a newly created file system, you will need to add labels to it, also known as SELinux security contexts.<\/p>\n","protected":false},"author":101012,"featured_media":592,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[143,109,154,1],"tags":[140,70],"yoast_head":"\nSELinux security contexts: correcting SELinux labels on a file system - CloudInsidr<\/title>\n<meta name=\"robots\" content=\"index, follow\" \/>\n<meta name=\"googlebot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta name=\"bingbot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.cloudinsidr.com\/content\/tip-of-the-day-how-to-find-the-correct-selinux-security-contexts-and-adjust-selinux-labels-on-your-linux-system\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SELinux security contexts: correcting SELinux labels on a file system - CloudInsidr\" \/>\n<meta property=\"og:description\" content=\"SELinux can be such a nuisance. In particular, if you have a newly created file system, you will need to add labels to it, also known as SELinux security contexts.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.cloudinsidr.com\/content\/tip-of-the-day-how-to-find-the-correct-selinux-security-contexts-and-adjust-selinux-labels-on-your-linux-system\/\" \/>\n<meta property=\"og:site_name\" content=\"CloudInsidr\" \/>\n<meta property=\"article:published_time\" content=\"2022-03-21T10:07:14+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-03-21T16:11:24+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/01\/SELinux_contexts_forWordPress.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1023\" \/>\n\t<meta property=\"og:image:height\" content=\"146\" \/>\n<meta name=\"twitter:card\" content=\"summary\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#website\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/\",\"name\":\"CloudInsidr\",\"description\":\"Cyber security, infotech\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":\"https:\/\/www.cloudinsidr.com\/content\/?s={search_term_string}\",\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/tip-of-the-day-how-to-find-the-correct-selinux-security-contexts-and-adjust-selinux-labels-on-your-linux-system\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/01\/SELinux_contexts_forWordPress.png\",\"width\":1023,\"height\":146,\"caption\":\"Listing current SELinux security contexts for WordPress\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/tip-of-the-day-how-to-find-the-correct-selinux-security-contexts-and-adjust-selinux-labels-on-your-linux-system\/#webpage\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/tip-of-the-day-how-to-find-the-correct-selinux-security-contexts-and-adjust-selinux-labels-on-your-linux-system\/\",\"name\":\"SELinux security contexts: correcting SELinux labels on a file system - CloudInsidr\",\"isPartOf\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/tip-of-the-day-how-to-find-the-correct-selinux-security-contexts-and-adjust-selinux-labels-on-your-linux-system\/#primaryimage\"},\"datePublished\":\"2022-03-21T10:07:14+00:00\",\"dateModified\":\"2022-03-21T16:11:24+00:00\",\"author\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#\/schema\/person\/73723b2da71b6d515d17ca593ea5dc68\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.cloudinsidr.com\/content\/tip-of-the-day-how-to-find-the-correct-selinux-security-contexts-and-adjust-selinux-labels-on-your-linux-system\/\"]}]},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#\/schema\/person\/73723b2da71b6d515d17ca593ea5dc68\",\"name\":\"Filipe Martins\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/dbac033b4d26da8ca1fbde233e49c8dc?s=96&d=mm&r=g\",\"caption\":\"Filipe Martins\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/585"}],"collection":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/users\/101012"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/comments?post=585"}],"version-history":[{"count":55,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/585\/revisions"}],"predecessor-version":[{"id":2842,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/585\/revisions\/2842"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/media\/592"}],"wp:attachment":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/media?parent=585"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/categories?post=585"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/tags?post=585"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}