Check whether SELinux is enabled using the getenforce command:
[root@hostname /]# getenforce
Disabled
To enable it, set SELINUX=enforcing in /etc/selinux/config:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Reboot the machine, then confirm the new mode:
[root@hostname ~]# getenforce
Enforcing
Consider a custom module that lives in a custom directory, for example /test/seenabled.
When Apache httpd tries to load a custom library from that directory, SELinux blocks the request. This can be seen using the command:
journalctl -xe
This shows that the module failed to load.
Execute permission for the custom module:
Background on the execute permission:
ls -Z /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
This shows that the SELinux type of the httpd binary is httpd_exec_t.
ls -Z custommodule.so
-rwxrwxr-x. root root system_u:object_r:default_t:s0
The custom module is labelled default_t, hence SELinux blocks the access.
chcon --reference=/usr/sbin/httpd <destinationfolder>
Example:
chcon --reference=/usr/sbin/httpd /test/seenabled/*
This copies the SELinux context of /usr/sbin/httpd onto the files in the custom modules directory.
The same can be applied if other modules are present in a different directory.
Log writing or other write permission for the custom module:
If the custom module contains code that writes logs to a file other than error_log, then write permission needs to be granted on that directory:
chcon -t httpd_sys_rw_content_t /<destinationfolder>
Example:
chcon -t httpd_sys_rw_content_t /test/seenabled/logggin/*
Reading custom files with custom modules:
chcon -t httpd_sys_ra_content_t /<destinationfolder>
Example:
chcon -t httpd_sys_ra_content_t /test/seenabled/configuration/*
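To verify the labels after running the chcon commands above, the following added example (not part of the original page) audits ls -Z output against the types this page assigns to each directory. The file names custom.log and app.conf and the sample lines are constructed; the path-to-type mapping is an assumption taken from the page's /test/seenabled layout.

```shell
#!/bin/sh
# Added example: audit `ls -Z` output against the labels this page assigns.
# The path-to-type mapping mirrors the page's /test/seenabled layout (assumption).

# Print the SELinux type (third field of user:role:type:level) of a context.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Map a path to the type the page assigns to it; empty if no rule applies.
expected_type() {
    case "$1" in
        /test/seenabled/logggin/*)       echo httpd_sys_rw_content_t ;;
        /test/seenabled/configuration/*) echo httpd_sys_ra_content_t ;;
        /test/seenabled/*)               echo httpd_exec_t ;;
        *)                               echo "" ;;
    esac
}

# Read `ls -Z` lines on stdin; print "path actual expected" per mismatch.
# The context is found by its shape, so old and new ls -Z layouts both work.
audit_labels() {
    while read -r line; do
        ctx=""; path=""
        for field in $line; do
            case "$field" in
                *:*:*:*) ctx=$field ;;
                /*)      path=$field ;;
            esac
        done
        [ -n "$ctx" ] && [ -n "$path" ] || continue
        want=$(expected_type "$path")
        have=$(selinux_type "$ctx")
        [ -z "$want" ] || [ "$have" = "$want" ] || echo "$path $have $want"
    done
}

# Constructed sample input (not captured from a real host).
SAMPLE='-rwxrwxr-x. root root system_u:object_r:default_t:s0 /test/seenabled/custommodule.so
-rw-r--r--. root root system_u:object_r:httpd_sys_rw_content_t:s0 /test/seenabled/logggin/custom.log
-rw-r--r--. root root system_u:object_r:httpd_sys_rw_content_t:s0 /test/seenabled/configuration/app.conf
system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd'

audit_sample() { printf '%s\n' "$SAMPLE" | audit_labels; }
audit_sample
```

Labels set with chcon are lost when the filesystem is relabelled or restorecon is run on the path; semanage fcontext -a -t <type> '<path>(/.*)?' followed by restorecon -R <path> records the rule in policy so the label persists.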