Making a custom httpd module execute with SELinux in enforcing mode


Check whether SELinux is enabled with the getenforce command.

[root@hostname /]# getenforce
Disabled



Edit /etc/selinux/config and set SELINUX to enforcing:


# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Reboot the machine. Going straight from disabled to enforcing leaves files that were created while SELinux was off without labels, so create /.autorelabel before rebooting (touch /.autorelabel) to force a filesystem relabel at boot; on a production host it is safer to pass through permissive first and fix the denials it reports before switching to enforcing.

[root@hostname  ~]# getenforce
Enforcing




Suppose the custom module lives in a directory outside the standard module path, say /test/seenabled.

When httpd tries to load the shared library from that directory, SELinux denies the access and the module fails to load. The denial is visible in the journal:
journalctl -xe

which shows that the module failed to load. The exact denied permission, source and target contexts are in the AVC records of the audit log; ausearch -m AVC -ts recent lists them and is the quickest way to see what label SELinux objected to.

Execute permission for the custom module:

Background on the execute permission: the httpd binary carries the httpd_exec_t type,
ls -Z /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd

whereas the custom module, copied into a directory the policy knows nothing about, carries the generic default_t type:
ls -Z custommodule.so
-rwxrwxr-x. root root system_u:object_r:default_t:s0 custommodule.so

The httpd_t domain has no rule allowing it to read, map or execute files of type default_t, so SELinux blocks the load. Note also the group-writable mode on the module: a shared object loaded into httpd should be owned by root and writable by root only, because anyone who can modify it runs code inside the web server.


chcon --reference=/usr/sbin/httpd  <destinationfolder>
example
chcon --reference=/usr/sbin/httpd /test/seenabled/*

This copies the full security context of httpd (user, role, type and level) onto the files in the custom module directory; the same command can be applied to any other directory that holds modules. Two caveats. First, the type the policy gives Apache's own modules is httpd_modules_t (compare ls -Z /usr/lib64/httpd/modules/), which is the conventional label for a .so that httpd loads and the one to prefer. Second, chcon only rewrites the label on disk: a restorecon or a filesystem relabel (for example after /.autorelabel) resets it to whatever the policy's file-context database says, which for /test/seenabled is default_t again. To make the label survive, record the path and type with semanage fcontext and apply it with restorecon.
   




Log writing or other write access from the custom module

If the custom module writes its own log file rather than going through error_log, the directory it writes into (and the files in it) need a writable type:
chcon -t httpd_sys_rw_content_t /<destinationfolder>
example:
chcon -R -t httpd_sys_rw_content_t /test/seenabled/logging

Label the directory itself and not only the existing files, since creating or rotating a log file is a write to the directory.


Reading custom files from the custom module

For files the module only reads (configuration, templates), use the read-only type rather than a writable one:
chcon -t httpd_sys_content_t  /<destinationfolder>

example:
chcon -R -t httpd_sys_content_t /test/seenabled/configuration

The related types widen access step by step: httpd_sys_content_t is read-only, httpd_sys_ra_content_t allows read and append (suitable for a log that is appended but never truncated), and httpd_sys_rw_content_t allows full read and write. Grant the narrowest type the module's access actually requires; a writable type on configuration files turns a bug in the module into a way to rewrite its own configuration.
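The three labelling steps above (module load, log writes, configuration reads) all start from the same place: an AVC denial that names a path, the permission that was refused and the label the file currently has. The following script is an added example, not part of the original post, that parses such a record, picks the narrowest httpd_* type for the access, and emits the persistent semanage fcontext plus restorecon fix instead of a chcon that a relabel would undo. The audit line is constructed to match the module-load case (the path, pid and inode are made up); on a real host the input would come from ausearch -m AVC -ts recent. One edge case is handled deliberately: SELinux reports only the first denied permission, so a .so in an unlabelled directory first fails on read/open, and fixing just that would produce a fresh execute denial; shared objects are therefore treated as modules outright.

```shell
#!/bin/sh
# Added example (not from the original post): triage an httpd AVC denial and
# derive a persistent label fix. SAMPLE_AVC is a constructed audit record in
# the shape printed by `ausearch -m AVC -ts recent`; paths/ids are made up.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { execute } for  pid=1234 comm="httpd" path="/test/seenabled/custommodule.so" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: value of KEY=value in an audit record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: the permission set inside "denied { ... }", e.g. "read open".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# recommend_type PERMS TCLASS [PATH]: narrowest httpd_* type that grants PERMS.
# A .so is always a module: the first denial on it is read/open, but the load
# will need execute next, so recommending a read-only type would just move the
# failure one step later. Unknown permissions are left for manual review.
recommend_type() {
    case "$3" in
        *.so) echo httpd_modules_t; return 0 ;;
    esac
    case " $1 " in
        *" execute "*|*" execmod "*|*" execute_no_trans "*) echo httpd_modules_t ;;
        *" write "*|*" create "*|*" unlink "*|*" add_name "*|*" remove_name "*|*" rename "*) echo httpd_sys_rw_content_t ;;
        *" append "*) echo httpd_sys_ra_content_t ;;
        *" read "*|*" open "*|*" getattr "*|*" map "*) echo httpd_sys_content_t ;;
        *) echo UNKNOWN ;;
    esac
}

# fix_commands PATH TYPE: persistent fix for the directory containing PATH.
# semanage records the rule in the file-context database; restorecon applies
# it now and any later relabel will keep it (unlike a bare chcon).
fix_commands() {
    dir=$(dirname "$1")
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$2" "$dir"
    printf "restorecon -Rv '%s'\n" "$dir"
}

# is_httpd_denial LINE: true when the denied process runs in httpd_t.
is_httpd_denial() {
    [ "$(ctx_type "$(avc_field "$1" scontext)")" = httpd_t ]
}

# triage LINE: summary "path current_type -> recommended_type".
triage() {
    perms=$(avc_perms "$1")
    path=$(avc_field "$1" path)
    cur=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    printf '%s %s -> %s\n' "$path" "$cur" "$(recommend_type "$perms" "$cls" "$path")"
}

main() {
    line=$SAMPLE_AVC
    if is_httpd_denial "$line"; then
        triage "$line"
        fix_commands "$(avc_field "$line" path)" \
            "$(recommend_type "$(avc_perms "$line")" "$(avc_field "$line" tclass)" "$(avc_field "$line" path)")"
    fi
}

main
```

To use it against live denials, pipe each line of ausearch -m AVC -ts recent through triage and review the recommendation before running the printed commands: the script deliberately prints rather than executes semanage, because an automatic "allow whatever was denied" loop is exactly how over-broad labels end up on web content.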





