Home / server / Questions / 284493
In Process
Denis R.
Asked: 2011-06-28 05:55:17 +0800 CST

Disable SELinux file read protection for httpd

  • 772

I am using RHEL 6.1 and I would like to configure SELinux to authorize httpd to read all files in some folders (My goal is to make log files available via web access).

  • Is this possible without listing explicitely all files ?
  • Is this possible without disabling SELinux for httpd ?

I need solution which could be made persistent.

Thanks by advance.

redhat apache-2.2 httpd selinux

1 Answers

  1. You can set up a rule to allow httpd_t to read the type of file your logfiles are labeled with.

    For example, if I want httpd_t to be able to read your_log_file_type_t, you create a policy module like this (out of the back of my head). Call it apache_read_logs.te and put it in an empty directory:

    policy_module(apache_read_logs, 1.0)

type httpd_t;
type your_log_file_type_t;
type your_log_dir_type_t;

allow httpd_t your_log_dir_type_t:dir list_dir_perms;
read_files_pattern(httpd_t, your_log_dir_type, your_log_file_type)
read_lnk_files_pattern(httpd_t, your_log_dir_type, your_log_file_type)

    This allows httpd_t to read files labeled your_log_file_type_t and search through directories labeled your_log_dir_type_t. It uses macros for brevity. You can see how the macros look by downloading and examining the reference policy tarball.

    Then, from the directory you created the file in, you run, as root:

    # make -f /usr/share/selinux/devel/Makefile
# /usr/sbin/semodule -i apache_read_logs.pp

    This assumes you have selinux-policy-devel and policycoreutils installed. Test this on a non-crucial machine first! I wrote this blind and haven't tested it myself!

    • 1