@werty1st
Created August 15, 2013 10:02
Fedora SE linux
setsebool -P httpd_enable_homedirs true
chcon -R -t httpd_sys_content_t /home/testuser/public_html
setsebool -P httpd_can_network_connect 1
$ sudo setsebool -P httpd_read_user_content on
$ sudo setsebool -P httpd_sys_script_anon_write on
$ sudo chcon -R -t public_content_rw_t cache/
$ sudo chcon -R -t public_content_rw_t logfile.log
$ sudo chcon -R -h -t httpd_sys_script_rw_t cache/
$ sudo chcon -R -h -t httpd_sys_script_rw_t logfile.log

NanoDano commented Aug 3, 2020

Nice summary. In Fedora I needed to run the following in order to allow Nginx to act as a reverse-proxy and connect to a local TCP server:

# Allow http server to reverse-proxy and connect to local server
setsebool -P httpd_can_network_connect on

Then to allow Nginx to read from the webroot:

# This will allow reading everything in /srv.
chcon -R -t httpd_sys_content_t /srv

To check the type of something you can use ls -lZ. For web server root it should say httpd_sys_content_t not unconfined.

# Check SE Linux type
ls -lZ /srv/  

To check audit logs for blocks and how to unblock you can use ausearch and audit2allow:

# See denies
ausearch -m avc -ts today
# See how to allow
ausearch -m avc -ts today | audit2allow 
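
Before piping denials into audit2allow, it helps to see which source type, target type, class and permission are being blocked, because a boolean or a relabel like the ones above is often the narrower fix. The following is an added example, not part of the gist or the comment; the AVC records are constructed, and the names sample_avc and avc_summary and the hint strings are assumptions of this example.

```shell
#!/bin/sh
# Added example: group SELinux AVC denials before deciding how to allow them.

# Constructed sample records (not real audit data), shaped like the
# type=AVC lines that `ausearch -m avc` prints.
sample_avc() {
cat <<'EOF'
----
time->Mon Aug  3 10:00:00 2020
type=AVC msg=audit(1596448800.101:410): avc:  denied  { name_connect } for  pid=2211 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1596448805.202:411): avc:  denied  { name_connect } for  pid=2211 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1596448810.303:412): avc:  denied  { read open } for  pid=2211 comm="nginx" path="/srv/index.html" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
EOF
}

# Read audit records on stdin and print one line per distinct denial:
#   count comm source_type -> target_type class {perms} hint
# The hint (an assumption of this example) points back at the commands above.
avc_summary() {
  awk '
  /avc:/ && /denied/ {
    perms = ""; comm = ""; src = ""; tgt = ""; cls = ""; inperm = 0
    for (i = 1; i <= NF; i++) {
      if ($i == "{") { inperm = 1; continue }
      if ($i == "}") { inperm = 0; continue }
      if (inperm) { perms = (perms == "" ? $i : perms "," $i); continue }
      if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
      if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }  # user:role:TYPE:level
      if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
      if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
    }
    hint = "review"
    if (src == "httpd_t" && perms ~ /name_connect/) {
      hint = "boolean:httpd_can_network_connect"
    } else if (src == "httpd_t" && (cls == "file" || cls == "dir")) {
      hint = "label:check-with-ls-lZ"
    }
    n[comm " " src " -> " tgt " " cls " {" perms "} " hint]++
  }
  END { for (k in n) printf "%d %s\n", n[k], k }' | sort -rn
}

# Run on the constructed sample; on a real host feed it ausearch output instead.
sample_avc | avc_summary
```

On a Fedora host the same function can read the output of `ausearch -m avc -ts today` on stdin; lines marked "review" are the ones worth reading in full before generating any policy from them.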
