Hi,

I'm currently fiddling with Nginx on CentOS 7. Eventually I want to use it instead of Apache on some servers.

Apache works more or less out of the box with SELinux. My websites are all stored under /var/www, and ls -Z shows me that all files created under /var/www are correctly labeled httpd_sys_content_t.

On my sandbox server I don't have Apache (httpd) installed, only Nginx (the nginx package from EPEL).

I manually created the /var/www directory and put a handful of static websites in there to play around with. Curiously enough, I got a SELinux alert.

I took a peek in /var/www, and here's what the SELinux context looks like:

  unconfined_u:object_r:var_t:s0

Now I'm a bit puzzled. Is the correct httpd_sys_content_t context only applied if the httpd package is installed? How else can I explain this strange behavior?

Any suggestions?

Niki

--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
Mob. : 06 51 80 12 12

On 1/1/20 2:00 PM, Nicolas Kovacs wrote:
> Hi,
>
> I'm currently fiddling with Nginx on CentOS 7. Eventually I want to
> use it instead of Apache on some servers.
>
> Apache works more or less out of the box with SELinux. My websites are
> all stored under /var/www, and ls -Z shows me that all files created
> under /var/www are correctly labeled httpd_sys_content_t.
>
> On my sandbox server I don't have Apache (httpd) installed, only Nginx
> (the nginx package from EPEL).
>
> I manually created the /var/www directory and put a handful of static
> websites in there to play around with. Curiously enough, I got a
> SELinux alert.
>
> I took a peek in /var/www, and here's what the SELinux context looks
> like:
>
>   unconfined_u:object_r:var_t:s0
>
> Now I'm a bit puzzled. Is the correct httpd_sys_content_t context only
> applied if the httpd package is installed? How else can I explain this
> strange behavior?
>
> Any suggestions?

Have used Nginx on Fedora with SELinux. Perhaps first try putting your sites in the default document root, /usr/share/nginx/html

> Niki

On 01/01/2020 at 13:54, Benson Muite wrote:
> Have used Nginx on Fedora with SELinux. Perhaps first try putting your sites in
> the default document root, /usr/share/nginx/html

After some experimenting, I found the answer.

When I create /var/www manually, ls -Z shows me that it's labeled var_t. But /var/www default context is httpd_sys_content_t, according to matchpathcon. So a simple restorecon on that directory did the trick:

  $ sudo mkdir -v /var/www
  mkdir: created directory ‘/var/www’
  $ ls -dZ /var/www/
  drwxr-xr-x. root root unconfined_u:object_r:var_t:s0 /var/www/
  $ matchpathcon /var/www
  /var/www system_u:object_r:httpd_sys_content_t:s0
  $ sudo restorecon -R -v /var/www/
  restorecon reset /var/www context unconfined_u:object_r:var_t:s0 ->unconfined_u:object_r:httpd_sys_content_t:s0

Cheers,

Niki

--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
Mob. : 06 51 80 12 12
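
The check done by hand in the last message (on-disk label versus policy default), as an added example that is not part of the original thread. The function names are hypothetical; the sample lines are copied from the terminal output above, except AFTER_LS, which is constructed from the restorecon message.

```shell
#!/bin/sh
# Added example: detect SELinux label drift by comparing the type on disk
# with the policy default. Source this file, then: check_path /var/www

# Sample lines from the thread (AFTER_LS is constructed, see lead-in).
BEFORE_LS='drwxr-xr-x. root root unconfined_u:object_r:var_t:s0 /var/www/'
AFTER_LS='drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/'
POLICY='/var/www system_u:object_r:httpd_sys_content_t:s0'

# The type is the third colon-separated field of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return the first whitespace-separated field shaped like an SELinux context.
# Works on one line of either `ls -dZ PATH` or `matchpathcon PATH` output.
context_of_line() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[a-z0-9_]+:[a-z0-9_]+:[a-z0-9_]+:/) { print $i; exit }
    }'
}

# Compare only the type: restorecon without -F leaves the SELinux user alone,
# so unconfined_u (on disk) versus system_u (in policy) is not drift.
check_lines() {    # $1 = ls -dZ line, $2 = matchpathcon line
    actual=$(context_type "$(context_of_line "$1")")
    expected=$(context_type "$(context_of_line "$2")")
    if [ "$actual" = "$expected" ]; then
        echo "ok $actual"
    else
        echo "drift $actual -> $expected"
    fi
}

# Live check on an SELinux host (needs ls -Z and matchpathcon).
check_path() {
    check_lines "$(ls -dZ "$1")" "$(matchpathcon "$1")"
}
```

A "drift" result means a directory created by hand inherited its parent's type (var_t here) and restorecon would reset it to the policy default.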