  1. #1

    selinux security alerts - change file context

    I receive messages such as the below:
    ----

    SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files
    jk-runtime-status.

    SELinux has denied the httpd access to potentially mislabeled files
    jk-runtime-status. This means that SELinux will not allow httpd to use these
    files. If httpd should be allowed this access to these files you should change
    the file context to one of the following types, httpd_tmp_t,

    ----

    I know how to change the owner of a file and its permissions, but what does it mean to change the file context?

  2. #2
    SELinux means "Secure Enhanced Linux". This is a mechanism built into the Linux kernel that gives it some additional security functionality.
    This mechanism works around the concept of a "context". A context is a label.
    SELinux adds "contexts" to several types of system objects, like users, files, processes or network ports.
    Additionally, SELinux has a policy (usually a built-in policy that comes with the installation) that defines which contexts have access to which contexts.
    For example, the Apache process (httpd) has context A, while the directory /var/www/html and the files within it have context B. The policy defines that processes with context A may access only files with context B.

    So I have no httpd_tmp_t context, but I will show you an example with other Apache contexts.

    To see what context a directory has, use ls -Z:
    [root@andreys-comp www]# pwd
    /var/www
    [root@andreys-comp www]# ls -Z
    drwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t cgi-bin
    drwxr-xr-x root root system_u:object_r:httpd_sys_content_t error
    drwxr-xr-x root root system_u:object_r:httpd_sys_content_t html
    drwxr-xr-x root root system_u:object_r:httpd_sys_content_t icons
    drwxr-xr-x root root system_u:object_r:httpd_sys_content_t manual

    Now suppose I want another place to be the public internet directory, for example /www.
    Here is its status in terms of context:
    [root@andreys-comp /]# ls -Zd www
    drwxr-xr-x root root user_u:object_r:default_t www
    [root@andreys-comp /]# ls -ZR www
    www:
    -rw-r--r-- root root user_u:object_r:default_t index.html

    The context user_u:object_r:default_t is not system_u:object_r:httpd_sys_content_t, so if httpd accesses this I will get a similar error.

    All I need is to copy the context from a good place with chcon:
    [root@andreys-comp /]# chcon -R --reference /var/www/html/ /www/
    [root@andreys-comp network-scripts]# ls -Zd /www/
    drwxr-xr-x root root system_u:object_r:httpd_sys_content_t /www/
    [root@andreys-comp /]# ls -ZR www/
    www/:
    -rw-r--r-- root root system_u:object_r:httpd_sys_content_t index.html

    -R is recursive (so index.html also gets the good context); --reference says where I need the context from.
    Now you only need to type:
    service httpd restart

    If you don't know which directory holds your context, you may install policycoreutils-gui:
    yum install policycoreutils-gui
    (or use something like apt-get if you don't use Red Hat related distributions)
    and run:
    system-config-selinux -> File labeling -> enter in filter: httpd_tmp_t -> enter
    so you can see where you have this context.
    If you don't find anything, you may assume that your context's prefix is like all the others, and try:
    chcon system_u:object_r:httpd_tmp_t jk-runtime-status
    (you need to be in the directory of the appropriate file, or give the full path)

    If none of this works and you don't want to use SELinux at all (not a good idea, because very many places now use it, so you MUST know how to work with it), you may disable it by typing
    setenforce 0
    to disable it until the next boot, and change the line:
    SELINUX=enabled to disabled
    in:
    /etc/selinux/config
    to persistently disable SELinux.

    Read man selinux for more information.
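The check-and-relabel routine from the post above, as an added shell example that is not part of the original thread and not anyone's posted code. It assumes the /www and /var/www/html paths and the httpd_sys_content_t type from the post; the ls -Z lines it reads are constructed sample data so it runs on a machine without SELinux. Beyond what the post shows, it also prints the semanage fcontext / restorecon form of the fix: a label set with chcon alone is lost the next time the filesystem is relabeled (restorecon, touch /.autorelabel), so recording the rule with semanage is what makes it stick.

```shell
#!/bin/sh
# Added example (not from the thread): audit file contexts against a wanted
# SELinux type and print the commands that would fix the mislabeled ones.

# Extract the type field of a context string. The type is the third
# colon-separated component, so this also works for contexts that carry an
# MLS level such as system_u:object_r:httpd_sys_content_t:s0.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "ls -Z"-style lines (mode owner group context name) on stdin and print
# "name<TAB>type" for every entry whose type differs from the wanted type.
find_mislabeled() {
    want="$1"
    while read -r mode owner group ctx name; do
        [ -n "$name" ] || continue
        t=$(selinux_type "$ctx")
        [ "$t" = "$want" ] || printf '%s\t%s\n' "$name" "$t"
    done
}

# Print the relabel commands for a directory: chcon changes the running
# system only (lost on a relabel), semanage + restorecon record the rule in
# the policy so the label survives a relabel.
fix_commands() {
    dir="$1"; want="$2"
    printf 'chcon -R -t %s %s\n' "$want" "$dir"
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$want" "$dir"
    printf 'restorecon -Rv %s\n' "$dir"
}

# Constructed sample standing in for "ls -Z /www": one file still carries the
# default_t label from the post, one is already labeled for httpd.
SAMPLE='-rw-r--r-- root root user_u:object_r:default_t index.html
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t about.html'

main() {
    want=httpd_sys_content_t
    echo "Files under /www not labeled $want:"
    printf '%s\n' "$SAMPLE" | find_mislabeled "$want"
    echo "To fix:"
    fix_commands /www "$want"
}
main
```

On a real system replace the SAMPLE pipeline with `ls -Z /www | find_mislabeled httpd_sys_content_t`; the audit side needs only coreutils, while the fix commands need the policycoreutils package (semanage lives in policycoreutils-python on older Red Hat releases).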

  3. #3

    many thanks

    Thanks for the lesson. Well done and clear now.

  4. #4
    Quote Originally Posted by Ray.Holme View Post
    Thanks for the lesson. Well done and clear now.
    You are welcome
