[prev in list] [next in list] [prev in thread] [next in thread] 

List:       fedora-selinux-list
Subject:    RE: Question
From:       Jonathan Aquilina <jaquilina () eagleeyet ! net>
Date:       2020-04-13 3:46:00
Message-ID: AM6PR08MB39273E94CA4A40D42584E9BBA0DD0 () AM6PR08MB3927 ! eurprd08 ! prod ! outlook ! com
[Download RAW message or body]

Hi Lukas,

I am you could say brand new to SEL in all fairness and given how security paranoid I \
am about my systems I am glad I am starting to work with it.

I am using a very stock and out of the box policy with nothing change.

A friend of mine who works with SEL himself gave me the two commands mentioned.

Another question that stems off this should I just give the necessary rw access to \
the folders that will need to be updated?

Regards,
Jonathan


-----Original Message-----
From: Lukas Vrabec <lvrabec@redhat.com> 
Sent: Sunday, 12 April 2020 22:07
To: selinux@lists.fedoraproject.org
Subject: Re: Question

On 4/12/20 9:15 PM, Jonathan Aquilina wrote:
> Hi guys i have a question regarding SEL.
> 
> I have a VM that is on centos 7 and before I had an issue with 
> wordpress where it was in read only mode and i ran
> 
> chcon -R unconfined_u:object_r:httpd_sys_rw_content_t:s0
> /var/www/html/wordpress
> 
> 
> 
> to put it in read write mode for me to update the site
> 
> 
> 
> I then ran
> 
> 
> 
> restorecon -rv /var/www/html to restore things to the way they are.
> 
> 
> 
> since then i have not had to run the commands again to update the site 
> with any other updates
> 
> 
> 
> what exactly is happening
> 
> 
> 
> Regards,
> 
> Jonathan
> 
> 
> _______________________________________________
> selinux mailing list -- selinux@lists.fedoraproject.org To unsubscribe 
> send an email to selinux-leave@lists.fedoraproject.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: 
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproj
> ect.org
> 

Hi Jonathan,

Can you please share the reproducer ? Also, can you please share SELinux denials you \
saw in past (maybe they're still in audit.log) ?

From your e-mail it's hard to decide what really happened on the system.
 Btw. Did you changed value of any httpd_* boolean?
Please attach output of:
# semanage boolean -l | grep httpd

Thanks,
Lukas.






--
Lukas Vrabec
SELinux Evangelist,
Senior Software Engineer, Security Technologies Red Hat, Inc.

_______________________________________________
selinux mailing list -- selinux@lists.fedoraproject.org
To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.org



[prev in list] [next in list] [prev in thread] [next in thread]