I'm enabling SELinux on a server, and the httpd server (nginx and phusion passenger) is unable to read the app's dir (/home/app), with the following message:

```
#============= httpd_t ==============

#!!!! WARNING: 'home_root_t' is a base type.
#!!!! The file '/home/app/config.ru' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /home/app/config.ru
allow httpd_t home_root_t:file { getattr open read };
```

I'd like to keep SELinux on, but enable this.

  1. What command do I use to relabel /home/app so that httpd can read it?
  2. Will this survive reboots?
  3. I'd like this to be sticky, so that if I rm /home/app and put other content there (e.g. an app upgrade), I don't need to relabel it.
  4. And of course it should apply to subdirs as well (/home/app/sub), both existing and future.
  5. Finally, there are log files in /home/app/log, and I'll need rw access to it. I'd be willing to allow rw access to the entire /home/app if necessary.

How can I configure SELinux to work with my custom app?

SRobertJames
  • Don't try to use this policy. Instead run `restorecon` as the message advised you. Of course, you shouldn't have web sites in user home directories anyway; you're going to run into [further trouble](https://serverfault.com/a/779855/126632) after this. – Michael Hampton Jan 02 '19 at 17:17
  • Thank you Michael. I'm studying the post you linked and its references, and will circle back. I don't think `restorecon` alone, as advised by the message, will help, because it will hit similar errors with other files, no? – SRobertJames Jan 03 '19 at 21:07

0 Answers
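Added example, not part of the original thread: a small triage script that reads `audit2allow` output like the block in the question and separates rules flagged as labeling problems (to be relabeled, not loaded as policy) from the rest. The function names are hypothetical, and the second `allow` line in the sample is constructed for illustration.

```python
import re

# Sample audit2allow output: the first rule is the one from the question,
# the second is constructed for this example to show an unflagged rule.
SAMPLE = """\
#============= httpd_t ==============

#!!!! WARNING: 'home_root_t' is a base type.
#!!!! The file '/home/app/config.ru' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /home/app/config.ru
allow httpd_t home_root_t:file { getattr open read };
allow httpd_t var_log_t:file { getattr };
"""

RULE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(.+);$")
BASE = re.compile(r"^#!!!! WARNING: '(\S+)' is a base type\.")
FILE = re.compile(r"^#!!!! The file '(.+)' is mislabeled")
FIX = re.compile(r"^#!!!! Fix with \$ (restorecon .+)$")


def triage(text):
    """Return one dict per allow rule, with the warnings that preceded it."""
    results, pending = [], {}
    for line in text.splitlines():
        line = line.strip()
        if m := BASE.match(line):
            pending["base_type"] = m.group(1)
        elif m := FILE.match(line):
            pending["path"] = m.group(1)
        elif m := FIX.match(line):
            pending["fix"] = m.group(1)
        elif m := RULE.match(line):
            perms = m.group(4).strip("{} ").split()
            results.append({
                "source": m.group(1), "target": m.group(2),
                "tclass": m.group(3), "perms": perms,
                # A rule that audit2allow flagged as a labeling problem
                # should be fixed by relabeling, not loaded as policy.
                "load": not pending, **pending,
            })
            pending = {}  # warnings apply only to the rule right after them
    return results


def relabel_commands(results):
    """Commands audit2allow itself suggested, deduplicated, in order."""
    return list(dict.fromkeys(r["fix"] for r in results if "fix" in r))
```

Feeding it the full `audit2allow` output for a denial burst lists every mislabeled path at once, rather than discovering them one denial at a time.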