Newly created virtual server is not accessible (SELinux)

I solved this problem with restorecon:

[root@testserver123 nginx]# restorecon -R -v /home/
restorecon reset /home/user123 context system_u:object_r:home_root_t:s0->system_u:object_r:user_home_dir_t:s0
restorecon reset /home/user123/.bash_logout context system_u:object_r:home_root_t:s0->system_u:object_r:user_home_t:s0
restorecon reset /home/user123/.bash_profile context system_u:object_r:home_root_t:s0->system_u:object_r:user_home_t:s0
restorecon reset /home/user123/.bashrc context system_u:object_r:home_root_t:s0->system_u:object_r:user_home_t:s0
restorecon reset /home/user123/public_html context system_u:object_r:home_root_t:s0->system_u:object_r:httpd_user_content_t:s0
restorecon reset /home/user123/public_html/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_user_content_t:s0
restorecon reset /home/user123/cgi-bin context system_u:object_r:home_root_t:s0->system_u:object_r:user_home_t:s0
restorecon reset /home/user123/logs context system_u:object_r:home_root_t:s0->system_u:object_r:user_home_t:s0
restorecon reset /home/user123/logs/access_log context system_u:object_r:home_root_t:s0->system_u:object_r:user_home_t:s0
restorecon reset /home/user123/logs/error_log context system_u:object_r:home_root_t:s0->system_u:object_r:user_home_t:s0
restorecon reset /home/user123/logs/php.log context system_u:object_r:home_root_t:s0->system_u:object_r:user_home_t:s0
restorecon reset /home/user123/homes context system_u:object_r:home_root_t:s0->system_u:object_r:user_home_t:s0
restorecon reset /home/user123/Maildir context system_u:object_r:home_root_t:s0->system_u:object_r:mail_home_rw_t:s0
restorecon reset /home/user123/Maildir/cur context system_u:object_r:home_root_t:s0->system_u:object_r:mail_home_rw_t:s0
restorecon reset /home/user123/Maildir/tmp context system_u:object_r:home_root_t:s0->system_u:object_r:mail_home_rw_t:s0
restorecon reset /home/user123/Maildir/new context system_u:object_r:home_root_t:s0->system_u:object_r:mail_home_rw_t:s0
restorecon reset /home/user123/Maildir/.Trash context system_u:object_r:home_root_t:s0->system_u:object_r:mail_home_rw_t:s0
restorecon reset /home/user123/Maildir/.Trash/cur context system_u:object_r:home_root_t:s0->system_u:object_r:mail_home_rw_t:s0
restorecon reset /home/user123/Maildir/.Trash/tmp context system_u:object_r:home_root_t:s0->system_u:object_r:mail_home_rw_t:s0
restorecon reset /home/user123/Maildir/.Trash/new context system_u:object_r:home_root_t:s0->system_u:object_r:mail_home_rw_t:s0
restorecon reset /home/user123/Maildir/.Drafts context system_u:object_r:home_root_t:s0->system_u:object_r:mail_home_rw_t:s0
restorecon reset /home/user123/Maildir/.Drafts/cur context system_u:object_r:home_root_t:s0->system_u:object_r:mail_home_rw_t:s0
restorecon reset /home/user123/Maildir/.Drafts/tmp context system_u:object_r:home_root_t:s0->system_u:object_r:mail_home_rw_t:s0
restorecon reset /home/user123/Maildir/.Drafts/new context system_u:object_r:home_root_t:s0->system_u:object_r:mail_home_rw_t:s0
restorecon reset /home/user123/Maildir/.Sent context system_u:object_r:home_root_t:s0->system_u:object_r:mail_home_rw_t:s0
restorecon reset /home/user123/Maildir/.Sent/cur context system_u:object_r:home_root_t:s0->system_u:object_r:mail_home_rw_t:s0
restorecon reset /home/user123/Maildir/.Sent/tmp context system_u:object_r:home_root_t:s0->system_u:object_r:mail_home_rw_t:s0
restorecon reset /home/user123/Maildir/.Sent/new context system_u:object_r:home_root_t:s0->system_u:object_r:mail_home_rw_t:s0
restorecon reset /home/user123/Maildir/subscriptions context system_u:object_r:home_root_t:s0->system_u:object_r:mail_home_rw_t:s0
restorecon reset /home/user123/mail context system_u:object_r:home_root_t:s0->system_u:object_r:user_home_t:s0
restorecon reset /home/user123/etc context system_u:object_r:home_root_t:s0->system_u:object_r:user_home_t:s0
restorecon reset /home/user123/etc/php5 context system_u:object_r:home_root_t:s0->system_u:object_r:user_home_t:s0
restorecon reset /home/user123/etc/php5/php.ini context system_u:object_r:home_root_t:s0->system_u:object_r:user_home_t:s0
restorecon reset /home/user123/tmp context system_u:object_r:home_root_t:s0->system_u:object_r:user_tmp_t:s0
restorecon reset /home/user123/ssl.cert context system_u:object_r:httpd_config_t:s0->system_u:object_r:user_home_t:s0
restorecon reset /home/user123/ssl.key context system_u:object_r:httpd_config_t:s0->system_u:object_r:user_home_t:s0
restorecon reset /home/user123/.config context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:config_home_t:s0
restorecon reset /home/user123/.config/mc context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:config_home_t:s0
restorecon reset /home/user123/.config/mc/mcedit context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:config_home_t:s0
restorecon reset /home/user123/.config/mc/ini context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:config_home_t:s0
restorecon reset /home/user123/.config/mc/panels.ini context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:config_home_t:s0
restorecon reset /home/user123/.cache context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/user123/.cache/mc context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/user123/.cache/mc/mcedit context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/user123/.cache/mc/Tree context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/user123/.local context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:gconf_home_t:s0
restorecon reset /home/user123/.local/share context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:data_home_t:s0
restorecon reset /home/user123/.local/share/mc context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:data_home_t:s0
restorecon reset /home/user123/.local/share/mc/mcedit context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:data_home_t:s0
restorecon reset /home/user123/.local/share/mc/history context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:data_home_t:s0
restorecon reset /home/user123/.local/share/mc/filepos context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:data_home_t:s0
restorecon reset /home/user123/.bash_history context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_t:s0
[root@testserver123 nginx]#

Also restorecon -R -v /home/ will fix many issues in /etc/ and /var/.

I suggest making restorecon run every time after a virtual server is added. This will prevent many SELinux-related issues. Or write somewhere in the documentation that users should run this manually if they want to use SELinux.

Status: 
Active
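Before applying a recursive relabel to a whole /home tree, it is worth seeing what restorecon would change, in particular which paths end up with an httpd_* type that the web server can read. The script below is an added example, not code from the thread or from Virtualmin: it summarizes a restorecon dry run. The assumed invocation on the server is `restorecon -R -v -n /home | sh relabel_summary.sh`; restorecon's `-n` flag reports without changing labels. It handles both the "restorecon reset PATH context OLD->NEW" format shown in the post (older policycoreutils) and the "Would relabel PATH from OLD to NEW" format of newer releases. A few constructed lines, modelled on the post's output, serve as offline sample input.

```shell
#!/bin/sh
# Added example (not from the thread or Virtualmin): summarize a restorecon
# dry run so a relabel of /home can be reviewed before it is applied.
# Assumed server-side use:  restorecon -R -v -n /home | sh relabel_summary.sh

summarize_relabel() {
    # Reads restorecon output on stdin. For each reported path prints
    # "PATH old_type -> new_type", tagging changes that hand content to an
    # httpd_* type (the web server gains read access), then one
    # "TOTAL type N" line per target type so the scope of the relabel is visible.
    awk '
        # Third field of "user:role:type:level" is the type.
        function type_of(ctx,    p) { split(ctx, p, ":"); return p[3] }
        function report(path, old, new,    tag) {
            tag = (new ~ /^httpd_/) ? "  [web-readable]" : ""
            printf "%s %s -> %s%s\n", path, old, new, tag
            count[new]++
        }
        # Older format: restorecon reset PATH context OLD->NEW
        $1 == "restorecon" && $2 == "reset" {
            split($5, c, "->"); report($3, type_of(c[1]), type_of(c[2]))
        }
        # Newer format (assumed): Would relabel PATH from OLD to NEW
        $1 == "Would" && $2 == "relabel" {
            report($3, type_of($5), type_of($7))
        }
        END {
            fflush()
            for (t in count) printf "TOTAL %s %d\n", t, count[t] | "LC_ALL=C sort"
            close("LC_ALL=C sort")
        }
    '
}

sample_relabel_output() {
    # Constructed sample lines, modelled on the output format in the post above.
    cat <<'EOF'
restorecon reset /home/user123 context system_u:object_r:home_root_t:s0->system_u:object_r:user_home_dir_t:s0
restorecon reset /home/user123/public_html context system_u:object_r:home_root_t:s0->system_u:object_r:httpd_user_content_t:s0
restorecon reset /home/user123/public_html/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_user_content_t:s0
restorecon reset /home/user123/logs context system_u:object_r:home_root_t:s0->system_u:object_r:user_home_t:s0
Would relabel /home/user123/ssl.key from system_u:object_r:httpd_config_t:s0 to system_u:object_r:user_home_t:s0
EOF
}

# Run the constructed sample through the summary: sh relabel_summary.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sample_relabel_output | summarize_relabel
fi
```

The `[web-readable]` tag is the line to check on a shared host: a directory that moves to httpd_user_content_t becomes reachable by httpd_t, so paths such as private keys or mail spools should not appear with it.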

Comments

Alternately, just turn off SELinux unless you really really need it.

Submitted by Joe on Sun, 02/19/2017 - 19:56 Pro Licensee

Have you run into any other issues with SELinux? Did you set the web home directory boolean (I don't remember the specific name of it, but it's one of the things I needed to do to make Virtualmin play nice with SELinux)? I'd like to add better support, but it's such a complicated subject, even now. Still takes a bunch of troubleshooting just to get through to a basically functional thing, though web service was pretty quick and easy...mail was complicated.

I enabled httpd_read_user_content; however, I did not enable httpd_enable_homedirs.

I enabled socket files and symlinks with this module:

# echo "module nginxfix 2.0;

require {
type httpd_t;
type var_t;
type initrc_t;
class sock_file write;
class unix_stream_socket connectto;
type user_home_t;
class lnk_file read;
}



#============= httpd_t ==============

allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t var_t:sock_file write;
allow httpd_t user_home_t:lnk_file read;"  > /tmp/nginxfix.te


# checkmodule -M -m -o  /tmp/nginxfix.mod  /tmp/nginxfix.te
# semodule_package -o  /tmp/nginxfix.pp -m  /tmp/nginxfix.mod
# semodule -i  /tmp/nginxfix.pp

Also I have these SELinux settings:

Allowing logs in /var/log/virtualmin(/.*)?:

# semanage fcontext -a -t httpd_log_t "/var/log/virtualmin(/.*)?"
# restorecon -R -v /var/log/virtualmin

Allowing Nginx to access content on /home/* directories:

# setsebool -P httpd_read_user_content on

Allowing proxy_pass http://io_nodes;:

# setsebool -P httpd_can_network_connect on

I did not test the e-mail features (sending e-mail from my application is working; other stuff I don't know).
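A custom policy module like the nginxfix one above is the part of this setup most worth reviewing before it is installed, because two of its targets are generic labels: var_t is the default type for anything under /var that no file-context rule covers, and initrc_t is the domain of init scripts and of daemons they start without a domain transition. An allow rule against those types lets httpd_t reach far more than the one socket the rule was written for; the tighter alternative is to label the socket with a type specific to the service that creates it and allow only that. The script below is an added example, not code from the thread or from Virtualmin: it lists the allow rules in a .te file and flags targets that are broad catch-all types. The module text from the comment above is embedded only as sample input, and the list of broad types is an assumption chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread or Virtualmin): review the allow rules in
# a local SELinux policy module before running checkmodule/semodule_package/
# semodule on it, flagging targets that are generic catch-all types.
# Assumed use:  sh te_audit.sh /tmp/nginxfix.te

audit_te_rules() {
    # $1: path to a .te file. Prints one line per allow rule as
    # "source -> target (class) perms", appending "[broad target]" when the
    # target type is a generic label, then a "RULES N BROAD M" summary line.
    awk '
        BEGIN {
            # Assumed set of catch-all types for this example.
            broad["var_t"] = 1;       broad["initrc_t"] = 1
            broad["unlabeled_t"] = 1; broad["default_t"] = 1
            broad["etc_t"] = 1;       broad["usr_t"] = 1
        }
        $1 == "allow" {
            src = $2
            split($3, tc, ":")           # "var_t:sock_file" -> type, class
            target = tc[1]; class = tc[2]
            perms = $4
            for (i = 5; i <= NF; i++) perms = perms " " $i
            sub(/;$/, "", perms)         # drop the trailing statement terminator
            flag = (target in broad) ? "  [broad target]" : ""
            printf "%s -> %s (%s) %s%s\n", src, target, class, perms, flag
            total++; if (flag != "") nflag++
        }
        END { printf "RULES %d BROAD %d\n", total + 0, nflag + 0 }
    ' "$1"
}

write_sample_te() {
    # Writes the module from the comment above to $1 as sample input.
    cat > "$1" <<'EOF'
module nginxfix 2.0;

require {
    type httpd_t;
    type var_t;
    type initrc_t;
    class sock_file write;
    class unix_stream_socket connectto;
    type user_home_t;
    class lnk_file read;
}

#============= httpd_t ==============
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t var_t:sock_file write;
allow httpd_t user_home_t:lnk_file read;
EOF
}

# With a path argument audit that file; with --demo audit the embedded sample.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_te "$tmp"
    audit_te_rules "$tmp"
    rm -f "$tmp"
elif [ -n "${1:-}" ]; then
    audit_te_rules "$1"
fi
```

On the sample module the summary reports two of three rules as broad: the connectto rule against initrc_t and the sock_file write against var_t. The user_home_t lnk_file read rule is narrow by comparison, although it still lets the web server follow any symlink in home directories, which is what httpd_read_user_content already scopes.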