1. SELinux policy
Open ports 80/tcp and 443/tcp in the firewall:
firewall-cmd --permanent --add-service=http --add-service=https
firewall-cmd --reload
File system permissions: everything under the DocumentRoot must be readable by the apache user or group; in most cases the apache user or group should not be able to write to it.
SELinux: the default SELinux policy limits which file contexts httpd may read; the default context for web server content is httpd_sys_content_t. To label a new location with it:
semanage fcontext -a -t httpd_sys_content_t '/new/location(/.*)?'
The selinux-policy-devel package provides the httpd_selinux man page, which explains these contexts in detail.
To allow members of the webmasters group to write to the DocumentRoot, grant them an ACL and a matching default ACL for newly created entries:
setfacl -R -m g:webmasters:rwX /var/www/html
setfacl -R -m d:g:webmasters:rwx /var/www/html
The uppercase "X" grants execute permission only on directories, not on regular files.
To create a new DocumentRoot for the webmasters group (mode 2775 sets the setgid bit, so files created inside inherit the directory's group):
mkdir -p -m 2775 /new/docroot
chgrp webmasters /new/docroot
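The permission rules above (readable by the apache user, not world-writable, setgid directories so the group is inherited) are easy to get wrong on a tree that many people edit. The following audit script is an added example and not part of the original article: it builds a small constructed DocumentRoot in a temporary directory and reports every entry that breaks one of those rules. It inspects mode bits only; the webmasters group itself is not checked because group membership is host-specific.

```python
"""Audit a DocumentRoot against the permission rules described above.

Added example, not code from the original article. The sample tree is
constructed in a temporary directory so the script runs anywhere.
"""
import os
import stat
import tempfile

NOT_READABLE = "not readable by apache (group/other read bit missing)"
WORLD_WRITABLE = "world-writable"
NO_SETGID = "directory lacks setgid bit (expected mode 2775)"


def audit_docroot(root):
    """Return a sorted list of (relative_path, problem) tuples for `root`."""
    problems = []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [(dirpath, True)]
        entries += [(os.path.join(dirpath, name), False) for name in filenames]
        for path, is_dir in entries:
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits are meaningless
            rel = os.path.relpath(path, root)
            # rule 1: group and others can read; directories must also be searchable
            need = stat.S_IRGRP | stat.S_IROTH
            if is_dir:
                need |= stat.S_IXGRP | stat.S_IXOTH
            if mode & need != need:
                problems.append((rel, NOT_READABLE))
            # rule 2: nothing under the DocumentRoot may be writable by "others"
            if mode & stat.S_IWOTH:
                problems.append((rel, WORLD_WRITABLE))
            # rule 3: directories should be setgid so new files keep the group
            if is_dir and not mode & stat.S_ISGID:
                problems.append((rel, NO_SETGID))
    return sorted(problems)


def build_sample_docroot():
    """Create a constructed DocumentRoot with good and deliberately bad entries."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.chmod(root, 0o2775)                                   # good: setgid, group-writable
    os.mkdir(os.path.join(root, "images"))
    os.chmod(os.path.join(root, "images"), 0o2775)           # good
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<h1>hello</h1>\n")
    os.chmod(os.path.join(root, "index.html"), 0o664)        # good: readable, not world-writable
    with open(os.path.join(root, "upload.php"), "w") as f:
        f.write("<?php ?>\n")
    os.chmod(os.path.join(root, "upload.php"), 0o666)        # bad: world-writable
    os.mkdir(os.path.join(root, "private"))
    os.chmod(os.path.join(root, "private"), 0o770)           # bad: no setgid, unreadable by others
    return root


if __name__ == "__main__":
    sample = build_sample_docroot()
    for rel, problem in audit_docroot(sample):
        print(f"{rel}: {problem}")
```

Run it against a real DocumentRoot by passing the path to audit_docroot instead of the constructed sample; the checks are pure stat() calls, so it is safe to run on a live server.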
I configured the serverX system to forward incoming requests on port 443/tcp from desktopX to port 22/tcp; my desktopX has the IP address 172.25.x.10.
On serverX, add a permanent rule:
firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=172.25.x.10/32 forward-port port=443 protocol=tcp to-port=22'
firewall-cmd --reload
2. SELinux port labels
SELinux labels files, processes, and network traffic (ports).
Install the policy development package and refresh the man page index so the per-service SELinux man pages can be found:
yum -y install selinux-policy-devel
mandb
man -k _selinux
Network port labels
To list the current port labels:
semanage port -l
Managing port labels
To add a port to an existing port label:
semanage port -a -t port_label -p tcp|udp PORTNUMBER
For example, to allow the gopher service to listen on port 71/tcp (the type given to -t must be a port type, here gopher_port_t):
semanage port -a -t gopher_port_t -p tcp 71
To delete the label again:
semanage port -d -t gopher_port_t -p tcp 71
To modify an existing port record:
semanage port -m -t gopher_port_t -p tcp 71