SELinux Policies For FileCloud Installation

SELinux is a Linux kernel security module that defines the access and transition rights of every user, application, process, and file on the system.

  • It then governs the interactions of these entities using security policies that specify how strict or lenient a given Linux installation should be.
  • It is available as part of distros like Red Hat Enterprise Linux.

To use FileCloud on an OS with SELinux in enforcing mode, follow the steps below.

1) If SELinux is disabled, it needs to be enabled. To switch to enforcing mode, use the command below. Note that setenforce only works when SELinux is already loaded (permissive mode); if SELINUX=disabled is set in /etc/selinux/config, change it to enforcing there and reboot, relabeling the file system as described under Optional.

setenforce 1

2) To allow writable access to the folders FileCloud uses, run the following commands. They label each folder and its contents with the required context.

For a managed storage path "/opt/fileclouddata" :

semanage fcontext -a -t httpd_sys_rw_content_t "/opt/fileclouddata(/.*)?"

restorecon -Rv /opt/fileclouddata

For the default FileCloud install folder path "/var/www/html":

semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html(/.*)?"

restorecon -Rv /var/www/html

semanage fcontext -a -t httpd_sys_script_exec_t /var/www/html/thirdparty/prop/p23l

restorecon -Rv /var/www/html/thirdparty/prop/p23l

Add all additionally required folders (such as network folders) using the same semanage and restorecon commands.

3) To allow FileCloud to reach services like MongoDB and Solr over the network, use the following commands:

setsebool -P httpd_can_network_connect_db 1

setsebool -P httpd_can_network_connect 1

setsebool -P httpd_builtin_scripting 1  # Enabled by default

Optional

Apart from the above steps, you can have SELinux relabel the whole file system automatically, and if firewalld or iptables is running on the system, the commands below need to be executed.

SELinux

To have SELinux relabel the whole file system at the next reboot (generally used on a new system), run:

touch /.autorelabel; reboot

Iptables

To allow FileCloud public access, use the below commands.

iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT  # Use only if HTTPS not enabled : This enables access on unsecure HTTP port 80

iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

Firewalld

To allow FileCloud public access, use the below commands.

firewall-cmd --add-service=http --zone=public --permanent  # Use only if HTTPS not enabled : This enables access on unsecure HTTP port 80

firewall-cmd --add-service=https --zone=public --permanent

firewall-cmd --reload

Troubleshooting

In some cases, SELinux may block services used by FileCloud. Proper troubleshooting is needed to identify the missing policies so the different services work properly.

On Red Hat based Linux systems, the first place to look for SELinux warnings is /var/log/messages, where each warning comes with an explanation and the command to execute in order to add the related policy.

Another place to look for SELinux messages, depending on the Linux distribution, is /var/log/audit/audit.log. This audit log is detailed and very verbose, which helps when investigating a problem.

Once you have identified the missing policy, you can enable it with "setsebool -P". The -P flag writes all pending values to the policy file on disk, so they persist across reboots.

Some of the SELinux booleans that can be enabled to make FileCloud work properly, depending on the use case and architecture, are:

setsebool -P httpd_can_network_connect_db 1

setsebool -P httpd_can_network_connect 1

setsebool -P httpd_builtin_scripting 1 # Enabled by default

setsebool -P httpd_execmem 1  # Lets httpd map writable and executable memory; enable only if a component actually requires it

setsebool -P httpd_use_nfs 1  # Needed when FileCloud storage lives on an NFS mount
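The troubleshooting steps above come down to reading AVC denials out of /var/log/audit/audit.log and mapping each one to a label or boolean change. The script below is an added example (not part of the FileCloud documentation or product) that collapses denials by source type, permission, class and target type, then maps the common httpd_t cases to the fixes this page documents; the audit lines, the mongod_port_t target and the hint_for/summarize_avc names are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of audit.log AVC records for an httpd_t FileCloud process (not real captures).
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { write } for  pid=1234 comm="httpd" name="fileclouddata" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.124:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=27017 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mongod_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.125:458): avc:  denied  { write } for  pid=1234 comm="httpd" name="fileclouddata" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.126:459): avc:  denied  { execute } for  pid=1235 comm="httpd" path="/var/www/html/thirdparty/prop/p23l" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0'

# Read audit.log records on stdin; print "count source_type perm tclass target_type" per distinct denial.
summarize_avc() {
  awk '/^type=AVC/ && /avc: +denied/ {
    perm = ""; src = ""; tgt = ""; cls = ""
    # permissions appear as "{ read write }"; strip the braces and join with commas
    if (match($0, /[{] [^}]* [}]/)) { perm = substr($0, RSTART + 2, RLENGTH - 4); gsub(/ /, ",", perm) }
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }   # user:role:type:level -> type
      if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
      if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
    }
    n[src " " perm " " cls " " tgt]++
  }
  END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# Heuristic: map one summarized denial to the fix documented on this page (args: src perm tclass tgt).
hint_for() {
  case "$1:$2:$3:$4" in
    httpd_t:name_connect:tcp_socket:*_port_t) echo "setsebool -P httpd_can_network_connect_db 1 (or httpd_can_network_connect)" ;;
    httpd_t:execute:file:httpd_sys_rw_content_t) echo "relabel with httpd_sys_script_exec_t via semanage fcontext + restorecon" ;;
    httpd_t:*write*:*:*) echo "relabel path with httpd_sys_rw_content_t via semanage fcontext + restorecon" ;;
    *) echo "no fix documented here; inspect with audit2why" ;;
  esac
}

# Print each distinct denial with its count and suggested fix.
report() {
  printf '%s\n' "$SAMPLE_AVC" | summarize_avc | while read -r cnt src perm cls tgt; do
    printf '%s x %s %s %s -> %s : %s\n' "$cnt" "$src" "$perm" "$cls" "$tgt" "$(hint_for "$src" "$perm" "$cls" "$tgt")"
  done
}

report
```

On a live system replace the sample with `grep AVC /var/log/audit/audit.log | summarize_avc`; the hints are the page's own remedies, so anything that falls through to the default case still needs manual review.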