SELinux Configuration
- Introduction
- Preparation
- Enable updates via the web interface
- Disallow write access to the whole web directory
- Allow access to a remote database
- Allow access to LDAP server
- Allow access to remote network
- Allow access to network memcache
- Allow access to SMTP/sendmail
- Allow access to CIFS/SMB
- Allow access to FuseFS
- Allow access to GPG for Rainloop
- Troubleshooting
Introduction
Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC).
Preparation
When you have SELinux enabled on your Linux distribution, you may run
into permissions problems after a new ownCloud installation, and see
permission denied errors in your ownCloud logs.
The following settings should work for most SELinux systems that use the default distro profiles. Run these commands as root, and remember to adjust the filepaths in these examples for your installation
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/owncloud/data(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/owncloud/config(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/owncloud/apps(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/owncloud/apps-external(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/owncloud/.htaccess'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/owncloud/.user.ini'
restorecon -Rv '/var/www/html/owncloud/'If you uninstall ownCloud you need to remove the ownCloud directory labels. To do this execute the following commands as root after uninstalling ownCloud
semanage fcontext -d '/var/www/html/owncloud/data(/.*)?'
semanage fcontext -d '/var/www/html/owncloud/config(/.*)?'
semanage fcontext -d '/var/www/html/owncloud/apps(/.*)?'
semanage fcontext -d '/var/www/html/owncloud/apps-external(/.*)?'
semanage fcontext -d '/var/www/html/owncloud/.htaccess'
semanage fcontext -d '/var/www/html/owncloud/.user.ini'
restorecon -Rv '/var/www/html/owncloud/'If you have customized SELinux policies and these examples do not work, you must give the HTTP server write access to these directories:
/var/www/html/owncloud/data
/var/www/html/owncloud/config
/var/www/html/owncloud/apps
/var/www/html/owncloud/apps-externalEnable updates via the web interface
To enable updates via the ownCloud web interface, you may need this to enable writing to the ownCloud directories:
setsebool httpd_unified onWhen the update is completed, disable write access:
setsebool -P httpd_unified offDisallow write access to the whole web directory
For security reasons it’s suggested to disable write access to all folders in /var/www/ (default):
setsebool -P httpd_unified offAllow access to a remote database
An additional setting is needed if your installation is connecting to a remote database:
setsebool -P httpd_can_network_connect_db onAllow access to LDAP server
Use this setting to allow LDAP connections:
setsebool -P httpd_can_connect_ldap onAllow access to remote network
ownCloud requires access to remote networks for functions such as Server-to-Server sharing, external storages or the ownCloud Marketplace. To allow this access use the following setting:
setsebool -P httpd_can_network_connect onAllow access to network memcache
This setting is not required if httpd_can_network_connect is already
on:
setsebool -P httpd_can_network_memcache onAllow access to SMTP/sendmail
If you want to allow ownCloud to send out e-mail notifications via sendmail you need to use the following setting:
setsebool -P httpd_can_sendmail onAllow access to CIFS/SMB
If you have placed your datadir on a CIFS/SMB share use the following setting:
setsebool -P httpd_use_cifs onAllow access to FuseFS
If your owncloud data folder resides on a Fuse Filesystem (e.g. EncFS etc.), this setting is required as well:
setsebool -P httpd_use_fusefs onAllow access to GPG for Rainloop
If you use the rainloop webmail client app which supports GPG/PGP, you might need this:
setsebool -P httpd_use_gpg onTroubleshooting
General Troubleshooting
For general Troubleshooting of SELinux and its profiles try to install
the package setroubleshoot and run:
sealert -a /var/log/audit/audit.log > /path/to/mylogfile.txtto get a report which helps you to configure your SELinux profiles.
Another tool for troubleshooting is to enable a single ruleset for your ownCloud directory:
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/owncloud(/.*)?'
restorecon -RF /var/www/html/owncloudIt is much stronger security to have a more fine-grained ruleset as in the examples at the beginning, so use this only for testing and troubleshooting. It has a similar effect to disabling SELinux, so don’t use it on production systems.
See this discussion on GitHub to learn more about configuring SELinux correctly for ownCloud.
Redis on RHEL 7 & Derivatives
On RHEL 7 and its derivatives, if you are using Redis for both local server cache and file locking and Redis is configured to listen on a Unix socket instead of a TCP/IP port (which is recommended if Redis is running on the same system as ownCloud) you must instruct SELinux to allow daemons to enable cluster mode. You can do this using the following command:
setsebool -P daemons_enable_cluster_mode 1