Lab 04 — SELinux Contexts and Booleans
Target: rhcsa-node1 or rhcsa-node2 · Time: 25 minutes · Reboot required: yes
Scenario
Apache needs to serve content from a non-default location AND connect to a database on a non-default port. SELinux must stay in enforcing mode throughout.
Tasks
- Confirm SELinux is in **enforcing** mode. If not, change the runtime AND the persistent config so it stays enforcing across reboots.
- Install httpd. Move its document root: create `/data/web` and put a file `/data/web/index.html` containing "RHCSA Lab" in it.
- Configure httpd (add a drop-in file or edit one under `/etc/httpd/conf.d/`) so its DocumentRoot is `/data/web`.
- Set the correct SELinux file context on `/data/web` so httpd can read it — and make the context **persistent** (so a relabel doesn't undo your work).
- Set the SELinux boolean `httpd_can_network_connect_db` to ON, persistently.
- Allow httpd to listen on **port 8443/tcp** (in addition to 80/443) by adding the port to the `http_port_t` context.
- Start httpd and verify it serves the new content on port 80, and confirm that port 8443 is now listed under the `http_port_t` type.
- Open port 80 in firewalld permanently.
Reboot. Re-run grader.
Grading
~/labs/lab04-selinux/grader.sh
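
One way to work through the tasks above and check the result before running the grader, as an added example that is not part of the original lab or its grader. The drop-in name `lab04.conf`, the `Require all granted` block and the function names are assumptions; run it as root with the argument `apply`.

```bash
#!/usr/bin/env bash
# Added example, not the lab's own script. Nothing runs unless $1 is "apply".
WEBROOT=/data/web

# Reads `semanage port -l` output on stdin; succeeds if port $3 is listed
# for SELinux type $1 and protocol $2 (single ports and "lo-hi" ranges).
port_has_type() {
  awk -v t="$1" -v p="$2" -v want="$3" '
    $1 == t && $2 == p {
      for (i = 3; i <= NF; i++) {
        r = $i; sub(/,$/, "", r); n = split(r, a, "-")
        lo = a[1] + 0; hi = (n == 2 ? a[2] : a[1]) + 0
        if (want + 0 >= lo && want + 0 <= hi) found = 1
      }
    }
    END { exit(found ? 0 : 1) }'
}

# Prints the type field of a context string such as user:role:type:level.
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

apply_lab() {
  setenforce 1                                                  # runtime
  sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config # persistent
  dnf -y install httpd
  mkdir -p "$WEBROOT"
  echo "RHCSA Lab" > "$WEBROOT/index.html"
  # Assumed drop-in name; the Directory grant avoids a 403 outside /var/www.
  cat > /etc/httpd/conf.d/lab04.conf <<EOF
DocumentRoot "$WEBROOT"
<Directory "$WEBROOT">
    Require all granted
</Directory>
EOF
  semanage fcontext -a -t httpd_sys_content_t "$WEBROOT(/.*)?"  # survives relabel
  restorecon -Rv "$WEBROOT"
  setsebool -P httpd_can_network_connect_db on
  # -a fails if the port is already defined in policy; fall back to -m.
  semanage port -a -t http_port_t -p tcp 8443 || semanage port -m -t http_port_t -p tcp 8443
  systemctl enable --now httpd
  firewall-cmd --permanent --add-port=80/tcp && firewall-cmd --reload
}

verify_lab() {
  [ "$(getenforce)" = Enforcing ] || return 1
  [ "$(context_type "$(stat -c %C "$WEBROOT")")" = httpd_sys_content_t ] || return 1
  semanage port -l | port_has_type http_port_t tcp 8443 || return 1
  curl -s http://localhost/ | grep -q "RHCSA Lab"
}

if [ "${1:-}" = apply ]; then apply_lab && verify_lab && echo "lab04 checks passed"; fi
```

After the reboot, `verify_lab` can be run again on its own to confirm the enforcing mode, file context and port label all persisted.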