Security-Enhanced Linux (SELinux) defines the access and transition rights of every user, application, process, and file on the system. SELinux governs the interactions of these entities using a security policy that specifies how strict or lenient a given Red Hat Enterprise/CentOS Linux installation should be.

The default installation of WebSpellChecker is not intended for such a secured environment and requires additional configuration steps on your side. Once the default installation has been performed, proceed with the SELinux configuration as follows.

6.1. Define Security Context for WebSpellChecker. Set the appropriate security context for all the files inside the WebSpellChecker installation directory using the following command:

sudo /sbin/restorecon -R -v /<WebSpellChecker_Installation_Dir>/WSC

The restorecon command sets the security context of files. Read more about SELinux/restorecon.

The -R option changes the labels of files and directories recursively.

The -v option shows where the changes take place, e.g. which files under /<WebSpellChecker_Installation_Dir>/WSC had their labels changed.

6.2. Allow Network Connection. Allow Apache HTTP Server scripts and modules to connect to the network by setting an SELinux boolean to a given value.

sudo /usr/sbin/setsebool -P httpd_can_network_connect=1

The setsebool command sets the value of an SELinux boolean. Read more about SELinux/setsebool.

httpd_can_network_connect allows HTTPD scripts and modules to connect to the network.

The -P option saves all pending values to disk. Without the -P option, only the current boolean value is affected, and it is reverted after a reboot.

6.3. Define Security Context for SSRV Script. You need to set the appropriate security context for the SSRV.FCGI script separately. By default, the SSRV.FCGI script has the default_t context type, which is an incorrect security context for SELinux. If you try to view a page, SELinux will deny access and log the error.

Run the following command to set the proper security context type, httpd_sys_content_t, for SSRV.FCGI.

sudo chcon -t httpd_sys_content_t /opt/WSC/WebComponents/WebInterface/script/ssrv.fcgi
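
One way to confirm that steps 6.2 and 6.3 took effect, given as an added example that is not part of the WebSpellChecker documentation: it checks the context type reported by stat -c %C, the line printed by getsebool, and AVC denial lines that still target default_t. The function names, the sample context strings and the sample audit line are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks for the outcome of steps 6.2 and 6.3.
# All sample strings below are constructed, not taken from a real system.

# Print the type field (third colon-separated field) of an SELinux
# context such as "unconfined_u:object_r:httpd_sys_content_t:s0".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed if context $1 carries type $2.
has_type() {
    [ "$(context_type "$1")" = "$2" ]
}

# Succeed if getsebool output line $1 reports boolean $2 as on.
bool_is_on() {
    [ "$1" = "$2 --> on" ]
}

# Read AVC audit lines on stdin; print the file name of every denial
# whose target context still has the default_t type.
denied_default_t() {
    grep 'avc:.*denied' |
        grep 'tcontext=[^ ]*:default_t:' |
        sed -n 's/.* name="\([^"]*\)".*/\1/p'
}

# Live check on an SELinux host: verify_live /path/to/ssrv.fcgi
verify_live() {
    has_type "$(stat -c %C "$1")" httpd_sys_content_t ||
        { echo "FAIL: $1 is not httpd_sys_content_t"; return 1; }
    bool_is_on "$(getsebool httpd_can_network_connect)" httpd_can_network_connect ||
        { echo "FAIL: httpd_can_network_connect is off"; return 1; }
    echo "OK"
}

# Constructed samples: the label before and after step 6.3, and a denial
# of the kind logged while the script is still labelled default_t.
BEFORE='unconfined_u:object_r:default_t:s0'
AFTER='unconfined_u:object_r:httpd_sys_content_t:s0'
AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="ssrv.fcgi" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0'

has_type "$BEFORE" httpd_sys_content_t || echo "before: wrong type $(context_type "$BEFORE")"
has_type "$AFTER" httpd_sys_content_t && echo "after: label ok"
printf '%s\n' "$AVC" | denied_default_t
```

On a host with SELinux enabled, call verify_live with the path to ssrv.fcgi after completing the steps above.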
