From a0a5ec8daf3888b3e317f002fdd0281299a64cf4 Mon Sep 17 00:00:00 2001 From: Henry Date: Sun, 18 Mar 2018 10:06:02 +0100 Subject: Selinux FAQ Command to run on SELinux system enabled --- docs/en/users/07_Frequently_Asked_Questions.md | 22 +++++++++++++++++++++- docs/fr/users/07_Frequently_Asked_Questions.md | 18 ++++++++++++++++++ 2 files changed, 39 insertions(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/en/users/07_Frequently_Asked_Questions.md b/docs/en/users/07_Frequently_Asked_Questions.md index 132b2e7ec..08148ef98 100644 --- a/docs/en/users/07_Frequently_Asked_Questions.md +++ b/docs/en/users/07_Frequently_Asked_Questions.md @@ -43,4 +43,24 @@ Since [1.8.0](https://github.com/FreshRSS/FreshRSS/releases/tag/1.8.0) release, ```sh ./cli/update_user.php --user --password ``` -For more information on that matter, there is a [dedicated documentation](../../cli/README.md). \ No newline at end of file +For more information on that matter, there is a [dedicated documentation](../../cli/README.md). + +## Permissions under SELinux + +Some Linux distribution like Fedora or RedHat Enterprise Linux have SELinux system enabled. This acts like a firewall application, so all applications cannot write/modify files under certain conditions. While installing FreshRSS, step 2 can fail if the httpd process cannot write to the following directories : + + - FreshRSS/data + - FreshRSS/data/cache + - FreshRSS/data/favicons + - FreshRSS/data/users + +The following commands should be executed as root : + +```sh +semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data +semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data/cache' +semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data/users' +semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data/favicons' + +restorecon -Rv /usr/share/FreshRSS/data +``` \ No newline at end of file 
diff --git a/docs/fr/users/07_Frequently_Asked_Questions.md b/docs/fr/users/07_Frequently_Asked_Questions.md index f27c92579..b86d01e4f 100644 --- a/docs/fr/users/07_Frequently_Asked_Questions.md +++ b/docs/fr/users/07_Frequently_Asked_Questions.md @@ -44,3 +44,21 @@ Depuis la version [1.8.0](https://github.com/FreshRSS/FreshRSS/releases/tag/1.8. ./cli/update_user.php --user --password ``` Pour plus d'information à ce sujet, il existe la [documentation dédiée](../../cli/README.md). + +## Gérer les permissions sous SELinux + +Certaines distributions Linux comme Fedora ou RedHat Enterprise Linux (RHEL) activent par défaut le système SELinux. Celui-ci permet de gérer des permissions au niveau des processus. Lors de l'installation de FreshRSS, l'étape 2 procède à la vérification des droits sur certains répertoires: + + - FreshRSS/data + - FreshRSS/data/cache + - FreshRSS/data/favicons + - FreshRSS/data/users + +Il faut donc exécuter les commandes suivantes en tant que root : +```sh +semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data +semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data/cache' +semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data/users' +semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data/favicons' + +restorecon -Rv /usr/share/FreshRSS/data -- cgit v1.2.3 From 6bac71b2e8c2bc73659189ba752cbf7d158e89b3 Mon Sep 17 00:00:00 2001 From: Henry Date: Sun, 18 Mar 2018 11:24:50 +0100 Subject: Fix typo Missing quotes at the end of file --- docs/fr/users/07_Frequently_Asked_Questions.md | 1 + 1 file changed, 1 insertion(+) (limited to 'docs') diff --git a/docs/fr/users/07_Frequently_Asked_Questions.md b/docs/fr/users/07_Frequently_Asked_Questions.md index b86d01e4f..dd0a64998 100644 --- a/docs/fr/users/07_Frequently_Asked_Questions.md +++ b/docs/fr/users/07_Frequently_Asked_Questions.md 
@@ -62,3 +62,4 @@ semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data/users' semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data/favicons' restorecon -Rv /usr/share/FreshRSS/data +``` \ No newline at end of file -- cgit v1.2.3 From 67c608d44f92b426dc100db87e4052a22585d691 Mon Sep 17 00:00:00 2001 From: Henry Date: Sun, 18 Mar 2018 12:46:55 +0100 Subject: Typo fix typo + apply command to sub dir --- docs/en/users/07_Frequently_Asked_Questions.md | 9 ++++++++- docs/fr/users/07_Frequently_Asked_Questions.md | 8 +++++++- 2 files changed, 15 insertions(+), 2 deletions(-) (limited to 'docs') diff --git a/docs/en/users/07_Frequently_Asked_Questions.md b/docs/en/users/07_Frequently_Asked_Questions.md index 08148ef98..252e9c461 100644 --- a/docs/en/users/07_Frequently_Asked_Questions.md +++ b/docs/en/users/07_Frequently_Asked_Questions.md @@ -57,10 +57,17 @@ Some Linux distribution like Fedora or RedHat Enterprise Linux have SELinux syst The following commands should be executed as root : ```sh -semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data +semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data' semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data/cache' semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data/users' semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data/favicons' +restorecon -Rv /usr/share/FreshRSS/data +``` + +If for some reasons right should be granted to the whole data directory (itself and sub-directories), execute the following commands: + +```sh +semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data(/.*)?' restorecon -Rv /usr/share/FreshRSS/data ``` \ No newline at end of file diff --git a/docs/fr/users/07_Frequently_Asked_Questions.md b/docs/fr/users/07_Frequently_Asked_Questions.md index dd0a64998..94992b154 100644 --- a/docs/fr/users/07_Frequently_Asked_Questions.md 
+++ b/docs/fr/users/07_Frequently_Asked_Questions.md @@ -56,10 +56,16 @@ Certaines distributions Linux comme Fedora ou RedHat Enterprise Linux (RHEL) act Il faut donc exécuter les commandes suivantes en tant que root : ```sh -semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data +semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data' semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data/cache' semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data/users' semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data/favicons' +restorecon -Rv /usr/share/FreshRSS/data +``` + +Si les droits doivent s'appliquer à tous les sous-répertoires de data et data lui-même, exécuter les commandes suivantes: +```sh +semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data(/.*)?' restorecon -Rv /usr/share/FreshRSS/data ``` \ No newline at end of file -- cgit v1.2.3 From f62d69e1f4133c9bd8832c617fe5677f499d8a95 Mon Sep 17 00:00:00 2001 From: Henry Date: Thu, 26 Apr 2018 07:46:15 +0200 Subject: Selinux FAQ Add PubSubHubbub sub directory --- docs/en/users/07_Frequently_Asked_Questions.md | 1 + docs/fr/users/07_Frequently_Asked_Questions.md | 1 + 2 files changed, 2 insertions(+) (limited to 'docs') diff --git a/docs/en/users/07_Frequently_Asked_Questions.md b/docs/en/users/07_Frequently_Asked_Questions.md index 252e9c461..8187b8b6a 100644 --- a/docs/en/users/07_Frequently_Asked_Questions.md +++ b/docs/en/users/07_Frequently_Asked_Questions.md 
@@ -61,6 +61,7 @@ semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data' semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data/cache' semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data/users' semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data/favicons' +semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data/PubSubHubbub' restorecon -Rv /usr/share/FreshRSS/data ``` diff --git a/docs/fr/users/07_Frequently_Asked_Questions.md b/docs/fr/users/07_Frequently_Asked_Questions.md index 94992b154..b1906147a 100644 --- a/docs/fr/users/07_Frequently_Asked_Questions.md +++ b/docs/fr/users/07_Frequently_Asked_Questions.md @@ -60,6 +60,7 @@ semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data' semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data/cache' semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data/users' semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data/favicons' +semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data/PubSubHubbub' restorecon -Rv /usr/share/FreshRSS/data ``` -- cgit v1.2.3 From 28403cd6aac6e6245ea7d189e34219b0af879603 Mon Sep 17 00:00:00 2001 From: Henry Date: Thu, 26 Apr 2018 08:32:07 +0200 Subject: SeLinux context Prefer apply rights to the whole data instead of individual subdir --- docs/en/users/07_Frequently_Asked_Questions.md | 24 ++---------------------- docs/fr/users/07_Frequently_Asked_Questions.md | 22 ++-------------------- 2 files changed, 4 insertions(+), 42 deletions(-) (limited to 'docs') diff --git a/docs/en/users/07_Frequently_Asked_Questions.md b/docs/en/users/07_Frequently_Asked_Questions.md index 8187b8b6a..42156b1a9 100644 --- a/docs/en/users/07_Frequently_Asked_Questions.md +++ b/docs/en/users/07_Frequently_Asked_Questions.md 
@@ -47,28 +47,8 @@ For more information on that matter, there is a [dedicated documentation](../../ ## Permissions under SELinux -Some Linux distribution like Fedora or RedHat Enterprise Linux have SELinux system enabled. This acts like a firewall application, so all applications cannot write/modify files under certain conditions. While installing FreshRSS, step 2 can fail if the httpd process cannot write to the following directories : - - - FreshRSS/data - - FreshRSS/data/cache - - FreshRSS/data/favicons - - FreshRSS/data/users - -The following commands should be executed as root : - -```sh -semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data' -semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data/cache' -semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data/users' -semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data/favicons' -semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data/PubSubHubbub' - -restorecon -Rv /usr/share/FreshRSS/data -``` - -If for some reasons right should be granted to the whole data directory (itself and sub-directories), execute the following commands: - +Some Linux distribution like Fedora or RedHat Enterprise Linux have SELinux system enabled. This acts like a firewall application, so all applications cannot write/modify files under certain conditions. While installing FreshRSS, step 2 can fail if the httpd process cannot write to some data sub-directories, the following command should be executed as root : ```sh semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data(/.*)?' restorecon -Rv /usr/share/FreshRSS/data -``` \ No newline at end of file +``` diff --git a/docs/fr/users/07_Frequently_Asked_Questions.md b/docs/fr/users/07_Frequently_Asked_Questions.md index b1906147a..2dc2cae97 100644 --- a/docs/fr/users/07_Frequently_Asked_Questions.md +++ b/docs/fr/users/07_Frequently_Asked_Questions.md 
@@ -47,26 +47,8 @@ Pour plus d'information à ce sujet, il existe la [documentation dédiée](../.. ## Gérer les permissions sous SELinux -Certaines distributions Linux comme Fedora ou RedHat Enterprise Linux (RHEL) activent par défaut le système SELinux. Celui-ci permet de gérer des permissions au niveau des processus. Lors de l'installation de FreshRSS, l'étape 2 procède à la vérification des droits sur certains répertoires: - - - FreshRSS/data - - FreshRSS/data/cache - - FreshRSS/data/favicons - - FreshRSS/data/users - -Il faut donc exécuter les commandes suivantes en tant que root : -```sh -semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data' -semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data/cache' -semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data/users' -semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data/favicons' -semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data/PubSubHubbub' - -restorecon -Rv /usr/share/FreshRSS/data -``` - -Si les droits doivent s'appliquer à tous les sous-répertoires de data et data lui-même, exécuter les commandes suivantes: +Certaines distributions Linux comme Fedora ou RedHat Enterprise Linux (RHEL) activent par défaut le système SELinux. Celui-ci permet de gérer des permissions au niveau des processus. Lors de l'installation de FreshRSS, l'étape 2 procède à la vérification des droits sur certains répertoires, il faut donc exécuter la commande suivante en tant que root: ```sh semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/FreshRSS/data(/.*)?' restorecon -Rv /usr/share/FreshRSS/data -``` \ No newline at end of file +``` -- cgit v1.2.3
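Review bot: In commit a0a5ec8, docs/en hunk, the first added `semanage fcontext` line opens a single quote before `/usr/share/FreshRSS/data` and never closes it, so pasting the block inverts the quoting of every following line and leaves the shell waiting on an unterminated string. Close the quote as on the three lines below it. The added paragraph also describes SELinux as acting "like a firewall application"; it is mandatory access control based on process and file labels, and saying so would explain why the fix is a file-context type (`httpd_sys_rw_content_t`) rather than a change of Unix permissions.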
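Review bot: In commit a0a5ec8, docs/fr hunk, the added sh code fence is never closed: the hunk ends at the `restorecon -Rv /usr/share/FreshRSS/data` line, leaving the Markdown code block open at end of file. Add the closing fence after `restorecon`, and close the single quote on the first `semanage fcontext` line, which has the same unterminated `'/usr/share/FreshRSS/data` as the English file.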
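Review bot: In commit 67c608d, docs/en hunk, the new paragraph offers the `'/usr/share/FreshRSS/data(/.*)?'` rule "if for some reasons" without saying how it differs from the four rules above it. The file specification is a regular expression matched against the full path, so the earlier rules label only the named directories themselves, while `(/.*)?` covers `data` and everything beneath it. Add one sentence stating that difference and that the reader needs one of the two blocks, not both; the wording would also read better as "If for some reason rights should be granted". The same applies to the French hunk of this commit.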
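Review bot: In commit f62d69e, docs/en hunk, the added `'/usr/share/FreshRSS/data/PubSubHubbub'` rule has no counterpart in the bulleted directory list introduced in a0a5ec8 (data, cache, favicons, users), which this one-line change does not touch, so the prose and the commands now disagree on which directories httpd must be able to write to. Add `FreshRSS/data/PubSubHubbub` to that list; the French hunk needs the same addition.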
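Review bot: In commit 28403cd, docs/en hunk, the rewritten sentence says httpd "cannot write to some data sub-directories", but the only rule left, `'/usr/share/FreshRSS/data(/.*)?'`, makes the whole `data` tree writable by httpd. State that scope explicitly so an administrator knows what is being granted. The sentence also joins two statements with a comma and announces "the following command" above a block of two (`semanage fcontext`, then `restorecon`); split it after "sub-directories" and use the plural. Both commands are keyed to `/usr/share/FreshRSS` with no hint that the path must match the actual install location; say so, and consider adding a verification step such as `ls -Zd` on the data directory after `restorecon`.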
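Review bot: In commit 28403cd, docs/fr hunk, the French sentence says only that step 2 checks permissions on certain directories ("procède à la vérification des droits sur certains répertoires") and, unlike the English text, never says that the step fails when httpd cannot write there, so "il faut donc" has nothing to follow from. Align it with the English wording, and change "la commande suivante" to the plural since the block runs both `semanage fcontext` and `restorecon`.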