How do I set up SELinux access to non-standard web root?
As a learning exercise, I set up a CentOS 7 Vagrant VirtualBox machine on my Fedora 29 development box. I am using Ansible to configure the vm. In my Vagrantfile I mount my host project file as follows:
config.vm.synced_folder "/home/roger/projects", "/var/www/projects",
  owner: "vagrant",
  group: "nginx",
  mount_options: ["dmode=775,fmode=775"]
In my Nginx Ansible role I do the following (in addition to the install and start):
- name: set SELinux Nginx access to web root
  command: semanage fcontext -a -t httpd_sys_content_t "/var/www/projects(/*)?"
- name: persist SELinux access
  command: restorecon -Rv /var/www/projects
When accessing Nginx through a browser I get a 403 Forbidden error. If I set selinux to permissive on the vm via ssh, the files in my host projects directory are served correctly.
Entries to /etc/selinux/targeted/contexts/files/file_contexts.local look right:
/var/www/projects/* system_u:object_r:httpd_sys_content_t:s0
I have also attempted running the commands on the command line on the vm, to bypass anything Ansible related.
What am I missing?
nginx ansible vagrant selinux
asked Nov 23 '18 at 15:23
Roger Creasy
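A check on the file-context spec from the question, as an added example that is not part of the original post: SELinux file-context specs are regular expressions matched against the whole path, so this sketch emulates that with `grep -x` and lists which paths a spec leaves uncovered. The sample paths and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: emulate SELinux file-context spec matching.
# A spec is a regular expression anchored at both ends of the full path;
# grep -x (whole-line match) reproduces that for these simple patterns.

# spec_matches SPEC PATH -> exit status 0 if the spec covers the path
spec_matches() {
    printf '%s\n' "$2" | grep -Eqx -e "$1"
}

# uncovered_paths SPEC PATH... -> print every path the spec does NOT cover
uncovered_paths() {
    spec=$1
    shift
    for p in "$@"; do
        spec_matches "$spec" "$p" || printf '%s\n' "$p"
    done
}

QUESTION_SPEC='/var/www/projects(/*)?'   # as passed to semanage in the question
USUAL_SPEC='/var/www/projects(/.*)?'     # conventional "directory and everything below"

# report -> show, per spec, which constructed sample paths are left uncovered
report() {
    for s in "$QUESTION_SPEC" "$USUAL_SPEC"; do
        echo "spec: $s"
        uncovered_paths "$s" \
            /var/www/projects \
            /var/www/projects/index.html \
            /var/www/projects/site/css/main.css |
            sed 's/^/  not covered: /'
    done
}

report
```

On the VM itself, `matchpathcon` on a file under the web root reports the label the policy expects, and `ls -Z` on the same file shows the label it actually carries.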