Solved SnipeIT - Connection Refused
-
@dustinb3403 said in SnipeIT - Connection Refused:
@travisdh1 said in SnipeIT - Connection Refused:
@dustinb3403 said in SnipeIT - Connection Refused:
Setenforce 0
(AKA I can access the system) . . . so now how to configure it so this system isn't wide open. . .
Oh, that's in @JaredBusch's guides to setting up NextCloud... I bet you get it looked up before I find it
Found the guide. It was never updated with setenforce info.
Your problem is because somewhere along the way the old guides for Snipe said to setenforce 0 during install.
But Snipe's installer actually checks for SELinux to be enforcing and then sets the required contexts. So because the guide said to install with it off, the installer never set the contexts.
I found this when I figured out how to change the installer to use git. Lemme go dig that out.
-
@DustinB3403
https://mangolassi.it/post/323040
This is where we talked about this.
Let me go hit my github and pull out the command without variables.
-
@jaredbusch "setenforce 0" always the lazy way out.
-
@travisdh1 said in SnipeIT - Connection Refused:
@jaredbusch "setenforce 0" always the lazy way out.
That is what I did for the moment, just to test. But I would like to allow only the services that are required of the system.
Is there no way to specify httpd as being allowed through setenforce?
-
Straight from the install script.
By default this should be what was done.
#Sets SELinux context type so that scripts running in the web server process are allowed read/write access
chcon -R -h -t httpd_sys_script_rw_t /var/www/html/snipeit
Turn SELinux back on
setenforce 1
Then restart Apache
systemctl restart httpd
-
@jaredbusch said in SnipeIT - Connection Refused:
Straight from the install script.
By default this should be what was done.
#Sets SELinux context type so that scripts running in the web server process are allowed read/write access
chcon -R -h -t httpd_sys_script_rw_t /var/www/html/snipeit
Turn SELinux back on
setenforce 1
Then restart Apache
systemctl restart httpd
That didn't work.
-
@dustinb3403 said in SnipeIT - Connection Refused:
@jaredbusch said in SnipeIT - Connection Refused:
Straight from the install script.
By default this should be what was done.
#Sets SELinux context type so that scripts running in the web server process are allowed read/write access
chcon -R -h -t httpd_sys_script_rw_t /var/www/html/snipeit
Turn SELinux back on
setenforce 1
Then restart Apache
systemctl restart httpd
That didn't work.
Was wondering, because that is not how I learned to change that in ownCloud. Sec.
-
@JaredBusch one sec, it may have just needed to be stopped completely.
-
We're up and running.
OKAY @JaredBusch go bitch slap the SnipeIT team. . .
-
@dustinb3403 said in SnipeIT - Connection Refused:
@JaredBusch one sec, it may have just needed to be stopped completely.
Well check your context with
ls -laZ /var/www/html
should look like this:
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 snipeit
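Added example (not part of the thread or of the Snipe-IT installer): a shell check that reads `ls -laZ` output like the line above and flags entries whose SELinux type httpd cannot write to. The function names, the sample listing and the `snipeit-restored` directory are constructed for illustration; the commented `semanage`/`restorecon` lines are the persistent form of the `chcon` fix.

```bash
#!/usr/bin/env bash
# Added example: flag entries in `ls -laZ` output whose SELinux type is not
# one httpd may write to. Function names and SAMPLE are constructed.

# httpd_sys_script_rw_t (the chcon target in the thread) is an alias of
# httpd_sys_rw_content_t in the targeted policy, so ls shows the latter.
OK_TYPES="httpd_sys_rw_content_t httpd_sys_script_rw_t"

# Print the type field of the user:role:type:level context found on one
# `ls -Z` line, whichever column the context is in.
selinux_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[a-z_]+:[a-z_]+:[a-z0-9_]+:s[0-9]/) {
                split($i, c, ":"); print c[3]; exit
            }
    }'
}

# Read `ls -Z` lines on stdin, print "name type" for each entry whose type is
# not in OK_TYPES, and return 1 if any entry was flagged.
audit_contexts() {
    bad=0
    while IFS= read -r line; do
        t=$(selinux_type "$line")
        [ -n "$t" ] || continue               # e.g. the "total N" line
        name=${line##* }
        case "$name" in .|..) continue ;; esac
        case " $OK_TYPES " in
            *" $t "*) ;;
            *) printf '%s %s\n' "$name" "$t"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed listing in the CentOS 7 format shown in the thread.
SAMPLE='total 4
drwxr-xr-x. root   root   system_u:object_r:httpd_sys_content_t:s0 .
drwxr-xr-x. root   root   system_u:object_r:var_t:s0 ..
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 snipeit
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 snipeit-restored'

# Live use:   ls -laZ /var/www/html | audit_contexts
# Persistent form of the chcon fix (chcon labels are lost on a relabel):
#   semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/snipeit(/.*)?'
#   restorecon -Rv /var/www/html/snipeit
```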
-
@dustinb3403 said in SnipeIT - Connection Refused:
We're up and running.
OKAY @JaredBusch go bitch slap the SnipeIT team. . .
The pertinent question is, was the setenforce 0 in their guide or the script on here?
-
@jaredbusch said in SnipeIT - Connection Refused:
ls -laZ /var/www/html
It does, I think we're in good shape.
-
@jaredbusch said in SnipeIT - Connection Refused:
@dustinb3403 said in SnipeIT - Connection Refused:
We're up and running.
OKAY @JaredBusch go bitch slap the SnipeIT team. . .
The pertinent question is, was the setenforce 0 in their guide or the script on here?
It looks like @scottalanmiller's original post has the setenforce 0 in it. So the question is where did he get it from?
https://mangolassi.it/topic/6967/installing-snipe-it-on-centos-7-and-mariadb/1
-
@jaredbusch said in SnipeIT - Connection Refused:
@dustinb3403 said in SnipeIT - Connection Refused:
We're up and running.
OKAY @JaredBusch go bitch slap the SnipeIT team. . .
The pertinent question is, was the setenforce 0 in their guide or the script on here?
That I honestly don't recall. I probably used an installation guide here on ML, as the information from their site is pretty bad.
-
For a little necromancy
This issue came back again, thought I had resolved it after the last time.
Well this time I've got it set.
setsebool -P httpd_can_connect_ldap on
chcon -R -h -t httpd_sys_script_rw_t /var/www/html/snipeit/
sealert (which I had to install) showed I needed this as well
ausearch -c 'httpd' --raw | audit2allow -M my-httpd
semodule -i my-httpd.pp
Once done, reboot and check if httpd (apache) is running. For me it was.
-
The installer doesn't setenforce 0. Depending on the distro being installed it even checks if selinux is enforcing and runs
setsebool -P httpd_can_connect_ldap on
chcon -R -h -t httpd_sys_script_rw_t /var/www/html/snipeit/
-
@tiagom said in SnipeIT - Connection Refused:
The installer doesn't setenforce 0. Depending on the distro being installed it even checks if selinux is enforcing and runs
setsebool -P httpd_can_connect_ldap on
chcon -R -h -t httpd_sys_script_rw_t /var/www/html/snipeit/
Did it before, the original installer? Or was that a more recent change? I had to set that in order to get setenforce to allow apache.
-
Original snipeit installer had it added on Sep 26, 2016.
-
@tiagom hrm. . .
-
@dustinb3403 said in SnipeIT - Connection Refused:
@tiagom hrm. . .
But the guide that is posted here instructed you to setenforce 0 before executing the script so that means that code never ran. I mentioned that in the posts a few months ago when I changed the thing to use git for CentOS 7.