Solved SnipeIT - Connection Refused

JaredBusch

@DustinB3403
https://mangolassi.it/post/323040

This is where we talked about this.

Let me go hit my github and pull out the command without variables.

travisdh1

@jaredbusch "setenforce 0" always the lazy way out.

DustinB3403

@travisdh1 said in SnipeIT - Connection Refused:

@jaredbusch "setenforce 0" always the lazy way out.

That is what I did for the moment, just to test. But I would like to allow only the services that are required of the system.

Is there no way to specify httpd as being allowed through setenforce?

JaredBusch

Straight from the install script.
By default this should be what was done.

#Sets SELinux context type so that scripts running in the web server process are allowed read/write access
chcon -R -h -t httpd_sys_script_rw_t /var/www/html/snipeit

Turn SELinux back on

setenforce 1

The restart Apache

systemctl restart httpd

DustinB3403

@jaredbusch said in SnipeIT - Connection Refused:

Straight from the install script.
By default this should be what was done.

#Sets SELinux context type so that scripts running in the web server process are allowed read/write access
chcon -R -h -t httpd_sys_script_rw_t /var/www/html/snipeit

Turn SELinux back on

setenforce 1

The restart Apache

systemctl restart httpd

That didn't work.

JaredBusch

@dustinb3403 said in SnipeIT - Connection Refused:

@jaredbusch said in SnipeIT - Connection Refused:

Straight from the install script.
By default this should be what was done.

#Sets SELinux context type so that scripts running in the web server process are allowed read/write access
chcon -R -h -t httpd_sys_script_rw_t /var/www/html/snipeit

Turn SELinux back on

setenforce 1

The restart Apache

systemctl restart httpd

That didn't work.

Was wondering, because that is not how I learned to change that in ownCloud. Sec.

DustinB3403

@JaredBusch one sec, it may have just needed to be stopped completely.

DustinB3403

We're up and running.

OKAY @JaredBusch go bitch slap the SnipeIT team. . .

JaredBusch

@dustinb3403 said in SnipeIT - Connection Refused:

@JaredBusch one sec, it may have just needed to be stopped completely.

Well check your context with

ls -laZ /var/www/html

should look like this:

drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 snipeit

JaredBusch

@dustinb3403 said in SnipeIT - Connection Refused:

We're up and running.

OKAY @JaredBusch go bitch slap the SnipeIT team. . .

The pertinent question is, was the setenforce 0 in their guide or the script on here?

DustinB3403

@jaredbusch said in SnipeIT - Connection Refused:

ls -laZ /var/www/html

It does, I think we're in good shape.

JaredBusch

@jaredbusch said in SnipeIT - Connection Refused:

@dustinb3403 said in SnipeIT - Connection Refused:

We're up and running.

OKAY @JaredBusch go bitch slap the SnipeIT team. . .

The pertinent question is, was the setenforce 0 in their guide or the script on here?

It looks like @scottalanmiller's original post has the setenforce 0 in it. So the question is where did he get it from?

https://mangolassi.it/topic/6967/installing-snipe-it-on-centos-7-and-mariadb/1

DustinB3403

@jaredbusch said in SnipeIT - Connection Refused:

@dustinb3403 said in SnipeIT - Connection Refused:

We're up and running.

OKAY @JaredBusch go bitch slap the SnipeIT team. . .

The pertinent question is, was the setenforce 0 in their guide or the script on here?

That I honestly don't recall. I probably used an installation guide here on ML, as the information from their site is pretty bad.

DustinB3403

For a little necormancy

This issue came back again, thought I had resolved it after the last time.

Well this time I've got it set.

setsebool -P httpd_can_connect_ldap on
chcon -R -h -t httpd_sys_script_rw_t /var/www/html/snipeit/

sealert (which I had to install) showed I needed this as well

ausearch -c 'httpd' --raw | audit2allow -M my-httpd
semodule -i my-httpd.pp

Once done, reboot and check is httpd (apache) is running. For me it was.

tiagom

The installer doesn't setenforce 0. Depending on the distro being installed it even checks if selinux is enforcing and runs
setsebool -P httpd_can_connect_ldap on
chcon -R -h -t httpd_sys_script_rw_t /var/www/html/snipeit/

DustinB3403

@tiagom said in SnipeIT - Connection Refused:

The installer doesn't setenforce 0. Depending on the distro being installed it even checks if selinux is enforcing and runs
setsebool -P httpd_can_connect_ldap on
chcon -R -h -t httpd_sys_script_rw_t /var/www/html/snipeit/

Did it before, the original installer? Or was that a more recent change? I had to set that in order to get setenforce to allow apache.

tiagom

Original snipeit installer had it added on Sep 26, 2016.

DustinB3403

@tiagom hrm. . .

JaredBusch

@dustinb3403 said in SnipeIT - Connection Refused:

@tiagom hrm. . .

But the guide that is posted here instructed you to setenforce 0 before executing the script so that means that code never ran. I mentioned that in the posts a few months ago when I changed the thing to use git for CentOS 7.

JaredBusch

I ran out of test time the other day, for Fedora 26. But it seemed to have worked for that part.

I had other issues.