Difference between revisions of "Selinux"
Jump to navigation
Jump to search
(→Httpd) |
|||
| Line 14: | Line 14: | ||
=Allowing stuff to do stuff= | =Allowing stuff to do stuff= | ||
==Httpd== | ==Httpd== | ||
| + | ===Access & write to nfs mounts=== | ||
| + | setsebool -P httpd_use_nfs 1 | ||
===Blanket access to docroot=== | ===Blanket access to docroot=== | ||
chcon -Rv --type=httpd_sys_content_t /var/www/html | chcon -Rv --type=httpd_sys_content_t /var/www/html | ||
Revision as of 10:17, 8 November 2012
Create Custom Modules
Requires package selinux-policy-devel
grep http /var/log/audit/audit.log | audit2allow -m newrelicsock > /tmp/newrelic.te make -f /usr/share/selinux/devel/Makefile semodule -i newrelic
Alternative
grep httpd /var/log/audit/audit.log | audit2allow -M newrelic semodule -i newrelic.pp
Show why selinux is being an asshole
sealert -a /var/log/audit/audit.log
- sealert is provided by the package setroubleshoot
Allowing stuff to do stuff
Httpd
Access & write to nfs mounts
setsebool -P httpd_use_nfs 1
Blanket access to docroot
chcon -Rv --type=httpd_sys_content_t /var/www/html
Multiviews & permission to folders
- semanage fcontext -a -t httpd_sys_content_t '/www/files/admin/site'
- restorecon -v '/www/files/admin/site'
Bind
semanage fcontext -a -t named_log_t /var/named/chroot/var/log/named/querylog /sbin/restorecon -v /var/named/chroot/var/log/named/querylog semanage fcontext -a -t named_var_run_t /var/named/chroot/var/run/named/named-int.pid /sbin/restorecon -v /var/named/chroot/var/run/named/named-int.pid
Syslog-ng
semanage fcontext -a -t syslogd_var_run_t /syslog restorecon -v /syslog