Difference between revisions of "Selinux"
(→Httpd) |
(2 intermediate revisions by the same user not shown) | |||
Line 14: | Line 14: | ||
=Allowing stuff to do stuff= | =Allowing stuff to do stuff= | ||
==Httpd== | ==Httpd== | ||
+ | ===Access & write to nfs mounts=== | ||
+ | setsebool -P httpd_use_nfs 1 | ||
===Blanket access to docroot=== | ===Blanket access to docroot=== | ||
− | chcon -Rv --type=httpd_sys_content_t | + | chcon -Rv --type=httpd_sys_content_t /var/www/html |
+ | |||
===Multiviews & permission to folders=== | ===Multiviews & permission to folders=== | ||
*''semanage fcontext -a -t httpd_sys_content_t '/www/files/admin/site' '' | *''semanage fcontext -a -t httpd_sys_content_t '/www/files/admin/site' '' | ||
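Review bot: the corrected line `chcon -Rv --type=httpd_sys_content_t /var/www/html` now has the path it was missing, but chcon only rewrites the label stored on disk; the next `restorecon` or full relabel puts the policy's default back. For a rule that survives relabelling, use the `semanage fcontext -a -t httpd_sys_content_t ...` plus `restorecon -v ...` pair that the 'Multiviews & permission to folders' lines directly below already show, with a `(/.*)?` suffix on the pattern so the whole tree is covered. It would also help to say next to `setsebool -P httpd_use_nfs 1` that the boolean is global for httpd, not per site.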
Line 29: | Line 32: | ||
semanage fcontext -a -t syslogd_var_run_t /syslog | semanage fcontext -a -t syslogd_var_run_t /syslog | ||
restorecon -v /syslog | restorecon -v /syslog | ||
+ | |||
+ | ==sshd== | ||
+ | To allow a user to login without a password, make sure the fcontext of the .ssh/ and .ssh/authorized_keys files are correct. | ||
+ | Incorrect: | ||
+ | -rw-r--r--. webdev webdev unconfined_u:object_r:default_t:s0 authorized_keys | ||
+ | Correct: | ||
+ | -rw-r--r--. webdev webdev unconfined_u:object_r:ssh_home_t:s0 authorized_keys | ||
+ | Fix this by running this '''as the user''': '''restorecon -v /home/<user>/.ssh/''' | ||
+ | Might have to do that for the authorized_keys file too. |
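Review bot: the closing sentence "Might have to do that for the authorized_keys file too" is a symptom of `restorecon -v /home/<user>/.ssh/` not recursing; without `-R` it relabels only the path it is given. Suggest documenting `restorecon -Rv /home/<user>/.ssh` so one command covers the directory and every file in it, and keeping the 'Correct' line as the reference for the expected `ssh_home_t` type.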
Latest revision as of 07:09, 26 November 2012
Create Custom Modules
Requires package selinux-policy-devel
grep http /var/log/audit/audit.log | audit2allow -m newrelicsock > /tmp/newrelic.te
cd /tmp && make -f /usr/share/selinux/devel/Makefile
semodule -i /tmp/newrelic.pp
make has to run in the directory that holds newrelic.te; it compiles it to newrelic.pp, and the .pp file is what semodule installs.
Alternative
grep httpd /var/log/audit/audit.log | audit2allow -M newrelic
semodule -i newrelic.pp
Read the generated .te before installing it: audit2allow allows exactly what the log shows as denied, which is often wider than the one access you wanted.
Show why selinux is being an asshole
sealert -a /var/log/audit/audit.log
- sealert is provided by the package setroubleshoot
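The two recipes above and sealert all start from the AVC records in /var/log/audit/audit.log. The script below is an added example, not from this wiki page and not audit2allow itself: it reproduces the core of what `audit2allow -m` does (one `allow` rule per source type, target type and class, plus the `require` block) so the generated module can be read before `semodule -i`. The audit lines, the module name `newrelicsock` and the function names `avc_tuples`, `avc_te` and `newrelic_te` are constructed for the example; on a real host the sample would be replaced by `grep httpd /var/log/audit/audit.log`.

```shell
#!/usr/bin/env bash
# Added example (not the wiki page's code, not audit2allow): turn AVC denial
# records into a readable Type Enforcement module so it can be reviewed and
# trimmed before being compiled and installed. Runs offline on the sample.

# Constructed sample in audit.log layout (pids, inodes, timestamps made up).
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1353900000.123:42): avc:  denied  { write } for  pid=1234 comm="httpd" name="upload.txt" dev="0:21" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1353900000.123:42): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1353900001.456:43): avc:  denied  { read } for  pid=1234 comm="httpd" name="upload.txt" dev="0:21" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1353900002.789:44): avc:  denied  { write } for  pid=1234 comm="httpd" name="newrelic.sock" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1353900003.000:45): avc:  denied  { connectto } for  pid=1234 comm="httpd" path="/var/run/newrelic.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket'

# avc_tuples: AVC records on stdin -> one "src_type tgt_type class perm" per
# line, sorted and de-duplicated. Non-AVC records (SYSCALL etc.) are skipped.
avc_tuples() {
  awk '
    /^type=AVC / && /avc:  denied  / {
      perms = substr($0, index($0, "denied  { ") + 10)   # text after "denied  { "
      perms = substr(perms, 1, index(perms, " }") - 1)   # up to the closing brace
      src = $0; sub(/.*scontext=/, "", src); sub(/ .*/, "", src); split(src, s, ":")
      tgt = $0; sub(/.*tcontext=/, "", tgt); sub(/ .*/, "", tgt); split(tgt, t, ":")
      cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
      n = split(perms, p, " ")
      for (i = 1; i <= n; i++) print s[3], t[3], cls, p[i]   # field 3 of a context is the type
    }' | LC_ALL=C sort -u
}

# avc_te NAME: tuples on stdin -> complete module source with a require block.
avc_te() {
  awk -v name="$1" '
    function sorted(set, out,   k, n, i, j, x) {       # insertion sort of the keys of set
      n = 0; for (k in set) out[++n] = k
      for (i = 2; i <= n; i++) { x = out[i]; for (j = i - 1; j > 0 && out[j] > x; j--) out[j + 1] = out[j]; out[j + 1] = x }
      return n
    }
    {
      types[$1] = 1; types[$2] = 1
      if (index(" " cp[$3] " ", " " $4 " ") == 0) cp[$3] = (cp[$3] == "" ? $4 : cp[$3] " " $4)
      key = $1 " " $2 ":" $3
      if (!(key in rp)) order[++nr] = key
      rp[key] = (rp[key] == "" ? $4 : rp[key] " " $4)
    }
    END {
      print "module " name " 1.0;"; print ""; print "require {"
      n = sorted(types, ts); for (i = 1; i <= n; i++) print "\ttype " ts[i] ";"
      n = sorted(cp, cs);    for (i = 1; i <= n; i++) print "\tclass " cs[i] " { " cp[cs[i]] " };"
      print "}"; print ""
      for (i = 1; i <= nr; i++) print "allow " order[i] " { " rp[order[i]] " };"
    }'
}

# Build the module text from the constructed sample. On a real host:
#   grep httpd /var/log/audit/audit.log | avc_tuples | avc_te newrelic > newrelic.te
newrelic_te() { printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_tuples | avc_te newrelicsock; }

newrelic_te
```

The output for the sample is three `allow` rules (httpd_t on nfs_t files, on a var_run_t sock_file and a connectto to unconfined_t), which is exactly the kind of thing to read twice: the nfs_t rule is better served by `setsebool -P httpd_use_nfs 1` from the Httpd section than by a custom module, and the socket rules should be narrowed to the socket's own type before installing.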
Allowing stuff to do stuff
Httpd
Access & write to nfs mounts
setsebool -P httpd_use_nfs 1
Blanket access to docroot
chcon -Rv --type=httpd_sys_content_t /var/www/html
Multiviews & permission to folders
- semanage fcontext -a -t httpd_sys_content_t '/www/files/admin/site'
- restorecon -v '/www/files/admin/site'
Bind
semanage fcontext -a -t named_log_t /var/named/chroot/var/log/named/querylog
/sbin/restorecon -v /var/named/chroot/var/log/named/querylog
semanage fcontext -a -t named_var_run_t /var/named/chroot/var/run/named/named-int.pid
/sbin/restorecon -v /var/named/chroot/var/run/named/named-int.pid
Syslog-ng
semanage fcontext -a -t syslogd_var_run_t /syslog
restorecon -v /syslog
sshd
To allow a user to log in without a password, make sure the fcontext of the .ssh/ directory and the .ssh/authorized_keys file is correct.
Incorrect:
-rw-r--r--. webdev webdev unconfined_u:object_r:default_t:s0 authorized_keys
Correct:
-rw-r--r--. webdev webdev unconfined_u:object_r:ssh_home_t:s0 authorized_keys
Fix this by running this as the user: restorecon -v /home/<user>/.ssh/
Without -R, restorecon relabels only the path it is given, so you might have to do that for the authorized_keys file too.
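A quick way to see which files in .ssh/ still carry the wrong type, before and after restorecon, is to run the check below over `ls -Z` output. It is an added example, not from this wiki page: the `check_labels` function and the sample lines are constructed for it, in the same `ls -Z` layout the Incorrect/Correct lines above use, and the type to expect (`ssh_home_t`) is passed in rather than hard-coded so the same check serves a docroot with `httpd_sys_content_t`.

```shell
#!/usr/bin/env bash
# Added example (not the wiki page's code): report files whose SELinux type
# differs from the expected one, reading 'ls -Z' lines on stdin.
# Runs offline on the constructed sample below.

# Constructed sample: what 'ls -Z ~/.ssh' might print for user webdev,
# including the mislabelled authorized_keys from the page and a stray file.
SAMPLE_LS_Z='drwx------. webdev webdev unconfined_u:object_r:ssh_home_t:s0 .
-rw-r--r--. webdev webdev unconfined_u:object_r:default_t:s0 authorized_keys
-rw-------. webdev webdev unconfined_u:object_r:ssh_home_t:s0 id_rsa
-rw-r--r--. webdev webdev unconfined_u:object_r:httpd_sys_content_t:s0 known_hosts'

# check_labels EXPECTED_TYPE: prints "name actual_type" for every line whose
# context type is not EXPECTED_TYPE; exit status 1 if any mismatch, else 0.
# The context is found as the first field with at least four ':'-separated
# parts (user:role:type:level), so old and new 'ls -Z' layouts both work.
check_labels() {
  awk -v want="$1" '
    {
      ctx = ""
      for (i = 1; i <= NF; i++) if (split($i, c, ":") >= 4) { ctx = $i; break }
      if (ctx == "") next                  # not an ls -Z line
      split(ctx, c, ":")
      if (c[3] != want) { print $NF, c[3]; bad = 1 }
    }
    END { exit bad ? 1 : 0 }'
}

# Usage on a live host (after cd ~/.ssh): ls -Z | check_labels ssh_home_t
# Each name printed is a path restorecon still has to be run on.
printf '%s\n' "$SAMPLE_LS_Z" | check_labels ssh_home_t
```

For the sample this prints `authorized_keys default_t` and `known_hosts httpd_sys_content_t` and exits 1; once every line shows `ssh_home_t` it prints nothing and exits 0, which makes it usable as a guard in a provisioning script.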