Difference between revisions of "Selinux"

From KeegansWiki
Jump to navigation Jump to search
 
(2 intermediate revisions by the same user not shown)
Line 14: Line 14:
 
=Allowing stuff to do stuff=
 
=Allowing stuff to do stuff=
 
==Httpd==
 
==Httpd==
 +
===Access & write to nfs mounts===
 +
setsebool -P httpd_use_nfs 1
 
===Blanket access to docroot===
 
===Blanket access to docroot===
  chcon -Rv --type=httpd_sys_content_t  
+
  chcon -Rv --type=httpd_sys_content_t /var/www/html
 +
 
 
===Multiviews & permission to folders===
 
===Multiviews & permission to folders===
 
*''semanage fcontext -a -t httpd_sys_content_t '/www/files/admin/site' ''
 
*''semanage fcontext -a -t httpd_sys_content_t '/www/files/admin/site' ''
Line 29: Line 32:
 
  semanage fcontext -a -t syslogd_var_run_t /syslog
 
  semanage fcontext -a -t syslogd_var_run_t /syslog
 
  restorecon -v /syslog
 
  restorecon -v /syslog
 +
 +
==sshd==
 +
To allow a user to login without a password, make sure the fcontext of the .ssh/ and .ssh/authorized_keys files are correct.
 +
Incorrect:
 +
-rw-r--r--. webdev webdev unconfined_u:object_r:default_t:s0 authorized_keys
 +
Correct:
 +
-rw-r--r--. webdev webdev unconfined_u:object_r:ssh_home_t:s0 authorized_keys
 +
Fix this by running this '''as the user''': '''restorecon -v /home/<user>/.ssh/'''
 +
Might have to do that for the authorized_keys file too.

Latest revision as of 07:09, 26 November 2012

Create Custom Modules

Requires package selinux-policy-devel

grep http /var/log/audit/audit.log | audit2allow -m newrelicsock > /tmp/newrelic.te
make -f /usr/share/selinux/devel/Makefile
semodule -i newrelic

Alternative

grep httpd /var/log/audit/audit.log | audit2allow -M newrelic
semodule -i newrelic.pp

Show why selinux is being an asshole

sealert -a /var/log/audit/audit.log
  • sealert is provided by the package setroubleshoot

Allowing stuff to do stuff

Httpd

Access & write to nfs mounts

setsebool -P httpd_use_nfs 1

Blanket access to docroot

chcon -Rv --type=httpd_sys_content_t /var/www/html

Multiviews & permission to folders

  • semanage fcontext -a -t httpd_sys_content_t '/www/files/admin/site'
  • restorecon -v '/www/files/admin/site'

Bind

semanage fcontext -a -t named_log_t /var/named/chroot/var/log/named/querylog
/sbin/restorecon -v /var/named/chroot/var/log/named/querylog
semanage fcontext -a -t named_var_run_t /var/named/chroot/var/run/named/named-int.pid
/sbin/restorecon -v /var/named/chroot/var/run/named/named-int.pid

Syslog-ng

semanage fcontext -a -t syslogd_var_run_t /syslog
restorecon -v /syslog

sshd

To allow a user to login without a password, make sure the fcontext of the .ssh/ and .ssh/authorized_keys files are correct. Incorrect:

-rw-r--r--. webdev webdev unconfined_u:object_r:default_t:s0 authorized_keys

Correct:

-rw-r--r--. webdev webdev unconfined_u:object_r:ssh_home_t:s0 authorized_keys

Fix this by running this as the user: restorecon -v /home/<user>/.ssh/ Might have to do that for the authorized_keys file too.