Difference between revisions of "Selinux"
Jump to navigation
Jump to search
(→Httpd) |
|||
| Line 14: | Line 14: | ||
=Allowing stuff to do stuff= | =Allowing stuff to do stuff= | ||
==Httpd== | ==Httpd== | ||
| + | ===Blanket access to docroot=== | ||
| + | chcon -Rv --type=httpd_sys_content_t | ||
===Multiviews & permission to folders=== | ===Multiviews & permission to folders=== | ||
*''semanage fcontext -a -t httpd_sys_content_t '/www/files/admin/site' '' | *''semanage fcontext -a -t httpd_sys_content_t '/www/files/admin/site' '' | ||
*''restorecon -v '/www/files/admin/site' '' | *''restorecon -v '/www/files/admin/site' '' | ||
| + | |||
==Bind== | ==Bind== | ||
semanage fcontext -a -t named_log_t /var/named/chroot/var/log/named/querylog | semanage fcontext -a -t named_log_t /var/named/chroot/var/log/named/querylog | ||
Revision as of 08:52, 8 November 2012
Create Custom Modules
Requires package selinux-policy-devel
grep http /var/log/audit/audit.log | audit2allow -m newrelicsock > /tmp/newrelic.te make -f /usr/share/selinux/devel/Makefile semodule -i newrelic
Alternative
grep httpd /var/log/audit/audit.log | audit2allow -M newrelic semodule -i newrelic.pp
Show why selinux is being an asshole
sealert -a /var/log/audit/audit.log
- sealert is provided by the package setroubleshoot
Allowing stuff to do stuff
Httpd
Blanket access to docroot
chcon -Rv --type=httpd_sys_content_t
Multiviews & permission to folders
- semanage fcontext -a -t httpd_sys_content_t '/www/files/admin/site'
- restorecon -v '/www/files/admin/site'
Bind
semanage fcontext -a -t named_log_t /var/named/chroot/var/log/named/querylog /sbin/restorecon -v /var/named/chroot/var/log/named/querylog semanage fcontext -a -t named_var_run_t /var/named/chroot/var/run/named/named-int.pid /sbin/restorecon -v /var/named/chroot/var/run/named/named-int.pid
Syslog-ng
semanage fcontext -a -t syslogd_var_run_t /syslog restorecon -v /syslog