Difference between revisions of "Selinux"
Jump to navigation
Jump to search
(→Httpd) |
|||
| Line 15: | Line 15: | ||
==Httpd== | ==Httpd== | ||
===Blanket access to docroot=== | ===Blanket access to docroot=== | ||
| − | chcon -Rv --type=httpd_sys_content_t | + | chcon -Rv --type=httpd_sys_content_t /var/www/html |
| + | |||
===Multiviews & permission to folders=== | ===Multiviews & permission to folders=== | ||
*''semanage fcontext -a -t httpd_sys_content_t '/www/files/admin/site' '' | *''semanage fcontext -a -t httpd_sys_content_t '/www/files/admin/site' '' | ||
Revision as of 08:52, 8 November 2012
Create Custom Modules
Requires package selinux-policy-devel
grep http /var/log/audit/audit.log | audit2allow -m newrelicsock > /tmp/newrelic.te make -f /usr/share/selinux/devel/Makefile semodule -i newrelic
Alternative
grep httpd /var/log/audit/audit.log | audit2allow -M newrelic semodule -i newrelic.pp
Show why selinux is being an asshole
sealert -a /var/log/audit/audit.log
- sealert is provided by the package setroubleshoot
Allowing stuff to do stuff
Httpd
Blanket access to docroot
chcon -Rv --type=httpd_sys_content_t /var/www/html
Multiviews & permission to folders
- semanage fcontext -a -t httpd_sys_content_t '/www/files/admin/site'
- restorecon -v '/www/files/admin/site'
Bind
semanage fcontext -a -t named_log_t /var/named/chroot/var/log/named/querylog /sbin/restorecon -v /var/named/chroot/var/log/named/querylog semanage fcontext -a -t named_var_run_t /var/named/chroot/var/run/named/named-int.pid /sbin/restorecon -v /var/named/chroot/var/run/named/named-int.pid
Syslog-ng
semanage fcontext -a -t syslogd_var_run_t /syslog restorecon -v /syslog