Difference between revisions of "Selinux"
Jump to navigation
Jump to search
| (5 intermediate revisions by the same user not shown) | |||
| Line 14: | Line 14: | ||
=Allowing stuff to do stuff= | =Allowing stuff to do stuff= | ||
==Httpd== | ==Httpd== | ||
| + | ===Access & write to nfs mounts=== | ||
| + | setsebool -P httpd_use_nfs 1 | ||
| + | ===Blanket access to docroot=== | ||
| + | chcon -Rv --type=httpd_sys_content_t /var/www/html | ||
| + | |||
===Multiviews & permission to folders=== | ===Multiviews & permission to folders=== | ||
*''semanage fcontext -a -t httpd_sys_content_t '/www/files/admin/site' '' | *''semanage fcontext -a -t httpd_sys_content_t '/www/files/admin/site' '' | ||
*''restorecon -v '/www/files/admin/site' '' | *''restorecon -v '/www/files/admin/site' '' | ||
| + | |||
| + | ==Bind== | ||
| + | semanage fcontext -a -t named_log_t /var/named/chroot/var/log/named/querylog | ||
| + | /sbin/restorecon -v /var/named/chroot/var/log/named/querylog | ||
| + | semanage fcontext -a -t named_var_run_t /var/named/chroot/var/run/named/named-int.pid | ||
| + | /sbin/restorecon -v /var/named/chroot/var/run/named/named-int.pid | ||
| + | |||
| + | ==Syslog-ng== | ||
| + | semanage fcontext -a -t syslogd_var_run_t /syslog | ||
| + | restorecon -v /syslog | ||
| + | |||
| + | ==sshd== | ||
| + | To allow a user to login without a password, make sure the fcontext of the .ssh/ and .ssh/authorized_keys files are correct. | ||
| + | Incorrect: | ||
| + | -rw-r--r--. webdev webdev unconfined_u:object_r:default_t:s0 authorized_keys | ||
| + | Correct: | ||
| + | -rw-r--r--. webdev webdev unconfined_u:object_r:ssh_home_t:s0 authorized_keys | ||
| + | Fix this by running this '''as the user''': '''restorecon -v /home/<user>/.ssh/''' | ||
| + | Might have to do that for the authorized_keys file too. | ||
Latest revision as of 08:09, 26 November 2012
Create Custom Modules
Requires package selinux-policy-devel
grep http /var/log/audit/audit.log | audit2allow -m newrelicsock > /tmp/newrelic.te make -f /usr/share/selinux/devel/Makefile semodule -i newrelic
Alternative
grep httpd /var/log/audit/audit.log | audit2allow -M newrelic semodule -i newrelic.pp
Show why selinux is being an asshole
sealert -a /var/log/audit/audit.log
- sealert is provided by the package setroubleshoot
Allowing stuff to do stuff
Httpd
Access & write to nfs mounts
setsebool -P httpd_use_nfs 1
Blanket access to docroot
chcon -Rv --type=httpd_sys_content_t /var/www/html
Multiviews & permission to folders
- semanage fcontext -a -t httpd_sys_content_t '/www/files/admin/site'
- restorecon -v '/www/files/admin/site'
Bind
semanage fcontext -a -t named_log_t /var/named/chroot/var/log/named/querylog /sbin/restorecon -v /var/named/chroot/var/log/named/querylog semanage fcontext -a -t named_var_run_t /var/named/chroot/var/run/named/named-int.pid /sbin/restorecon -v /var/named/chroot/var/run/named/named-int.pid
Syslog-ng
semanage fcontext -a -t syslogd_var_run_t /syslog restorecon -v /syslog
sshd
To allow a user to login without a password, make sure the fcontext of the .ssh/ and .ssh/authorized_keys files are correct. Incorrect:
-rw-r--r--. webdev webdev unconfined_u:object_r:default_t:s0 authorized_keys
Correct:
-rw-r--r--. webdev webdev unconfined_u:object_r:ssh_home_t:s0 authorized_keys
Fix this by running this as the user: restorecon -v /home/<user>/.ssh/ Might have to do that for the authorized_keys file too.