Difference between revisions of "Selinux"
Jump to navigation
Jump to search
| Line 17: | Line 17: | ||
*''semanage fcontext -a -t httpd_sys_content_t '/www/files/admin/site' '' | *''semanage fcontext -a -t httpd_sys_content_t '/www/files/admin/site' '' | ||
*''restorecon -v '/www/files/admin/site' '' | *''restorecon -v '/www/files/admin/site' '' | ||
| + | ==Bind== | ||
| + | semanage fcontext -a -t named_log_t /var/named/chroot/var/log/named/querylog | ||
| + | /sbin/restorecon -v /var/named/chroot/var/log/named/querylog | ||
| + | semanage fcontext -a -t named_var_run_t /var/named/chroot/var/run/named/named-int.pid | ||
| + | /sbin/restorecon -v /var/named/chroot/var/run/named/named-int.pid | ||
Revision as of 05:52, 1 November 2012
Create Custom Modules
Requires package selinux-policy-devel
grep http /var/log/audit/audit.log | audit2allow -m newrelicsock > /tmp/newrelic.te make -f /usr/share/selinux/devel/Makefile semodule -i newrelic
Alternative
grep httpd /var/log/audit/audit.log | audit2allow -M newrelic semodule -i newrelic.pp
Show why selinux is being an asshole
sealert -a /var/log/audit/audit.log
- sealert is provided by the package setroubleshoot
Allowing stuff to do stuff
Httpd
Multiviews & permission to folders
- semanage fcontext -a -t httpd_sys_content_t '/www/files/admin/site'
- restorecon -v '/www/files/admin/site'
Bind
semanage fcontext -a -t named_log_t /var/named/chroot/var/log/named/querylog /sbin/restorecon -v /var/named/chroot/var/log/named/querylog semanage fcontext -a -t named_var_run_t /var/named/chroot/var/run/named/named-int.pid /sbin/restorecon -v /var/named/chroot/var/run/named/named-int.pid