Create Custom Modules

Requires package selinux-policy-devel

grep http /var/log/audit/audit.log | audit2allow -m newrelicsock > /tmp/newrelic.te
make -f /usr/share/selinux/devel/Makefile
semodule -i newrelic

Alternative

grep httpd /var/log/audit/audit.log | audit2allow -M newrelic
semodule -i newrelic.pp

Show why selinux is being an asshole

sealert -a /var/log/audit/audit.log

• sealert is provided by the package setroubleshoot

Allowing stuff to do stuff

Httpd

Access & write to nfs mounts

setsebool -P httpd_use_nfs 1

Blanket access to docroot

chcon -Rv --type=httpd_sys_content_t /var/www/html

Multiviews & permission to folders

• semanage fcontext -a -t httpd_sys_content_t '/www/files/admin/site'
• restorecon -v '/www/files/admin/site'

Bind

semanage fcontext -a -t named_log_t /var/named/chroot/var/log/named/querylog
/sbin/restorecon -v /var/named/chroot/var/log/named/querylog
semanage fcontext -a -t named_var_run_t /var/named/chroot/var/run/named/named-int.pid
/sbin/restorecon -v /var/named/chroot/var/run/named/named-int.pid

Syslog-ng

semanage fcontext -a -t syslogd_var_run_t /syslog
restorecon -v /syslog

sshd

To allow a user to login without a password, make sure the fcontext of the .ssh/ and .ssh/authorized_keys files are correct. Incorrect:

-rw-r--r--. webdev webdev unconfined_u:object_r:default_t:s0 authorized_keys

Correct:

-rw-r--r--. webdev webdev unconfined_u:object_r:ssh_home_t:s0 authorized_keys

Fix this by running this as the user: restorecon -v /home/<user>/.ssh/ Might have to do that for the authorized_keys file too.