SElinux notes (revision comparison; 4 intermediate revisions by the same user not shown)

Content from the earlier revision (not present in the latest revision below):

Apache rules for cpanel, as entries in /etc/selinux/targeted/contexts/files/file_contexts.local:

<pre>
/usr/local/apache/bin/ab    system_u:object_r:bin_t:s0
/usr/local/apache/bin/htdbm    system_u:object_r:bin_t:s0
/usr/local/apache/bin/htdigest    system_u:object_r:bin_t:s0
/usr/local/apache/bin/htpasswd    system_u:object_r:bin_t:s0
/usr/local/apache/bin/logresolve    system_u:object_r:bin_t:s0
/usr/local/apache/bin/apachectl    system_u:object_r:httpd_initrc_exec_t:s0
/usr/local/apache/bin/htcacheclean    system_u:object_r:sbin_t:s0
/usr/local/apache/bin/httpd    system_u:object_r:httpd_exec_t:s0
/usr/local/apache/bin/httxt2dbm    system_u:object_r:sbin_t:s0
/usr/local/apache/bin/rotatelogs    system_u:object_r:httpd_rotatelogs_exec_t:s0
/usr/local/apache/conf(/.*)?    system_u:object_r:httpd_config_t:s0
/usr/local/apache/error/README    system_u:object_r:httpd_config_t:s0
/usr/local/apache/icons/README    system_u:object_r:httpd_config_t:s0
/usr/local/apache/icons(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/usr/local/apache/error(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/usr/local/apache/modules(/.*)?    system_u:object_r:httpd_modules_t:s0
/usr/local/apache/logs(/.*)?    system_u:object_r:httpd_log_t:s0
</pre>

A few changes are required to allow apache to run:

setsebool -P httpd_enable_homedirs on

php-fpm also needs a boolean set:

setsebool -P httpd_unified on

Manually compiling policy files (concrete instance for a module named cvsweb):

checkmodule -M -m -o cvsweb.mod cvsweb.te
semodule_package -o cvsweb.pp -m cvsweb.mod
semodule -i cvsweb.pp

Latest revision as of 15:54, 16 November 2020

Relabel the file system:

touch /.autorelabel
reboot

Update security policy for a directory:

semanage fcontext -a -t httpd_sys_content_t '/www(/.*)?'
semanage fcontext -a -t httpd_sys_content_t '/usr/share/nginx/html(/.*)?'
semanage fcontext -a -t cvs_data_t '/home/cvsroot(/.*)?'
semanage fcontext -a -t svnserve_content_t '/home/svn/repo(/.*)?'
semanage fcontext -a -t git_rw_content_t '/srv/git/repositories(/.*)?'
semanage fcontext -a -t httpd_sys_content_t '/storage/pub(/.*)?'
semanage fcontext -a -t bacula_store_t '/storage/volumes(/.*)?'
restorecon -RFv <dir>
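The commands above are not idempotent: semanage fcontext -a refuses a regex that already has a rule ("already defined"), and then -m is the right call. The helper below, an added example rather than the wiki's own script, makes that decision by reading the output of semanage fcontext -l, applies the rule, relabels with restorecon, and verifies the result with matchpathcon and ls -Z. The listing it parses in the dry run is constructed; on a host without semanage the tool calls are skipped, so the decision logic runs anywhere.

```shell
# Added example (not from the wiki): idempotent labelling of a directory.
# "semanage fcontext -a" fails for a regex that already has a rule, so the
# script chooses -a or -m from the current rule listing before applying.

# Constructed sample of "semanage fcontext -l" output (regex, file type,
# context), used when semanage itself is not available.
SAMPLE_LISTING='/www(/.*)?                 all files   system_u:object_r:httpd_sys_content_t:s0
/home/cvsroot(/.*)?        all files   system_u:object_r:cvs_data_t:s0
/storage/volumes(/.*)?     all files   system_u:object_r:bacula_store_t:s0'

# Print the type currently assigned to the regex PATTERN (empty if no rule).
# Reads the listing on stdin.  The match is on the exact regex string, so
# '/www(/.*)?' and '/www' are distinct rules, just as they are for semanage.
fcontext_type() {
    awk -v p="$1" '$1 == p { split($NF, c, ":"); print c[3]; exit }'
}

# Print "add" or "modify" for PATTERN, from the listing on stdin.
fcontext_action() {
    if [ -n "$(fcontext_type "$1")" ]; then echo modify; else echo add; fi
}

# Register PATTERN as TYPE and relabel DIR, then show what the policy
# expects (matchpathcon) next to what is on disk (ls -Z).
label_dir() {
    dir="$1"; type="$2"; pattern="$3"
    if ! command -v semanage >/dev/null 2>&1; then
        echo "semanage not found; dry run: $(printf '%s\n' "$SAMPLE_LISTING" |
            fcontext_action "$pattern") $pattern as $type" >&2
        return 0
    fi
    action=$(semanage fcontext -l | fcontext_action "$pattern")
    case "$action" in
        add)    semanage fcontext -a -t "$type" "$pattern" || return 1 ;;
        modify) semanage fcontext -m -t "$type" "$pattern" || return 1 ;;
    esac
    # -F also resets the user/role/range fields and files labelled with
    # customizable types, which a plain restorecon leaves untouched.
    restorecon -RFv "$dir" || return 1
    matchpathcon "$dir"
    ls -Zd "$dir"
}

# Example call matching the first rule on the page:
# label_dir /www httpd_sys_content_t '/www(/.*)?'
```

Keeping the regex exactly as registered matters: a second rule for '/www' next to '/www(/.*)?' is accepted by semanage but leaves two overlapping rules in file_contexts.local, which is the usual source of "restorecon did not change anything" surprises.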

Bacula needs permission to manage volumes:

semanage fcontext -a -t bacula_store_t '/storage/volumes(/.*)?'
restorecon -Rv /storage/volumes

Set file labels for samba:

semanage fcontext -a -t samba_share_t '/storage/slideshow(/.*)?'
restorecon -Rv /storage/slideshow

You can also change a context directly with the chcon command. This is temporary in the sense that chcon records no rule in the policy, so the next restorecon or full relabel resets the files to whatever the file-context rules say:

chcon --reference=/root/ -R /www

Manually compiling policy files:

module="my_bacula_fd"
checkmodule -M -m -o ${module}.mod ${module}.te
semodule_package -o ${module}.pp -m ${module}.mod
semodule -i ${module}.pp
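The three steps above set the module name by hand. The added example below, which is not the wiki's own script, derives the name from the "module NAME VERSION;" statement in the .te file instead, so the .mod and .pp file names and the name semodule records always agree, and it confirms the install by looking the module up in semodule -l. The sample .te it writes is constructed for illustration: the types bacula_t and bacula_store_t are real targeted-policy types, but the single allow rule is only a placeholder shape, and real rules should come from the host's own denials (audit2allow) and be reviewed one by one. Where checkmodule and semodule are absent the build is skipped, so the parsing runs on any host.

```shell
# Added example (not from the wiki): build and install a policy module from
# a .te file, taking the module name from the file rather than a variable.

# Write a constructed sample .te file and print its path.  The allow rule
# is illustrative only; derive real rules from audit denials.
write_sample_te() {
    d=$(mktemp -d) || return 1
    f="$d/my_bacula_fd.te"
    cat > "$f" <<'EOF'
module my_bacula_fd 1.0;

require {
    type bacula_t;
    type bacula_store_t;
    class dir { read search open };
}

# Constructed example: let the Bacula file daemon traverse the volume store.
allow bacula_t bacula_store_t:dir { read search open };
EOF
    echo "$f"
}

# Module name and version from the "module NAME VERSION;" statement.
te_module_name()    { awk '$1 == "module" { print $2; exit }' "$1"; }
te_module_version() { awk '$1 == "module" { v = $3; sub(/;$/, "", v); print v; exit }' "$1"; }

# Compile, package and install the module described by the .te file TE,
# then check that semodule lists it.  Returns 1 on any failure.
build_policy_module() {
    te="$1"
    module=$(te_module_name "$te")
    if [ -z "$module" ]; then
        echo "$te has no 'module NAME VERSION;' statement" >&2
        return 1
    fi
    if ! command -v checkmodule >/dev/null 2>&1; then
        echo "checkmodule not found; would build and install module $module" >&2
        return 0
    fi
    dir=$(dirname "$te")
    checkmodule -M -m -o "$dir/$module.mod" "$te" &&
    semodule_package -o "$dir/$module.pp" -m "$dir/$module.mod" &&
    semodule -i "$dir/$module.pp" &&
    semodule -l | grep -qw "^$module"
}

# Usage (needs root for semodule -i on a real host):
# build_policy_module "$(write_sample_te)"
```

Installing a module is a policy change that persists across reboots and relabels, unlike chcon or a boolean set without -P, so it belongs in configuration management next to the .te source rather than being rebuilt by hand.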

Create an SELinux equivalence. This makes paths under /export/home receive the same contexts as the matching paths under /home; run restorecon on /export/home afterwards to apply it:

semanage fcontext -a -e /home /export/home

Modifying an SELinux port:

Ports that are defined as part of the system policy can be modified for other uses. Because such a port already has a type, semanage port -a would refuse it ("already defined"); -m changes the existing mapping instead. The example moves tcp/443 from the web server's port type to ssh_port_t:

semanage port -m -t ssh_port_t -p tcp 443
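The add-versus-modify choice can be made automatically from the output of semanage port -l. The added example below is not the wiki's own script: it parses a constructed sample of that listing, decides between -a and -m for a port and protocol, applies the change when semanage is present, and verifies the new mapping. Ports that are covered only by a range (such as unreserved_port_t) are deliberately not treated as defined, because -a still works for them.

```shell
# Added example (not from the wiki): assign a port type, using -m when the
# system policy already defines the port and -a otherwise.

# Constructed sample of "semanage port -l" output (type, protocol, ports),
# used for the dry run when semanage is not installed.
SAMPLE_PORTS='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-32767, 61000-65535'

# Print the type that lists PORT for PROTO as an explicit number (empty if
# none).  Reads the listing on stdin.  Ranges such as 1024-32767 are skipped:
# a port covered only by a range is not "defined" and can be added with -a.
port_type() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                v = $i
                sub(/,$/, "", v)
                if (v !~ /-/ && v + 0 == port + 0) { print $1; exit }
            }
        }'
}

# Print "add" or "modify" for PROTO PORT, from the listing on stdin.
port_action() {
    if [ -n "$(port_type "$1" "$2")" ]; then echo modify; else echo add; fi
}

# Map PORT/PROTO to TYPE and confirm the mapping afterwards.  With -m the old
# mapping is replaced, not extended: a daemon that relied on it (httpd on 443
# in the page's example) is then denied the bind unless the policy also lets
# it use the new type.
assign_port() {
    proto="$1"; port="$2"; type="$3"
    if ! command -v semanage >/dev/null 2>&1; then
        echo "semanage not found; dry run: $(printf '%s\n' "$SAMPLE_PORTS" |
            port_action "$proto" "$port") $proto/$port as $type" >&2
        return 0
    fi
    action=$(semanage port -l | port_action "$proto" "$port")
    case "$action" in
        add)    semanage port -a -t "$type" -p "$proto" "$port" || return 1 ;;
        modify) semanage port -m -t "$type" -p "$proto" "$port" || return 1 ;;
    esac
    semanage port -l | port_type "$proto" "$port" | grep -qx "$type"
}

# The page's example:
# assign_port tcp 443 ssh_port_t
```

Before moving a well-known port, check which domains currently use it (semanage port -l shows the mapping, and the audit log will show the first denied bind after the change) so that the service losing the port is the one you intended.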