SELinux notes

Revision as of 20:25, 22 January 2020 by Admin (Talk | contribs)


Relabel the file system:

touch /.autorelabel
reboot

Update security policy for a directory:

semanage fcontext -a -t httpd_sys_content_t '/www(/.*)?'
semanage fcontext -a -t httpd_sys_content_t '/usr/share/nginx/html(/.*)?'
semanage fcontext -a -t cvs_data_t '/home/cvsroot(/.*)?'
semanage fcontext -a -t svnserve_content_t '/home/svn/repo(/.*)?'
semanage fcontext -a -t git_rw_content_t '/srv/git/repositories(/.*)?'
semanage fcontext -a -t httpd_sys_content_t '/storage/pub(/.*)?'
semanage fcontext -a -t 'bacula_store_t' '/storage/volumes(/.*)?'
restorecon -RFv <dir>

Bacula needs permission to manage volumes:

semanage fcontext -a -t bacula_store_t '/storage/volumes(/.*)?'
restorecon -Rv /storage/volumes

Set file labels for samba:

semanage fcontext -a -t samba_share_t '/storage/slideshow(/.*)?'
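restorecon -Rv /storage/slideshow

You can also temporarily change context using the chcon command. The change is not stored in the file-context database, so it can be lost on the next relabel or restorecon run.

chcon --reference=/root/ -R /www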

Manually compiling policy files:

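module="my_bacula_fd"
# Compile the type enforcement source (.te) into a binary module (.mod)
checkmodule -M -m -o "${module}.mod" "${module}.te"
# Package the module as a policy package (.pp)
semodule_package -o "${module}.pp" -m "${module}.mod"
# Install the policy package
semodule -i "${module}.pp"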

Create an SELinux equivalence. This sets the context for /export/home to match /home.

semanage fcontext -a -e /home /export/home
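
Added example (not part of the original notes): a POSIX shell simulation of how the fcontext rules and the /export/home equivalence above resolve a path to a type, showing that the regexes are anchored at both ends and that the equivalence is applied before the rules are matched. The function names fc_subst and fc_lookup and the rule table are constructed for this example; only the local rules from this page are modelled, not the base policy, and first match stands in for libselinux's most-specific-match ordering.

```shell
# Added example: simulates file-context lookup for the local rules on this page.
# Assumption: the base policy is ignored and the rules below do not overlap.

# Constructed rule table "<regex> <type>", copied from the semanage commands above.
FC_RULES='/www(/.*)? httpd_sys_content_t
/usr/share/nginx/html(/.*)? httpd_sys_content_t
/home/cvsroot(/.*)? cvs_data_t
/home/svn/repo(/.*)? svnserve_content_t
/srv/git/repositories(/.*)? git_rw_content_t
/storage/pub(/.*)? httpd_sys_content_t
/storage/volumes(/.*)? bacula_store_t
/storage/slideshow(/.*)? samba_share_t'

# Equivalence from "semanage fcontext -a -e /home /export/home": "<alias> <target>".
FC_EQUIV='/export/home /home'

# fc_subst PATH: rewrite an aliased prefix to its target before lookup.
fc_subst() {
    path=$1
    while read -r src dst; do
        case $path in
            "$src"|"$src"/*) path=$dst${path#"$src"}; break ;;
        esac
    done <<EOF
$FC_EQUIV
EOF
    printf '%s\n' "$path"
}

# fc_lookup PATH: print the type of the first rule whose regex matches the
# whole path (grep -x reproduces the anchoring at both ends), else "no-match".
fc_lookup() {
    resolved=$(fc_subst "$1")
    while read -r regex type; do
        if printf '%s\n' "$resolved" | grep -Eqx -- "$regex"; then
            printf '%s\n' "$type"
            return 0
        fi
    done <<EOF
$FC_RULES
EOF
    printf '%s\n' 'no-match'
    return 1
}

# Demo on constructed paths: /www2 shows the effect of anchoring.
for p in /www /www/a.html /www2/a.html /export/home/cvsroot/proj; do
    printf '%-28s %s\n' "$p" "$(fc_lookup "$p" || :)"
done
```

On a real system, matchpathcon <path> reports the context the loaded policy expects for a path, and restorecon -nv <dir> lists files whose on-disk label differs from it without changing anything.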