Difference between revisions of "Selinux Administration"
Latest revision as of 15:13, 7 January 2022
Make sure that it is SELinux that is causing the problem:

    sestatus

checks the current status of SELinux. Temporarily disable SELinux (switch it to permissive mode) with

    sudo setenforce 0

and test to see if the failure persists.

Check the audit logs for SELinux errors:

    sudo ausearch -m avc

Generate a policy module that fixes the SELinux errors:

    sudo ausearch -c 'sendmail' --raw | audit2allow -M my-sendmail
    sudo semodule -i my-sendmail.pp

-c 'sendmail' selects audit log records by their comm= element, which identifies the process whose denials are to be fixed. Only these records will be used for the new policy being created. Use -ts "MM/DD/YYYY" "HH:MM:SS" in place of the -c option to select records that were logged after a certain time.

Review the my-sendmail.te file before running the semodule command to see the policy rules that will be applied.
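Because audit2allow turns every denial it is fed into an allow rule, it is worth summarising what was denied, by which process, against which label, before building a module. The script below is an added example and is not part of the wiki page: the audit records in SAMPLE_AVC are constructed in the format ausearch --raw emits, and the avc_summary function groups the AVC denials by process, source and target context, class and permission. On a real host, pipe `sudo ausearch -m avc --raw` into avc_summary instead of the sample.

```shell
#!/bin/sh
# Added example, not taken from the wiki page: summarise SELinux AVC denials
# before deciding what to allow.  The records below are constructed in the
# format `ausearch -m avc --raw` prints; two sendmail denials of the same kind
# and one httpd denial, plus a SYSCALL record that must be ignored.

SAMPLE_AVC='type=AVC msg=audit(1641567890.123:456): avc:  denied  { name_connect } for  pid=1234 comm="sendmail" dest=25 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1641567890.123:456): arch=c000003e syscall=42 success=no exit=-13 comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
type=AVC msg=audit(1641567891.456:457): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev="sda1" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1641567892.789:458): avc:  denied  { name_connect } for  pid=1240 comm="sendmail" dest=25 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=0'

# avc_summary: read audit records on stdin and print one line per distinct
# denial as "<count> <comm> <scontext> -> <tcontext> <tclass> {<perms>}".
avc_summary() {
  awk '
    /^type=AVC / && / denied / {
      comm = ""; scon = ""; tcon = ""; tclass = ""; perms = ""
      # the denied permissions sit between the braces
      if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART + 1, RLENGTH - 2)
      gsub(/^ +/, "", perms); gsub(/ +$/, "", perms)
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "comm")          { comm = kv[2]; gsub(/"/, "", comm) }
        else if (kv[1] == "scontext") scon = kv[2]
        else if (kv[1] == "tcontext") tcon = kv[2]
        else if (kv[1] == "tclass")   tclass = kv[2]
      }
      count[comm " " scon " -> " tcon " " tclass " {" perms "}"]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
  ' | sort -k2
}

# summarize_sample: run the summary over the constructed records above.
summarize_sample() {
  printf '%s\n' "$SAMPLE_AVC" | avc_summary
}

summarize_sample
```

The output lists the httpd read denial on a user_home_t file once and the sendmail name_connect denial on the smtp port twice; the first is normally fixed by relabelling the content rather than by a new allow rule, which is the kind of decision the summary is meant to support before any module is installed.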
Setting security context for files:

    ls -lZ

displays the current file context.

    chcon

modifies the security context:

    chcon -R -t httpd_sys_content_t /www/sites

Where:

    httpd_sys_content_t    - Apache read-only access
    httpd_sys_rw_content_t - Apache read/write access
    httpd_log_t            - Apache log files
    httpd_cache_t          - Apache caching

Or, use a reference directory to copy the context it has to another directory tree:

    chcon -R --reference=/var/www/html /www/sites
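After relabelling a tree it is useful to verify that nothing under it still carries an unexpected type, since a single file left as user_home_t is enough to produce the read denial that chcon was meant to fix. The script below is an added example, not part of the wiki page: SAMPLE_LS is a constructed listing in the form ls -lZ prints, and context_mismatches reports every entry whose SELinux type is not in the allowed set passed as arguments. On a real host, pipe `ls -lZ /www/sites` (or `ls -lRZ` for the whole tree) into it.

```shell
#!/bin/sh
# Added example, not taken from the wiki page: flag files whose SELinux type
# is not one of the types Apache is allowed to use.  The listing below is
# constructed in the format `ls -lZ` prints; one entry is still labelled
# user_home_t, the label a file keeps when it is moved (not copied) into the
# web root.

SAMPLE_LS='total 16
-rw-r--r--. 1 root   root   unconfined_u:object_r:user_home_t:s0 512 Jan  7 15:13 index.html
-rw-r--r--. 1 root   root   system_u:object_r:httpd_sys_content_t:s0 2048 Jan  7 15:13 about.html
drwxr-xr-x. 2 apache apache system_u:object_r:httpd_sys_rw_content_t:s0 4096 Jan  7 15:13 uploads
-rw-r--r--. 1 root   root   system_u:object_r:httpd_sys_content_t:s0 1024 Jan  7 15:13 style.css'

# context_mismatches ALLOWED_TYPE...
# Reads ls -Z / ls -lZ lines on stdin.  The context field is recognised by
# its user:role:type:level shape, so the column position does not matter;
# the file name is taken as the last field.  Prints "<name> <type>" for each
# entry whose type is not in the allowed set.
context_mismatches() {
  awk -v allowed="$*" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^[a-z_]+_u:[a-z_]+_r:[a-z_]+_t:/) {
          split($i, ctx, ":")
          if (!(ctx[3] in ok)) print $NF, ctx[3]
          break
        }
    }'
}

# check_sample: run the check over the constructed listing with the two
# content types Apache may serve or write.
check_sample() {
  printf '%s\n' "$SAMPLE_LS" | context_mismatches httpd_sys_content_t httpd_sys_rw_content_t
}

check_sample
```

Only index.html is reported, with its user_home_t type. Note that a label set with chcon does not survive a filesystem relabel or a restorecon run; to make the change persistent, record it with `semanage fcontext -a -t httpd_sys_content_t "/www/sites(/.*)?"` and then apply it with `restorecon -Rv /www/sites`.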