Selinux Administration

From Nearline Storage
Jump to navigation Jump to search

Make sure that it is selinux that is causing the problem:

sestatus checks the current status of selinux

Temporarily disable selinux with sudo setenforce 0 and test to see if the failure persists.

Check audit logs for selinux errors: 

sudo ausearch -m avc

Generate policy file that fixes selinux errors: 

sudo ausearch -c 'sendmail' --raw | audit2allow -M my-sendmail
sudo semodule -X 300 -i my-sendmail.pp

-c 'sendmail' indicates the comm= element from the audit log records that identifies the problems to be fixed. Only these records will be selected for the new policy being created.

Use -ts "MM/DD/YYYY" "HH:MM:SS" in place of the -c option in order to search for log records that were recorded after a certain time.

Browse the my-sendmail.te file before running the semodule command to review the policy changes that will be applied.

Setting security context for files:

ls -lZ displays current file context

chcon modifies the security context:

    chcon -R -t httpd_sys_content_t /www/sites

    Where:
    httpd_sys_content_t - Apache Read-Only access
    httpd_sys_rw_content_t - Apache Read/Write access
    httpd_log_t - Apache log files
    httpd_cache_t - Apache caching

    Or, use a reference directory to copy the context it has to another directory tree: chcon -R --reference=/var/www/html /www/sites
Retrieved from "https://wiki.daveking.com/index.php?title=Selinux_Administration&oldid=4598"