Difference between revisions of "Selinux Administration"

From Nearline Storage

Revision as of 23:28, 1 January 2022

Make sure that it is SELinux that is causing the problem:

sestatus shows the current status of SELinux (whether it is enabled, and whether it is in enforcing or permissive mode).

Temporarily put SELinux into permissive mode with sudo setenforce 0 and test whether the failure persists; sudo setenforce 1 returns it to enforcing mode afterwards.

Check audit logs for selinux errors:

sudo ausearch -m avc

Generate a policy module that allows the denied actions found in the audit log:

sudo ausearch -c 'sendmail' --raw | audit2allow -M my-sendmail
sudo semodule -X 300 -i my-sendmail.pp

-c 'sendmail' selects audit records by their comm= field (the name of the command that triggered the denial). Only those records are used to build the new policy module.

Use -ts "MM/DD/YYYY" "HH:MM:SS" in place of the -c option to select only records logged after a given time.

Review the generated my-sendmail.te file before running the semodule command, so that the allow rules being added are understood and are not broader than the fix needs.
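As an added example (not part of this page or of the audit2allow tool), a small Python script that parses raw AVC denial records of the kind printed by sudo ausearch -m avc --raw, filters them by comm= the way the -c option does, and groups them into the allow rules that audit2allow would write into a .te file, so they can be reviewed before semodule installs anything. The sample audit records are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample output of `ausearch -m avc --raw` (not real log data).
SAMPLE_AVC = """\
type=AVC msg=audit(1641078000.123:456): avc:  denied  { read } for  pid=1234 comm="sendmail" name="aliases.db" dev="dm-0" ino=5678 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1641078001.456:457): avc:  denied  { read open } for  pid=1234 comm="sendmail" name="aliases.db" dev="dm-0" ino=5678 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1641078002.789:458): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
"""

# Fields of one AVC denial record: permissions, comm, source/target context, class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the fields of one AVC denial line, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = set(rec["perms"].split())
    # The type is the third field of user:role:type:level; the level is dropped
    # because allow rules are written in terms of types, not MLS/MCS levels.
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(lines, comm=None):
    """Group denials by (source domain, target type, class) -> permissions,
    optionally keeping only records whose comm= matches, like `ausearch -c`."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or (comm is not None and rec["comm"] != comm):
            continue
        rules[(rec["sdomain"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def as_allow_rules(rules):
    """Render grouped denials as the allow lines audit2allow would put in a .te file."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]


if __name__ == "__main__":
    for rule in as_allow_rules(summarize(SAMPLE_AVC.splitlines(), comm="sendmail")):
        print(rule)
```

Each printed allow line is exactly what should be questioned before installing the module: here the sendmail domain would gain read access to files of type admin_home_t, which may be better fixed by relabelling the file than by widening the policy.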

Setting the security context of files:

ls -lZ displays the current security context of files.

chcon modifies the security context:

    chcon -R -t httpd_sys_content_t /www/sites

    Where:
    httpd_sys_content_t - Apache read-only access
    httpd_sys_rw_content_t - Apache read/write access
    httpd_log_t - Apache log files
    httpd_cache_t - Apache caching

    Or, use a reference directory to copy its context to another directory tree: chcon -R --reference=/var/www/html /opt/dashboard

Note that contexts set with chcon are not preserved when the files are relabelled (for example by restorecon or a full filesystem relabel); a permanent change needs a file-context rule registered with semanage fcontext.