selinux is a pain
Richard Shaw
hobbes1069 at gmail.com
Tue Sep 20 14:12:37 UTC 2011
2011/9/20 Bruno Wolff III <bruno at wolff.to>:
> On Tue, Sep 20, 2011 at 09:31:14 -0300,
> Martín Marqués <martin.marques at gmail.com> wrote:
>>
>> For example, I moved the trac repos to /var/lib/trac, and so apache
>> needs extra append and access policy on some of those directories. How
>> would I add those policies?
>
> If you move stuff around that affects the default labelling. You can use
> semanage and restorecon to have the new location have the correct defaults.
>
> Giving the web server access to stuff is risky. The level of risk and benefit
> is something you need to evaluate. But you can label the new location so
> that it will be accessible to the web server. This may cause issues for
> other processes trying to read or write thise files. If so, you may need
> to do a custom policy. The simplest thing is to use audit2allow to see
> what access is needed to allow the service to run. (If done in enforcing mode
> this might take a few iterations.) However you might not want to let the
> web server have access to all files labelled say var_lib_t. So it may turn
> out that you need to create some new labels for the specific files you
> want to let the web server have access to.
Beware of one problem with the sealert/audit2allow instructions. At
least in my experience, it goes through the whole log and creates a
policy to allow all denied actions, not necessarily just the one you
care about. Also, the created policies can be overly generic and allow
way more access than is really needed.
Richard
More information about the users
mailing list