Hello,
I am new to selinux and new to this community, and I was wondering if someone could help
me review two policies for a new web server I am preparing for release. (Apologies in
advance if I am posting this in the wrong location.)
Software list:
CentOS 7.2.1511
MariaDB 10.1.13
NGINX 1.9.14
PHP 5.6
Redis 2.8.19
I have modified the web root and the mysql/mariadb data directory and it seems selinux
does not like that at all. Below are some proposed modules from audit2allow. I was wondering
if there are any red flags to using them in production. I got a little nervous when I read
that "Modules created with audit2allow may allow more access than required. It is
recommended that policy created with audit2allow be posted to an SELinux list, such as
fedora-selinux-list, for review."
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/...
Any help greatly appreciated.
module phpfpmlocal 1.0;

require {
    type redis_port_t;
    type httpd_t;
    type httpd_sys_content_t;
    class tcp_socket name_connect;
    class file { write create unlink setattr append };
    class dir { write rmdir setattr remove_name create add_name };
}

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:dir { write rmdir setattr remove_name create add_name };

#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:file { write create unlink append setattr };

#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
allow httpd_t redis_port_t:tcp_socket name_connect;
module http_t_filerename_local 1.0;

require {
    type httpd_t;
    type httpd_sys_content_t;
    class file rename;
}

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:file rename;
Also, can someone advise whether using file_contexts.local is a good or bad practice, and what
the difference is between using the .local file vs. creating a custom policy? Here is what I
added to /etc/selinux/targeted/contexts/files/file_contexts.local. I am not sure if it is
introducing any new risks by doing so.
/www/mysql(/.*)? system_u:object_r:mysqld_db_t:s0
/www/sites(/.*)? system_u:object_r:httpd_sys_content_t:s0
Thanks in advance,
Michael Stephenson
MS Information Systems, BS Computer Science
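A least-privilege alternative to the audit2allow modules above, as an added example that is not part of the original post or any reply: rather than letting httpd_t write to every httpd_sys_content_t file, it labels only the subtree PHP must write as httpd_sys_rw_content_t, registers the relocated paths through semanage (which persists them for restorecon instead of a hand-edited file_contexts.local), and uses the boolean audit2allow pointed at for Redis. The /www/sites/example.com/uploads path and the MODE variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Replaces the broad audit2allow
# rules with labelling: only the subtree PHP must write becomes rw content.
set -eu

WEBROOT="/www/sites"
DBDIR="/www/mysql"
# Hypothetical writable subtree. A literal path (no regex in the stem) is the
# most specific match, so it wins over the broader /www/sites rule below.
WRITABLE="/www/sites/example.com/uploads"

MODE="${MODE:-plan}"   # plan = print the commands only, apply = execute them

run() {
    if [ "$MODE" = apply ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Persist the relabelling through semanage rather than hand-editing
# file_contexts.local; 'semanage fcontext -l -C' lists the resulting entries.
relabel_plan() {
    run semanage fcontext -a -t mysqld_db_t "${DBDIR}(/.*)?"
    run semanage fcontext -a -t httpd_sys_content_t "${WEBROOT}(/.*)?"
    run semanage fcontext -a -t httpd_sys_rw_content_t "${WRITABLE}(/.*)?"
    run restorecon -Rv "$WEBROOT" "$DBDIR"
    # Verify: a static file stays read-only content, the upload dir is rw.
    run matchpathcon "${WEBROOT}/example.com/index.php" "${WRITABLE}/photo.jpg"
}

# Outbound connect to redis_port_t via the boolean audit2allow named. It opens
# every TCP port to httpd_t, so first check whether the installed policy
# offers a narrower one:  semanage boolean -l | grep httpd_can_network
network_plan() {
    run setsebool -P httpd_can_network_connect on
}

relabel_plan
network_plan
```

Run with MODE=apply as root on the target host once the printed plan looks right; the second module (file rename) becomes unnecessary because httpd_sys_rw_content_t already permits it within the labelled subtree.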