Converting semange/restorecon/sesetbool commands into a policy.

Daniel J Walsh dwalsh at redhat.com
Tue Jan 21 14:28:42 UTC 2014



On 01/21/2014 09:21 AM, William Hargrove wrote:
> I want to convert the selinux commands that I have created for a custom
> install of apache into an selinux policy such that it could be applied to
> multiple machines using puppet.
> 
> As a snapshot of the selinux config, I have something like:
> 
> semanage fcontext -a -t httpd_exec_t "/opt/custom/apache(/.*)?"
> semanage fcontext -a -t httpd_sys_content_t "/var/custom/webcontent(/.*)?"
> etc …
> 
> restorecon -R -v /opt/custom/apache
> restorecon -R -v /var/custom/webcontent
> etc … (to actually apply it)
> 
> # allow apache to initiate connections (proxying/ajp)
> setsebool httpd_can_network_connect on
> setsebool httpd_can_network_relay on
> etc …
> 
> semanage port -a -t http_port_t -p tcp 9xxx-91xx
> etc …
> 
> Now I’ve tried to create a policy for the types above by using chcon to set
> the type on the various directories and then running up audit2allow in the
> hope that it would produce a policy based on the fcontext settings, but it
> doesn’t seem to produce anything. Also, I assume it will only log when an
> attempt is made for access that is then denied rather than give the
> commands to proactively allow various options, like enabling builtin
> scripting.
> 
> I’ve not seen a way of handling the Booleans so far and the port commands I
> have used allow httpd_t port_t:tcp_socket name_bind;
> 
> So far the apache.te policy file looks like this:
> 
> module apache 1.0;
> 
> require {
> 	type httpd_t;
> 	type httpd_exec_t;
> 	type httpd_var_run_t;
> 	type port_t;
> 	class lnk_file read;
> 	class dir search;
> 	# a class in a require block must list the permissions the rules use
> 	class tcp_socket name_bind;
> }
> 
> #============= httpd_t ==============
> allow httpd_t httpd_exec_t:dir search;
> allow httpd_t httpd_var_run_t:lnk_file read;
> allow httpd_t port_t:tcp_socket name_bind;
> 
> I’d be very grateful for any help on this as I’d really like to be able to
> tie up all the commands into a policy file which can be applied as part of
> the apache install process.
> 
> Will.
> 
You cannot do boolean settings within a policy module, they have to be done
with the setsebool type commands.  Puppet has some SELinux bindings that allow
you to set booleans and run semanage commands, so not sure why you want to
package this up in a policy module, which would also need to be installed
within puppet.
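The split Dan describes, as an added example that is not code from this thread or from the SELinux project: the semanage fcontext rules can ship inside a policy module (its .fc file, with a .te that requires the httpd types), while the setsebool and semanage port lines stay as commands run after the module is installed. The module name custom_apache and the output file layout are assumptions; the sample command list is constructed from the question.

```shell
#!/bin/sh
# Added example, not code from the thread. Splits a command list into the part a
# policy module can carry (semanage fcontext -> the module's .fc file, plus a .te
# that requires the types) and the part that stays a runtime command (setsebool,
# semanage port). Module name "custom_apache" and the file layout are assumptions.

# Constructed sample input: the fcontext and boolean lines from the question.
SAMPLE_CMDS='semanage fcontext -a -t httpd_exec_t "/opt/custom/apache(/.*)?"
semanage fcontext -a -t httpd_sys_content_t "/var/custom/webcontent(/.*)?"
setsebool httpd_can_network_connect on
setsebool httpd_can_network_relay on'

# One 'semanage fcontext -a -t TYPE "REGEX"' line -> one .fc entry of the form
#   REGEX    gen_context(system_u:object_r:TYPE,s0)
fcontext_to_fc() {
    printf '%s\n' "$1" | sed -n \
        's/^semanage fcontext -a -t \([A-Za-z0-9_]*\) *"*\([^" ]*\)"* *$/\2    gen_context(system_u:object_r:\1,s0)/p'
}

# Whole .fc file from a command list on stdin; non-fcontext lines are skipped.
gen_fc_file() {
    while IFS= read -r line; do fcontext_to_fc "$line"; done
}

# Minimal .te ($1 = module name, command list on stdin): the module declares
# nothing new, it only requires the existing httpd types the .fc entries use.
gen_te_file() {
    printf 'policy_module(%s, 1.0)\n\ngen_require(`\n' "$1"
    sed -n 's/^semanage fcontext -a -t \([A-Za-z0-9_]*\) .*/    type \1;/p' | sort -u
    printf "')\n"
}

# Lines with no module equivalent, kept verbatim as a post-install script.
runtime_cmds() {
    grep -E '^(setsebool|semanage port) ' || true
}

# Write NAME.fc, NAME.te and NAME-post.sh into directory $2 from command list $3.
build_module() {
    printf '%s\n' "$3" | gen_fc_file > "$2/$1.fc"
    printf '%s\n' "$3" | gen_te_file "$1" > "$2/$1.te"
    printf '%s\n' "$3" | runtime_cmds > "$2/$1-post.sh"
}

# On each host: make -f /usr/share/selinux/devel/Makefile custom_apache.pp,
# semodule -i custom_apache.pp, sh custom_apache-post.sh, then restorecon -R
# over the labelled paths so the new .fc entries take effect.
```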
