[Discuss] selinux nightmare
Stephen Adler
adler at stephenadler.com
Sun Sep 28 16:25:06 EDT 2014
Hi all,
So I'm bringing up apache on my new server and I'm trying to do right by
selinux this time. My default mode is to ignore selinux, put it in
permissive mode, and watch all the error messages get logged but pretty
much ignore what's going on under the selinux hood. Well, I figure this
time I should pay some attention and at least try and minimize all the
error messages I get in my log files.
But now I'm in an selinux rabbit hole. The selinux security apparatus is
just too complicated to try and figure out without doing some
rtfming.... So... can anyone suggest a good selinux for dummies web site
I can pore through? I would love for it to be no more than one single
page with a few key commands that I can learn and be done with it. But I
doubt that's the case. I think I've gone long enough trying to avoid
learning selinux. I've reached the point that I need to really
understand it...
Thanks. Steve.
P.S. this is the kind of stuff I'm confronting....
[root at mipdata0 ~]# sealert -l dd884c85-199f-49c5-b44c-a595ce3cec43
SELinux is preventing /usr/bin/python2.7 from read access on the lnk_file .
***** Plugin catchall_labels (83.8 confidence) suggests *******************
If you want to allow python2.7 to have read access on the lnk_file
Then you need to change the label on $FIX_TARGET_PATH
Do
# semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
where FILE_TYPE is one of the following: abrt_retrace_spool_t,
admin_home_t, bin_t, boot_t, calamaris_www_t, cert_t, cobbler_var_lib_t,
cvs_data_t, device_t, devlog_t, dirsrv_share_t, etc_runtime_t, etc_t,
file_context_t, fonts_cache_t, fonts_t, git_sys_content_t,
gitosis_var_lib_t, home_root_t, httpd_apcupsd_cgi_content_t,
httpd_apcupsd_cgi_htaccess_t, httpd_apcupsd_cgi_ra_content_t,
httpd_apcupsd_cgi_rw_content_t, httpd_apcupsd_cgi_script_exec_t,
httpd_awstats_content_t, httpd_awstats_htaccess_t,
httpd_awstats_ra_content_t, httpd_awstats_rw_content_t,
httpd_awstats_script_exec_t, httpd_bugzilla_content_t,
httpd_bugzilla_htaccess_t, httpd_bugzilla_ra_content_t,
httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t,
httpd_cache_t, httpd_collectd_content_t, httpd_collectd_htaccess_t,
httpd_collectd_ra_content_t, httpd_collectd_rw_content_t,
httpd_collectd_script_exec_t, httpd_config_t, httpd_cvs_content_t,
httpd_cvs_htaccess_t, httpd_cvs_ra_content_t, httpd_cvs_rw_content_t,
httpd_cvs_script_exec_t, httpd_dirsrvadmin_content_t,
httpd_dirsrvadmin_htaccess_t, httpd_dirsrvadmin_ra_content_t,
httpd_dirsrvadmin_rw_content_t, httpd_dirsrvadmin_script_exec_t,
httpd_dspam_content_t, httpd_dspam_htaccess_t, httpd_dspam_ra_content_t,
httpd_dspam_rw_content_t, httpd_dspam_script_exec_t,
httpd_git_content_t, httpd_git_htaccess_t, httpd_git_ra_content_t,
httpd_git_rw_content_t, httpd_git_script_exec_t, httpd_log_t,
httpd_man2html_content_t, httpd_man2html_htaccess_t,
httpd_man2html_ra_content_t, httpd_man2html_rw_content_t,
httpd_man2html_script_exec_t, httpd_mediawiki_content_t,
httpd_mediawiki_htaccess_t, httpd_mediawiki_ra_content_t,
httpd_mediawiki_rw_content_t, httpd_mediawiki_script_exec_t,
httpd_modules_t, httpd_mojomojo_content_t, httpd_mojomojo_htaccess_t,
httpd_mojomojo_ra_content_t, httpd_mojomojo_rw_content_t,
httpd_mojomojo_script_exec_t, httpd_munin_content_t,
httpd_munin_htaccess_t, httpd_munin_ra_content_t,
httpd_munin_rw_content_t, httpd_munin_script_exec_t,
httpd_mythtv_content_t, httpd_mythtv_htaccess_t,
httpd_mythtv_ra_content_t, httpd_mythtv_rw_content_t,
httpd_mythtv_script_exec_t, httpd_nagios_content_t,
httpd_nagios_htaccess_t, httpd_nagios_ra_content_t,
httpd_nagios_rw_content_t, httpd_nagios_script_exec_t,
httpd_nutups_cgi_content_t, httpd_nutups_cgi_htaccess_t,
httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t,
httpd_nutups_cgi_script_exec_t, httpd_openshift_content_t,
httpd_openshift_htaccess_t, httpd_openshift_ra_content_t,
httpd_openshift_rw_content_t, httpd_openshift_script_exec_t,
httpd_prewikka_content_t, httpd_prewikka_htaccess_t,
httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t,
httpd_prewikka_script_exec_t, httpd_smokeping_cgi_content_t,
httpd_smokeping_cgi_htaccess_t, httpd_smokeping_cgi_ra_content_t,
httpd_smokeping_cgi_rw_content_t, httpd_smokeping_cgi_script_exec_t,
httpd_squid_content_t, httpd_squid_htaccess_t, httpd_squid_ra_content_t,
httpd_squid_rw_content_t, httpd_squid_script_exec_t,
httpd_squirrelmail_t, httpd_sys_content_t, httpd_sys_htaccess_t,
httpd_sys_ra_content_t, httpd_sys_rw_content_t, httpd_sys_script_exec_t,
httpd_tmp_t, httpd_tmpfs_t, httpd_user_content_t, httpd_user_htaccess_t,
httpd_user_ra_content_t, httpd_user_rw_content_t,
httpd_user_script_exec_t, httpd_w3c_validator_content_t,
httpd_w3c_validator_htaccess_t, httpd_w3c_validator_ra_content_t,
httpd_w3c_validator_rw_content_t, httpd_w3c_validator_script_exec_t,
httpd_webalizer_content_t, httpd_webalizer_htaccess_t,
httpd_webalizer_ra_content_t, httpd_webalizer_rw_content_t,
httpd_webalizer_script_exec_t, httpd_zoneminder_content_t,
httpd_zoneminder_htaccess_t, httpd_zoneminder_ra_content_t,
httpd_zoneminder_rw_content_t, httpd_zoneminder_script_exec_t,
iso9660_t, jetty_cache_t, jetty_log_t, jetty_var_lib_t, jetty_var_run_t,
ld_so_t, lib_t, locale_t, mailman_archive_t, mailman_data_t,
man_cache_t, man_t, mnt_t, munin_etc_t, mysqld_etc_t, net_conf_t,
passenger_var_lib_t, pki_ra_var_lib_t, pki_tomcat_cert_t,
pki_tps_var_lib_t, proc_t, public_content_rw_t, public_content_t,
root_t, rpm_script_tmp_t, security_t, selinux_config_t, shell_exec_t,
slapd_cert_t, squirrelmail_spool_t, src_t, sssd_var_lib_t, sysfs_t,
system_conf_t, system_db_t, tetex_data_t, textrel_shlib_t, tmp_t,
udev_var_run_t, usr_t, var_lib_t, var_lock_t, var_run_t, var_t,
zarafa_var_lib_t.
Then execute:
restorecon -v '$FIX_TARGET_PATH'
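The sealert output above is pointing at the usual fix for this class of denial: the object httpd (here via its python2.7 child) tried to read carries a label the httpd_t domain is not allowed to read, so the answer is to relabel the object rather than to widen httpd's policy with an audit2allow module. Below is an added example, not code from the thread or from the SELinux tooling, that parses a raw AVC record of the kind sealert summarises and emits the persistent relabel commands. The audit line, the path /srv/www/app and the choice of httpd_sys_content_t are constructed for illustration; on a real box you would take the record from `ausearch -m avc -ts recent`, compare `ls -Z` against `matchpathcon` for that path, and pick httpd_sys_rw_content_t only where Apache genuinely needs to write. Note that the tclass in the denial is lnk_file, so the symlink itself must carry an httpd-readable label; restorecon relabels the link as well as what it points to, whereas a chcon on the target alone would not survive the next relabel.

```shell
#!/bin/sh
# Added example (not from the original post): turn a raw AVC denial into the
# persistent relabel fix that sealert's catchall_labels plugin is hinting at.
# The audit record below is CONSTRUCTED for this example; its pid, inode,
# path and contexts are illustrative and not taken from the thread.
SAMPLE_AVC='type=AVC msg=audit(1411936000.123:4567): avc:  denied  { read } for  pid=2345 comm="httpd" name="current" dev="dm-0" ino=131072 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file'

# avc_field RECORD KEY -> value of KEY= in the record, surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_type_of CONTEXT -> the type field (user:role:TYPE:level) of an SELinux context.
avc_type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_is_httpd_content_denial RECORD
# Exit 0 when the source domain is httpd_t and the target is a file, directory
# or symlink whose type is not already an httpd_* content type. That is the
# case where relabeling the object, not adding a policy module, is the fix.
avc_is_httpd_content_denial() {
    _src=$(avc_type_of "$(avc_field "$1" scontext)")
    _tgt=$(avc_type_of "$(avc_field "$1" tcontext)")
    _cls=$(avc_field "$1" tclass)
    [ "$_src" = httpd_t ] || return 1
    case "$_cls" in file|lnk_file|dir) ;; *) return 1 ;; esac
    case "$_tgt" in httpd_*) return 1 ;; esac
    return 0
}

# avc_relabel_commands PATH TYPE -> the two commands that make the label stick:
# record the rule in the policy store, then apply it on disk. The "(/.*)?"
# suffix covers the path's contents when it is a directory; for a lone symlink
# the rule still matches the link itself, which is what a lnk_file denial needs.
avc_relabel_commands() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$2" "$1"
    printf 'restorecon -Rv "%s"\n' "$1"
}

# Walk through the constructed record: classify it, then print the fix.
if avc_is_httpd_content_denial "$SAMPLE_AVC"; then
    echo "httpd_t was denied $(avc_field "$SAMPLE_AVC" tclass) access to an object labeled $(avc_type_of "$(avc_field "$SAMPLE_AVC" tcontext)"); relabel it:"
    avc_relabel_commands /srv/www/app httpd_sys_content_t
else
    echo "not a simple httpd content-label problem; read the denial before allowing anything"
fi
```

The classifier deliberately refuses to suggest a relabel when the target already has an httpd_* type: in that case the label is right and the denial usually means a boolean (see `getsebool -a | grep httpd`) or a genuinely new access pattern, which deserves a look before any `audit2allow -M` is run.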