|
I want to convert the selinux commands that I have created for a custom install of apache into an selinux policy such that it could be applied to multiple machines using puppet. As a snapshot of the selinux config, I have something like: semanage fcontext -a -t httpd_exec_t "/opt/custom/apache(/.*)?" semanage fcontext -a -t httpd_sys_content_t "/var/custom/webcontent(/.*)?" etc … restorecon -R -v /opt/custom/apache restorecon -R -v /var/custom/webcontent etc … (to actually apply it) # allow apache to initiate connections (proxying/ajp) setsebool httpd_can_network_connect on setsebool httpd_can_network_relay on etc … semanage port -a -t http_port_t -p tcp 9xxx-91xx etc … Now I’ve tried to create a policy for the types above by using chcon to set the type on the various directories and then running up audit2allow in the hope that it would produce a policy based on the fcontext settings, but it doesn’t seem
to produce anything. Also, I assume it will only log when an attempt is made for access that is then denied rather than give the commands to proactively all various options, like enabling builtin scripting. I’ve not seen a way of handling the Booleans so far and the port commands I have used allow httpd_t port_t:tcp_socket name_bind; So far the apache.te policy file looks like this: module apache 1.0; require { type httpd_t; type httpd_exec_t; type httpd_var_run_t; type port_t; class lnk_file read; class dir search; class tcp_socket; } #============= httpd_t ============== allow httpd_t httpd_exec_t:dir search; allow httpd_t httpd_var_run_t:lnk_file read; allow httpd_t port_t:tcp_socket name_bind; I’ve be very grateful for any help on this as I’d really like to be able to tie up all the commands into a policy file which can be applied as part of the apache install process. Will. The information contained in this email is strictly confidential and for the use of the addressee only, unless otherwise indicated. If you are not the intended recipient, please do not read, copy, use or disclose to others this message or any attachment. Please also notify the sender by replying to this email or by telephone (+44(020 7896 0011) and then delete the email and any copies of it. Opinions, conclusion (etc) that do not relate to the official business of this company shall be understood as neither given nor endorsed by it. IG is a trading name of IG Markets Limited (a company registered in England and Wales, company number 04008957) and IG Index Limited (a company registered in England and Wales, company number 01190902). Registered address at Cannon Bridge House, 25 Dowgate Hill, London EC4R 2YA. Both IG Markets Limited (register number 195355) and IG Index Limited (register number 114059) are authorised and regulated by the Financial Conduct Authority. |
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
