Help with custom policy package for CentOS-7 (1511), MariaDB 10.1.13, NGINX 1.9.14, PHP-FPM and Redis

Hello,

I am new to selinux and new to this community, and I was wondering if someone could help me review two policies for a new web server I am preparing for release. (Apologies in advance if I am posting this in the wrong location.)

Software list:
CentOS 7.2.1511
MariaDB 10.1.13
NGINX 1.9.14
PHP 5.6
Redis 2.8.19

I have modified the web root and the mysql/mariadb data directory, and it seems selinux does not like that at all. Below are some proposed modules from audit2allow. I was wondering if there are any red flags to using them in production. I got a little nervous when I read that "Modules created with audit2allow may allow more access than required. It is recommended that policy created with audit2allow be posted to an SELinux list, such as fedora-selinux-list, for review." https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html

Any help greatly appreciated.

module phpfpmlocal 1.0;
require {
        type redis_port_t;
        type httpd_t;
        type httpd_sys_content_t;
        class tcp_socket name_connect;
        class file { write create unlink setattr append };
        class dir { write rmdir setattr remove_name create add_name };
}
#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:dir { write rmdir setattr remove_name create add_name };
#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:file { write create unlink append setattr };
#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
allow httpd_t redis_port_t:tcp_socket name_connect;

module http_t_filerename_local 1.0;
require {
        type httpd_t;
        type httpd_sys_content_t;
        class file rename;
}
#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:file rename;


Also, can someone advise whether using file_contexts.local is good or bad practice, and what the difference is between using the .local file vs. creating a custom policy? Here is what I added to /etc/selinux/targeted/contexts/files/file_contexts.local. I am not sure if it is introducing any new risks by doing so.

/www/mysql(/.*)?    system_u:object_r:mysqld_db_t:s0
/www/sites(/.*)?    system_u:object_r:httpd_sys_content_t:s0

Thanks in advance,

Michael Stephenson
MS Information Systems, BS Computer Science
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
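Editor's note with an added example (this script is not part of the original mail, nor of the selinux-policy project). It does the two checks a reviewer would run on the mail above: it reads an audit2allow module and lists which rules carry a "#!!!! ... boolean" hint (a module made entirely of hinted rules only re-grants access the shipped policy already makes switchable, and httpd_unified does so for every httpd_sys_content_t file rather than just the directories PHP must write), and it turns file_contexts.local lines into the semanage commands that record the same labels in the policy store. The /www/sites and /www/mysql paths are the poster's; the per-site uploads directory labelled httpd_sys_rw_content_t and the second module with a tmp_t rule are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not the poster's or the selinux-policy project's code.
# Paths /www/sites and /www/mysql come from the mail; the uploads directory
# and the UNHINTED_TE module below are assumptions made for illustration.

# The poster's phpfpmlocal module, embedded as sample input. A quoted heredoc
# keeps the single quotes in the "#!!!!" hint lines intact.
PHPFPM_TE=$(cat <<'EOF'
module phpfpmlocal 1.0;
require {
        type redis_port_t;
        type httpd_t;
        type httpd_sys_content_t;
        class tcp_socket name_connect;
        class file { write create unlink setattr append };
        class dir { write rmdir setattr remove_name create add_name };
}
#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:dir { write rmdir setattr remove_name create add_name };
#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:file { write create unlink append setattr };
#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
allow httpd_t redis_port_t:tcp_socket name_connect;
EOF
)

# Constructed module with one rule that no boolean covers (tmp_t is a real
# type, but this AVC was made up for the example).
UNHINTED_TE=$(cat <<'EOF'
module example 1.0;
require { type httpd_t; type tmp_t; class dir search; }
#============= httpd_t ==============
allow httpd_t tmp_t:dir search;
EOF
)

# Booleans named in audit2allow's "#!!!!" hints, one per line, deduplicated.
suggested_booleans() {
    printf '%s\n' "$1" | sed -n "s/.*boolean '\([^']*\)'.*/\1/p" | sort -u
}

# allow rules NOT preceded by a boolean hint. Only these justify a custom
# module; an empty result means the module re-grants switchable access.
unhinted_allow_rules() {
    printf '%s\n' "$1" | awk '
        /^#!!!!/ { hinted = 1; next }
        /^allow / { if (!hinted) print; hinted = 0; next }
        { hinted = 0 }'
}

# Convert one file_contexts.local line ("regex [ftype] context") into the
# equivalent "semanage fcontext -a" command. semanage stores the rule in the
# policy store and regenerates file_contexts.local itself, so the rule is
# not lost the way a hand edit of that file can be.
fcontext_to_semanage() {
    printf '%s\n' "$1" | awk '
        NF >= 2 {
            split($NF, ctx, ":")
            ftype = ""
            if (NF == 3) {            # "-d" = directory, "--" = regular file, ...
                t = substr($2, 2, 1); if (t == "-") t = "f"
                ftype = " -f " t
            }
            printf "semanage fcontext -a%s -t %s '\''%s'\''\n", ftype, ctx[3], $1
        }'
}

# Labelling plan: the web root stays read-only httpd_sys_content_t and only
# the directories PHP must write become httpd_sys_rw_content_t, which httpd_t
# may already write, rename and unlink without any boolean. The uploads path
# is an assumed layout; the more specific rule is listed after the general one.
label_plan() {
    fcontext_to_semanage '/www/mysql(/.*)?    system_u:object_r:mysqld_db_t:s0'
    fcontext_to_semanage '/www/sites(/.*)?    system_u:object_r:httpd_sys_content_t:s0'
    fcontext_to_semanage '/www/sites/[^/]+/uploads(/.*)?    system_u:object_r:httpd_sys_rw_content_t:s0'
    echo 'restorecon -Rv /www/mysql /www/sites'
}

echo "== booleans audit2allow says would cover phpfpmlocal =="
suggested_booleans "$PHPFPM_TE"
echo "== rules in phpfpmlocal that actually need a custom module (none) =="
unhinted_allow_rules "$PHPFPM_TE"
echo "== rules in the constructed module that need a custom module =="
unhinted_allow_rules "$UNHINTED_TE"
echo "== commands to record the labels (run as root with --apply) =="
label_plan
if [ "$1" = "--apply" ]; then
    label_plan | sh -ex
fi
```

Run without arguments it only prints the review; with --apply (as root, on the target host) it executes the semanage and restorecon lines. On a CentOS 7 box, sesearch -A -s httpd_t -t httpd_sys_rw_content_t -c file confirms that the write access is unconditional, which is why relabelling the writable directories is narrower than turning on httpd_unified or loading the posted modules. The Redis connection is the one AVC that a label cannot fix: it still needs httpd_can_network_connect or a module carrying only that single name_connect rule.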