On 04/15/2016 03:22 AM, Michael Stephenson wrote:
> Update: I just read how to Manually Customizing Policy Modules at this link here: https://wiki.centos.org/HowTos/SELinux. I did not know I could use the .te file and modify it, this is great news. I kept encountering new issues as I would install new web applications and I was not able to see the older issues anymore when using audit2allow against the logs. I understand now how to modify my local policies as I go, phew.
>
> That said, here is my new policy that combines the previous two from my first message. I am running an NGINX web root and MariaDB data dir from a separate SSD mount point '/www'. I am using PHP-FPM for my application code and Redis for session caching. Here is the policy I would like to roll with. It seems good to me but just wanted a second set of eyes to tell me what I may be missing.
>
>
> module phpfpmlocal 1.1;
>
> require {
>         type redis_port_t;
>         type httpd_t;
>         type httpd_sys_content_t;
>         class tcp_socket name_connect;
>         class file { rename write create unlink setattr append };
>         class dir { write rmdir setattr remove_name create add_name };
> }
>
> #============= httpd_t ==============
>
> #!!!! This avc can be allowed using the boolean 'httpd_unified'
> allow httpd_t httpd_sys_content_t:dir { write rmdir setattr remove_name create add_name };
>
> #!!!! This avc can be allowed using the boolean 'httpd_unified'
> allow httpd_t httpd_sys_content_t:file { rename write create unlink append setattr };

Hello Michael,
the httpd_unified boolean is a very powerful boolean and basically turns SELinux protection off for httpd. I would go with a context which can be written by httpd_t - httpd_sys_rw_content_t for example.

Also, when you specify local customizations, the semanage tool should be used and *.local file contexts will be updated.

semanage fcontext -a -t httpd_sys_rw_content_t "/www/sites(/.*)?"
Also, the question is whether we need to add this label for the entire /www/sites directory and subdirectories or it just needs to access a subdirectory.

>
> #!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
> allow httpd_t redis_port_t:tcp_socket name_connect;
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
>

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
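A worked version of the approach suggested above, added here as an example and not part of the thread: the two httpd_sys_content_t write rules are dropped from the module in favour of labeling the writable tree httpd_sys_rw_content_t, and only the Redis rule stays in the local policy. It assumes /www/sites (the path from the thread) is the tree PHP-FPM must write to; the commands are printed for a root shell rather than executed.

```shell
#!/bin/sh
# Added example: trim the audit2allow module to the one rule a label change
# cannot replace, and relabel the writable tree instead of using httpd_unified.
# WEBROOT is the path from the thread; narrowing it to the subdirectory PHP-FPM
# actually writes to (uploads, cache) is preferable to labeling all of /www/sites.
set -e

WEBROOT="${WEBROOT:-/www/sites}"
MODULE="phpfpmlocal"

# Write the trimmed .te (version bumped from the thread's 1.1). Only the Redis
# connect rule remains: httpd_sys_rw_content_t already grants httpd_t write
# access to files and directories carrying that label, so the two dropped
# rules are not needed.
write_te() {
    cat > "$1" <<EOF
module $MODULE 1.2;

require {
    type redis_port_t;
    type httpd_t;
    class tcp_socket name_connect;
}

#============= httpd_t ==============
# PHP-FPM session cache in Redis. Kept as a rule rather than turning on
# httpd_can_network_connect, which would allow connects to any TCP port.
allow httpd_t redis_port_t:tcp_socket name_connect;
EOF
}

# Commands that replace the dropped rules: persist the label in the *.local
# file-context store, apply it on disk, and show what the policy now expects.
fcontext_cmds() {
    printf 'semanage fcontext -a -t httpd_sys_rw_content_t "%s(/.*)?"\n' "$1"
    printf 'restorecon -Rv %s\n' "$1"
    printf 'matchpathcon %s\n' "$1"
}

# Standard checkmodule/semodule_package/semodule build of the trimmed module.
build_cmds() {
    printf 'checkmodule -M -m -o %s.mod %s.te\n' "$1" "$1"
    printf 'semodule_package -o %s.pp -m %s.mod\n' "$1" "$1"
    printf 'semodule -i %s.pp\n' "$1"
}

WORK=$(mktemp -d)
write_te "$WORK/$MODULE.te"
echo "# trimmed module written to $WORK/$MODULE.te; run as root:"
fcontext_cmds "$WEBROOT"
build_cmds "$WORK/$MODULE"
```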