On Wed, May 16, 2018 at 01:25:55PM -0400, m.roth@xxxxxxxxx wrote:
> Ok, what's the "correct" way to deal with systems developed in-house, that
> have their own sets of subdirectories.

Assuming the directories fit a standard use-case, add fcontexts so those
directories get labeled properly for that use case. E.g. if you have web
content in a custom directory:

    semanage fcontext -a -t httpd_sys_content_t '/custom/path/to/html/files(/.*)?'
    semanage fcontext -a -t httpd_sys_script_exec_t '/custom/path/to/script/files(/.*)?'

Then just relabel those directories:

    restorecon -R /custom/path/to/*

Also check selinux booleans to see if there is already one available to
enable some functionality you need, e.g. for http:

    getsebool -a | grep http

If those two steps aren't applicable, you have to develop your own policy.
Start in permissive mode and use audit2allow.

Use a config management system like Puppet to automate the above steps when
deploying custom code.
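The labeling steps from the reply above, as a re-runnable deployment helper (an added example, not part of the original message). The function names are hypothetical, the paths are the reply's own placeholder paths, and `spec_covers` approximates SELinux's anchored PCRE matching with `grep -Ex`.

```shell
#!/bin/sh
# Added example: idempotent fcontext labeling for a custom web directory.

# Return 0 if path $2 would be matched by file-context spec $1.
# SELinux anchors the spec at both ends; grep -x does the same.
# Approximation: grep uses POSIX ERE, libselinux uses PCRE.
spec_covers() {
    printf '%s\n' "$2" | grep -Eqx -- "$1"
}

# Add a local fcontext rule; if one already exists for the spec,
# modify it instead, so repeated deployment runs do not fail.
ensure_fcontext() {
    setype=$1
    spec=$2
    semanage fcontext -a -t "$setype" "$spec" 2>/dev/null ||
        semanage fcontext -m -t "$setype" "$spec"
}

# Relabel a tree, then do a dry run (-n): any output from the dry run
# means some file still differs from what the policy expects.
relabel_and_verify() {
    restorecon -R -v "$1" || return 1
    leftover=$(restorecon -R -n -v "$1")
    [ -z "$leftover" ]
}

# Only touch the system when called as: ./label-web.sh apply
if [ "${1:-}" = "apply" ]; then
    html_spec='/custom/path/to/html/files(/.*)?'
    cgi_spec='/custom/path/to/script/files(/.*)?'

    # Pre-flight: the spec must cover the directory itself and its contents.
    spec_covers "$html_spec" /custom/path/to/html/files || exit 1
    spec_covers "$html_spec" /custom/path/to/html/files/index.html || exit 1

    ensure_fcontext httpd_sys_content_t "$html_spec"
    ensure_fcontext httpd_sys_script_exec_t "$cgi_spec"
    relabel_and_verify /custom/path/to || {
        echo "some files under /custom/path/to are still mislabeled" >&2
        exit 1
    }
fi
```

The single quotes around each spec keep the shell from interpreting the parentheses, `*` and `?` before `semanage` sees them.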