diff --git a/_toc.yml b/_toc.yml
index bb7f17c8..2917ccad 100644
--- a/_toc.yml
+++ b/_toc.yml
@@ -66,6 +66,7 @@ chapters:
 - file: admin-guide/configuration/ssh_host_hopping
 - file: admin-guide/configuration/citrix_vda
 - file: admin-guide/configuration/configuration_email
+ - file: admin-guide/configuration/selinux_configuration
 - file: admin-guide/container/index
 sections:
 - file: admin-guide/container/docker
diff --git a/admin-guide/configuration/selinux_configuration.md b/admin-guide/configuration/selinux_configuration.md
new file mode 100644
index 00000000..b5c42c45
--- /dev/null
+++ b/admin-guide/configuration/selinux_configuration.md
@@ -0,0 +1,60 @@
+# SELinux Configuration
+
+Enable troubleshoot tools
+```yml
+base::enable_auditd: true
+selinux::setroubleshootd: true
+```
+
+Enable or disable selinux on a machine (default depends on the RHEL version)
+```yml
+base::selinux_mode: 'disabled'
+```
+
+Options:
+* `enforcing`
+* `permissive`
+* `disabled`
+
+
+Use nfs home directory:
+```yaml
+selinux::use_nfs_home_dirs: true
+```
+
+Set selinux booleans
+```yml
+selinux::booleans: [ 'httpd_can_network_connect', 'domain_can_mmap_files']
+```
+
+
+Set fcontext for specific directories/directory
+```yml
+selinux::fcontext:
+ logbook-data:
+ pathspec: '/var/www/html/logbook-data(/.*)?'
+ seltype: 'httpd_sys_rw_content_t'
+ logbook-data-local:
+ pathspec: '/var/www/html/logbook-data-local(/.*)?'
+ seltype: 'httpd_sys_rw_content_t'
+```
+(you can choose any unique key name)
+
+
+Explicitly specify a selinux module:
+```yml
+selinux::modules::te:
+ # SELinux is preventing /usr/local/bin/musrview from setattr access on the directory /usr/lib/fontconfig/cache
+ 'musrview-font-cache': |
+ module musrview-font-cache 1.0;
+ require {
+ type lib_t;
+ type httpd_sys_script_t;
+ class dir setattr;
+ }
+ allow httpd_sys_script_t lib_t:dir setattr;
+
+```
+
+
+For troubleshooting SELinux related problems please have a look at [SELinux Troublehooting Guide](../troubleshooting/selinux.md)`
\ No newline at end of file