From 4641ff20a107567f4e1f7f150bd8a388163f458e Mon Sep 17 00:00:00 2001
From: ebner
Date: Mon, 10 Jun 2024 15:02:28 +0200
Subject: [PATCH 1/2] add some info regarding how to configure selinux
---
 _toc.yml | 1 +
 .../configuration/selinux_configuration.md | 59 +++++++++++++++++++
 2 files changed, 60 insertions(+)
 create mode 100644 admin-guide/configuration/selinux_configuration.md
diff --git a/_toc.yml b/_toc.yml
index bb7f17c8..2917ccad 100644
--- a/_toc.yml
+++ b/_toc.yml
@@ -66,6 +66,7 @@ chapters:
   - file: admin-guide/configuration/ssh_host_hopping
   - file: admin-guide/configuration/citrix_vda
   - file: admin-guide/configuration/configuration_email
+  - file: admin-guide/configuration/selinux_configuration
   - file: admin-guide/container/index
     sections:
     - file: admin-guide/container/docker
diff --git a/admin-guide/configuration/selinux_configuration.md b/admin-guide/configuration/selinux_configuration.md
new file mode 100644
index 00000000..6e67d267
--- /dev/null
+++ b/admin-guide/configuration/selinux_configuration.md
@@ -0,0 +1,59 @@
+# SELinux Configuration
+
+Enable troubleshoot tools
+```yml
+base::enable_auditd: true
+selinux::setroubleshootd: true
+```
+
+Enable or disable selinux on a machine (default depends on the RHEL version)
+```yml
+base::selinux_mode: 'disabled'
+```
+
+Options:
+* `permissive`
+* `enforcing`
+
+
+Use nfs home directory:
+```yaml
+selinux::use_nfs_home_dirs: true
+```
+
+Set selinux booleans
+```yml
+selinux::booleans: [ 'httpd_can_network_connect', 'domain_can_mmap_files']
+```
+
+
+Set fcontext for specific directories/directory
+```yml
+selinux::fcontext:
+  logbook-data:
+    pathspec: '/var/www/html/logbook-data(/.*)?'
+    seltype: 'httpd_sys_rw_content_t'
+  logbook-data-local:
+    pathspec: '/var/www/html/logbook-data-local(/.*)?'
+    seltype: 'httpd_sys_rw_content_t'
+```
+(you can choose any unique key name)
+
+
+Explicitly specify a selinux module:
+```yml
+selinux::modules::te:
+  # SELinux is preventing /usr/local/bin/musrview from setattr access on the directory /usr/lib/fontconfig/cache
+  'musrview-font-cache': |
+    module musrview-font-cache 1.0;
+    require {
+      type lib_t;
+      type httpd_sys_script_t;
+      class dir setattr;
+    }
+    allow httpd_sys_script_t lib_t:dir setattr;
+
+```
+
+
+For troubleshooting SELinux related problems please have a look at [SELinux Troublehooting Guide](../troubleshooting/selinux.md)`
\ No newline at end of file
From 120128b44e475535b9232d83315b15f08046e754 Mon Sep 17 00:00:00 2001
From: ebner
Date: Mon, 10 Jun 2024 15:28:15 +0200
Subject: [PATCH 2/2] reordered
---
 admin-guide/configuration/selinux_configuration.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/admin-guide/configuration/selinux_configuration.md b/admin-guide/configuration/selinux_configuration.md
index 6e67d267..b5c42c45 100644
--- a/admin-guide/configuration/selinux_configuration.md
+++ b/admin-guide/configuration/selinux_configuration.md
@@ -12,8 +12,9 @@ base::selinux_mode: 'disabled'
 ```
 
 Options:
-* `permissive`
 * `enforcing`
+* `permissive`
+* `disabled`
 
 
 Use nfs home directory: