gitea-pages/admin-guide/configuration/software/selinux_configuration.md

SELinux Configuration

SELinux can be configured in Hiera.

For troubleshooting SELinux related problems please have a look at the SELinux Troubleshooting Guide.

Basic Settings

Set the SELinux mode with base::selinux_mode. Options:

  • enforcing
  • permissive
  • disabled

Example:

base::selinux_mode: 'disabled'

The default depends on the Puppet role, e.g. for servers it is enforcing while for workstations and consoles it is disabled.

The permissive option is useful when setting up a new server: violations are logged but not blocked, so you can see where SELinux would intervene if it were enforcing.

Logging Violations

To record SELinux violations, auditd needs to run:

base::enable_auditd: true

On RHEL9 and later this is enabled by default if SELinux is permissive or enforcing.

setroubleshootd is then very helpful for working out how to configure SELinux when an action is wrongly reported as a violation:

selinux::setroubleshootd: true

On RHEL9 and later this is enabled by default if SELinux is permissive or enforcing.

Finetuning

SELinux Booleans

Allow home directories on NFS:

selinux::use_nfs_home_dirs: true

Set SELinux booleans:

selinux::booleans: [ 'httpd_can_network_connect', 'domain_can_mmap_files']

File Context (fcontext)

Set the file context for specific directories:

selinux::fcontext:
  logbook-data:
    pathspec: '/var/www/html/logbook-data(/.*)?'
    seltype: 'httpd_sys_rw_content_t'
  logbook-data-local:
    pathspec: '/var/www/html/logbook-data-local(/.*)?'
    seltype: 'httpd_sys_rw_content_t'

A unique, arbitrary key name is needed for each entry.

If you want a path to have the same fcontext configuration as another path, declare an equivalence:

selinux::fcontext::equivalence:
  apache_ssl_conf:
    path: '/srv/online/config/ssl.conf'
    target: '/etc/httpd/conf/httpd.conf'
  apache_index_html:
    path: '/srv/online/config/index.html'
    target: '/var/www/html/index.html'
  apache_online_web:
    path: '/srv/online/web'
    target: '/var/www/html'
  apache_offlinecheck:
    path: '/srv/offlinecheck'
    target: '/var/www/html'

A unique, arbitrary key name is needed for each entry here as well.

Custom Module

Custom SELinux modules can also be added.

Such a module can be created from recorded violations with:

ausearch --raw | audit2allow -r -m $CUSTOM_SELINUX_MODULE_NAME

Note that the setroubleshootd log output usually gives you a narrower ausearch filter for each recorded violation.

Each such module needs to be added under a unique key below the Hiera key selinux::modules::te. A full example is:

selinux::modules::te:
  # SELinux is preventing /usr/local/bin/musrview from setattr access on the directory /usr/lib/fontconfig/cache
  'musrview-font-cache': |
    module musrview-font-cache 1.0;
    require {
        type lib_t;
        type httpd_sys_script_t;
        class dir setattr;
    }
    allow httpd_sys_script_t lib_t:dir setattr;

Do not forget to increase the version number if you update such a module.
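As an added check (example code written for this guide, not part of it or of the Puppet modules it configures): the function below validates one selinux::modules::te entry before it is committed to Hiera. It assumes the module text is passed as a string and that the currently deployed version, if any, is known. It checks that the module name matches the Hiera key, that every type, class and permission used in an allow rule is declared in the require block, and that an updated module carries a higher version than the deployed one.

```python
import re

# Constructed sample mirroring the page's Hiera entry (module name must equal the key).
SAMPLE_TE = """\
module musrview-font-cache 1.0;
require {
    type lib_t;
    type httpd_sys_script_t;
    class dir setattr;
}
allow httpd_sys_script_t lib_t:dir setattr;
"""

HEADER_RE = re.compile(r"^\s*module\s+(\S+)\s+(\d+)\.(\d+)\s*;", re.M)
REQ_RE = re.compile(r"require\s*\{(.*?)\}", re.S)
# allow SRC TGT:CLASS PERM;  or  allow SRC TGT:CLASS { PERM PERM };
ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+\{?\s*([^};]+?)\s*\}?\s*;", re.M)
CLASS_RE = re.compile(r"\bclass\s+(\S+)\s+\{?\s*([^};]+?)\s*\}?\s*;")


def check_te_module(key, te_text, deployed=None):
    """Return a list of problems with a selinux::modules::te entry (empty list = OK).

    deployed: optional (major, minor) version currently installed under this key;
    an updated module must carry a higher version or the old one stays active.
    """
    problems = []
    m = HEADER_RE.search(te_text)
    if not m:
        return ["missing 'module NAME VERSION;' header"]
    name, version = m.group(1), (int(m.group(2)), int(m.group(3)))
    if name != key:
        problems.append(f"module name {name!r} does not match Hiera key {key!r}")
    if deployed is not None and version <= deployed:
        problems.append(f"version {version} must be greater than deployed {deployed}")
    req = REQ_RE.search(te_text)
    req_body = req.group(1) if req else ""
    req_types = set(re.findall(r"\btype\s+(\S+)\s*;", req_body))
    req_classes = dict(CLASS_RE.findall(req_body))
    rules = ALLOW_RE.findall(te_text)
    if not rules:
        problems.append("no allow rules found")
    for src, tgt, cls, perms in rules:
        for t in (src, tgt):
            if t != "self" and t not in req_types:  # 'self' never needs a require line
                problems.append(f"type {t!r} used in allow rule but not in require block")
        if cls not in req_classes:
            problems.append(f"class {cls!r} used in allow rule but not in require block")
        else:
            missing = set(perms.split()) - set(req_classes[cls].split())
            if missing:
                problems.append(f"permissions {sorted(missing)} for class {cls!r} not in require block")
    return problems
```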