[CentOS] selinux-policy update resets /etc/selinux/targeted/contexts/files/file_contexts?
Hi,

On an internal webserver (latest C6) I want smb-access to /var/www/html/

In April I did

chcon -R -t public_content_rw_t /var/www/html/
setsebool -P allow_smbd_anon_write 1
setsebool -P allow_httpd_anon_write 1
echo /var/www/html/ -- unconfined_u:object_r:public_content_rw_t:s0 >> /etc/selinux/targeted/contexts/files/file_contexts

After the latest round of updates (including selinux-policy.noarch 0:3.7.19-260.el6_6.1 and selinux-policy-targeted.noarch 0:3.7.19-260.el6_6.1) samba-access to /var/www/html was denied. Applying the commands above re-enabled samba-access.

Does anyone know how I can configure selinux to remember this after an update to the policies?

Thanks
Patrick
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] selinux-policy update resets /etc/selinux/targeted/contexts/files/file_contexts?
On Wed, December 17, 2014 05:07, Patrick Bervoets wrote:
> Hi,
>
> On an internal webserver (latest C6) I want smb-access to /var/www/html/
>
> In April I did
>
> chcon -R -t public_content_rw_t /var/www/html/
> setsebool -P allow_smbd_anon_write 1
> setsebool -P allow_httpd_anon_write 1
> echo /var/www/html/ -- unconfined_u:object_r:public_content_rw_t:s0 >> /etc/selinux/targeted/contexts/files/file_contexts
>
> After the latest round of updates (including selinux-policy.noarch 0:3.7.19-260.el6_6.1 and selinux-policy-targeted.noarch 0:3.7.19-260.el6_6.1) samba-access to /var/www/html was denied. Applying the commands above re-enabled samba-access.
>
> Does anyone know how I can configure selinux to remember this after an update to the policies?
>
> Thanks
> Patrick

yum install policycoreutils-python
man audit2why
man audit2allow
man semodule

If you have setroubleshoot installed then the avc message in /var/log/messages should tell you to run sealert with the requisite parameters. Then follow the instructions.

You will likely find it advisable to post your proposed custom se policy changes here first and get feedback about anything that is too broadly permissive.

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne        mailto:byrn...@harte-lyne.ca
Harte Lyne Limited    http://www.harte-lyne.ca
9 Brockley Drive      vox: +1 905 561 1241
Hamilton, Ontario     fax: +1 905 561 0757
Canada L8E 3C3
Re: [CentOS] selinux-policy update resets /etc/selinux/targeted/contexts/files/file_contexts?
On Wed, Dec 17, 2014 at 11:07:06AM +0100, Patrick Bervoets wrote:
> echo /var/www/html/ -- unconfined_u:object_r:public_content_rw_t:s0 >> /etc/selinux/targeted/contexts/files/file_contexts

Next time try putting the local policy into:

/etc/selinux/targeted/contexts/files/file_contexts.local

... which isn't overwritten by package updates. This is what would have happened if you had used the 'semanage fcontext' command.

--
Jonathan Billings billi...@negate.org
Re: [CentOS] selinux-policy update resets /etc/selinux/targeted/contexts/files/file_contexts?
On 12/17/2014 05:07 AM, Patrick Bervoets wrote:
> Hi,
>
> On an internal webserver (latest C6) I want smb-access to /var/www/html/
>
> In April I did
>
> chcon -R -t public_content_rw_t /var/www/html/
> setsebool -P allow_smbd_anon_write 1
> setsebool -P allow_httpd_anon_write 1
> echo /var/www/html/ -- unconfined_u:object_r:public_content_rw_t:s0 >> /etc/selinux/targeted/contexts/files/file_contexts

This is incorrect.

# semanage fcontext -a -t public_content_rw_t '/var/www/html(/.*)?'
# restorecon -R -v /var/www/html

Should change the label and it should survive relabel.

> After the latest round of updates (including selinux-policy.noarch 0:3.7.19-260.el6_6.1 and selinux-policy-targeted.noarch 0:3.7.19-260.el6_6.1) samba-access to /var/www/html was denied. Applying the commands above re-enabled samba-access.
>
> Does anyone know how I can configure selinux to remember this after an update to the policies?
>
> Thanks
> Patrick
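
Added example, not part of the thread: a shell check that reports whether the rule for a path spec is stored in file_contexts.local (where 'semanage fcontext' records it) or only in the package-managed file_contexts, which is the situation the original post ran into. The function names, the CTX_DIR override and the sample files built by demo are constructed for illustration; persist_label wraps the semanage/restorecon pair from the message above.

```shell
#!/bin/sh
# Added example, not from the thread. Reports where the file-context rule for a
# path spec is stored, so hand edits that a policy update discards are caught.
# CTX_DIR (an assumption of this example) can point at a copy of the directory.
CTX_DIR="${CTX_DIR:-/etc/selinux/targeted/contexts/files}"

# has_rule FILE SPEC: true if FILE has a rule whose first field equals SPEC.
# SPEC is passed through the environment so awk compares it as a plain string.
has_rule() {
    [ -r "$1" ] &&
        SPEC="$2" awk '$1 == ENVIRON["SPEC"] { hit = 1 } END { exit !hit }' "$1"
}

# fcontext_rule_origin SPEC prints one of:
#   local     in file_contexts.local (recorded by semanage, kept across updates)
#   packaged  only in file_contexts (replaced when selinux-policy is updated)
#   missing   no rule for SPEC
fcontext_rule_origin() {
    if has_rule "$CTX_DIR/file_contexts.local" "$1"; then echo local
    elif has_rule "$CTX_DIR/file_contexts" "$1"; then echo packaged
    else echo missing
    fi
}

# persist_label DIR TYPE: the semanage/restorecon pair from the thread.
# Needs root and policycoreutils-python; not called by the demo.
persist_label() {
    semanage fcontext -a -t "$2" "$1(/.*)?" && restorecon -R -v "$1"
}

# demo: constructed sample files reproducing the thread's situation.
# Runs in a subshell so CTX_DIR is only changed for the demo.
demo() (
    d=$(mktemp -d) || exit 1
    CTX_DIR="$d"
    # Hand-appended line, as in the original post.
    echo '/var/www/html/ -- unconfined_u:object_r:public_content_rw_t:s0' \
        > "$d/file_contexts"
    # The kind of line 'semanage fcontext -a' records instead.
    echo '/var/www/html(/.*)?    system_u:object_r:public_content_rw_t:s0' \
        > "$d/file_contexts.local"
    fcontext_rule_origin '/var/www/html/'
    fcontext_rule_origin '/var/www/html(/.*)?'
    fcontext_rule_origin '/srv/share(/.*)?'
    rm -rf "$d"
)

demo
```

On a live host, a result of "packaged" for a rule you added yourself means it should be re-created with persist_label before the next selinux-policy update.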
Re: [CentOS] selinux-policy update resets /etc/selinux/targeted/contexts/files/file_contexts?
On 17-12-14 at 14:56, Jonathan Billings wrote:
> On Wed, Dec 17, 2014 at 11:07:06AM +0100, Patrick Bervoets wrote:
>> echo /var/www/html/ -- unconfined_u:object_r:public_content_rw_t:s0 >> /etc/selinux/targeted/contexts/files/file_contexts
>
> Next time try putting the local policy into:
>
> /etc/selinux/targeted/contexts/files/file_contexts.local
>
> ... which isn't overwritten by package updates. This is what would have happened if you had used the 'semanage fcontext' command.

Thank you, it even makes sense :-)
Troubleshooting selinux is still on my skills-wishlist.
Re: [CentOS] selinux-policy update resets /etc/selinux/targeted/contexts/files/file_contexts?
On 17-12-14 at 15:12, Daniel J Walsh wrote:
> On 12/17/2014 05:07 AM, Patrick Bervoets wrote:
>> Hi,
>>
>> On an internal webserver (latest C6) I want smb-access to /var/www/html/
>>
>> In April I did
>>
>> chcon -R -t public_content_rw_t /var/www/html/
>> setsebool -P allow_smbd_anon_write 1
>> setsebool -P allow_httpd_anon_write 1
>> echo /var/www/html/ -- unconfined_u:object_r:public_content_rw_t:s0 >> /etc/selinux/targeted/contexts/files/file_contexts
>
> This is incorrect.
>
> # semanage fcontext -a -t public_content_rw_t '/var/www/html(/.*)?'
> # restorecon -R -v /var/www/html
>
> Should change the label and it should survive relabel.
>
>> After the latest round of updates (including selinux-policy.noarch 0:3.7.19-260.el6_6.1 and selinux-policy-targeted.noarch 0:3.7.19-260.el6_6.1) samba-access to /var/www/html was denied.

Thanks, I know I shouldn't just follow serverfault instructions without complete understanding.
One day I'll have to learn to master selinux. (and rtfm)

Patrick