08Selinux - amagerard/FreeRadius GitHub Wiki
See TemplateVM-selinux.
Check that setroubleshoot and setools-console are installed.
rpm -qa | grep setroubleshoot
rpm -qa | grep setools-console
If they are not present, install them.
dnf install setroubleshoot setools-console
SELinux must be in enforcing mode during the test, so that each denied access really fails and produces an alert.
setenforce 1
getenforce
Enforcing
Stop services.
systemctl stop freeradius-sql
systemctl stop freeradius-ldap
systemctl stop freeradius-ad
systemctl stop smb
systemctl stop nmb
systemctl stop winbind
Clear the journal, so that only new alerts appear in the log.
journalctl --user --flush --rotate --vacuum-time=1s
journalctl --flush --rotate --vacuum-time=1s
You need two consoles as root.
In the first console, follow the log:
journalctl -f
or, to see only the setroubleshoot alerts:
journalctl -t setroubleshoot
or
journalctl | grep ausearch
In the second console, run the SELinux commands.
The log shows the SELinux denials and suggests one or more fixes.
systemctl start  <service>
systemctl status <service>
Example (extract of the setroubleshoot report as it appears in the journal):
   Then you should report this as a bug.
   You can generate a local policy module to allow this access.
   Do
   allow this access for now by executing:
   # ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
   # semodule -X 300 -i my-phpfpm.pp
Run the first command:
ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
ausearch reads the audit log (/var/log/audit/audit.log), which the journal cleanup above does not touch, so without a time filter such as -ts recent it returns every php-fpm denial recorded so far, old ones included. audit2allow writes my-phpfpm.te (readable policy source) and my-phpfpm.pp (compiled package) into the current directory and ends with:
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-phpfpm.pp
Read my-phpfpm.te before going on: audit2allow allows exactly what was denied, and it adds "#!!!!" comments when a boolean (setsebool) or a relabel (restorecon) is the proper fix instead of a custom rule. If the rules are acceptable, load the package (the -X 300 in the setroubleshoot hint only sets the module priority; without it semodule uses 400):
semodule -i my-phpfpm.pp
Restart the service and repeat until the log shows no more SELinux alerts for it.
Then clear the journal again:
journalctl --user --flush --rotate --vacuum-time=1s
journalctl --flush --rotate --vacuum-time=1s
and repeat for the next service.
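The review step of the procedure above, as an added example that is not part of the wiki or of FreeRADIUS: a small POSIX shell script that inspects the my-xxx.te written by audit2allow -M before the matching .pp is loaded. It pulls out the allow rules and the "#!!!!" hints audit2allow leaves when a boolean or a relabel would be the right fix, and flags rules that touch permissions or types a quick local module should not grant casually (that list is the example's own choice, not an official one). The two sample .te files are constructed here in the shape audit2allow produces; replace them with your own.

```shell
#!/bin/sh
# Added example, not part of the wiki or of FreeRADIUS: review the .te file
# written by "ausearch -c <cmd> --raw | audit2allow -M my-<name>" before
# loading the matching .pp with semodule.  audit2allow grants exactly what was
# denied, and it marks in "#!!!!" comments the denials that should be fixed
# with a boolean (setsebool) or a relabel (restorecon) rather than a rule.
# The risky permission/type lists are this example's own choice (assumption).

RISKY_PERMS='execmem|execmod|execheap|execstack|entrypoint|transition|dac_override|dac_read_search|sys_admin|sys_module|sys_ptrace|setuid|setgid|net_admin|mmap_zero|relabelfrom|relabelto|audit_write'
RISKY_TYPES='shadow_t|etc_t|security_t|selinux_config_t|kernel_t|init_t|unconfined_t|bin_t|shell_exec_t|sshd_key_t|passwd_file_t|admin_home_t'

# te_notes FILE: the "#!!!!" hints audit2allow wrote (boolean exists, file
# mislabeled, base type...).  Each one means: do not load, apply the hinted fix.
te_notes() {
    grep -E '^[[:space:]]*#!!!!' "$1" || true
}

# te_allow_rules FILE: every "allow" statement on one line, comments removed
# and whitespace normalised, so a rule wrapped over several lines still matches.
te_allow_rules() {
    grep -Ev '^[[:space:]]*#' "$1" |
    awk 'BEGIN { RS = ";" }
         { gsub(/[ \t\n]+/, " "); $0 = " " $0
           i = index($0, " allow ")
           if (i > 0) print substr($0, i + 1) ";" }'
}

# review_te FILE: print one verdict line per rule.  Returns 0 only when the
# module is a narrow grant with no hints; 1 when a human has to decide.
review_te() {
    _file="$1"
    _bad=0
    _notes=$(te_notes "$_file")
    if [ -n "$_notes" ]; then
        printf '%s\n' "$_notes" | sed 's/^/HINT  /'
        _bad=1
    fi
    _rules=$(te_allow_rules "$_file")
    if [ -z "$_rules" ]; then
        echo "no allow rule found in $_file"
        return 1
    fi
    _pat="[ {]($RISKY_PERMS)[ };]|[ ]($RISKY_TYPES)[ :]"
    printf '%s\n' "$_rules" | while IFS= read -r _rule; do
        if printf '%s\n' "$_rule" | grep -Eq "$_pat"; then
            printf 'RISKY %s\n' "$_rule"
        else
            printf 'ok    %s\n' "$_rule"
        fi
    done
    _risky=$(printf '%s\n' "$_rules" | grep -Ec "$_pat" || true)
    [ "$_risky" -eq 0 ] || _bad=1
    return $_bad
}

# write_samples DIR: two constructed .te files in the shape audit2allow -M
# produces (sample data, not taken from a real system).
write_samples() {
    cat > "$1/my-phpfpm-ok.te" <<'EOF'
module my-phpfpm-ok 1.0;

require {
    type httpd_t;
    type radiusd_log_t;
    class file { open read };
}

#============= httpd_t ==============
allow httpd_t radiusd_log_t:file { open read };
EOF
    cat > "$1/my-phpfpm-bad.te" <<'EOF'
module my-phpfpm-bad 1.0;

require {
    type httpd_t;
    type http_port_t;
    type shadow_t;
    class tcp_socket name_connect;
    class file read;
    class process execmem;
}

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
allow httpd_t http_port_t:tcp_socket name_connect;
allow httpd_t self:process execmem;
allow httpd_t shadow_t:file read;
EOF
}

# Demo: review both samples; replace the path with your own my-xxx.te.
_dir=$(mktemp -d)
write_samples "$_dir"
for _f in "$_dir/my-phpfpm-ok.te" "$_dir/my-phpfpm-bad.te"; do
    echo "== $_f"
    if review_te "$_f"; then echo "verdict: ok to load (semodule -i)"
    else echo "verdict: do not load as-is"; fi
done
rm -rf "$_dir"
```

Run it on your own file with review_te my-phpfpm.te. A HINT line means audit2allow itself knows a better fix (a boolean or a relabel); a RISKY line means the denied access touches something a local module should not hand out without thought (executable memory, shadow_t, etc_t...). In both cases fix the cause or narrow the rule instead of loading the module as generated.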
After fixing all the SELinux alerts, check that every service starts and stays up.
systemctl start smb
systemctl status smb
systemctl start nmb
systemctl status nmb
systemctl start winbind
systemctl status winbind
systemctl start freeradius-sql
systemctl status freeradius-sql
systemctl start freeradius-ldap
systemctl status freeradius-ldap
systemctl start freeradius-ad
systemctl status freeradius-ad
But this is not enough.
SELinux also blocks accesses made by the web applications, and those are not exercised by simply starting the services.
Redo exactly every operation of the web interface while watching the log for SELinux errors, and fix them the same way.
If you managed to get rid of all the SELinux messages, congratulations.
Switching SELinux to "enforcing" permanently.
Until now the server was put back into permissive mode at every boot by a crontab entry; comment it out:
vi /etc/crontab
# enable selinux enforcing
#@reboot root setenforce 0
Also check that /etc/selinux/config contains SELINUX=enforcing, otherwise the system still boots permissive. Then restart the server:
reboot or init 6
After the reboot, getenforce must answer Enforcing.
It is a good idea to create a folder in your home directory and cd into it before running the ausearch | audit2allow commands: they write my-xxx.te and my-xxx.pp (sometimes files with other two-letter extensions too) into the current directory, which makes them easy to delete afterwards.
Otherwise, find them from the root:
cd /
find . -name 'my-*'
Only delete files ending in .pp or .te; other two-letter extensions may exist, check them before deleting.
find . -name 'my-*.pp' -exec rm {} \;
Deleting these files does not unload the modules: semodule -i copied them into the policy store, where they stay active until removed with semodule -r.
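The cleanup described above, as an added example that is not part of the wiki or of FreeRADIUS: a POSIX shell script that separates the two things left behind by a session of audit2allow and semodule -i, the my-xxx.te/.pp files on disk and the modules loaded in the policy store. It deletes the files only below a directory you name (never from /), and lists the loaded my-* modules from semodule -lfull output so they can be removed with semodule -r. The semodule -lfull listing used in the demo is constructed; the priorities 100 (distribution), 300 (the setroubleshoot hint) and 400 (plain semodule -i) are the real defaults.

```shell
#!/bin/sh
# Added example, not part of the wiki or of FreeRADIUS: clean up after an
# audit2allow session.  After "semodule -i my-xxx.pp" two separate things exist:
#   1. my-xxx.te / my-xxx.pp in the directory where audit2allow was run;
#   2. the module itself, copied into the policy store and active until
#      "semodule -r my-xxx" removes it.
# The wiki's "find / -name my-*.pp -exec rm" only deletes 1.

# local_module_names: read "semodule -lfull" output (columns: priority, name,
# format) on stdin and print the my-* modules not at the distribution priority
# 100.  "semodule -i" installs at 400, the setroubleshoot hint "-X 300" at 300.
local_module_names() {
    awk '$1 != 100 && $2 ~ /^my-/ { print $2 }'
}

# purge_policy_files DIR: delete only my-*.pp and my-*.te below DIR and print
# each path removed; refuses to run on "/".
purge_policy_files() {
    [ "$1" != "/" ] || { echo "refusing to purge from /" >&2; return 1; }
    find "$1" -type f \( -name 'my-*.pp' -o -name 'my-*.te' \) -print -exec rm -f {} +
}

# unload_local_modules [--dry-run]: remove the modules listed on stdin from the
# policy store.  With --dry-run, or without semodule on the box, only prints.
unload_local_modules() {
    _dry=0
    if [ "${1:-}" = "--dry-run" ]; then _dry=1; fi
    for _m in $(local_module_names); do
        if [ "$_dry" = 1 ] || ! command -v semodule >/dev/null 2>&1; then
            echo "would run: semodule -r $_m"
        else
            semodule -r "$_m"
        fi
    done
}

# Constructed sample of "semodule -lfull" output (not from a real host).
SAMPLE_LISTING='100 abrt             pp
400 my-phpfpm        pp
300 my-radiusd       pp
100 mysql            pp'

# Demo: the constructed listing, then a scratch directory with leftover files.
# On a real host: semodule -lfull | unload_local_modules
printf '%s\n' "$SAMPLE_LISTING" | unload_local_modules --dry-run
_dir=$(mktemp -d)
touch "$_dir/my-phpfpm.te" "$_dir/my-phpfpm.pp" "$_dir/my-radiusd.pp" "$_dir/notes.txt"
purge_policy_files "$_dir"
ls "$_dir"          # the my-* files are gone, notes.txt stays
rm -rf "$_dir"
```

Keep the .te files until the module has been reviewed and, if the rule turns out to be wrong later, remove the module with semodule -r my-xxx; deleting the .pp alone changes nothing in the running policy.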