306Selinux - amagerard/FreeRadius GitHub Wiki
|FreeRadius|DaloRadius|ADserver||
See TemplateVM-selinux.
On a SambaAD server, SELinux is permissive.
As the SELinux errors are only displayed in permissive mode,
you can delete them.
Check that setroubleshoot is present.
`rpm -qa | grep setroubleshoot`
`rpm -qa | grep setools-console`
If not present, it will have to be installed.
`dnf install setroubleshoot setools-console`
SELinux is permissive.
`getenforce`
`Permissive`
Stop services.
`systemctl stop samba`
`systemctl stop fail2ban`
Open a console as root.
`journalctl -f`
or
`journalctl -t setroubleshoot`
or
`journalctl | grep ausearch`
Open another console as root.
The log shows SELinux errors and offers solution(s).
`systemctl start <service>`
`systemctl status <service>`
Example:
When you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
`# ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm`
`# semodule -X 300 -i my-phpfpm.pp`
You must run:
`ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm`
The output will be:
`******************** IMPORTANT ***********************`
`To make this policy package active, execute:`
`semodule -i my-phpfpm.pp`
Type the command given in the output.
`semodule -i my-phpfpm.pp`
Restart the service as many times as needed, until you no longer have SELinux alert messages.
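
Each pass of this loop loads whatever `audit2allow` generated, so it helps to see which rules the denials imply before installing the module. The script below is an added example, not part of the original wiki: `sample_avc` and `avc_rules` are hypothetical names, and the audit records are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the wiki): list the allow rules that the AVC
# denials of one command imply, for review before `semodule -i`.

# Constructed audit.log records (assumed sample, not from a real host).
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { name_connect } for  pid=911 comm="php-fpm" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000001.202:202): avc:  denied  { read } for  pid=911 comm="php-fpm" name="app.conf" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000002.303:203): avc:  denied  { open } for  pid=911 comm="php-fpm" path="/home/admin/app.conf" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000002.303:203): arch=c000003e syscall=257 success=yes exit=3 comm="php-fpm"
type=AVC msg=audit(1700000003.404:204): avc:  denied  { write } for  pid=950 comm="radiusd" name="radius" dev="dm-0" ino=77 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1
EOF
}

# avc_rules COMM: read raw audit records on stdin and print one rule per
# (source type, target type, class), with the denied permissions merged.
avc_rules() {
    awk -v comm="$1" '
    /avc: +denied/ && index($0, "comm=\"" comm "\"") {
        src = ""; tgt = ""; cls = ""
        # Permissions are the words between the first "{" and "}".
        perms = substr($0, index($0, "{") + 1)
        perms = substr(perms, 1, index(perms, "}") - 1)
        for (i = 1; i <= NF; i++) {
            # A context is user:role:type:level, so the type is field 3.
            if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        key = src " " tgt ":" cls
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++)
            if (!seen[key, p[i]]++) rules[key] = rules[key] " " p[i]
    }
    END { for (k in rules) print "allow " k " {" rules[k] " };" }
    ' | sort
}

# On a real host: ausearch -c 'php-fpm' --raw | avc_rules php-fpm
sample_avc | avc_rules php-fpm
```

In this constructed output the `user_home_t` rule is the one to question: it usually means a file carries the wrong label, which relabelling fixes without widening the policy.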
After fixing all SELinux alerts, check the services.
`systemctl start samba`
`systemctl status samba`
`systemctl start fail2ban`
`systemctl status fail2ban`
But this is not enough.
SELinux blocks access to RSAT applications.
You must redo exactly all operations on the RSAT applications and check for SELinux errors in the log.
It is not recommended with SambaAD.
If you managed to delete all the SELinux messages, I say congratulations.
Switching to SELinux "enforcing".
`vi /etc/crontab`
`# enable selinux enforcing`
`#@reboot root setenforce 0`
Restart your server.
`reboot`
or `init 6`
SELinux creates files that start with my-<..>.pp.
I didn't find the reason why and whose fault it is.
I delete all these files.
`cd /`
`find . -name 'my-*.pp' -exec rm {} \;`