08Selinux - amagerard/Freeradius GitHub Wiki
See TemplateVM-selinux.
Check that setroubleshoot and setools-console are installed:

```
rpm -qa | grep setroubleshoot
rpm -qa | grep setools-console
```

If they are not present, install them:

```
dnf install setroubleshoot setools-console
```
SELinux must be in permissive mode while the alerts are collected:

```
getenforce
Permissive
```
Stop the services:

```
systemctl stop freeradius-sql
systemctl stop freeradius-ldap
systemctl stop freeradius-ad
systemctl stop smb
systemctl stop nmb
systemctl stop winbind
```
Open a console as root and follow the log:

```
journalctl -f
```

or

```
journalctl -t setroubleshoot
```

or

```
journalctl | grep ausearch
```

Open another console as root and start the services one at a time. The log shows the SELinux denials and offers solution(s).

```
systemctl start <service>
systemctl status <service>
```
Example of a setroubleshoot message:

```
When you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
# semodule -X 300 -i my-phpfpm.pp
```
Run the first suggested command:

```
ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
```

The output will be:

```
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i my-phpfpm.pp
```

Run the command it gives you:

```
semodule -i my-phpfpm.pp
```
Restart the service as many times as needed until you no longer get SELinux alert messages.
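As an added example (not part of the original wiki), a small Python reviewer for `ausearch --raw` output: it groups the AVC denials into the `allow` rules that `audit2allow -M` would write into the generated `.te`, so you can read what the module will grant before running `semodule -i`. The audit lines and the function names are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample of `ausearch --raw` output (not captured from a real host).
SAMPLE_RAW = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { name_connect } for  pid=1201 comm="radiusd" dest=3306 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read } for  pid=1201 comm="radiusd" name="sql.conf" dev="dm-0" ino=4242 scontext=system_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.103:203): avc:  denied  { open } for  pid=1201 comm="radiusd" path="/home/admin/sql.conf" dev="dm-0" ino=4242 scontext=system_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
"""
AVC_RE = re.compile(  # permissions, process name, source/target SELinux type, object class
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=\w+:\w+:(?P<stype>\w+):\S+ tcontext=\w+:\w+:(?P<ttype>\w+):\S+'
    r' tclass=(?P<tclass>\w+)(?: permissive=(?P<permissive>[01]))?'
)

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = frozenset(rec["perms"].split())
    rec["permissive"] = rec["permissive"] == "1"  # 1: logged only (permissive mode), not blocked
    return rec

def summarize(raw):
    """Group denials by (source type, target type, class), the granularity of one allow rule."""
    rules, comms = defaultdict(set), defaultdict(set)
    for line in raw.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["stype"], rec["ttype"], rec["tclass"])
            rules[key] |= rec["perms"]
            comms[key].add(rec["comm"])  # the process names to pass to `ausearch -c`
    return dict(rules), dict(comms)

def te_rules(rules):
    """Render the allow rules that audit2allow -M would put in the generated .te file."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {body};")
    return out

def needs_review(rules):
    """Rules letting a daemon reach user home content: usually a misplaced or mislabelled file, better fixed by moving or relabelling it than by a policy module."""
    return [key for key in sorted(rules) if key[1].endswith("home_t")]
```

Feed it the real `ausearch -c '<name>' --raw` output instead of the sample and compare `te_rules()` with the `.te` file next to the generated `.pp` before installing the module.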
After fixing all SELinux alerts, check the services:

```
systemctl start smb
systemctl status smb
systemctl start nmb
systemctl status nmb
systemctl start winbind
systemctl status winbind
systemctl start freeradius-sql
systemctl status freeradius-sql
systemctl start freeradius-ldap
systemctl status freeradius-ldap
systemctl start freeradius-ad
systemctl status freeradius-ad
```
If you managed to get rid of all the SELinux messages, congratulations.
Switching SELinux to "enforcing": edit `/etc/crontab` and comment out the `@reboot` line that set SELinux to permissive at every boot.

```
vi /etc/crontab
```

```
# enable selinux enforcing
#@reboot root setenforce 0
```

Restart your server:

```
reboot
```

or

```
init 6
```
The steps above leave files named `my-<..>.pp` behind.
I didn't find the reason why and whose fault it is.
I delete all these files:

```
cd /
find . -name my-"*".pp -exec rm {} \;
```