08Selinux - amagerard/Freeradius GitHub Wiki


8. Selinux.

See TemplateVM-selinux.

8.1 Selinux permissive.

Check that setroubleshoot and setools-console are present.
rpm -qa | grep setroubleshoot
rpm -qa | grep setools-console
If they are not present, install them.
dnf install setroubleshoot setools-console

Check that selinux is permissive.
getenforce

Permissive  

Stop services.
systemctl stop freeradius-sql
systemctl stop freeradius-ldap
systemctl stop freeradius-ad
systemctl stop smb
systemctl stop nmb
systemctl stop winbind

8.2 Watching alerts.

Open a console as root.
journalctl -f
or
journalctl -t setroubleshoot
or
journalctl | grep ausearch

Open another console as root.

8.3 Troubleshooting alerts.

Start each service and check its status; the log in the first console shows the selinux errors and offers solution(s).
systemctl start <service>
systemctl status <service>

Example:

When you should report this as a bug.  
   You can generate a local policy module to allow this access.  
   Do  
   allow this access for now by executing:  
   # ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm  
   # semodule -X 300 -i my-phpfpm.pp  

Run the first suggested command:

ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm  

The output will be:

******************** IMPORTANT ***********************  
To make this policy package active, execute:  
  
semodule -i my-phpfpm.pp  

Run the command it gives.
semodule -i my-phpfpm.pp

Restart the service and repeat these steps until you no longer get selinux alert messages.

After fixing all selinux alerts.
Check services.

`systemctl start smb`  
`systemctl status smb`  
`systemctl start nmb`  
`systemctl status nmb`  
`systemctl start winbind`  
`systemctl status winbind`  
`systemctl start freeradius-sql`  
`systemctl status freeradius-sql`  
`systemctl start freeradius-ldap`  
`systemctl status freeradius-ldap`  
`systemctl start freeradius-ad`  
`systemctl status freeradius-ad`  
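As an added example (not from the wiki), a small POSIX shell helper that parses the AVC records you see in the first console while starting the services in permissive mode, lists each distinct denied `comm=`, and prints the page's ausearch/audit2allow/semodule steps for it. The audit lines are constructed samples, and the `cat my-<comm>.te` review line is an addition to the page's steps (audit2allow -M writes a .te source file next to the .pp).

```shell
#!/bin/sh
# Constructed sample of the AVC records that journalctl / ausearch show while
# services are started in permissive mode (not real log data).
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:201): avc:  denied  { write } for  pid=1201 comm="php-fpm" name="sess_x" dev="dm-0" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.102:202): avc:  denied  { name_connect } for  pid=1300 comm="radiusd" dest=3306 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000000.103:203): avc:  denied  { read } for  pid=1201 comm="php-fpm" name="sess_y" dev="dm-0" ino=43 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=257 success=yes exit=3 comm="php-fpm" exe="/usr/sbin/php-fpm"'

# avc_comms LOGTEXT: distinct comm= values of denied AVC records, one per line.
# Only AVC records count; SYSCALL records also carry comm= but are not denials.
avc_comms() {
    printf '%s\n' "$1" |
        awk '/^type=AVC / && / denied /' |
        sed -n 's/.* comm="\([^"]*\)".*/\1/p' |
        sort -u
}

# avc_count LOGTEXT COMM: number of denied AVC records for one comm.
avc_count() {
    printf '%s\n' "$1" |
        awk -v c="comm=\"$2\"" '/^type=AVC / && / denied / && index($0, c) > 0 { n++ } END { print n+0 }'
}

# avc_suggest LOGTEXT: print the page's ausearch -c '<comm>' --raw | audit2allow -M
# my-<comm> / semodule -i steps for every comm found, with a review step in between.
avc_suggest() {
    avc_comms "$1" | while IFS= read -r comm; do
        printf "ausearch -c '%s' --raw | audit2allow -M my-%s\n" "$comm" "$comm"
        printf 'cat my-%s.te   # review the generated rules before installing\n' "$comm"
        printf 'semodule -i my-%s.pp\n' "$comm"
    done
}

avc_suggest "$SAMPLE_AVC"
```

Feed it real output with `avc_suggest "$(journalctl -k -g denied)"` or `avc_suggest "$(ausearch -m AVC --raw)"` to get the commands for every service that was denied, rather than chasing one alert at a time.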

8.4 Selinux enforcing.

If you managed to clear all the selinux alerts, congratulations.

Switch selinux to "enforcing" by commenting out the crontab line that sets permissive mode at boot.
vi /etc/crontab

# enable selinux enforcing  
#@reboot root setenforce 0  

Restart your server.
reboot or init 6

8.5 Selinux garbage files.

Selinux creates files named my-<...>.pp.
I didn't find out why, or whose fault it is.
I delete all these files.
cd /
find . -name 'my-*.pp' -exec rm {} \;
