706Selinux - amagerard/Freeradius GitHub Wiki


6. Selinux.

See TemplateVM-selinux.

On a SambaAd server SELinux is always permissive.

Because in permissive mode SELinux denials are only logged, not enforced, you can work through them and eliminate them one by one.

6.1 Selinux Enforcing.

Check that setroubleshoot is present.
rpm -qa| grep setroubleshoot
rpm -qa| grep setools-console
If not present, it will have to be installed.
dnf install setroubleshoot setools-console

Switch SELinux to enforcing and confirm it.
setenforce 1
getenforce

Enforcing

Stop services.
systemctl stop samba
systemctl stop fail2ban
systemctl stop pdns-recursor

Clean journalctl.
journalctl --user --flush --rotate --vacuum-time=1s
journalctl --flush --rotate --vacuum-time=1s

6.2 Manage Selinux.

You need 2 consoles as root.

Open the first console as root.
journalctl -f
or
journalctl -t setroubleshoot
or
journalctl | grep ausearch

Open the second console as root.
From this console you run the SELinux commands.

6.3 Troubleshooting alerts.

Start the service and watch the log: it shows the SELinux denials and suggests solution(s).
systemctl start <service>
systemctl status <service>

Example (excerpt of a setroubleshoot message as it appears in the log):

When you should report this as a bug.
   You can generate a local policy module to allow this access.
   Do
   allow this access for now by executing:
   # ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
   # semodule -X 300 -i my-phpfpm.pp

Run the first command:

ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm  

The output will be:

******************** IMPORTANT ***********************  
To make this policy package active, execute:  
  
semodule -i my-phpfpm.pp  

Then run the command it names:
semodule -i my-phpfpm.pp

Restart the service and repeat the ausearch / audit2allow / semodule steps until no SELinux alert messages appear for it.

Clear the journal again.
journalctl --user --flush --rotate --vacuum-time=1s
journalctl --flush --rotate --vacuum-time=1s

Repeat for the next service.
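The per-service loop above, as an added example that is not from the wiki: given raw AVC denial records (the format written by auditd and returned by ausearch --raw), it lists which processes were denied, counts the denials per process, and prints the wiki's ausearch | audit2allow | semodule sequence for each, with a step to read the generated .te before the module is loaded. The sample records and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the wiki. Constructed AVC records in the raw
# auditd format; the helpers below read such records from stdin.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { write } for  pid=1234 comm="php-fpm" name="sessions" dev="dm-0" ino=789 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1700000000.456:457): avc:  denied  { read } for  pid=1234 comm="php-fpm" name="config.php" dev="dm-0" ino=790 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000001.001:458): avc:  denied  { name_bind } for  pid=2345 comm="pdns_recursor" src=5300 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=1'

# Print each distinct denied comm="..." value once, sorted.
avc_denied_comms() {
    sed -n 's/.*avc:  denied .* comm="\([^"]*\)".*/\1/p' | sort -u
}

# Print how many denial records name the given process (0 if none).
avc_denials_for() {
    grep -c "avc:  denied .* comm=\"$1\"" || true
}

# Print the remediation sequence for one process. The module is named
# my-<comm> as in the wiki; the .te is shown so the allow rules can be read
# before the package is installed, because audit2allow permits every denial
# it was fed, including any that should have been reported as a bug instead.
remediation_for() {
    mod="my-$1"
    printf "ausearch -c '%s' --raw | audit2allow -M %s\n" "$1" "$mod"
    printf 'cat %s.te   # review the allow rules before loading\n' "$mod"
    printf 'semodule -i %s.pp\n' "$mod"
}

# Emit one remediation block per denied process found on stdin.
remediation_plan() {
    records=$(cat)
    printf '%s\n' "$records" | avc_denied_comms | while read -r comm; do
        n=$(printf '%s\n' "$records" | avc_denials_for "$comm")
        printf '# %s: %s denial(s)\n' "$comm" "$n"
        remediation_for "$comm"
    done
}

printf '%s\n' "$SAMPLE_AVC" | remediation_plan
```

On a live server, feed it `ausearch -m avc --raw` output instead of SAMPLE_AVC; the printed commands are meant to be read and run by hand, one service at a time, as the wiki describes.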

After fixing all selinux alerts.
Check services.

systemctl start samba
systemctl status samba
systemctl start fail2ban
systemctl status fail2ban
systemctl start pdns-recursor
systemctl status pdns-recursor

But this is not enough.

SELinux also blocks access used by the RSAT applications.
You must repeat exactly every operation on the web interface and check the log for SELinux errors after each one.

6.4 Selinux enforcing.

If you managed to delete all the selinux messages, I say congratulations.

Selinux with samba-ad will always have permissive status.

Switch SELinux back to permissive at every boot by adding this entry to the crontab.
vi /etc/crontab

# enable selinux Permissive  
@reboot root setenforce 0  

Restart your server.
reboot or init 6

6.5 Selinux garbage files.

It is a good idea to create a folder in your user home and change into it before running the commands.
The ausearch | audit2allow commands generate my-xxx.pp and my-xxx.te files (and sometimes other extensions) in the current directory.
Keeping them in one folder makes them easier to delete.

Otherwise, to find these files:

cd /

find . -name 'my-*'

Only delete files ending with pp or te.
It is possible that there are other extensions with 2 letters.

find . -name 'my-*.pp' -exec rm {} \;
