Hello,

My problem is adding SELinux policies. Can anyone help and say what is wrong with my policies?

I wrote this:

semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html(/.*)?/typo3conf(/.*)?"

I have more instances of typo3.
I found this construct in the SELinux policies:
"/var/www/html(/.*)?/uploads(/.*)?"

but mine is not working?

and I have only errors?

neverallow check failed at /etc/selinux/targeted/tmp/modules/100/selinuxutil/cil:244
(neverallow selinuxutil_typeattr_1 semanage_store_t (file (relabelto)))
<root>
allow at /etc/selinux/targeted/tmp/modules/100/selinuxutil/cil:675
(allow restorecond_t non_auth_file_type (file (getattr relabelfrom relabelto)))
<root>
allow at /etc/selinux/targeted/tmp/modules/100/systemd/cil:1108
(allow systemd_tmpfiles_t non_auth_file_type (file (getattr relabelfrom relabelto)))

neverallow check failed at /etc/selinux/targeted/tmp/modules/100/base/cil:13121
(neverallow base_typeattr_18 scsi_generic_device_t (blk_file (read)))
<root>
allow at /etc/selinux/targeted/tmp/modules/100/munin/cil:581
(allow disk_munin_plugin_t device_node (blk_file (ioctl read getattr lock open)))
.........

Or is there another, better way to include policies?

--
Best regards

Günther J. Niederwimmer

On 04/30/2017 07:03 AM, Günther J. Niederwimmer wrote:
> I write this!
>
> semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html(/.*)?/typo3conf(/.*)?"

OK. Did you get an error?

> I have more instances from typo3
> I found this construct in the selinux policies
> "/var/www/html(/.*)?/uploads(/.*)?"
>
> but my is not working ?

Can you be specific about what "not working" means? Did you get an error from the semanage command? Are files not labeled correctly?

After setting context rules, you can "restorecon -R -v /var/www/html/" to fix the labels of any existing files. You can see their current labels using "ls -lZ /var/www/html".

> and I have only errors?
>
> neverallow check failed at /etc/selinux/targeted/tmp/modules/100/selinuxutil/cil:244

When do you see that error?

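Added example, not part of the thread or of any poster's message: a shell check of which paths the file-context rule discussed above covers, modelling the whole-path regular-expression match with grep -x. The sample paths and the helper names fc_matches and count_covered are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): which paths does an fcontext pattern cover?
# File-context patterns are regular expressions matched against the whole path,
# so grep -x (whole-line match) is used to model that.

PATTERN='/var/www/html(/.*)?/typo3conf(/.*)?'    # rule from the thread, on one line
WRAPPED='/var/www/html(/.*)?/ typo3conf(/.*)?'   # same rule with a line-wrap space

# fc_matches PATTERN PATH -> exit status 0 if the whole path matches
fc_matches() {
    printf '%s\n' "$2" | grep -Eqx -- "$1"
}

# count_covered PATTERN -> number of constructed sample paths the pattern covers
count_covered() {
    n=0
    while IFS= read -r path; do
        if fc_matches "$1" "$path"; then n=$((n + 1)); fi
    done <<EOF
$SAMPLE_PATHS
EOF
    echo "$n"
}

# Constructed sample paths: TYPO3 instances plus paths the rule should not touch.
SAMPLE_PATHS='/var/www/html/typo3conf
/var/www/html/site1/typo3conf/LocalConfiguration.php
/var/www/html/site2/cms/typo3conf/ext
/var/www/html/site1/index.php
/var/www/html/site1/typo3conf_backup/LocalConfiguration.php'

while IFS= read -r path; do
    if fc_matches "$PATTERN" "$path"; then label=httpd_sys_rw_content_t
    else label='(other rules apply)'; fi
    printf '%-62s %s\n' "$path" "$label"
done <<EOF
$SAMPLE_PATHS
EOF

echo "covered by one-line pattern: $(count_covered "$PATTERN")"
echo "covered by wrapped pattern:  $(count_covered "$WRAPPED")"

# On the real host, after the rule is accepted:
#   semanage fcontext -l | grep typo3conf     # rule is stored
#   restorecon -R -v /var/www/html/           # relabel existing files
#   ls -lZ /var/www/html                      # inspect the resulting labels
```
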
If the content is located under /var/www then you could use restorecon -Rvv to restore the context of all content under /var/www to the default context label as provided by Apache.

--
James A. Peltier
IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus

Hello,

On Sunday, 30 April 2017 18:40:23 CEST Gordon Messmer wrote:
> On 04/30/2017 07:03 AM, Günther J. Niederwimmer wrote:
> > I write this!
> >
> > semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html(/.*)?/typo3conf(/.*)?"
>
> OK. Did you get an error?

I have only errors ;-) when I want to set this rule:

semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html(/.*)?/typo3conf(/.*)?"

These errors are displayed:

neverallow check failed at /etc/selinux/targeted/tmp/modules/100/selinuxutil/cil:244
(neverallow selinuxutil_typeattr_1 semanage_store_t (file (relabelto)))
<root>
allow at /etc/selinux/targeted/tmp/modules/100/selinuxutil/cil:675
(allow restorecond_t non_auth_file_type (file (getattr relabelfrom relabelto)))
<root>
allow at /etc/selinux/targeted/tmp/modules/100/systemd/cil:1108
(allow systemd_tmpfiles_t non_auth_file_type (file (getattr relabelfrom relabelto)))

But the rule is not added/set?

> > I have more instances from typo3
> > I found this construct in the selinux policies
> > "/var/www/html(/.*)?/uploads(/.*)?"
> >
> > but my is not working ?
>
> Can you be specific about what "not working" means? Did you get an
> error from the semanage command? Are files not labeled correctly?
>
> After setting context rules, you can "restorecon -R -v /var/www/html/"
> to fix the labels of any existing files. You can see their current
> labels using "ls -lZ /var/www/html".
>
> > and I have only errors?
> >
> > neverallow check failed at
> > /etc/selinux/targeted/tmp/modules/100/selinuxutil/cil:244
>
> When do you see that error?

--
Best regards

Günther J. Niederwimmer