<p>I worked for a company last year where we were setting it to enforcing with the 'targeted' policy enabled on CentOS 5.x systems. It did not interfere with any of the web application code our developers worked on because Apache was in the default policy. It did cause some challenges for software installed from non-Red Hat (or CentOS) packages, but we managed to get around that with the configuration management tool, <a href="http://reductivelabs.com/trac/puppet" rel="noreferrer">Puppet</a>.</p>
<p>We used Puppet's template feature to generate our policies. See <a href="http://spook.wpi.edu/" rel="noreferrer">SELinux Enhancements for Puppet</a>, heading "Future stuff", item "Policy Generation".</p>
<p>Here are some basic steps from the way we implemented this. Note that other than the audit2allow, this was all automated.</p>
<p>Generate an SELinux template file for some service named ${name}.</p>
<pre><code>sudo audit2allow -m "${name}" -i /var/log/audit/audit.log &gt; ${name}.te
</code></pre>
<p>Create a script, <code>/etc/selinux/local/${name}-setup.sh</code></p>
<pre><code>#!/bin/sh
# ${name} is substituted by the Puppet template that generates this script
set -e
SOURCE=/etc/selinux/local
BUILD=/etc/selinux/local
# compile the type enforcement source into a binary policy module
/usr/bin/checkmodule -M -m -o ${BUILD}/${name}.mod ${SOURCE}/${name}.te
# package the module and load it into the running policy
/usr/bin/semodule_package -o ${BUILD}/${name}.pp -m ${BUILD}/${name}.mod
/usr/sbin/semodule -i ${BUILD}/${name}.pp
# remove the build artifacts
/bin/rm ${BUILD}/${name}.mod ${BUILD}/${name}.pp
</code></pre>
<p>That said, most people are better off just disabling SELinux and hardening their system through other commonly accepted consensus based best practices such as <a href="http://cisecurity.org/" rel="noreferrer">The Center for Internet Security's Benchmarks</a> (note they recommend SELinux :-)).</p>
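<p>The one manual step in the answer above is reading the <code>.te</code> file that <code>audit2allow</code> produced before <code>checkmodule</code> and <code>semodule</code> load it, since audit2allow turns every logged denial into an allow rule. The script below is an added example, not code from the answer or from the SELinux project: it lists each allow rule in a module and flags rules that grant permissions or touch types a reviewer should normally resolve some other way (relabel, boolean, or code fix). The sample module text, the permission list and the type list are constructed assumptions for this example.</p>

```shell
#!/bin/sh
# Offline review of an audit2allow-generated .te module (example code, not from the answer).
# SAMPLE_TE is a constructed module in the format audit2allow emits.
SAMPLE_TE='module myapp 1.0;

require {
    type httpd_t;
    type var_log_t;
    type shadow_t;
    class file { read open write execmod };
}

#============= httpd_t ==============
allow httpd_t var_log_t:file { read open };
allow httpd_t shadow_t:file read;
allow httpd_t self:file execmod;
'

# Permissions that usually indicate the denial should be fixed at the source
# instead of being allowed (assumed list for this example).
RISKY_PERMS='execmem|execmod|execstack|execheap|relabelfrom|relabelto|setattr'
# Target types that an application domain should rarely be granted access to
# (assumed list for this example).
RISKY_TYPES='shadow_t|unconfined_t|initrc_t|kernel_t|security_t'

# review_te FILE: print every allow rule, prefixed with OK or REVIEW.
review_te() {
    grep -E '^[[:space:]]*allow[[:space:]]' "$1" | while IFS= read -r rule; do
        if printf '%s\n' "$rule" | grep -Eq "$RISKY_PERMS|[[:space:]]($RISKY_TYPES):"; then
            printf 'REVIEW %s\n' "$rule"
        else
            printf 'OK     %s\n' "$rule"
        fi
    done
}

# count_flagged FILE: number of rules marked REVIEW; use as a gate in the
# setup script before semodule -i.
count_flagged() {
    review_te "$1" | grep -c '^REVIEW'
}

tmp=$(mktemp)
printf '%s' "$SAMPLE_TE" > "$tmp"
review_te "$tmp"
echo "rules flagged for review: $(count_flagged "$tmp")"
rm -f "$tmp"
```

Run against the real <code>${name}.te</code> by passing its path to <code>review_te</code>; a non-zero <code>count_flagged</code> is a reasonable reason to stop the automation and look at the denial itself.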
 
