Redhat – SELinux: How to add a new security context

redhatselinux

I'm new to SELinux and am trying to add a new security context (label) to test denial. To do this, I try changing a filew to a new context:

chcon -t new_t test

But it fails with "Invalid argument". How do I add the new type "new_t"?

Best Answer

An example for how to create a new type is at http://fedoraproject.org/wiki/PackagingDrafts/SELinux#Creating_new_types

Once you have build the module (make -f /usr/share/selinux/devel/Makefile) and inserted it into SELinux (semodule -i foobar.pp) then you can chcon -t foobar_t test.

Related Solutions

Centos – How to run PhantomJS on CentOS with SELinux

Here's some snippets from http://wiki.centos.org/HowTos/SELinux#7 on how to create a custom policy module with allow2audit.

Try it

setenforce 0
grep phantomjs /var/log/audit/audit.log | audit2allow -m httpd_phantomjs > httpd_phantomjs.te
cat httpd_phantomjs.te

Install it

grep phantomjs /var/log/audit/audit.log | audit2allow -M httpd_phantomjs
semodule -i httpd_phantomjs.pp
ls /etc/selinux/targeted/modules/active/modules/ | grep httpd

Test it

setenforce 1
tail -f /var/log/audit/audit.log

This is untested so please update as necessary. Hope it works for you

Lighttpd fails with 403 – Forbidden with SELinux enabled

You appear to be using a Samba share to store your web content. If you want SELinux to allow your web server to read files on Samba shares, you need to set the appropriate boolean. For instance:

setsebool -P httpd_use_cifs 1

Best Answer

Related Solutions

Centos – How to run PhantomJS on CentOS with SELinux

Lighttpd fails with 403 – Forbidden with SELinux enabled

Related Topic