@fredead
Last active April 23, 2016 14:27
SELinux cheat sheet
SELinux can be difficult when you just want things to work, and many people simply switch it off.
Here are some simple command lines I use to just set it up. It is best to go away for a week and learn it all properly, but this is good when you just want to get it done.
yum install policycoreutils-python # CentOS package; provides semanage and audit2allow (policycoreutils-python-utils on newer releases)
NOTE: all changes below take effect immediately and persist across reboots
Allow something to execute / write to a file / area
# find the type name first (this may prove more difficult, in which case look at the agent logs)
semanage fcontext -l | grep progname
semanage fcontext -a -t <type> "</bin/file | /directory(/.*)?>" # quote the path so the shell does not expand the regex
restorecon -R -v </bin/file | /directory> # yes, that is a capital -R for recursion
Allow something to use a port
# find the type name first (this may prove more difficult, in which case look at the agent logs)
semanage port -l | grep progname
semanage port -m -t <type> -p tcp <port number> # -m modifies a port that already has a type; use -a to add a port that has none
When all else fails
grep program /var/log/audit/audit.log | audit2allow -M mymodule1 # writes mymodule1.te and mymodule1.pp; read the .te first, it allows every denial the grep matched
semodule -i mymodule1.pp
(repeat, incrementing the module number by 1, until it works)
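To take the guesswork out of the "find the type name first" step and the audit.log grep above, here is an added helper (not part of the original gist) that summarises AVC denials by source type, target type, object class and permission, and lists the target types to look for with semanage. The audit lines inside it are a constructed sample for the Zabbix-checks-Docker case this gist was written for; the type names in them are illustrative, not copied from a real host.

```shell
#!/bin/sh
# Added example, not from the original gist: summarise SELinux AVC denials as
# written to /var/log/audit/audit.log, so the source type, target type, object
# class and permission of each denial are visible before changing a label or
# building an audit2allow module.

# Constructed sample audit lines (not from a real host; type names illustrative):
# a Zabbix agent denied access to the Docker socket. A SYSCALL line is included
# to show that non-AVC records are ignored.
SAMPLE_AVC='type=AVC msg=audit(1461421234.123:456): avc:  denied  { write } for  pid=1234 comm="zabbix_agentd" name="docker.sock" dev="tmpfs" ino=12345 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:container_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1461421234.456:457): avc:  denied  { connectto } for  pid=1234 comm="zabbix_agentd" path="/var/run/docker.sock" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1461421234.456:457): arch=c000003e syscall=42 success=no exit=-13 comm="zabbix_agentd"
type=AVC msg=audit(1461421235.001:458): avc:  denied  { write } for  pid=1234 comm="zabbix_agentd" name="docker.sock" dev="tmpfs" ino=12345 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:container_var_run_t:s0 tclass=sock_file permissive=0'

# avc_summary: read audit lines on stdin, print one line per distinct denial:
#   <count> <comm> <source_type> -> <target_type> <tclass> { <perms> }
avc_summary() {
  grep 'avc: *denied' | awk '
  {
    perms = $0
    sub(/.*denied *[{] */, "", perms)   # keep the text after "denied {"
    sub(/ *[}].*/, "", perms)           # drop everything from "}" onwards
    comm = ""; src = ""; tgt = ""; cls = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
      if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }   # user:role:TYPE:level
      if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
      if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
    }
    key = comm " " src " -> " tgt " " cls " { " perms " }"
    seen[key]++
  }
  END { for (k in seen) printf "%d %s\n", seen[k], k }' | sort
}

# avc_target_types: the distinct target types, i.e. what to grep for in
# "semanage fcontext -l" or "semanage port -l" before changing a label.
avc_target_types() {
  avc_summary | awk '{ print $5 }' | sort -u
}

# Demonstration on the constructed sample; on a real host pipe in the log instead:
#   avc_summary < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AVC" | avc_summary
printf '%s\n' "$SAMPLE_AVC" | avc_target_types
```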
Create your own module (from the multiples made above)
Edit mymodule.te
checkmodule -M -m -o mymodule.mod mymodule.te # compile the policy source into a module
semodule_package -o mymodule.pp -m mymodule.mod # package it for loading
semodule -i mymodule.pp
This was done to allow Zabbix to run docker to check the state of known, named containers.
The thing I would say is that SELinux is more difficult than it should be.