SE Linux Troubleshooting

Setroubleshoot

^[1]

yum install setroubleshoot setools
sealert -a /var/log/audit/audit.log

Audit2allow (without setroubleshoot)

^[2]

sudo grep fail2ban /var/log/audit/audit.log | audit2allow -M fail2ban2
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i fail2ban2.pp

[ec2-user@ip-172-26-5-161 ~]$ nano fail2ban2.
[ec2-user@ip-172-26-5-161 ~]$ nano fail2ban2.pp 
[ec2-user@ip-172-26-5-161 ~]$ sudo semodule -i fail2ban2.pp 

Configure SELinux on Amazon Linux AMI

^[3]

• Install packages

yum install libselinux libselinux-utils selinux-policy-minimum selinux-policy-mls selinux-policy-targeted policycoreutils 

• Edit grub boot options

Edit /etc/grub.conf and change selinux=0 to selinux=1, then add security=selinux enforcing=1

• ^[4]Then tell selinux you want to relable the filesystem

touch /.autorelabel

• Reboot and check selinux status

sestatus 

SELinux status:                 enabled
SELinuxfs mount:                /selinux
SELinux root directory:         /etc/selinux/
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      30

Application Specific

Apache Settings

Needed to allow apache to write to the web directory for a NextCloud update.

chcon -R -t httpd_sys_rw_content_t /var/www/html

NFS

Ran into a problem with a MySQL container using an NFS bind mount. Ends up there is a conflict^[5]. MySQL requires different context for both the sock file and data files. It was recommended to mount the data with

context="system_u:object_r:mysqld_db_t:s0"

and update my.cnf to use the new data directory. I just ended up running the database in the container then run regular backups to the NFS storage. The reason being that the NFS storage gets backed up offsite.