More on SELinux roles

I think the best way to illustrate the point of creating a role for content administration is to show an example.

In the file /etc/security/selinux/src/policy/users, I added this line:


user webadmin roles { user_r httpd_admin_r };

And I created the file /etc/security/selinux/src/policy/domains/misc/webadmin.te with the following content:


#DESC httpd_admin_t - Domain for web content administrators.
#
#########################################################################

# httpd_admin_t has access to all of the httpd files, such as
# the configuration files and the log files. They also
# have access to system content and/or user content.
#

full_user_role(httpd_admin)
priv_user(httpd_admin)
role_tty_type_change(user, httpd_admin)

create_dir_file(httpd_admin_t, user_home_dir_t)

allow httpd_admin_t user_home_t:file create_file_perms;

#########################################################################
# Allow the httpd admin to edit or create content
#########################################################################
create_dir_file(httpd_admin_t, httpd_sys_content_t)

#########################################################################
# Allow the httpd admin to view log files
#########################################################################
r_dir_file(httpd_admin_t, httpd_log_t)

#########################################################################
# Allow the httpd admin to use chcon to change contexts on web pages
# and .htaccess files.
#########################################################################
allow httpd_admin_t httpd_sys_content_t:dir { relabelto };
allow httpd_admin_t httpd_sys_content_t:file { relabelto };

And that’s all, folks!
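As an added example (not code from the post), here is a small Python audit that parses the explicit allow rules of a .te fragment like the one above and lists which types the new domain can modify or relabel, flagging any target outside the allowlist the administrator intended. Macros such as full_user_role() and create_dir_file() are not expanded, so it only checks the rules written out by hand; the sample rules are the three allow lines from webadmin.te plus one constructed extra rule to show the check firing.

```python
"""Least-privilege sanity check for explicit allow rules in a .te fragment."""
import re

# Matches: allow SRC TGT:CLASS { perm perm ... };   or   allow SRC TGT:CLASS perm;
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)

# Constructed sample: the three explicit rules from webadmin.te above, plus one
# extra rule (etc_t) that is NOT in the post, added only to exercise the check.
SAMPLE_TE = """
allow httpd_admin_t user_home_t:file create_file_perms;
allow httpd_admin_t httpd_sys_content_t:dir { relabelto };
allow httpd_admin_t httpd_sys_content_t:file { relabelto };
allow httpd_admin_t etc_t:file { write };
"""

# Permissions (and common permission macros) that let a domain change a target.
WRITE_LIKE = {"write", "append", "create", "unlink", "rename", "setattr",
              "relabelto", "relabelfrom", "create_file_perms", "rw_file_perms"}


def parse_allow_rules(text):
    """Return one (source, target, class, frozenset(perms)) tuple per allow rule."""
    rules = []
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        perm_set = frozenset(perms.strip("{} ").split())
        rules.append((src, tgt, cls, perm_set))
    return rules


def writable_targets(text, domain):
    """Target types that `domain` may modify or relabel by an explicit rule."""
    return {tgt for src, tgt, _cls, perms in parse_allow_rules(text)
            if src == domain and perms & WRITE_LIKE}


def unexpected_targets(text, domain, allowed):
    """Writable targets that fall outside the intended allowlist."""
    return writable_targets(text, domain) - set(allowed)


if __name__ == "__main__":
    intended = {"httpd_sys_content_t", "user_home_t"}
    print("writable:", sorted(writable_targets(SAMPLE_TE, "httpd_admin_t")))
    print("unexpected:", sorted(unexpected_targets(SAMPLE_TE, "httpd_admin_t", intended)))
```

Run it against the real file before `make load` to spot a stray rule; remember that the macro calls still grant a great deal more than the explicit rules show.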
