Is there any danger in leaving SELinux permanently disabled or in permissive state for an OTRS server (CentOS 7 + OTRS 5) using MariaDB, directly on the internet? If so, are there any recommended alternatives? I did try setting up a profile for OTRS unsuccessfully, and I'm debating if it's safe to just leave it in Permissive mode long term.
This is the guide I followed, but I could not get the selinux profile working that they have described here:
http://complemento.net.br/en/2015/11/13 ... -database/
Any advice would be greatly appreciated! Thanks in advance!
selinux
Re: selinux
I have been using this module on RHEL7 and it works fine.
Code:
module otrs 1.0;

require {
    type bin_t;
    type fs_t;
    type httpd_t;
    type unconfined_t;
    type configfs_t;
    type user_tmpfs_t;
    class dir { add_name create read remove_name write getattr };
    class file { create read setattr unlink write };
    class filesystem { associate };
    class shm { associate getattr read unix_read unix_write write };
}

allow httpd_t bin_t:dir add_name;
allow httpd_t bin_t:dir remove_name;
allow httpd_t bin_t:dir write;
allow httpd_t bin_t:file create;
allow httpd_t bin_t:file unlink;
allow httpd_t bin_t:file write;
allow httpd_t fs_t:filesystem associate;
allow httpd_t httpd_t:dir add_name;
allow httpd_t httpd_t:dir create;
allow httpd_t httpd_t:dir read;
allow httpd_t httpd_t:dir remove_name;
allow httpd_t httpd_t:dir write;
allow httpd_t configfs_t:dir getattr;
allow httpd_t httpd_t:file create;
allow httpd_t httpd_t:file setattr;
allow httpd_t httpd_t:file unlink;
allow httpd_t user_tmpfs_t:file read;
allow httpd_t user_tmpfs_t:file write;
allow httpd_t unconfined_t:shm associate;
allow httpd_t unconfined_t:shm getattr;
allow httpd_t unconfined_t:shm read;
allow httpd_t unconfined_t:shm unix_read;
allow httpd_t unconfined_t:shm unix_write;
allow httpd_t unconfined_t:shm write;
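
Added example, not code from either poster or from the OTRS project: a small Python check a reviewer could run over a module like the one above before loading it, listing the allow rules that give a web server domain modifying permissions on types worth a second look. The function name, the set of "modifying" permissions and the list of sensitive types are assumptions of this example, and the sample rules are constructed in the style of the posted module.

```python
import re

# Constructed sample: a few allow rules in the style of the module posted above.
SAMPLE_TE = """
# comment lines are ignored
allow httpd_t bin_t:dir add_name;
allow httpd_t bin_t:file { create write };
allow httpd_t configfs_t:dir getattr;
allow httpd_t user_tmpfs_t:file read;
allow httpd_t unconfined_t:shm unix_write;
"""

# Assumptions of this example: which permissions count as modifying, and
# which target types a reviewer wants to look at twice.
MODIFY_PERMS = {"add_name", "remove_name", "create", "unlink", "write",
                "append", "rename", "setattr", "unix_write"}
SENSITIVE_TARGETS = {"bin_t",         # label carried by system executables
                     "unconfined_t"}  # objects owned by unconfined processes

_ITEM = r"(\{[^}]*\}|[^\s:;]+)"  # a single name or a { brace set }
RULE_RE = re.compile(
    r"\ballow\s+" + _ITEM + r"\s+" + _ITEM + r"\s*:\s*" + _ITEM + r"\s+" + _ITEM + r"\s*;")


def _names(token):
    """Expand 'name' or '{ a b }' into a list of names."""
    return token.strip("{} \t\n").split()


def risky_rules(te_text, source="httpd_t"):
    """Return (target, class, perm) for every modifying permission that
    `source` is granted on a type listed in SENSITIVE_TARGETS."""
    text = re.sub(r"#[^\n]*", "", te_text)  # drop policy comments
    findings = []
    for match in RULE_RE.finditer(text):
        sources, targets, classes, perms = (_names(g) for g in match.groups())
        if source not in sources:
            continue
        for target in targets:
            if target not in SENSITIVE_TARGETS:
                continue
            findings.extend((target, cls, perm)
                            for cls in classes for perm in perms
                            if perm in MODIFY_PERMS)
    return findings


if __name__ == "__main__":
    for target, cls, perm in risky_rules(SAMPLE_TE):
        print(f"review: httpd_t may {perm} {cls} objects labelled {target}")
```

Read-only grants such as `getattr` or `read` are not reported; only rules that let the domain change an object on a listed type are.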