RHEL + SELinux: Managing Confined Services

What this post is really about: http://linux.web.cern.ch/linux/scientific6/docs/rhel/Managing_Confined_Services/

Found this gem of a guide when it comes to managing SELinux. This page is a mile-and-a-half long, but a great read when you’ve got nothing to do but research Linux security policies. I stumbled across it when searching for the section #sect-Managing_Confined_Services-The_Apache_HTTP_Server-The_Apache_HTTP_Server_and_SELinux (I think the docs are taking SEO to a whole new, overkill level – or perhaps it’s just the scripts “doing what they do”). This doc has an awesome intro to custom SELinux policy generation.

What this post ended up being about (the title is completely misleading):

I was configuring a utility server with a “utilwww” user (needed to test some geoip scripts, using the MaxMind DB API, on a boatload of IP addresses). For easier access I wanted to grant FTP access using vsftpd – crap, in retrospect I could have just used SCP, oh well – but was having some problems with SELinux blocking the reads on the dir. This was expected since the type wasn’t set to httpd_sys_content_t (the VM is running CentOS 5.7, btw).

Another problem was that by default the home dir’s mode was 700. Not sure why useradd does this and not 744 (or it might have been 744, don’t recall exactly). After scratching my head a bit more wondering why the sucker wasn’t working, I realized that Apache (httpd) needs execute perms as well, so a little chmod 755 utilwww did the trick.
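The two checks described above (directory traverse permission for httpd, and the httpd_sys_content_t label), as an added shell example that is not from the original post; the path /home/utilwww/public_html is an assumed layout for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: check whether httpd can reach a
# user's web directory. Two things must hold, as the post describes:
#   1. every directory between the base and the content dir grants "other"
#      execute (traverse) permission, e.g. mode 755 rather than 700/744;
#   2. the content carries the httpd_sys_content_t SELinux type.
# /home/utilwww/public_html below is an assumed layout, not from the post.

# Print each directory below $base, down to and including $dir, that lacks
# the "other" execute bit. Empty output means httpd can traverse the path.
untraversable_components() {
    base=$1
    p=$2
    while [ -n "$p" ] && [ "$p" != "$base" ] && [ "$p" != "/" ] && [ "$p" != "." ]; do
        # 10th character of "ls -ld" is the other-execute flag: x, t, - or T
        case "$(ls -ld "$p" 2>/dev/null | cut -c10)" in
            x|t) ;;
            *) printf '%s\n' "$p" ;;
        esac
        p=$(dirname "$p")
    done
}

# Grant traverse only (o+x), the minimal change; the post used 755, which
# also grants group/other read on the home dir.
fix_traverse() {
    for d in "$@"; do
        chmod o+x "$d"
    done
}

# Label the content for httpd. semanage records a persistent file-context
# rule; restorecon then relabels. A plain chcon would also work on CentOS 5
# but is lost on the next full relabel.
label_for_httpd() {
    dir=$1
    command -v semanage >/dev/null 2>&1 || { echo "semanage missing" >&2; return 2; }
    semanage fcontext -a -t httpd_sys_content_t "${dir}(/.*)?" &&
    restorecon -Rv "$dir"
}

# Usage (as root, on the assumed layout):
#   bad=$(untraversable_components /home /home/utilwww/public_html)
#   [ -n "$bad" ] && fix_traverse $bad
#   label_for_httpd /home/utilwww/public_html
#   ls -ldZ /home/utilwww/public_html   # verify the type
```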

In summary (might be missing a few steps here, but this is at least the high level):

puttin’ stuff down.

Putting tips and tricks here that are in my head. At least WP will retain the information, rather than FB… Sometimes I ask myself how the hell I did something and go to search for it: not in my browser history, not in old FB posts (plus there’s too much other crap to sift through), and I don’t post to anything else.
…also rolled this thing into Twitter, maybe it’ll help someone.