BLU Discuss list archive
[Discuss] selinux nightmare
- Subject: [Discuss] selinux nightmare
- From: adler at stephenadler.com (Stephen Adler)
- Date: Sun, 28 Sep 2014 16:25:06 -0400
Hi all,

So I'm bringing up apache on my new server and I'm trying to do right by selinux this time. My default mode is to ignore selinux, put it in permissive mode, and watch all the error messages get logged but pretty much ignore what's going on under the selinux hood. Well, I figure this time I should pay some attention and at least try and minimize all the error messages I get in my log files. But now I'm in an selinux rabbit hole. The selinux security apparatus is just too complicated to try and figure out without doing some rtfming....

So... can anyone suggest a good selinux for dummies web site I can pore through? I would love for it to be no more than one single page with a few key commands that I can learn and be done with it. But I doubt that's the case.

I think I've gone long enough trying to avoid learning selinux. I've reached the point that I need to really understand it...

Thanks. Steve.

P.S. this is the kind of stuff I'm confronting....

[root@mipdata0 ~]# sealert -l dd884c85-199f-49c5-b44c-a595ce3cec43
SELinux is preventing /usr/bin/python2.7 from read access on the lnk_file .

***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow python2.7 to have read access on the lnk_file
Then you need to change the label on $FIX_TARGET_PATH
Do
# semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
where FILE_TYPE is one of the following: abrt_retrace_spool_t, admin_home_t, bin_t, boot_t, calamaris_www_t, cert_t, cobbler_var_lib_t, cvs_data_t, device_t, devlog_t, dirsrv_share_t, etc_runtime_t, etc_t, file_context_t, fonts_cache_t, fonts_t, git_sys_content_t, gitosis_var_lib_t, home_root_t, httpd_apcupsd_cgi_content_t, httpd_apcupsd_cgi_htaccess_t, httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_apcupsd_cgi_script_exec_t, httpd_awstats_content_t, httpd_awstats_htaccess_t, httpd_awstats_ra_content_t, httpd_awstats_rw_content_t, httpd_awstats_script_exec_t, httpd_bugzilla_content_t, httpd_bugzilla_htaccess_t, httpd_bugzilla_ra_content_t, httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t, httpd_cache_t, httpd_collectd_content_t, httpd_collectd_htaccess_t, httpd_collectd_ra_content_t, httpd_collectd_rw_content_t, httpd_collectd_script_exec_t, httpd_config_t, httpd_cvs_content_t, httpd_cvs_htaccess_t, httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_cvs_script_exec_t, httpd_dirsrvadmin_content_t, httpd_dirsrvadmin_htaccess_t, httpd_dirsrvadmin_ra_content_t, httpd_dirsrvadmin_rw_content_t, httpd_dirsrvadmin_script_exec_t, httpd_dspam_content_t, httpd_dspam_htaccess_t, httpd_dspam_ra_content_t, httpd_dspam_rw_content_t, httpd_dspam_script_exec_t, httpd_git_content_t, httpd_git_htaccess_t, httpd_git_ra_content_t, httpd_git_rw_content_t, httpd_git_script_exec_t, httpd_log_t, httpd_man2html_content_t, httpd_man2html_htaccess_t, httpd_man2html_ra_content_t, httpd_man2html_rw_content_t, httpd_man2html_script_exec_t, httpd_mediawiki_content_t, httpd_mediawiki_htaccess_t, httpd_mediawiki_ra_content_t, httpd_mediawiki_rw_content_t, httpd_mediawiki_script_exec_t, httpd_modules_t,
httpd_mojomojo_content_t, httpd_mojomojo_htaccess_t, httpd_mojomojo_ra_content_t, httpd_mojomojo_rw_content_t, httpd_mojomojo_script_exec_t, httpd_munin_content_t, httpd_munin_htaccess_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t, httpd_munin_script_exec_t, httpd_mythtv_content_t, httpd_mythtv_htaccess_t, httpd_mythtv_ra_content_t, httpd_mythtv_rw_content_t, httpd_mythtv_script_exec_t, httpd_nagios_content_t, httpd_nagios_htaccess_t, httpd_nagios_ra_content_t, httpd_nagios_rw_content_t, httpd_nagios_script_exec_t, httpd_nutups_cgi_content_t, httpd_nutups_cgi_htaccess_t, httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t, httpd_nutups_cgi_script_exec_t, httpd_openshift_content_t, httpd_openshift_htaccess_t, httpd_openshift_ra_content_t, httpd_openshift_rw_content_t, httpd_openshift_script_exec_t, httpd_prewikka_content_t, httpd_prewikka_htaccess_t, httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t, httpd_prewikka_script_exec_t, httpd_smokeping_cgi_content_t, httpd_smokeping_cgi_htaccess_t, httpd_smokeping_cgi_ra_content_t, httpd_smokeping_cgi_rw_content_t, httpd_smokeping_cgi_script_exec_t, httpd_squid_content_t, httpd_squid_htaccess_t, httpd_squid_ra_content_t, httpd_squid_rw_content_t, httpd_squid_script_exec_t, httpd_squirrelmail_t, httpd_sys_content_t, httpd_sys_htaccess_t, httpd_sys_ra_content_t, httpd_sys_rw_content_t, httpd_sys_script_exec_t, httpd_tmp_t, httpd_tmpfs_t, httpd_user_content_t, httpd_user_htaccess_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t, httpd_w3c_validator_content_t, httpd_w3c_validator_htaccess_t, httpd_w3c_validator_ra_content_t, httpd_w3c_validator_rw_content_t, httpd_w3c_validator_script_exec_t, httpd_webalizer_content_t, httpd_webalizer_htaccess_t, httpd_webalizer_ra_content_t, httpd_webalizer_rw_content_t, httpd_webalizer_script_exec_t, httpd_zoneminder_content_t, httpd_zoneminder_htaccess_t, httpd_zoneminder_ra_content_t, httpd_zoneminder_rw_content_t, 
httpd_zoneminder_script_exec_t, iso9660_t, jetty_cache_t, jetty_log_t, jetty_var_lib_t, jetty_var_run_t, ld_so_t, lib_t, locale_t, mailman_archive_t, mailman_data_t, man_cache_t, man_t, mnt_t, munin_etc_t, mysqld_etc_t, net_conf_t, passenger_var_lib_t, pki_ra_var_lib_t, pki_tomcat_cert_t, pki_tps_var_lib_t, proc_t, public_content_rw_t, public_content_t, root_t, rpm_script_tmp_t, security_t, selinux_config_t, shell_exec_t, slapd_cert_t, squirrelmail_spool_t, src_t, sssd_var_lib_t, sysfs_t, system_conf_t, system_db_t, tetex_data_t, textrel_shlib_t, tmp_t, udev_var_run_t, usr_t, var_lib_t, var_lock_t, var_run_t, var_t, zarafa_var_lib_t.
Then execute:
restorecon -v '$FIX_TARGET_PATH'