We use FreeBSD as a PPTP concentrator because its PPTP implementation lives entirely in the kernel, so there is no overhead from copying packets to and from user space for encapsulation/decapsulation. A quad-core Xeon with hyperthreading handles about 400 users and 250 Mbit of PPTP traffic at peak with a load average of around 2.5, but it needs good Intel network adapters to process packets with low CPU usage.
First of all: congratulations for not disabling SELinux and trying instead to understand it and configure it properly.
Filtering the AVC denials you posted in your question makes it much clearer what the problem could be:
# cat avc_denials | audit2allow
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t gitosis_var_lib_t:dir { read search open getattr };
allow httpd_sys_script_t gitosis_var_lib_t:file { read getattr open ioctl append };
The usual method to debug AVC denials, however, makes use of the ausearch(8) command:
# ausearch -m avc -ts recent | audit2allow
Check the manpage for further information on the switches you can use.
With this information, now you know what is happening: the process labeled httpd_sys_script_t, possibly the CGI code gitolite3 uses to publish its repos, is being denied access to files and directories labeled gitosis_var_lib_t (the repos) to execute different operations (read, search, open, ...).
Now you should determine whether to grant this access or not. Let's suppose you want to grant access. You would need to create a custom policy module describing the rules defining the access you want to grant. This is more or less simple depending on the complexity of the process:
# ausearch -m avc -ts 10:40:00 | audit2allow -m my_gitolite3 > my_gitolite3.te
This will produce a type enforcement description like this:
module my_gitolite3 1.0;
require {
type httpd_sys_script_t;
type gitosis_var_lib_t;
class dir { read search open getattr };
class file { read getattr open ioctl append };
}
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t gitosis_var_lib_t:dir { read search open getattr };
allow httpd_sys_script_t gitosis_var_lib_t:file { read getattr open ioctl append };
You should proceed to review the code to ensure its correctness (in this case, it's simple enough). The next step is to compile the type enforcement code into a module:
# checkmodule -M -m -o my_gitolite3.mod my_gitolite3.te
The module must be packaged into a policy package for you to be able to load it and unload it at will:
# semodule_package -o my_gitolite3.pp -m my_gitolite3.mod
Now, you can load the policy using:
# semodule -i my_gitolite3.pp
Check it is correctly loaded:
# semodule -l | grep my_gitolite3
Then, try to trigger the denials again and see if there are more (different) alerts in the audit log regarding this same process.
Further edits to the type enforcement code will require the version (1.0) to be updated, or loading the package will fail. Updating the policy package is done with:
# semodule -u my_gitolite3.pp
There is a lot to learn when starting with SELinux. Some useful references:
apropos selinux; both gitosis_selinux and httpd_selinux will be of interest here.
From the RHEL docs.
A good introductory presentation by Dave Quigley.
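The review step above ("ensure its correctness") is the one that is easy to skip, because audit2allow grants exactly what was denied, not what the process actually needs. The script below is an added example, not part of the answer or of the SELinux tooling: it takes a generated .te file on stdin, lists every allow rule that grants a write-class permission (the answer's module grants append on the repo files, which is worth a conscious decision), bumps the module version as the answer says each re-edit requires, and wraps the checkmodule/semodule_package pipeline from the answer so it only runs where that userland is installed. The embedded .te text is constructed to mirror the one shown in the answer; the list of permissions treated as write-class is my own choice.

```shell
#!/bin/sh
# Added example (not from the original answer): review and rebuild a
# type-enforcement module generated by audit2allow.

# Constructed sample .te, mirroring what "audit2allow -m my_gitolite3" produced above.
SAMPLE_TE='module my_gitolite3 1.0;

require {
    type httpd_sys_script_t;
    type gitosis_var_lib_t;
    class dir { read search open getattr };
    class file { read getattr open ioctl append };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t gitosis_var_lib_t:dir { read search open getattr };
allow httpd_sys_script_t gitosis_var_lib_t:file { read getattr open ioctl append };'

# Permissions that modify the object (assumed list, chosen for this example).
# A generated rule carrying one of these deserves a second look before compiling.
WRITE_PERMS='write append create unlink rename setattr link execute execute_no_trans relabelto relabelfrom'

# Read .te text on stdin; print "<perm>\t<rule>" for each write-class permission
# found in an allow rule. Handles both "{ a b c }" and single-permission rules.
flag_write_rules() {
    awk -v perms="$WRITE_PERMS" '
        BEGIN { n = split(perms, w, " "); for (i = 1; i <= n; i++) risky[w[i]] = 1 }
        /^allow / {
            line = $0
            if (line ~ /\{/) { sub(/.*\{ */, "", line); sub(/ *\}.*/, "", line) }
            else { line = $NF; sub(/;$/, "", line) }
            n = split(line, p, " ")
            for (i = 1; i <= n; i++) if (p[i] in risky) printf "%s\t%s\n", p[i], $0
        }'
}

# Read .te text on stdin; increment the minor version in the "module NAME X.Y;" header
# (1.0 -> 1.1) so that "semodule -u" accepts the rebuilt package. Everything else passes through.
bump_module_version() {
    awk '/^module / {
            ver = $3; sub(/;$/, "", ver)
            split(ver, v, ".")
            $3 = v[1] "." (v[2] + 1) ";"
        }
        { print }'
}

# Compile and package a reviewed .te exactly as the answer does. Skipped (exit 2)
# when checkmodule/semodule_package are not installed, e.g. on a build host.
build_module() {
    te="$1"; name="${te%.te}"
    if ! command -v checkmodule >/dev/null 2>&1 || ! command -v semodule_package >/dev/null 2>&1; then
        echo "checkmodule/semodule_package not found; skipping build of $te" >&2
        return 2
    fi
    checkmodule -M -m -o "$name.mod" "$te" &&
    semodule_package -o "$name.pp" -m "$name.mod" &&
    echo "$name.pp"
}

# Demo on the constructed sample: show write-class grants, then the bumped header.
printf '%s\n' "$SAMPLE_TE" | flag_write_rules
printf '%s\n' "$SAMPLE_TE" | bump_module_version | head -n 1
# For a real file: printf '%s\n' "$SAMPLE_TE" | bump_module_version > my_gitolite3.te && build_module my_gitolite3.te
```

The flagged output for the sample is the file rule, because of append; the dir rule grants only read-class permissions and stays silent. Whether append is legitimately needed (for example, for the CGI to write under the repositories) is the decision the answer asks you to make before running checkmodule.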