Operations grimoire/RHEL: Difference between revisions
From Nasqueron Agora
Latest revision as of 23:35, 30 May 2023
Docker engine servers use CentOS Stream (e.g. Dwellers) or Rocky (e.g. docker-002).
SELinux
States targeting RHEL machines need to apply the relevant SELinux context to each directory and file.
For example, to apply the context httpd_log_t to /var/log/www:
   {% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
   
   /var/log/www:
     file.directory:
       - user: {{ options["www_user"] }}
       - group: web
       - dir_mode: 711
   
   {% if has_selinux %}
   selinux_context_nginx_logs:
     selinux.fcontext_policy_present:
       - name: /var/log/www
       - sel_type: httpd_log_t
   
   selinux_context_nginx_logs_applied:
     selinux.fcontext_policy_applied:
       - name: /var/log/www
   {% endif %}
You'll find examples in the files under rOPS: roles/paas-docker/containers/.
For booleans (sebool) or custom policies, you'll find examples in rOPS: roles/paas-docker/nginx/selinux.sls.
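To confirm on a minion that the state above left /var/log/www labelled httpd_log_t, here is one possible check, added as an example and not taken from rOPS. The function names are hypothetical, and stat -c %C assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: verify the SELinux type carried by paths managed by Salt.
# All helper names are hypothetical.

# Extract the type (third field) from a context such as
# system_u:object_r:httpd_log_t:s0. The level may itself contain colons
# (s0:c12,c34), so count fields from the left. -s drops input without
# any colon, e.g. the "?" stat prints when no label is available.
selinux_type_of() {
    printf '%s\n' "$1" | cut -s -d: -f3
}

# Read the context of a path; kept separate so it can be swapped out.
get_context() {
    stat -c %C -- "$1" 2>/dev/null
}

# Check one path against its expected type.
# Returns 0 when it matches, 1 on drift, 2 when no label can be read.
check_path() {
    expected=$2
    ctx=$(get_context "$1") || ctx=
    actual=$(selinux_type_of "$ctx")
    if [ -z "$actual" ]; then
        echo "NOCONTEXT $1 (no SELinux label readable)"
        return 2
    elif [ "$actual" != "$expected" ]; then
        echo "DRIFT $1 has $actual, expected $expected"
        return 1
    fi
    echo "OK $1 $actual"
}

# Read "path expected_type" pairs from stdin; non-zero if any is not OK.
audit_paths() {
    rc=0
    while read -r path expected; do
        [ -n "$path" ] || continue
        check_path "$path" "$expected" || rc=1
    done
    return $rc
}

# Run with --audit on the minion after the state has been applied.
if [ "${1:-}" = "--audit" ]; then
    printf '%s\n' '/var/log/www httpd_log_t' | audit_paths
fi
```

When drift is reported, restorecon -nv /var/log/www shows what a relabel would change without applying it.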

