Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #322 from percona/ps-9225
PS-9225 Update post-installation docs
Showing 12 changed files with 1,116 additions and 449 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,65 @@ | ||
# Additional SELinux tools and management | ||
|
||
## Installing SELinux management tools | ||
|
||
To install SELinux management tools on RHEL 7, use the following command as root: | ||
|
||
```{.bash data-prompt="$"} | ||
$ yum -y install policycoreutils-python | ||
``` | ||
|
||
On RHEL 8, utilize the following command as root: | ||
|
||
```{.bash data-prompt="$"} | ||
$ yum -y install policycoreutils-python-utils | ||
``` | ||
|
||
Ensure you have root privileges to execute these commands. | ||
|
||
## Switching SELinux mode | ||
|
||
SELinux can operate in three modes: Disabled, Permissive, and Enforcing. | ||
|
||
To switch SELinux mode until the next reboot, use either of the following commands as root: | ||
|
||
```{.bash data-prompt="$"} | ||
$ setenforce Enforcing | ||
``` | ||
or | ||
```{.bash data-prompt="$"} | ||
$ setenforce 1 | ||
``` | ||
|
||
To view the current SELinux mode, use either of the following commands: | ||
|
||
```{.bash data-prompt="$"} | ||
$ getenforce | ||
``` | ||
or | ||
```{.bash data-prompt="$"} | ||
$ sestatus | grep -i mode | ||
``` | ||
|
||
## Managing SELinux policies | ||
|
||
### Using the semanage command | ||
|
||
To add a service to the permissive domain, execute the following as root: | ||
|
||
```{.bash data-prompt="$"} | ||
$ semanage permissive -a <service_name> | ||
``` | ||
|
||
To delete a service from the permissive domain, run: | ||
|
||
```{.bash data-prompt="$"} | ||
$ semanage permissive -d <service_name> | ||
``` | ||
|
||
### List the current Permissive domains | ||
|
||
To list the current permissive domains, use the following command: | ||
|
||
```{.bash data-prompt="$"} | ||
$ semanage permissive -l | ||
``` |
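Review bot: Under "Switching SELinux mode", the text names three modes (Disabled, Permissive, Enforcing), but the two commands offered as alternatives, `setenforce Enforcing` and `setenforce 1`, both select Enforcing, so the page never shows how to select Permissive and never says how Disabled is reached. Suggest adding the Permissive form (`setenforce Permissive` or `setenforce 0`) and a sentence stating that `setenforce` only toggles between Enforcing and Permissive, while Disabled is set in `/etc/selinux/config` and takes effect after a reboot. Under "Using the semanage command", `semanage permissive -a` takes an SELinux domain type (such as `mysqld_t`) rather than a service name, so `<service_name>` would read better as `<domain_type>`; it is also worth stating that a permissive domain is logged but not enforced, so the `-d` step should follow once troubleshooting is done. Minor: the blocks use a `$` prompt for commands the text says to run as root, and "Ensure you have root privileges to execute these commands." repeats what the two install sentences already say.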
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
# AppArmor profile modes | ||
|
||
AppArmor profile modes determine how applications interact with system resources. You can mix enforce mode profiles and complain mode profiles in your server. | ||
|
||
| Mode | Description | | ||
|------------|--------------------------------------------------------------------------------------------------------------------------| | ||
| Enforce | Restricts MySQL processes according to the rules defined in the profile. Any action violating these rules is denied. | | ||
| Complain | Allows MySQL processes to take restricted actions, but logs these actions for review. | | ||
| Disabled | Turns off profile restrictions entirely, allowing MySQL processes to take any action without logging. | | ||
|
||
Understanding these modes helps MySQL developers ensure that their applications can access necessary resources while maintaining system security. | ||
|
||
## Benefits | ||
|
||
| Benefit | Description | | ||
|-------------------|---------------------------------------------------------------------------------------------------------------------| | ||
| Enhanced Security | AppArmor profile modes, such as Enforce and Complain, help enforce security policies to prevent unauthorized access. | | ||
| Easy Troubleshooting | Profile modes provide flexibility in troubleshooting access issues by allowing developers to switch between modes. | | ||
|
||
### Disadvantages | ||
|
||
| Disadvantage | Description | | ||
|--------------------|----------------------------------------------------------------------------------------------------------------------| | ||
| Limited Flexibility | Profile modes may restrict certain actions or access, potentially limiting the functionality of MySQL applications. | | ||
| Complexity | Understanding and managing different profile modes can be complex for beginner developers, leading to errors. | | ||
| Debugging Challenges | Troubleshooting issues related to profile modes, such as DENIED entries in logs, may require additional expertise. | | ||
|
||
## AppArmor links: | ||
|
||
[AppArmor](apparmor.md)<br> | ||
[Manage AppArmor Profiles](manage-apparmor-profiles.md)<br> | ||
[Disable AppArmor](disable-apparmor.md)<br> | ||
[Configure AppArmor](configure-apparmor.md)<br> | ||
[Troubleshoot AppArmor](troubleshoot-apparmor.md) | ||
|
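Review bot: In the Benefits table, the "Enhanced Security" row says Enforce and Complain both "help enforce security policies to prevent unauthorized access", which contradicts the mode table above it, where Complain allows restricted actions and only logs them. Suggest crediting prevention to Enforce alone and describing Complain as an audit and profile-tuning aid, with a note that a profile left in Complain or Disabled mode gives MySQL no confinement. The page also addresses "MySQL developers" and "their applications" while the tables describe confining MySQL processes, so the audience wording could be aligned. Style: `### Disadvantages` sits one level below `## Benefits` although the two are siblings, and `## AppArmor links:` carries a trailing colon that the other headings do not.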