RHEL 6 SElinux policy for 2.1.5

Thiago Figueiro TFigueiro at au.westfield.com
Tue Jun 21 06:23:11 CEST 2011

I used the 2.1.5 EPEL 6 packages from http://download.fedora.redhat.com/pub/epel/6/x86_64/repoview/varnish.html in our systems but it looks like they are lacking the selinux policy.

It's not hard to create a policy, but it's a repetitive and boring task.  See below for the policy we're using; no guarantees it will work with your particular configuration, but hopefully that will save you some time and point you in the right direction.

I'm not sure why varnishd needs to write to /etc/varnish but oh well... :-)

# cat varnish.te 

module varnish 1.0;

require {
	type home_root_t;
	type varnishd_t;
	type boot_t;
	type varnishlog_t;
	type file_t;
	type varnishd_etc_t;
	class dir { write remove_name search getattr add_name };
	class file { execute setattr read create write getattr unlink open };
};

#============= varnishd_t ==============
allow varnishd_t boot_t:dir getattr;
allow varnishd_t file_t:dir search;
allow varnishd_t file_t:file { read write getattr };
allow varnishd_t home_root_t:dir getattr;
allow varnishd_t varnishd_etc_t:dir { write remove_name add_name };
allow varnishd_t varnishd_etc_t:file { write create unlink execute setattr };

#============= varnishlog_t ==============
allow varnishlog_t varnishd_etc_t:dir search;
allow varnishlog_t varnishd_etc_t:file open;
allow varnishlog_t varnishd_etc_t:file read;

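Added example (not from the post above and not part of the Varnish project): a small Python script that parses the allow rules in a .te module and flags the ones a reviewer should question before loading the module with semodule. The policy embedded in it is the one from this post, with the closing `};` of the require block added. The review heuristics are my own rules of thumb, not anything the post states: file_t and unlabeled_t targets usually mean the files were never labelled and should be fixed with restorecon rather than an allow rule; write or execute permission on a *_etc_t config type lets the daemon change, or run code from, its own configuration directory; and rules that grant only getattr are normally harmless probing that can become dontaudit rules instead.

```python
"""Review the allow rules of an SELinux policy module (.te).

Added example for the varnish-misc thread; not the author's or the
project's code. It extracts every allow rule, merges rules that share
(source, target, class), and reports grants worth a second look.
"""
import re

# The policy posted in the thread, embedded as sample input (require block closed).
VARNISH_TE = """\
module varnish 1.0;

require {
	type home_root_t;
	type varnishd_t;
	type boot_t;
	type varnishlog_t;
	type file_t;
	type varnishd_etc_t;
	class dir { write remove_name search getattr add_name };
	class file { execute setattr read create write getattr unlink open };
};

#============= varnishd_t ==============
allow varnishd_t boot_t:dir getattr;
allow varnishd_t file_t:dir search;
allow varnishd_t file_t:file { read write getattr };
allow varnishd_t home_root_t:dir getattr;
allow varnishd_t varnishd_etc_t:dir { write remove_name add_name };
allow varnishd_t varnishd_etc_t:file { write create unlink execute setattr };

#============= varnishlog_t ==============
allow varnishlog_t varnishd_etc_t:dir search;
allow varnishlog_t varnishd_etc_t:file open;
allow varnishlog_t varnishd_etc_t:file read;
"""

# allow <source> <target>:<class> <perm> ;   or   allow ... { perm perm ... } ;
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")

# Permissions that change a file or directory (heuristic list, not exhaustive).
WRITE_PERMS = {"write", "create", "unlink", "append", "rename",
               "setattr", "add_name", "remove_name"}
# Types SELinux assigns to files that carry no label at all.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}


def parse_allow_rules(text):
    """Return [(source, target, class, frozenset(perms))] for every allow rule."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            rules.append((src, tgt, cls, frozenset(perms.strip("{} ").split())))
    return rules


def merge_rules(rules):
    """Collapse rules with the same (source, target, class) into one permission set."""
    merged = {}
    for src, tgt, cls, perms in rules:
        key = (src, tgt, cls)
        merged[key] = merged.get(key, frozenset()) | perms
    return merged


def review(text):
    """Return [(kind, rule, reason)] for every merged rule that trips a heuristic."""
    findings = []
    for (src, tgt, cls), perms in sorted(merge_rules(parse_allow_rules(text)).items()):
        rule = "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        if tgt in UNLABELED_TYPES:
            findings.append(("relabel", rule,
                             "target is an unlabeled file type; restorecon the path "
                             "instead of granting access to it"))
        elif tgt.endswith("_etc_t") and "execute" in perms:
            findings.append(("execute", rule,
                             "domain may execute files under its own config type; "
                             "with write access a config-dir write becomes code execution"))
        elif tgt.endswith("_etc_t") and perms & WRITE_PERMS:
            findings.append(("config-write", rule,
                             "domain may modify its own configuration; find the path "
                             "that needs this and consider a dedicated type"))
        elif perms == {"getattr"}:
            findings.append(("dontaudit", rule,
                             "getattr only; usually harmless probing, a dontaudit "
                             "rule silences the AVC without granting anything"))
    return findings


if __name__ == "__main__":
    for kind, rule, reason in review(VARNISH_TE):
        print("%-12s %s\n             %s" % (kind, rule, reason))
```

Running it on this policy reports the two file_t rules, the write and execute grants on varnishd_etc_t, and the boot_t/home_root_t getattr rules; the read-only varnishlog_t rules pass. It is a triage aid for audit2allow output, not a substitute for reading the module.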
