Selinux

list selinux setting on directory.

# ls -Zld /var/ www/cgi-bin /usr/local/linuxcoe-sd/cgi-bin/
drwxr-xr-x  2 root:object_r:usr_t              root root 4096 Jun 12 12:55 /usr/local/linuxcoe-sd/cgi-bin/
drwxr-xr-x  2 system_u:object_r:httpd_sys_script_exec_t root root 4096 Feb 28  2005 /var/www/cgi-bin

Copy security contex from another directory.

# chcon --reference=/var/www/cgi-bin -R /usr/local/linuxcoe-sd/cgi-bin

Show selinux status.

# sestatus

Set selinux status.

# setenforce Enforcing
# setenforce Permissive

View Processes protected by SELinux

# ps -ZC httpd

How to read selinux informatino

This is based upon user:role:type:mls

Get selinux bolean values.

# getsebool -a

Enable bolean value, permanently.

# setsebool -P httpd_unified=1

Change mode of directory and subdirectories.

# chcon -R -t httpd_sys_content_rw_t /var/www/html/www-halfface/photos/album-data

Set selinux permission on home drive.

# chcon -R -t user_home_dir_t /home/anita/ && chcon -R -t user_home_t /home/anita/mail/

Restore selinux permission.

# restorecon /dir

roles known to the system.

# seinfo -r

Get graphical application showing selinux problems.

# sudo sealert -b

which ports are application able to listen on.

# semanage port -l

make httpd able to listen on port 81

# semanage port -a -t http_port_t -p tcp 81

view selinux activities

# aureport -i --input-logs --start recent --avc

Have a closer look at what an entry means.

# ausearch --input-logs -i -a 30492

View latest selinux logfile entries.

# ausearch -m avc --start recent

Vies one selinux log entry.

# ausearch -m avc -a 9293

Default policy

targeted

Selinux audit entries interpreted be audit2allow

# ausearch -m avc --start recent | audit2allow -m trouble | less

Create a loadable module from audit log entries.

# ausearch -m avc --start recent | audit2allow -M trouble

load module.

# semodule -i trouble.pp

create pp

checkmodule -M -m -o selinux_avcstat.mod selinux_avcstat.te
semodule_package -o selinux_avcstat.pp -m selinux_avcstat.mod

list available modules

# semodule -l

Allow httpd to write to cache directory

setsebool -P allow_httpd_anon_write=1
# Write permission.
chcon -R -t public_content_rw_t /var/www/html/temp

Selinux

Contents

list selinux setting on directory.

Copy security contex from another directory.

Show selinux status.

Set selinux status.

View Processes protected by SELinux

How to read selinux informatino

Get selinux bolean values.

Enable bolean value, permanently.

Change mode of directory and subdirectories.

roles known to the system.

Get graphical application showing selinux problems.

which ports are application able to listen on.

make httpd able to listen on port 81

view selinux activities

Default policy

Selinux audit entries interpreted be audit2allow

Create a loadable module from audit log entries.

load module.

create pp

list available modules

Allow httpd to write to cache directory

Navigation menu

Selinux

list selinux setting on directory.

Copy security contex from another directory.

Show selinux status.

Set selinux status.

View Processes protected by SELinux

How to read selinux informatino

Get selinux bolean values.

Enable bolean value, permanently.

Change mode of directory and subdirectories.

roles known to the system.

Get graphical application showing selinux problems.

which ports are application able to listen on.

make httpd able to listen on port 81

view selinux activities

Default policy

Selinux audit entries interpreted be audit2allow

Create a loadable module from audit log entries.

load module.

create pp

list available modules

Allow httpd to write to cache directory

Navigation menu

Search