Selinux
Jump to navigation
Jump to search
list selinux setting on directory.
# ls -Zld /var/ www/cgi-bin /usr/local/linuxcoe-sd/cgi-bin/ drwxr-xr-x 2 root:object_r:usr_t root root 4096 Jun 12 12:55 /usr/local/linuxcoe-sd/cgi-bin/ drwxr-xr-x 2 system_u:object_r:httpd_sys_script_exec_t root root 4096 Feb 28 2005 /var/www/cgi-bin
Copy security contex from another directory.
# chcon --reference=/var/www/cgi-bin -R /usr/local/linuxcoe-sd/cgi-bin
Show selinux status.
# sestatus
Set selinux status.
# setenforce Enforcing # setenforce Permissive
View Processes protected by SELinux
# ps -ZC httpd
How to read selinux informatino
This is based upon user:role:type:mls
Get selinux bolean values.
# getsebool -a
Enable bolean value, permanently.
# setsebool -P httpd_unified=1
Change mode of directory and subdirectories.
# chcon -R -t httpd_sys_content_rw_t /var/www/html/www-halfface/photos/album-data
Set selinux permission on home drive.
# chcon -R -t user_home_dir_t /home/anita/ && chcon -R -t user_home_t /home/anita/mail/
Restore selinux permission.
restorecon /dir
Restore files from tar archive.
tar -xvf archive.tar | restorecon -f -
roles known to the system.
# seinfo -r
Get graphical application showing selinux problems.
# sudo sealert -b
which ports are application able to listen on.
# semanage port -l
make httpd able to listen on port 81
# semanage port -a -t http_port_t -p tcp 81
view selinux activities
# aureport -i --input-logs --start recent --avc
Have a closer look at what an entry means.
# ausearch --input-logs -i -a 30492
View latest selinux logfile entries.
# ausearch -m avc --start recent
Vies one selinux log entry.
# ausearch -m avc -a 9293
Default policy
targeted
Selinux audit entries interpreted be audit2allow
# ausearch -m avc --start recent | audit2allow -m trouble | less
Create a loadable module from audit log entries.
# ausearch -m avc --start recent | audit2allow -M trouble
load module.
# semodule -i trouble.pp
create pp
checkmodule -M -m -o selinux_avcstat.mod selinux_avcstat.te semodule_package -o selinux_avcstat.pp -m selinux_avcstat.mod
list available modules
# semodule -l
Allow httpd to write to cache directory
setsebool -P allow_httpd_anon_write=1 # Write permission. chcon -R -t public_content_rw_t /var/www/html/temp