Selinux: Difference between revisions

From Halfface
Revision as of 18:28, 8 July 2010

==List selinux setting on directory.==

ls -Zld /var/www/cgi-bin /usr/local/linuxcoe-sd/cgi-bin/
drwxr-xr-x  2 root:object_r:usr_t              root root 4096 Jun 12 12:55 /usr/local/linuxcoe-sd/cgi-bin/
drwxr-xr-x  2 system_u:object_r:httpd_sys_script_exec_t root root 4096 Feb 28  2005 /var/www/cgi-bin

==Copy security context from another directory.==

chcon --reference=/var/www/cgi-bin -R /usr/local/linuxcoe-sd/cgi-bin

==Show selinux status.==

sestatus

==Set selinux status.==

setenforce Enforcing

==View processes protected by SELinux==

# ps -ZC httpd

==How to read selinux information==

* user

The user field indicates the user of the context. If a user logs in as root they will have a user value of root. If they log in as a regular user, like tom, they will have the value of user_u. Users who su to root will continue to have the value of user_u. Processes also have a value, system_u.

* role

This is used to define the role of the user. Files have a role of object_r and processes have a role of system_r. Users, like processes, have the role of system_r.

* type

Types are used to implement type enforcement, which determines which process types can have access to which file types.

* sensitivity

This is a security feature used by government agencies.

* category

This provides a way to block access to categories of people, including root.

user:role:type:sensitivity:category

If you view the settings for the index.html file in /var/www/html you will see these attributes listed.

# ls -Z

-rw-r--r-- root root root:object_r:httpd_sys_content_t index.html

user: root

role: object_r

type: httpd_sys_content_t

sensitivity:

category:
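The breakdown above done by a script, as an added example that is not part of the original wiki page: it pulls the context out of an ls -Z or ps -Z line, splits it into the five fields just described, and checks whether a directory's type matches a reference context (the check worth running after chcon --reference). The sample ls -Z lines are constructed from the output shown on this page.

```shell
# Added example, not from the Halfface wiki page: split an SELinux context
# into the user/role/type/sensitivity/category fields described above and
# verify that a copied context really has the expected type.
# The sample ls -Z lines and contexts below are constructed from this page.

# Print field N of a context (1=user 2=role 3=type 4=sensitivity 5=category).
# Contexts without MLS/MCS fields, like those on this page, give "" for 4 and 5.
ctx_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Pick the context out of one line of ls -Z or ps -Z output, whichever
# column it sits in: it is the field shaped like user:role:type[...].
context_of_line() {
    for f in $1; do
        case $f in
            *:*_r:*) printf '%s\n' "$f"; return 0 ;;
        esac
    done
    return 1
}

# Print the five fields of a context, labelled as in the section above.
explain_context() {
    i=1
    for name in user role type sensitivity category; do
        printf '%s: %s\n' "$name" "$(ctx_field "$1" "$i")"
        i=$((i + 1))
    done
}

# Succeed if context $1 has the same type as reference context $2: the check
# to run after "chcon --reference=..." to confirm the copy took effect.
same_type() {
    [ "$(ctx_field "$1" 3)" = "$(ctx_field "$2" 3)" ]
}

# Constructed samples taken from the ls -Z output on this page.
LINE_REF='drwxr-xr-x  2 system_u:object_r:httpd_sys_script_exec_t root root 4096 Feb 28  2005 /var/www/cgi-bin'
LINE_BEFORE='drwxr-xr-x  2 root:object_r:usr_t root root 4096 Jun 12 12:55 /usr/local/linuxcoe-sd/cgi-bin/'
CTX_REF=$(context_of_line "$LINE_REF")
CTX_BEFORE=$(context_of_line "$LINE_BEFORE")

explain_context "$CTX_BEFORE"
if same_type "$CTX_BEFORE" "$CTX_REF"; then
    echo "type matches reference"
else
    echo "type differs: $(ctx_field "$CTX_BEFORE" 3) vs $(ctx_field "$CTX_REF" 3)"
fi
```

Run it against real output by replacing the constructed LINE_* values with a line from `ls -Zld` on the directories in question.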

==Get selinux boolean values.==

# getsebool -a

==Enable boolean value permanently.==

# setsebool -P httpd_unified=1

==Change SELinux type of directory and subdirectories.==

# chcon -R -t httpd_sys_content_rw_t /var/www/html/www-halfface/photos/album-data