Selinux: Difference between revisions

From Halfface
Jump to navigation Jump to search
 
(3 intermediate revisions by the same user not shown)
Line 29: Line 29:
Set selinux permission on home drive.
Set selinux permission on home drive.
  # chcon -R -t user_home_dir_t /home/anita/ && chcon -R -t user_home_t /home/anita/mail/
  # chcon -R -t user_home_dir_t /home/anita/ && chcon -R -t user_home_t /home/anita/mail/
Restore selinux permission.
=Restore selinux permission.=
  # restorecon /dir
  restorecon /dir
Restore files from tar archive.
tar -xvf archive.tar | restorecon -f -
 
==roles known to the system.==
==roles known to the system.==
  # seinfo -r
  # seinfo -r
Line 63: Line 66:
  # semodule -i trouble.pp
  # semodule -i trouble.pp


==create pp==
checkmodule -M -m -o selinux_avcstat.mod selinux_avcstat.te
semodule_package -o selinux_avcstat.pp -m selinux_avcstat.mod
==list available modules==
==list available modules==
  # semodule -l
  # semodule -l
==Allow httpd to write to cache directory==
setsebool -P allow_httpd_anon_write=1
# Write permission.
chcon -R -t public_content_rw_t /var/www/html/temp

Latest revision as of 09:34, 9 May 2024

list selinux setting on directory.

# ls -Zld /var/ www/cgi-bin /usr/local/linuxcoe-sd/cgi-bin/
drwxr-xr-x  2 root:object_r:usr_t              root root 4096 Jun 12 12:55 /usr/local/linuxcoe-sd/cgi-bin/
drwxr-xr-x  2 system_u:object_r:httpd_sys_script_exec_t root root 4096 Feb 28  2005 /var/www/cgi-bin

Copy security contex from another directory.

# chcon --reference=/var/www/cgi-bin -R /usr/local/linuxcoe-sd/cgi-bin

Show selinux status.

# sestatus

Set selinux status.

# setenforce Enforcing
# setenforce Permissive

View Processes protected by SELinux

# ps -ZC httpd

How to read selinux informatino

This is based upon user:role:type:mls

Get selinux bolean values.

# getsebool -a

Enable bolean value, permanently.

# setsebool -P httpd_unified=1

Change mode of directory and subdirectories.

# chcon -R -t httpd_sys_content_rw_t /var/www/html/www-halfface/photos/album-data

Set selinux permission on home drive.

# chcon -R -t user_home_dir_t /home/anita/ && chcon -R -t user_home_t /home/anita/mail/

Restore selinux permission.

restorecon /dir

Restore files from tar archive.

tar -xvf archive.tar | restorecon -f -

roles known to the system.

# seinfo -r

Get graphical application showing selinux problems.

# sudo sealert -b

which ports are application able to listen on.

# semanage port -l

make httpd able to listen on port 81

# semanage port -a -t http_port_t -p tcp 81

view selinux activities

# aureport -i --input-logs --start recent --avc

Have a closer look at what an entry means.

# ausearch --input-logs -i -a 30492

View latest selinux logfile entries.

# ausearch -m avc --start recent

Vies one selinux log entry.

# ausearch -m avc -a 9293

Default policy

targeted

Selinux audit entries interpreted be audit2allow

# ausearch -m avc --start recent | audit2allow -m trouble | less

Create a loadable module from audit log entries.

# ausearch -m avc --start recent | audit2allow -M trouble

load module.

# semodule -i trouble.pp

create pp

checkmodule -M -m -o selinux_avcstat.mod selinux_avcstat.te
semodule_package -o selinux_avcstat.pp -m selinux_avcstat.mod

list available modules

# semodule -l

Allow httpd to write to cache directory

setsebool -P allow_httpd_anon_write=1
# Write permission.
chcon -R -t public_content_rw_t /var/www/html/temp