Selinux: Difference between revisions
Jump to navigation
Jump to search
| (4 intermediate revisions by the same user not shown) | |||
| Line 29: | Line 29: | ||
Set selinux permission on home drive. | Set selinux permission on home drive. | ||
# chcon -R -t user_home_dir_t /home/anita/ && chcon -R -t user_home_t /home/anita/mail/ | # chcon -R -t user_home_dir_t /home/anita/ && chcon -R -t user_home_t /home/anita/mail/ | ||
Restore selinux permission. | =Restore selinux permission.= | ||
restorecon /dir | |||
Restore files from tar archive. | |||
tar -xvf archive.tar | restorecon -f - | |||
==roles known to the system.== | ==roles known to the system.== | ||
# seinfo -r | # seinfo -r | ||
| Line 61: | Line 64: | ||
==load module.== | ==load module.== | ||
# semodule -i | # semodule -i trouble.pp | ||
==create pp== | |||
checkmodule -M -m -o selinux_avcstat.mod selinux_avcstat.te | |||
semodule_package -o selinux_avcstat.pp -m selinux_avcstat.mod | |||
==list available modules== | ==list available modules== | ||
# semodule -l | # semodule -l | ||
==Allow httpd to write to cache directory== | |||
setsebool -P allow_httpd_anon_write=1 | |||
# Write permission. | |||
chcon -R -t public_content_rw_t /var/www/html/temp | |||
Latest revision as of 09:34, 9 May 2024
list selinux setting on directory.
# ls -Zld /var/ www/cgi-bin /usr/local/linuxcoe-sd/cgi-bin/ drwxr-xr-x 2 root:object_r:usr_t root root 4096 Jun 12 12:55 /usr/local/linuxcoe-sd/cgi-bin/ drwxr-xr-x 2 system_u:object_r:httpd_sys_script_exec_t root root 4096 Feb 28 2005 /var/www/cgi-bin
Copy security contex from another directory.
# chcon --reference=/var/www/cgi-bin -R /usr/local/linuxcoe-sd/cgi-bin
Show selinux status.
# sestatus
Set selinux status.
# setenforce Enforcing # setenforce Permissive
View Processes protected by SELinux
# ps -ZC httpd
How to read selinux informatino
This is based upon user:role:type:mls
Get selinux bolean values.
# getsebool -a
Enable bolean value, permanently.
# setsebool -P httpd_unified=1
Change mode of directory and subdirectories.
# chcon -R -t httpd_sys_content_rw_t /var/www/html/www-halfface/photos/album-data
Set selinux permission on home drive.
# chcon -R -t user_home_dir_t /home/anita/ && chcon -R -t user_home_t /home/anita/mail/
Restore selinux permission.
restorecon /dir
Restore files from tar archive.
tar -xvf archive.tar | restorecon -f -
roles known to the system.
# seinfo -r
Get graphical application showing selinux problems.
# sudo sealert -b
which ports are application able to listen on.
# semanage port -l
make httpd able to listen on port 81
# semanage port -a -t http_port_t -p tcp 81
view selinux activities
# aureport -i --input-logs --start recent --avc
Have a closer look at what an entry means.
# ausearch --input-logs -i -a 30492
View latest selinux logfile entries.
# ausearch -m avc --start recent
Vies one selinux log entry.
# ausearch -m avc -a 9293
Default policy
targeted
Selinux audit entries interpreted be audit2allow
# ausearch -m avc --start recent | audit2allow -m trouble | less
Create a loadable module from audit log entries.
# ausearch -m avc --start recent | audit2allow -M trouble
load module.
# semodule -i trouble.pp
create pp
checkmodule -M -m -o selinux_avcstat.mod selinux_avcstat.te semodule_package -o selinux_avcstat.pp -m selinux_avcstat.mod
list available modules
# semodule -l
Allow httpd to write to cache directory
setsebool -P allow_httpd_anon_write=1 # Write permission. chcon -R -t public_content_rw_t /var/www/html/temp