Selinux: Difference between revisions
No edit summary |
No edit summary |
||
| Line 1: | Line 1: | ||
list selinux setting on directory. | ==list selinux setting on directory.== | ||
ls -Zld /var/ www/cgi-bin /usr/local/linuxcoe-sd/cgi-bin/ | ls -Zld /var/ www/cgi-bin /usr/local/linuxcoe-sd/cgi-bin/ | ||
drwxr-xr-x 2 root:object_r:usr_t root root 4096 Jun 12 12:55 /usr/local/linuxcoe-sd/cgi-bin/ | drwxr-xr-x 2 root:object_r:usr_t root root 4096 Jun 12 12:55 /usr/local/linuxcoe-sd/cgi-bin/ | ||
drwxr-xr-x 2 system_u:object_r:httpd_sys_script_exec_t root root 4096 Feb 28 2005 /var/www/cgi-bin | drwxr-xr-x 2 system_u:object_r:httpd_sys_script_exec_t root root 4096 Feb 28 2005 /var/www/cgi-bin | ||
Copy security contex from another directory. | ==Copy security contex from another directory.== | ||
chcon --reference=/var/www/cgi-bin -R /usr/local/linuxcoe-sd/cgi-bin | chcon --reference=/var/www/cgi-bin -R /usr/local/linuxcoe-sd/cgi-bin | ||
Show selinux status. | ==Show selinux status.== | ||
sestatus | sestatus | ||
Set selinux status. | ==Set selinux status.== | ||
setenforce Enforcing | setenforce Enforcing | ||
View Processes protected by SELinux | ==View Processes protected by SELinux== | ||
# ps -ZC httpd | # ps -ZC httpd | ||
==How to read selinux informatino== | |||
*user | *user | ||
The role is used to indicate the user of the context. If a user logs in as root they will have a user value of root. If they log in as a regular user, like tom, they will have the value of user_u. Users who su to root will continue to have the value of user_u. Processes also have a value, system_u. | The role is used to indicate the user of the context. If a user logs in as root they will have a user value of root. If they log in as a regular user, like tom, they will have the value of user_u. Users who su to root will continue to have the value of user_u. Processes also have a value, system_u. | ||
Revision as of 18:28, 8 July 2010
list selinux setting on directory.
ls -Zld /var/ www/cgi-bin /usr/local/linuxcoe-sd/cgi-bin/ drwxr-xr-x 2 root:object_r:usr_t root root 4096 Jun 12 12:55 /usr/local/linuxcoe-sd/cgi-bin/ drwxr-xr-x 2 system_u:object_r:httpd_sys_script_exec_t root root 4096 Feb 28 2005 /var/www/cgi-bin
Copy security contex from another directory.
chcon --reference=/var/www/cgi-bin -R /usr/local/linuxcoe-sd/cgi-bin
Show selinux status.
sestatus
Set selinux status.
setenforce Enforcing
View Processes protected by SELinux
# ps -ZC httpd
How to read selinux informatino
- user
The role is used to indicate the user of the context. If a user logs in as root they will have a user value of root. If they log in as a regular user, like tom, they will have the value of user_u. Users who su to root will continue to have the value of user_u. Processes also have a value, system_u.
- role
This is used to define the role of the user. Files have a role of object_r and processes have a role of system_r. Users, like processes have the role of system_r.
- type
Types are used to create a type enforcement which determines which process types can have access to which file types.
- sensitivity
This is a security feature used by government agencies.
- category
This provides a way to block access to categories of people including root.
user: role: type: sensitivity: category
If you view the settings for the index.html file in /var/www/html you will see these attributes listed.
# ls -Z
-rw-r--r-- root root root:object_r:httpd_sys_content_t index.html
user: root:
role: object_r:
type: httpd_sys_content_t
sensitivity:
category
Get selinux bolean values.
# getsebool -a
Enable bolean value, permanently.
# setsebool -P httpd_unified=1
==Change mode of directory and subdirectories.
# chcon -R -t httpd_sys_content_rw_t /var/www/html/www-halfface/photos/album-data