Selinux: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
| (26 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
list selinux setting on directory. | ==list selinux setting on directory.== | ||
ls -Zld /var/ www/cgi-bin /usr/local/linuxcoe-sd/cgi-bin/ | # ls -Zld /var/ www/cgi-bin /usr/local/linuxcoe-sd/cgi-bin/ | ||
drwxr-xr-x 2 root:object_r:usr_t root root 4096 Jun 12 12:55 /usr/local/linuxcoe-sd/cgi-bin/ | drwxr-xr-x 2 root:object_r:usr_t root root 4096 Jun 12 12:55 /usr/local/linuxcoe-sd/cgi-bin/ | ||
drwxr-xr-x 2 system_u:object_r:httpd_sys_script_exec_t root root 4096 Feb 28 2005 /var/www/cgi-bin | drwxr-xr-x 2 system_u:object_r:httpd_sys_script_exec_t root root 4096 Feb 28 2005 /var/www/cgi-bin | ||
Copy security contex from another directory. | ==Copy security contex from another directory.== | ||
chcon --reference=/var/www/cgi-bin -R /usr/local/linuxcoe-sd/cgi-bin | # chcon --reference=/var/www/cgi-bin -R /usr/local/linuxcoe-sd/cgi-bin | ||
==Show selinux status.== | |||
# sestatus | |||
==Set selinux status.== | |||
# setenforce Enforcing | |||
# setenforce Permissive | |||
==View Processes protected by SELinux== | |||
# ps -ZC httpd | |||
==How to read selinux informatino== | |||
This is based upon user:role:type:mls | |||
==Get selinux bolean values.== | |||
# getsebool -a | |||
==Enable bolean value, permanently.== | |||
# setsebool -P httpd_unified=1 | |||
==Change mode of directory and subdirectories.== | |||
# chcon -R -t httpd_sys_content_rw_t /var/www/html/www-halfface/photos/album-data | |||
Set selinux permission on home drive. | |||
# chcon -R -t user_home_dir_t /home/anita/ && chcon -R -t user_home_t /home/anita/mail/ | |||
Restore selinux permission. | |||
# restorecon /dir | |||
==roles known to the system.== | |||
# seinfo -r | |||
==Get graphical application showing selinux problems.== | |||
# sudo sealert -b | |||
==which ports are application able to listen on.== | |||
# semanage port -l | |||
==make httpd able to listen on port 81== | |||
# semanage port -a -t http_port_t -p tcp 81 | |||
==view selinux activities== | |||
# aureport -i --input-logs --start recent --avc | |||
Have a closer look at what an entry means. | |||
# ausearch --input-logs -i -a 30492 | |||
View latest selinux logfile entries. | |||
# ausearch -m avc --start recent | |||
Vies one selinux log entry. | |||
# ausearch -m avc -a 9293 | |||
==Default policy== | |||
targeted | |||
==Selinux audit entries interpreted be audit2allow== | |||
# ausearch -m avc --start recent | audit2allow -m trouble | less | |||
==Create a loadable module from audit log entries.== | |||
# ausearch -m avc --start recent | audit2allow -M trouble | |||
==load module.== | |||
# semodule -i trouble.pp | |||
==create pp== | |||
checkmodule -M -m -o selinux_avcstat.mod selinux_avcstat.te | |||
semodule_package -o selinux_avcstat.pp -m selinux_avcstat.mod | |||
==list available modules== | |||
# semodule -l | |||
==Allow httpd to write to cache directory== | |||
setsebool -P allow_httpd_anon_write=1 | |||
# Write permission. | |||
chcon -R -t public_content_rw_t /var/www/html/temp | |||
Revision as of 21:14, 31 March 2015
list selinux setting on directory.
# ls -Zld /var/ www/cgi-bin /usr/local/linuxcoe-sd/cgi-bin/ drwxr-xr-x 2 root:object_r:usr_t root root 4096 Jun 12 12:55 /usr/local/linuxcoe-sd/cgi-bin/ drwxr-xr-x 2 system_u:object_r:httpd_sys_script_exec_t root root 4096 Feb 28 2005 /var/www/cgi-bin
Copy security contex from another directory.
# chcon --reference=/var/www/cgi-bin -R /usr/local/linuxcoe-sd/cgi-bin
Show selinux status.
# sestatus
Set selinux status.
# setenforce Enforcing # setenforce Permissive
View Processes protected by SELinux
# ps -ZC httpd
How to read selinux informatino
This is based upon user:role:type:mls
Get selinux bolean values.
# getsebool -a
Enable bolean value, permanently.
# setsebool -P httpd_unified=1
Change mode of directory and subdirectories.
# chcon -R -t httpd_sys_content_rw_t /var/www/html/www-halfface/photos/album-data
Set selinux permission on home drive.
# chcon -R -t user_home_dir_t /home/anita/ && chcon -R -t user_home_t /home/anita/mail/
Restore selinux permission.
# restorecon /dir
roles known to the system.
# seinfo -r
Get graphical application showing selinux problems.
# sudo sealert -b
which ports are application able to listen on.
# semanage port -l
make httpd able to listen on port 81
# semanage port -a -t http_port_t -p tcp 81
view selinux activities
# aureport -i --input-logs --start recent --avc
Have a closer look at what an entry means.
# ausearch --input-logs -i -a 30492
View latest selinux logfile entries.
# ausearch -m avc --start recent
Vies one selinux log entry.
# ausearch -m avc -a 9293
Default policy
targeted
Selinux audit entries interpreted be audit2allow
# ausearch -m avc --start recent | audit2allow -m trouble | less
Create a loadable module from audit log entries.
# ausearch -m avc --start recent | audit2allow -M trouble
load module.
# semodule -i trouble.pp
create pp
checkmodule -M -m -o selinux_avcstat.mod selinux_avcstat.te semodule_package -o selinux_avcstat.pp -m selinux_avcstat.mod
list available modules
# semodule -l
Allow httpd to write to cache directory
setsebool -P allow_httpd_anon_write=1 # Write permission. chcon -R -t public_content_rw_t /var/www/html/temp