Selinux: Difference between revisions

Revision as of 21:14, 31 March 2015

list selinux setting on directory.

# ls -Zld /var/ www/cgi-bin /usr/local/linuxcoe-sd/cgi-bin/
drwxr-xr-x  2 root:object_r:usr_t              root root 4096 Jun 12 12:55 /usr/local/linuxcoe-sd/cgi-bin/
drwxr-xr-x  2 system_u:object_r:httpd_sys_script_exec_t root root 4096 Feb 28  2005 /var/www/cgi-bin

Copy security contex from another directory.

# chcon --reference=/var/www/cgi-bin -R /usr/local/linuxcoe-sd/cgi-bin

Show selinux status.

# sestatus

Set selinux status.

# setenforce Enforcing
# setenforce Permissive

View Processes protected by SELinux

# ps -ZC httpd

How to read selinux informatino

This is based upon user:role:type:mls

Get selinux bolean values.

# getsebool -a

Enable bolean value, permanently.

# setsebool -P httpd_unified=1

Change mode of directory and subdirectories.

# chcon -R -t httpd_sys_content_rw_t /var/www/html/www-halfface/photos/album-data

Set selinux permission on home drive.

# chcon -R -t user_home_dir_t /home/anita/ && chcon -R -t user_home_t /home/anita/mail/

Restore selinux permission.

# restorecon /dir

roles known to the system.

# seinfo -r

Get graphical application showing selinux problems.

# sudo sealert -b

which ports are application able to listen on.

# semanage port -l

make httpd able to listen on port 81

# semanage port -a -t http_port_t -p tcp 81

view selinux activities

# aureport -i --input-logs --start recent --avc

Have a closer look at what an entry means.

# ausearch --input-logs -i -a 30492

View latest selinux logfile entries.

# ausearch -m avc --start recent

Vies one selinux log entry.

# ausearch -m avc -a 9293

Default policy

targeted

Selinux audit entries interpreted be audit2allow

# ausearch -m avc --start recent | audit2allow -m trouble | less

Create a loadable module from audit log entries.

# ausearch -m avc --start recent | audit2allow -M trouble

load module.

# semodule -i trouble.pp

create pp

checkmodule -M -m -o selinux_avcstat.mod selinux_avcstat.te
semodule_package -o selinux_avcstat.pp -m selinux_avcstat.mod

list available modules

# semodule -l

Allow httpd to write to cache directory

setsebool -P allow_httpd_anon_write=1
# Write permission.
chcon -R -t public_content_rw_t /var/www/html/temp

Selinux: Difference between revisions

Revision as of 21:14, 31 March 2015

Contents

list selinux setting on directory.

Copy security contex from another directory.

Show selinux status.

Set selinux status.

View Processes protected by SELinux

How to read selinux informatino

Get selinux bolean values.

Enable bolean value, permanently.

Change mode of directory and subdirectories.

roles known to the system.

Get graphical application showing selinux problems.

which ports are application able to listen on.

make httpd able to listen on port 81

view selinux activities

Default policy

Selinux audit entries interpreted be audit2allow

Create a loadable module from audit log entries.

load module.

create pp

list available modules

Allow httpd to write to cache directory

Navigation menu

@@ Line 1: / Line 1: @@
-list selinux setting on directory.
+==list selinux setting on directory.==
-  ls -Zld /var/ www/cgi-bin /usr/local/linuxcoe-sd/cgi-bin/
+  # ls -Zld /var/ www/cgi-bin /usr/local/linuxcoe-sd/cgi-bin/
   drwxr-xr-x  2 root:object_r:usr_t              root root 4096 Jun 12 12:55 /usr/local/linuxcoe-sd/cgi-bin/
   drwxr-xr-x  2 system_u:object_r:httpd_sys_script_exec_t root root 4096 Feb 28  2005 /var/www/cgi-bin
-Copy security contex from another directory.
+==Copy security contex from another directory.==
-  chcon --reference=/var/www/cgi-bin -R /usr/local/linuxcoe-sd/cgi-bin
+  # chcon --reference=/var/www/cgi-bin -R /usr/local/linuxcoe-sd/cgi-bin
-Show selinux status.
+==Show selinux status.==
-  sestatus
+  # sestatus
-Set selinux status.
+==Set selinux status.==
-  setenforce Enforcing
+  # setenforce Enforcing
+ # setenforce Permissive
-View Processes protected by SELinux
+==View Processes protected by SELinux==
   # ps -ZC httpd
-*user
+==How to read selinux informatino==
-The role is used to indicate the user of the context.  If a user logs in as root they will have a user value of root.  If they log in as a regular user, like tom, they will have the value of user_u.  Users who su  to root will continue to have the value of user_u.    Processes also have a value, system_u.
-*role
-This is used to define the role of the user.  Files have a role of object_r and processes have a role of system_r.  Users, like processes have the role of system_r.
-*type
-Types are used to create a type enforcement which determines which process types can have access to which file types.
-*sensitivity
-This is a security feature used by government agencies.
-*category
-This provides a way to block access to categories of people including root.
-user: role: type: sensitivity: category
+This is based upon user:role:type:mls
-If you view the settings for the index.html file in /var/www/html you will see these attributes listed.
+==Get selinux bolean values.==
+ # getsebool -a
+==Enable bolean value, permanently.==
+ # setsebool -P httpd_unified=1
+==Change mode of directory and subdirectories.==
+ # chcon -R -t httpd_sys_content_rw_t /var/www/html/www-halfface/photos/album-data
+Set selinux permission on home drive.
+ # chcon -R -t user_home_dir_t /home/anita/ && chcon -R -t user_home_t /home/anita/mail/
+Restore selinux permission.
+ # restorecon /dir
+==roles known to the system.==
+ # seinfo -r
-  # ls -Z
+==Get graphical application showing selinux problems.==
--rw-r--r--  root root root:object_r:httpd_sys_content_t index.html
+  # sudo sealert -b
-user: 				root:
+==which ports are application able to listen on.==
+ # semanage port -l
-role:				object_r:
+==make httpd able to listen on port 81==
+ # semanage port -a -t http_port_t -p tcp 81
-type:				httpd_sys_content_t
+==view selinux activities==
+ # aureport -i --input-logs --start recent --avc
+Have  a closer look at what an entry means.
+ # ausearch --input-logs -i -a 30492
+View latest selinux logfile entries.
+ # ausearch -m avc --start recent
+Vies one selinux log entry.
+ # ausearch -m avc -a 9293
-sensitivity:
+==Default policy==
+ targeted
-category
+==Selinux audit entries interpreted be audit2allow==
+ # ausearch -m avc --start recent | audit2allow -m trouble | less
+==Create a loadable module from audit log entries.==
+ # ausearch -m avc --start recent | audit2allow -M trouble
+==load module.==
+ # semodule -i trouble.pp
+==create pp==
+ checkmodule -M -m -o selinux_avcstat.mod selinux_avcstat.te
+ semodule_package -o selinux_avcstat.pp -m selinux_avcstat.mod
+==list available modules==
+ # semodule -l
+==Allow httpd to write to cache directory==
+ setsebool -P allow_httpd_anon_write=1
+ # Write permission.
+ chcon -R -t public_content_rw_t /var/www/html/temp

Selinux: Difference between revisions

Revision as of 21:14, 31 March 2015

list selinux setting on directory.

Copy security contex from another directory.

Show selinux status.

Set selinux status.

View Processes protected by SELinux

How to read selinux informatino

Get selinux bolean values.

Enable bolean value, permanently.

Change mode of directory and subdirectories.

roles known to the system.

Get graphical application showing selinux problems.

which ports are application able to listen on.

make httpd able to listen on port 81

view selinux activities

Default policy

Selinux audit entries interpreted be audit2allow

Create a loadable module from audit log entries.

load module.

create pp

list available modules

Allow httpd to write to cache directory

Navigation menu

Search