Selinux: Difference between revisions

From Halfface
How to read selinux information

A context is written user:role:type:sensitivity:category, i.e. user:role:type:mls.

*user
The user field indicates the SELinux user of the context. If a user logs in as root they will have a user value of root. If they log in as a regular user, like tom, they will have the value user_u. Users who su to root will continue to have the value user_u. Processes also have a value, system_u.
*role
This defines the role of the user. Files have a role of object_r and processes have a role of system_r. Users, like processes, have the role of system_r.
*type
Types are used for type enforcement, which determines which process types can access which file types.
*sensitivity
This is a security feature (MLS) used by government agencies.
*category
This provides a way to block access to categories of people, including root.

If you view the settings for the index.html file in /var/www/html you will see these attributes listed.

# ls -Z
-rw-r--r--  root root root:object_r:httpd_sys_content_t index.html

user: root
role: object_r
type: httpd_sys_content_t
sensitivity: (none in this context)
category: (none in this context)


Grep logfiles to generate rules.

# grep munin /var/log/audit/audit.log | audit2allow -m munin > /temp/munin.te

Revision as of 21:14, 31 March 2015

List SELinux context of directories.

# ls -Zld /var/www/cgi-bin /usr/local/linuxcoe-sd/cgi-bin/
drwxr-xr-x  2 root:object_r:usr_t              root root 4096 Jun 12 12:55 /usr/local/linuxcoe-sd/cgi-bin/
drwxr-xr-x  2 system_u:object_r:httpd_sys_script_exec_t root root 4096 Feb 28  2005 /var/www/cgi-bin

Copy security context from another directory.

# chcon --reference=/var/www/cgi-bin -R /usr/local/linuxcoe-sd/cgi-bin

Show selinux status.

# sestatus

Set selinux status.

# setenforce Enforcing
# setenforce Permissive

View Processes protected by SELinux

# ps -ZC httpd

How to read selinux information

This is based upon user:role:type:mls

Get SELinux boolean values.

# getsebool -a

Enable a boolean value, permanently.

# setsebool -P httpd_unified=1

Change the type of a directory and its subdirectories.

# chcon -R -t httpd_sys_content_rw_t /var/www/html/www-halfface/photos/album-data

Set SELinux context on a home directory.

# chcon -R -t user_home_dir_t /home/anita/ && chcon -R -t user_home_t /home/anita/mail/

Restore the default SELinux context.

# restorecon /dir

Roles known to the system.

# seinfo -r

Graphical application showing SELinux problems.

# sudo sealert -b

Which ports an application is able to listen on.

# semanage port -l

Make httpd able to listen on port 81.

# semanage port -a -t http_port_t -p tcp 81

View SELinux activity.

# aureport -i --input-logs --start recent --avc

Have a closer look at what an entry means.

# ausearch --input-logs -i -a 30492

View latest selinux logfile entries.

# ausearch -m avc --start recent

View one SELinux log entry.

# ausearch -m avc -a 9293

Default policy

targeted

SELinux audit entries interpreted by audit2allow.

# ausearch -m avc --start recent | audit2allow -m trouble | less

Create a loadable module from audit log entries.

# ausearch -m avc --start recent | audit2allow -M trouble
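As an added example (not from this wiki), the Python below parses constructed AVC denial lines in the shape `ausearch -m avc` prints, splits each context into the user:role:type:mls fields explained in the reading section above, and merges the denials into the allow lines `audit2allow -m` would produce, flagging any rule that would grant write-like access so it is reviewed before `semodule -i`. The pids, paths and log lines are constructed sample data; `WRITE_LIKE` is an assumed review list, not an SELinux constant.

```python
import re
from collections import defaultdict

# Constructed AVC denial lines in the format `ausearch -m avc` prints (not real log data).
SAMPLE_AVC = """\
type=AVC msg=audit(1427832000.123:9293): avc:  denied  { read open } for  pid=1234 comm="httpd" path="/var/www/html/temp/index.html" dev="dm-0" ino=5 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1427832001.456:9294): avc:  denied  { write } for  pid=1234 comm="httpd" name="temp" dev="dm-0" ino=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0-s0:c0.c1023 tclass=dir permissive=0
type=AVC msg=audit(1427832002.789:9295): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/temp/index.html" dev="dm-0" ino=5 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)")

# Assumed review list: permissions that let the source modify the target; rules granting these deserve a second look.
WRITE_LIKE = {"write", "append", "create", "unlink", "rename", "setattr", "relabelto"}

def split_context(ctx):
    """Split user:role:type[:mls]; the MLS range may itself contain ':' (e.g. s0-s0:c0.c1023)."""
    user, role, typ, *rest = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "mls": rest[0] if rest else ""}

def parse_avc(text):
    """One record per denial line: permission set, source/target contexts, object class."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            out.append({"perms": set(m["perms"].split()), "src": split_context(m["src"]),
                        "tgt": split_context(m["tgt"]), "cls": m["cls"]})
    return out

def allow_rules(denials):
    """Merge denials per (source type, target type, class) into the allow lines audit2allow -m emits."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["src"]["type"], d["tgt"]["type"], d["cls"])] |= d["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

def review_flags(denials):
    """Return (source type, target type) pairs whose generated rule would grant write-like access."""
    return sorted({(d["src"]["type"], d["tgt"]["type"]) for d in denials if d["perms"] & WRITE_LIKE})

if __name__ == "__main__":
    denials = parse_avc(SAMPLE_AVC)
    print("\n".join(allow_rules(denials)))
    for src, tgt in review_flags(denials):
        print(f"review: {src} would gain write access to {tgt}; a relabel (chcon/restorecon) may be the better fix")
```

A denial on a file that simply carries the wrong label (the user_home_t case above) is fixed by relabeling as in the chcon/restorecon sections, not by loading a module that widens httpd_t.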

Load module.

# semodule -i trouble.pp

Create a .pp policy package from a .te source.

checkmodule -M -m -o selinux_avcstat.mod selinux_avcstat.te
semodule_package -o selinux_avcstat.pp -m selinux_avcstat.mod

list available modules

# semodule -l

Allow httpd to write to cache directory

setsebool -P allow_httpd_anon_write=1
# Write permission.
chcon -R -t public_content_rw_t /var/www/html/temp