Difference between revisions of "Selinux"
From Christoph's Personal Wiki
(New page: '''SELinux''' * Check for errors: sealert -a /var/log/audit/audit.log Category:Linux Command Line Tools) |
(→Examples) |
||
| (5 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| − | '''SELinux''' | + | '''Security-Enhanced Linux''' ('''SELinux''') is a Linux kernel security module that provides the mechanism for supporting access control security policies |
| + | |||
| + | ==Examples== | ||
| + | $ vi /etc/sysconfig/selinux | ||
| + | $ sestatus | ||
| + | $ getenforce | ||
| + | $ setenforce | ||
| + | $ setenforce 0 || setenforce Enforcing | ||
| + | $ ps axZ | ||
| + | $ ps -ZC httpd | ||
| + | $ ls -laZ /var/www/ | ||
| + | $ semanage fcontext -l | grep httpd | ||
| + | $ restorecon -Rv /var/www/html/ | ||
| + | $ chcon --reference=/var/www/html /webserver | ||
| + | $ #~OR~ | ||
| + | $ matchpathcon /var/www/html | ||
| + | $ semanage fcontext -l | grep httpd_sys_content_t # gives you examples for the next command: | ||
| + | $ semanage fcontext -a -f "" -t httpd_sys_content_t '/webserver(/.*)?' | ||
| + | $ restorecon -RFvv /webserver | ||
| + | $ ls -Zd /webserver/ | ||
| + | $ man -k '_selinux' | ||
| + | $ getsebool -a | grep httpd | ||
| + | $ getsebool httpd_enable_homedirs | ||
| + | $ setsebool httpd_enable_homedirs on | ||
| + | $ semanage boolean -l | grep httpd_enable_homedirs | ||
| + | $ setsebool -P httpd_enable_homedirs on # make it persistent | ||
* Check for errors: | * Check for errors: | ||
sealert -a /var/log/audit/audit.log | sealert -a /var/log/audit/audit.log | ||
| + | |||
| + | $ grep -i selinux /var/log/messages | ||
| + | May 6 15:29:43 server3 setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l b31143ab-e303-4d90-a691-1f07ceaa18aa | ||
| + | May 6 15:29:44 server3 setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l b31143ab-e303-4d90-a691-1f07ceaa18aa | ||
| + | $ sealert -l b31143ab-e303-4d90-a691-1f07ceaa18aa | ||
| + | <pre> | ||
| + | SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/web_content/index.html. | ||
| + | |||
| + | ***** Plugin restorecon (99.5 confidence) suggests ************************* | ||
| + | |||
| + | If you want to fix the label. | ||
| + | /var/www/html/index.html default label should be httpd_sys_content_t. | ||
| + | Then you can run restorecon. | ||
| + | Do | ||
| + | # /sbin/restorecon -v /var/www/html/index.html | ||
| + | |||
| + | ***** Plugin catchall (1.49 confidence) suggests *************************** | ||
| + | |||
| + | If you believe that httpd should be allowed getattr access on the index.html file by default. | ||
| + | Then you should report this as a bug. | ||
| + | You can generate a local policy module to allow this access. | ||
| + | Do | ||
| + | allow this access for now by executing: | ||
| + | # grep httpd /var/log/audit/audit.log | audit2allow -M mypol | ||
| + | # semodule -i mypol.pp | ||
| + | </pre> | ||
| + | |||
| + | ==External links== | ||
| + | * [http://stopdisablingselinux.com/ Stop disabling SELinux] | ||
[[Category:Linux Command Line Tools]] | [[Category:Linux Command Line Tools]] | ||
Latest revision as of 22:50, 8 September 2016
Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides the mechanism for supporting access control security policies
Examples
$ vi /etc/sysconfig/selinux $ sestatus $ getenforce $ setenforce $ setenforce 0 || setenforce Enforcing $ ps axZ $ ps -ZC httpd $ ls -laZ /var/www/ $ semanage fcontext -l | grep httpd $ restorecon -Rv /var/www/html/ $ chcon --reference=/var/www/html /webserver $ #~OR~ $ matchpathcon /var/www/html $ semanage fcontext -l | grep httpd_sys_content_t # gives you examples for the next command: $ semanage fcontext -a -f "" -t httpd_sys_content_t '/webserver(/.*)?' $ restorecon -RFvv /webserver $ ls -Zd /webserver/ $ man -k '_selinux' $ getsebool -a | grep httpd $ getsebool httpd_enable_homedirs $ setsebool httpd_enable_homedirs on $ semanage boolean -l | grep httpd_enable_homedirs $ setsebool -P httpd_enable_homedirs on # make it persistent
- Check for errors:
sealert -a /var/log/audit/audit.log
$ grep -i selinux /var/log/messages May 6 15:29:43 server3 setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l b31143ab-e303-4d90-a691-1f07ceaa18aa May 6 15:29:44 server3 setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l b31143ab-e303-4d90-a691-1f07ceaa18aa $ sealert -l b31143ab-e303-4d90-a691-1f07ceaa18aa
SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/web_content/index.html. ***** Plugin restorecon (99.5 confidence) suggests ************************* If you want to fix the label. /var/www/html/index.html default label should be httpd_sys_content_t. Then you can run restorecon. Do # /sbin/restorecon -v /var/www/html/index.html ***** Plugin catchall (1.49 confidence) suggests *************************** If you believe that httpd should be allowed getattr access on the index.html file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep httpd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
