Selinux

From Christoph's Personal Wiki

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides the mechanism for supporting access control security policies.

Examples

$ vi /etc/sysconfig/selinux
$ sestatus
$ getenforce
$ setenforce              # with no argument prints its usage: setenforce [ Enforcing | Permissive | 1 | 0 ]
$ setenforce 0            # switch to Permissive until reboot; switch back with: setenforce Enforcing
$ ps axZ
$ ps -ZC httpd
$ ls -laZ /var/www/
$ semanage fcontext -l | grep httpd
$ restorecon -Rv /var/www/html/
$ chcon --reference=/var/www/html /webserver
$ # ~OR~
$ matchpathcon /var/www/html
$ semanage fcontext -l | grep httpd_sys_content_t  # gives you examples for the next command:
$ semanage fcontext -a -f "" -t httpd_sys_content_t '/webserver(/.*)?'
$ restorecon -RFvv /webserver
$ ls -Zd /webserver/
$ man -k '_selinux'
$ getsebool -a | grep httpd
$ getsebool httpd_enable_homedirs
$ setsebool httpd_enable_homedirs on
$ semanage boolean -l | grep httpd_enable_homedirs
$ setsebool -P httpd_enable_homedirs on # make it persistent
  • Check for errors:
$ sealert -a /var/log/audit/audit.log
$ grep -i selinux /var/log/messages
May  6 15:29:43 server3 setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l b31143ab-e303-4d90-a691-1f07ceaa18aa
May  6 15:29:44 server3 setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l b31143ab-e303-4d90-a691-1f07ceaa18aa
$ sealert -l b31143ab-e303-4d90-a691-1f07ceaa18aa
SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/web_content/index.html.

*****  Plugin restorecon (99.5 confidence) suggests  *************************

If you want to fix the label. 
/var/www/html/index.html default label should be httpd_sys_content_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/www/html/index.html

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that httpd should be allowed getattr access on the index.html file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
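Before piping "grep httpd" straight into audit2allow, it helps to see what the denials actually are. The following POSIX shell helper is an added example (not code from this wiki): summarise_avc counts audit.log AVC records by source type, permission, object class, target type and path, and triage_avc attaches a hint pointing at restorecon, getsebool or sealert as the first thing to check. The function names, the constructed sample records and the target-type lists used for the hints are assumptions made for this example.

```shell
# Summarise SELinux AVC denials so the fix (restorecon, boolean, or a policy
# module) is chosen from the real source/target types, not from a blanket
# "grep httpd ... | audit2allow".  summarise_avc FILE prints one line per
# distinct denial: count source_type perms tclass target_type path
summarise_avc() {
    awk '
    /type=AVC/ && /avc: +denied/ {
        perm = $0; sub(/.*denied  *[{] */, "", perm); sub(/ *[}].*/, "", perm)
        gsub(/ /, ",", perm)                      # "read write" -> "read,write"
        path = "-"; st = "?"; tt = "?"; cls = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }  # type part
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
            else if ($i ~ /^tclass=/) { cls = substr($i, 8) }
            else if ($i ~ /^path=/) { path = substr($i, 6); gsub(/"/, "", path) }
        }
        n[st " " perm " " cls " " tt " " path]++
    }
    END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# triage_avc FILE: summary plus a hint. The target-type lists are a heuristic
# assumption made for this example, not something SELinux itself provides.
triage_avc() {
    summarise_avc "$1" | while read -r count st perm cls tt path; do
        case "$tt" in
            user_home_t|admin_home_t|default_t|unlabeled_t|tmp_t)
                hint="likely mislabel: compare matchpathcon with ls -Z, then restorecon" ;;
            *_port_t)
                hint="network: check 'getsebool -a | grep ${st%_t}_' before audit2allow" ;;
            *)
                hint="review sealert -l first; audit2allow only if the access is intended" ;;
        esac
        printf '%s %s %s %s %s %s  => %s\n' "$count" "$st" "$perm" "$cls" "$tt" "$path" "$hint"
    done
}

# write_sample_avc FILE: constructed audit.log records (not real captures).
write_sample_avc() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1462544983.123:456): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1462544984.456:457): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1462545001.789:460): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1462544983.123:456): arch=c000003e syscall=4 success=no exit=-13 comm="httpd"
EOF
}

# Demo on the constructed sample; on a real host: triage_avc /var/log/audit/audit.log
sample=$(mktemp) && write_sample_avc "$sample" && triage_avc "$sample"; rm -f "$sample"
```

The repeated getattr denial on a user_home_t file under /var/www/html is the restorecon case from the sealert output above; the mysqld_port_t line is the kind of denial a boolean usually covers, so it should not end up in a local policy module without a look at getsebool first.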

External links