SELinux troubleshooting guide

2023-05-24 16:41:56 +02:00
parent 53e894d7b7
commit ddd0f2ee32
2 changed files with 90 additions and 0 deletions
@@ -85,6 +85,7 @@ chapters:
- file: admin-guide/troubleshooting/deployment
- file: admin-guide/troubleshooting/login
- file: admin-guide/troubleshooting/package_management
- file: admin-guide/troubleshooting/selinux
- file: admin-guide/troubleshooting/boot
- file: admin-guide/troubleshooting/kerberos
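Review bot: the new entry `- file: admin-guide/troubleshooting/selinux` only resolves if the page added in the second hunk is saved at exactly that path (with the extension the other chapters use); the rendered diff does not show that file's name, so please confirm it before merging, since a TOC entry pointing at a missing file breaks the book build. Its position between `package_management` and `boot` follows the existing, non-alphabetical ordering of the list, so nothing to change there.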
@@ -0,0 +1,89 @@
# SELinux
## Basic Checks and Actions
Check mode/status SELinux:
```bash
getenforce
```
Change mode/status SELinux from enforce to permissive:
```bash
setenforce 0
```
Show SELinux context of a file:
```bash
ls -Z <file>
```
Show SELinux context attached to process
```bash
ps -Z
```
Show SELinux booleans
```bash
getsebool -a
```
Set SELinux boolean
```bash
setsebool -P httpd_can_connect_ldap on
setsebool -P httpd_can_check_spam off
```
`-P` makes it permanent and it will survive reboots.
List defined SELinux contexts:
```bash
semanage fcontext --list
```
Add SELinux context for directories/files:
```bash
semanage fcontext --add -t httpd_log_t "/var/www(/.*)?/log(/.*)?"
```
Restore SELinux context of a directory/file
```bash
restorecon -Rv /var/www/html/var
```
## in Depth Log Analysis and Module Creation
Ensure that `setroubleshoot-server` is installed for better readable log entries in `/var/log/audit/audit.log` and the journal.
To be sure you see everything, enable full logging with
```bash
semodule -DB
```
Check the new log entries since the start of your test
```bash
ausearch -ts 14:29
```
Create a new SELinux policy file for the events logged since the start of your test
```bash
ausearch -ts 14:28 --raw | audit2allow -M my-application
```
This will create a `my-application.te` policy file with the source code (e.g. to be modified and distributed with Ansible or Puppet) and the copiled `my-application.pp` policy file.
To install the new SELinux policy file run
```bash
semodule --install my-application.pp
```
To compile the binary SELinux policy file yourself run
```bash
cd /tmp; checkmodule --mls -m --output my-application.mod $PATH_TO/my-application.te; semodule_package --outfile my-application.pp --module my-application.mod
```
References:
- [SELinux Guide](https://docs.linuxfabrik.ch/base/security/selinux.html) (German)
- How to read SELinux logs: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/troubleshooting-problems-related-to-selinux_using-selinux
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/troubleshooting-problems-related-to-selinux_using-selinux
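Review bot: the module-creation step `ausearch -ts 14:28 --raw | audit2allow -M my-application` followed by `semodule --install my-application.pp` turns every AVC denial logged since 14:28 into an allow rule, and with `semodule -DB` in effect that includes the denials normally hidden by dontaudit rules; the text should tell the reader to inspect `my-application.te` before installing it, drop rules that belong to unrelated processes, and prefer an existing boolean or an `fcontext` fix where audit2allow's output points to one. It should also add `semodule -B` after the test to re-enable the dontaudit rules, since leaving them disabled floods `/var/log/audit/audit.log`. Smaller points in the same hunk: the two `ausearch -ts` examples use 14:29 and 14:28 for the same test start; `setenforce 0` should be described as a temporary diagnostic step, with `setenforce 1` to switch back and a note that it does not survive a reboot; `ps -Z` on its own lists only the processes of the current terminal, `ps -eZ` lists all of them; `restorecon` should be named as the required follow-up to `semanage fcontext --add`, and the two examples use unrelated paths (`/var/www(/.*)?/log(/.*)?` vs `/var/www/html/var`); "copiled" should read "compiled"; the last two reference entries are the same URL, so one can be dropped.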