From ddd0f2ee32cf1413e50a717ac78949cf9f9d56e6 Mon Sep 17 00:00:00 2001
From: Konrad Bucheli
Date: Wed, 24 May 2023 16:41:56 +0200
Subject: [PATCH] SELinux troubleshooting guide

---
 _toc.yml | 1 +
 admin-guide/troubleshooting/selinux.md | 89 ++++++++++++++++++++++++++
 2 files changed, 90 insertions(+)
 create mode 100644 admin-guide/troubleshooting/selinux.md

diff --git a/_toc.yml b/_toc.yml
index 3523398a..e9b3a71c 100644
--- a/_toc.yml
+++ b/_toc.yml
@@ -85,6 +85,7 @@ chapters:
 - file: admin-guide/troubleshooting/deployment
 - file: admin-guide/troubleshooting/login
 - file: admin-guide/troubleshooting/package_management
+ - file: admin-guide/troubleshooting/selinux
 - file: admin-guide/troubleshooting/boot
 - file: admin-guide/troubleshooting/kerberos
diff --git a/admin-guide/troubleshooting/selinux.md b/admin-guide/troubleshooting/selinux.md
new file mode 100644
index 00000000..1f00974b
--- /dev/null
+++ b/admin-guide/troubleshooting/selinux.md
@@ -0,0 +1,89 @@
+# SELinux
+
+
+## Basic Checks and Actions
+
+Check mode/status SELinux:
+```bash
+getenforce
+```
+
+Change mode/status SELinux from enforce to permissive:
+```bash
+setenforce 0
+```
+
+Show SELinux context of a file:
+```bash
+ls -Z
+```
+
+Show SELinux context attached to process
+```bash
+ps -Z
+```
+
+Show SELinux booleans
+```bash
+getsebool -a
+```
+
+Set SELinux boolean
+```bash
+setsebool -P httpd_can_connect_ldap on
+setsebool -P httpd_can_check_spam off
+```
+`-P` makes it permanent and it will survive reboots.
+
+List defined SELinux contexts:
+```bash
+semanage fcontext --list
+```
+
+Add SELinux context for directories/files:
+```bash
+semanage fcontext --add -t httpd_log_t "/var/www(/.*)?/log(/.*)?"
+```
+
+Restore SELinux context of a directory/file
+```bash
+restorecon -Rv /var/www/html/var
+```
+
+## in Depth Log Analysis and Module Creation
+
+Ensure that `setroubleshoot-server` is installed for better readable log entries in `/var/log/audit/audit.log` and the journal.
+
+To be sure you see everything, enable full logging with
+```bash
+semodule -DB
+```
+
+Check the new log entries since the start of your test
+```bash
+ausearch -ts 14:29
+```
+
+Create a new SELinux policy file for the events logged since the start of your test
+
+```bash
+ausearch -ts 14:28 --raw | audit2allow -M my-application
+```
+
+This will create a `my-application.te` policy file with the source code (e.g. to be modified and distributed with Ansible or Puppet) and the copiled `my-application.pp` policy file.
+
+To install the new SELinux policy file run
+```bash
+semodule --install my-application.pp
+```
+
+To compile the binary SELinux policy file yourself run
+```bash
+cd /tmp; checkmodule --mls -m --output my-application.mod $PATH_TO/my-application.te; semodule_package --outfile my-application.pp --module my-application.mod
+```
+
+
+References:
+- [SELinux Guide](https://docs.linuxfabrik.ch/base/security/selinux.html) (German)
+- How to read SELinux logs: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/troubleshooting-problems-related-to-selinux_using-selinux
+- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/troubleshooting-problems-related-to-selinux_using-selinux