SELinux
Basic Checks and Actions
Check the current SELinux mode (Enforcing, Permissive or Disabled):
getenforce
Switch SELinux from enforcing to permissive mode until the next reboot (denials are still logged, but no longer blocked):
setenforce 0
Show SELinux context of a file:
ls -Z <file>
Show the SELinux context attached to each process:
ps -Z
Show all SELinux booleans and their current values:
getsebool -a
Set an SELinux boolean:
setsebool -P httpd_can_connect_ldap on
setsebool -P httpd_can_check_spam off
-P writes the change to the policy store so that it survives reboots; without it the change is lost on the next boot.
List the defined file context rules (path regex to label mappings):
semanage fcontext --list
Add a file context rule for directories/files (this only records the rule in the policy database; existing files are relabeled with restorecon, see below):
semanage fcontext --add -t httpd_log_t "/var/www(/.*)?/log(/.*)?"
Restore the SELinux context of a directory/file according to the defined rules:
restorecon -Rv /var/www/html/var
In-Depth Log Analysis and Module Creation
Ensure that setroubleshoot-server is installed for more readable log entries in /var/log/audit/audit.log and the journal.
To be sure you see everything, enable full logging. -D disables the policy's dontaudit rules (which otherwise silence many denials) and -B rebuilds and reloads the policy:
semodule -DB
Check the new log entries since the start of your test:
ausearch -ts 14:29
Create a new SELinux policy module from the events logged since the start of your test:
ausearch -ts 14:28 --raw | audit2allow -M my-application
This creates a my-application.te policy file with the policy source (e.g. to be reviewed, modified and distributed with Ansible or Puppet) and the compiled my-application.pp policy module.
To install the new SELinux policy module, run:
semodule --install my-application.pp
To compile the binary SELinux policy module yourself (e.g. after editing the .te file), run:
cd /tmp
checkmodule --mls -m --output my-application.mod $PATH_TO/my-application.te
semodule_package --outfile my-application.pp --module my-application.mod
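The following script is an added example and not part of the original notes. It shows the log analysis step in a form that can be run anywhere: an awk-based parser that reduces raw AVC records from audit.log to "which process, which source type, which target type/class, which permission", a summary that groups identical denials, and wrappers for the ausearch/audit2allow and checkmodule/semodule_package commands used above (these only run where the SELinux tools are installed). The audit records embedded in SAMPLE_AVC are constructed for the example, and the module name passed to build_module/compile_module is a placeholder chosen by the caller.

```shell
#!/bin/sh
# Added example: summarise AVC denials from audit.log and wrap the
# ausearch | audit2allow and checkmodule | semodule_package workflow.
# Not part of the original notes; the audit lines below are constructed.
set -e

# Constructed sample audit.log excerpt: two AVC denials from httpd plus an
# unrelated SYSCALL record that the parser must ignore.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700000001.456:457): avc:  denied  { read } for  pid=1235 comm="httpd" name="app.log" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0'

# parse_avc: read audit records on stdin and emit one line per AVC denial:
#   <comm> <source type> <target type> <tclass> <denied permissions>
parse_avc() {
  awk '
    /avc: *denied/ {
      perms = $0
      sub(/.*denied +[{] */, "", perms)   # drop everything before the permission set
      sub(/ *[}].*/, "", perms)            # drop everything after it
      comm = "?"; st = "?"; tt = "?"; tc = "?"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
        if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); st = a[3] }  # user:role:type:level
        if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tt = b[3] }
        if ($i ~ /^tclass=/)   { tc = substr($i, 8) }
      }
      printf "%s %s %s %s %s\n", comm, st, tt, tc, perms
    }'
}

# avc_summary: group identical denials so a long log collapses to a short
# list of exactly what a generated module would allow.
avc_summary() {
  parse_avc | sort | uniq -c | sort -rn
}

# build_module: generate NAME.te/NAME.pp from AVC denials logged since TIME
# (the same ausearch | audit2allow pipeline as in the notes). Only runs where
# the SELinux tools exist; read NAME.te before installing it.
build_module() {
  since="$1"; name="$2"
  for tool in ausearch audit2allow; do
    command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; return 2; }
  done
  ausearch -m AVC -ts "$since" --raw | audit2allow -M "$name"
  echo "review $name.te, then install with: semodule -i $name.pp"
}

# compile_module: rebuild NAME.pp from an (edited) NAME.te, the manual
# checkmodule/semodule_package path from the notes (-M enables MLS, -m builds
# a non-base module, -o names the output).
compile_module() {
  name="$1"
  for tool in checkmodule semodule_package; do
    command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; return 2; }
  done
  checkmodule -M -m -o "$name.mod" "$name.te"
  semodule_package -o "$name.pp" -m "$name.mod"
}

# Stand-alone run: show what the constructed log excerpt would ask the policy for.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

On a real host, feed the parser with `ausearch -m AVC -ts 14:28 --raw | parse_avc` (or pipe in /var/log/audit/audit.log directly) before running build_module; comparing the summary with the allow rules audit2allow writes into the .te file is the quickest way to spot a generated rule that grants far more than the application actually needs.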
References:
- SELinux Guide (German)
- Short SELinux Manual (English)
- How to read SELinux logs: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/troubleshooting-problems-related-to-selinux_using-selinux