SELinux
General information on SELinux can be found here:
- SELinux coloring book - Original: https://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf
Modes
SELinux can be in one of three modes:
- enforcing - The SELinux policy is enforced, violations are logged.
- permissive - The SELinux policy is not enforced, but violations are still logged.
- disabled - SELinux is not loaded at all.
Switching between enforcing/permissive and disabled (in either direction) requires a reboot.
Contexts
On an SELinux system every file has a context, and the SELinux policy controls whether a confined service can access files of a given context.
The context of files can be listed with the stat command or by passing the -Z option to ls::
$ ls -Z /etc/fstab
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/fstab
$ stat /etc/fstab
File: ‘/etc/fstab’
Size: 619 Blocks: 8 IO Block: 4096 regular file
Device: fd01h/64769d Inode: 134320258 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Context: system_u:object_r:etc_t:s0
Access: 2017-05-13 21:50:43.533927373 +0200
Modify: 2016-04-03 04:19:02.289004083 +0200
Change: 2016-04-03 04:29:29.955011505 +0200
Birth: -
When files are created they are assigned a default context based on their path according to the system policy.
The default contexts configured for various filesystem locations can be listed by running :manpage:`semanage(8)`:
$ semanage fcontext -l
...
/usr/.* all files system_u:object_r:usr_t:s0
/var/.* all files system_u:object_r:var_t:s0
/run/.* all files system_u:object_r:var_run_t:s0
/srv/.* all files system_u:object_r:var_t:s0
...
Local customizations to the system's default contexts can be added and listed with semanage fcontext:
$ semanage fcontext -a -t httpd_sys_content_t '/srv/web/data(/.*)?'
$ semanage fcontext -a -t etc_t /srv/web/httpd.conf
$ semanage fcontext -l -C
/srv/web/httpd.conf all files system_u:object_r:etc_t:s0
/srv/web/data(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
Use the restorecon command to restore the context of a file or directory tree according to the system policy::
$ restorecon -v /etc/fstab
$ restorecon -vR /etc/puppetlabs/
It is also possible to trigger a relabeling of all files with default contexts by::
touch /.autorelabel
reboot
For debugging or during development the chcon command can be used:
chcon -t etc_t /srv/web/httpd.conf
.. important:: This is not enough! The next ``restorecon(8)``, relabeling, or system
redeployment will not honor the changes made with :manpage:`chcon(1)`. Use
:manpage:`semanage(8)` as described above or change the location of the files
in question so that they are classified correctly by the system policy.
Booleans
SELinux booleans are variables which control certain restrictions enforced by the SELinux policy. An example would be httpd_can_network_connect, which controls whether Apache can open network connections.
The state of SELinux booleans is either on or off and can be queried using getsebool:
# List all SELinux booleans and their states
getsebool -a
# Show the state of a given variable
getsebool httpd_can_network_connect
The setsebool command changes the state of a boolean:
setsebool httpd_can_network_connect on
Basic Checks and Actions
Check the SELinux mode/status:
getenforce
Change the SELinux mode from enforcing to permissive:
setenforce 0
Show SELinux context of a file:
ls -Z <file>
Show the SELinux context of running processes:
ps -Z
Show SELinux booleans:
getsebool -a
Set SELinux booleans:
setsebool -P httpd_can_connect_ldap on
setsebool -P httpd_can_check_spam off
The -P option makes the change persistent, so it survives reboots.
List defined SELinux contexts:
semanage fcontext --list
Add SELinux context for directories/files:
semanage fcontext --add -t httpd_log_t "/var/www(/.*)?/log(/.*)?"
Restore the SELinux context of a directory/file:
restorecon -Rv /var/www/html/var
In-Depth Log Analysis and Module Creation
Ensure that setroubleshoot-server is installed for more readable log entries in /var/log/audit/audit.log and the journal.
To see everything, enable full logging by disabling the dontaudit rules:
semodule -DB
Revert this afterwards, otherwise it will fill your log:
semodule -B
Check the new log entries since the start of your test:
ausearch -ts 14:29
Create a new SELinux policy module from the events logged since the start of your test:
ausearch -ts 14:28 --raw | audit2allow -M my-application
This creates a my-application.te file with the policy source (e.g. to be modified and distributed with Ansible or Puppet) and the compiled my-application.pp policy module.
If you only need the TE source code as output (e.g. for Puppet), run:
ausearch -ts 14:28 --raw | audit2allow -r -m my-application
To add such a module to Hiera for Puppet see SELinux Configuration.
To install the new SELinux policy module run:
semodule --install my-application.pp
To compile the binary SELinux policy module yourself run:
cd /tmp
checkmodule --mls -m --output my-application.mod $PATH_TO/my-application.te
semodule_package --outfile my-application.pp --module my-application.mod
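As an added illustration of what audit2allow does with the ausearch output above (example code written for this page, not part of the original or of the audit2allow tool): the script below parses constructed AVC denial records in the audit.log format, aggregates them by source type, target type and object class, and renders TE source in the same shape as `audit2allow -m`. The sample denials are for httpd_t reading files under /srv/web/data that still carry the default var_t context from the Contexts section; in that case the better fix is the semanage fcontext rule shown there rather than shipping an allow rule on var_t, so review generated rules before installing them.

```python
import re
from collections import defaultdict

# Constructed sample records in /var/log/audit/audit.log format (not captured from a real system).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1494704443.533:1234): avc:  denied  { read open } for  pid=2345 comm="httpd" path="/srv/web/data/index.html" dev="dm-1" ino=134320258 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1494704443.534:1235): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/srv/web/data" dev="dm-1" ino=134320200 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1494704443.533:1234): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
"""

# Matches the decision part of an AVC record: the denied permissions and the two contexts plus class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """Return the type field of a context like system_u:object_r:var_t:s0 (user:role:type:level)."""
    return ctx.split(":")[2]

def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, frozenset(perms)) for each AVC denial in the log."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL, CWD, PATH records carry no access decision
        yield (context_type(m["scontext"]), context_type(m["tcontext"]),
               m["tclass"], frozenset(m["perms"].split()))

def build_te(module_name, log_text, version="1.0"):
    """Merge denials into allow rules and render TE source in the layout audit2allow uses."""
    rules = defaultdict(set)           # (stype, ttype, tclass) -> permissions
    for stype, ttype, tclass, perms in parse_denials(log_text):
        rules[(stype, ttype, tclass)] |= perms
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)         # tclass -> all permissions needed in the require block
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(build_te("my-application", SAMPLE_AUDIT_LOG))
```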
References:
- SELinux Guide (German)
- Short SELinux Manual (English)
- How to read SELinux logs: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/troubleshooting-problems-related-to-selinux_using-selinux