gitea-pages/admin-guide/troubleshooting/selinux.md
2024-10-04 14:29:09 +02:00

# SELinux
General information on SELinux can be found here:
- [SELinux coloring book](_static/selinux-coloring-book_A4-Stapled.pdf) - Original: https://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf
## Modes
SELinux can be in one of three modes:
- `enforcing` - The SELinux policy is enforced and violations are logged.
- `permissive` - The SELinux policy is **not** enforced, but violations are still logged (the AVC records carry `permissive=1`); this is the mode to collect every denial a workload would hit.
- `disabled` - SELinux is not loaded at all; nothing is labeled or logged.
Switching between `enforcing` and `permissive` is possible at runtime with `setenforce`. Going from `enforcing` or `permissive` to/from `disabled` requires a reboot (set `SELINUX=` in `/etc/selinux/config`), and files created while SELinux was disabled carry no label, so a relabel is needed when it is enabled again.
## Contexts
On an SELinux system every file has a context (processes, sockets and ports have one too), and the SELinux policy controls whether a confined domain can access files of a given context. A context has the form `user:role:type:level`; for file access decisions the type (third field, e.g. `etc_t`) is what matters.
The context of files can be listed with the `stat` command or by passing the `-Z` option to `ls`:
```bash
$ ls -Z /etc/fstab
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/fstab
$ stat /etc/fstab
  File: /etc/fstab
  Size: 619             Blocks: 8          IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 134320258   Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:etc_t:s0
Access: 2017-05-13 21:50:43.533927373 +0200
Modify: 2016-04-03 04:19:02.289004083 +0200
Change: 2016-04-03 04:29:29.955011505 +0200
 Birth: -
```
A file created at runtime inherits its type from the parent directory (or from a `type_transition` rule in the policy for the creating domain); this is why `mv` keeps a file's old label while `cp` produces a file labeled like the target directory. The path-based default contexts listed below are what `restorecon`, package installation and a full relabel apply according to the system policy.
The default contexts configured for various filesystem locations can be listed with `semanage`:
```bash
$ semanage fcontext -l
...
/usr/.*                all files    system_u:object_r:usr_t:s0
/var/.*                all files    system_u:object_r:var_t:s0
/run/.*                all files    system_u:object_r:var_run_t:s0
/srv/.*                all files    system_u:object_r:var_t:s0
...
```
Local customizations of the default contexts are added with `semanage fcontext -a` and listed with `-C`. They are stored in `file_contexts.local` under `/etc/selinux/<policy>/contexts/files/` and take precedence over the policy's own entries for matching paths. The regular expression has to match the whole path, so `(/.*)?` is the usual suffix for "this directory and everything below it". Adding a rule does not change any existing file; run `restorecon` afterwards (see below):
```bash
$ semanage fcontext -a -t httpd_sys_content_t '/srv/web/data(/.*)?'
$ semanage fcontext -a -t etc_t /srv/web/httpd.conf
$ semanage fcontext -l -C
/srv/web/httpd.conf      all files    system_u:object_r:etc_t:s0
/srv/web/data(/.*)?      all files    system_u:object_r:httpd_sys_content_t:s0
```
Use the `restorecon` command to restore the context of a file or directory tree according to the system policy (`-v` reports every file it changes; `-n` only reports and changes nothing, which is the quickest way to find mislabeled files):
```bash
$ restorecon -v /etc/fstab
$ restorecon -vR /etc/puppetlabs/
```
A full relabel of all filesystems (needed e.g. after SELinux was disabled, or after a policy change that affects many paths) is triggered at the next boot by creating `/.autorelabel`; on large filesystems this takes a while:
```bash
touch /.autorelabel
reboot
```
For debugging or during development the `chcon` command can be used to set a context directly on a file:
```bash
chcon -t etc_t /srv/web/httpd.conf
```
**Important:** This is not enough! `chcon` only changes the label stored on the inode; the next `restorecon(8)`, relabeling or system redeployment will revert it to what the policy says. Use `semanage(8)` as described above, or move the files in question to a location that the system policy already labels correctly.
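To make the precedence rules above concrete, here is an added example (not from this page and not libselinux code) that re-implements the core of `matchpathcon` in shell: it walks a constructed `file_contexts`-style spec list in the order libselinux sees it (policy entries first, `semanage fcontext` customizations appended at the end) and reports the context of the last spec whose regex matches the whole path. Assumptions: the spec lines and paths are constructed for the example, the optional file-type column (`-d`, `--` and so on) is ignored, and `grep -E` stands in for the PCRE engine libselinux uses. On a real system `matchpathcon PATH` and `restorecon -nv PATH` give the authoritative answer.

```bash
#!/usr/bin/env bash
# Mini matchpathcon: which default context does the policy assign to a path?
# Added example, not libselinux code; specs below are constructed.
set -eu

# Constructed spec lines in file_contexts format, in the order libselinux sees
# them: the policy's catch-all and generic entries first, then the two local
# customizations added with `semanage fcontext -a` in the text above.
FILE_CONTEXTS='/.*                      system_u:object_r:default_t:s0
/usr/.*                  system_u:object_r:usr_t:s0
/var/.*                  system_u:object_r:var_t:s0
/srv/.*                  system_u:object_r:var_t:s0
/srv/web/httpd.conf      system_u:object_r:etc_t:s0
/srv/web/data(/.*)?      system_u:object_r:httpd_sys_content_t:s0'

# default_context PATH: print the context of the LAST spec whose regex matches
# the whole path (specs are implicitly anchored with ^ and $), or "<<none>>".
default_context() {
  local path=$1 regex f2 f3 ctx result='<<none>>'
  while read -r regex f2 f3; do
    [ -n "$regex" ] || continue
    ctx=${f3:-$f2}   # a middle file-type column (e.g. -d, --) is optional; ignored here
    if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
      result=$ctx    # keep scanning: a later match overrides an earlier one
    fi
  done <<EOF
$FILE_CONTEXTS
EOF
  printf '%s\n' "$result"
}

# default_type PATH: only the type field, which is what access decisions use.
default_type() {
  default_context "$1" | cut -d: -f3
}

# needs_relabel PATH CURRENT_TYPE: true (exit 0) when the label on disk differs
# from the policy default, i.e. when `restorecon -nv PATH` would report it.
needs_relabel() {
  [ "$(default_type "$1")" != "$2" ]
}

# Stand-alone run: the local rule wins over /srv/.* because it comes later.
default_type /srv/web/data/index.html   # httpd_sys_content_t
```

`default_type /srv/web/data/index.html` prints `httpd_sys_content_t` although `/srv/.*` matches as well: the local customization was appended later and wins, which is exactly why `semanage fcontext` entries override the policy. `needs_relabel PATH CURRENT_TYPE` is the check `restorecon -nv` performs for real: a file is only relabeled when its on-disk type differs from the policy default.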
## Booleans
SELinux booleans are variables which control certain restrictions enforced by the SELinux policy. An example would be `httpd_can_network_connect`, which controls whether Apache can open network connections.
The state of SELinux booleans is either `on` or `off` and can be queried using `getsebool`:
```bash
# List all SELinux booleans and their states
getsebool -a
# Show the state of a given variable
getsebool httpd_can_network_connect
```
The `setsebool` command changes the state of a boolean; without `-P` the change only lasts until the next reboot or policy reload:
```bash
setsebool httpd_can_network_connect on
```
## Basic Checks and Actions
Check mode/status SELinux:
```bash
getenforce
```
Switch SELinux from enforcing to permissive until the next reboot (`setenforce 1` switches back; for a persistent change set `SELINUX=permissive` in `/etc/selinux/config`). Denials are still logged in permissive mode, so this is the way to collect all denials of a misbehaving service without loosening the policy:
```bash
setenforce 0
```
Show SELinux context of a file:
```bash
ls -Z <file>
```
Show the SELinux context (domain) of all processes (`ps -Z` without `-e` only lists processes of the current terminal):
```bash
ps -eZ
```
Show SELinux booleans
```bash
getsebool -a
```
Set SELinux boolean
```bash
setsebool -P httpd_can_connect_ldap on
setsebool -P httpd_can_check_spam off
```
`-P` makes it permanent and it will survive reboots.
List defined SELinux contexts:
```bash
semanage fcontext --list
```
Add SELinux context for directories/files:
```bash
semanage fcontext --add -t httpd_log_t "/var/www(/.*)?/log(/.*)?"
```
Restore the SELinux context of a directory/file to the policy default (`-n` only reports what would change):
```bash
restorecon -Rv /var/www/html/var
```
## In-Depth Log Analysis and Module Creation
Ensure that `setroubleshoot-server` is installed: it reads the raw AVC records from `/var/log/audit/audit.log` and writes a human-readable explanation with suggested fixes (boolean, fcontext or custom module) to the journal and `/var/log/messages`. `sealert -a /var/log/audit/audit.log` summarizes all denials in the log and `sealert -l <UUID>` shows the full report for one of them (the UUID is part of the journal entry). Denials only land in `audit.log` while `auditd` is running; otherwise the kernel writes them to the kernel log (`dmesg`, journal).
Some denials are silenced by `dontaudit` rules in the policy and never appear in the log. To see everything, rebuild the policy with those rules disabled:
```bash
semodule -DB
```
Revert again afterwards, otherwise the silenced denials will flood your log:
```bash
semodule -B
```
Check the new log entries since the start of your test (`-ts` takes a time of day or a keyword such as `recent` for the last 10 minutes; add `-m avc` to restrict the output to AVC records and `-i` for readable timestamps):
```bash
ausearch -ts 14:29
```
Create a new SELinux policy module from the denials logged since the start of your test:
```bash
ausearch -ts 14:28 --raw | audit2allow -M my-application
```
This creates `my-application.te`, the policy source (e.g. to be reviewed, modified and distributed with Ansible or Puppet), and the compiled `my-application.pp` module, both in the current directory. Review the `.te` file before installing it: `audit2allow` allows exactly what was denied, without asking whether a boolean or a relabel would have been the correct fix, and if the denials were collected in enforcing mode the first denial often hides the following ones, so a second round may be needed.
If you just need the TE source code as output (e.g. for Puppet), then do the following (`-m` writes the module source to stdout, `-r` adds the `require` block it needs):
```bash
ausearch -ts 14:28 --raw | audit2allow -r -m my-application > my-application.te
```
To add such a module to Hiera for Puppet see [SELinux Configuration](../configuration/software/selinux_configuration).
To install the new SELinux policy file run
```bash
semodule --install my-application.pp
```
To compile the binary SELinux policy file yourself run
```bash
cd /tmp
checkmodule --mls -m --output my-application.mod "$PATH_TO/my-application.te"
semodule_package --outfile my-application.pp --module my-application.mod
```
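Here is an added example (not part of `audit2allow` or `setroubleshoot`) that shows what `audit2allow` does with the records from `ausearch --raw`, and the triage a practitioner should do before installing the result; it also ties in the Booleans section above. It groups AVC denials by source type, target type and object class, prints the `allow` rule each group would need, and then flags rules whose target is a generic type such as `var_t` (almost always a mislabeled file, to be fixed with `semanage fcontext` and `restorecon` as in the Contexts section) or that an existing boolean already covers. The audit records are constructed for the example, and the small table in `known_boolean` is illustrative only; on a real system `sealert` and `semanage boolean -l` are the source of truth.

```bash
#!/usr/bin/env bash
# Mini audit2allow plus triage. Added example; not the audit2allow source.
set -eu

# Constructed raw audit records, the shape `ausearch --raw -m avc` produces.
SAMPLE_AVC='type=AVC msg=audit(1696422549.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-1" ino=134320258 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1696422549.124:457): avc:  denied  { open } for  pid=1234 comm="httpd" path="/srv/web/data/index.html" dev="dm-1" ino=134320258 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1696422550.001:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1696422550.001:458): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)'

# avc_to_allow: raw audit records on stdin -> one "allow" rule per
# (source type, target type, class) with the union of the denied permissions,
# which is the shape audit2allow writes into the .te file.
avc_to_allow() {
  awk '
    /^type=AVC / && / denied / {
      perms = $0                               # words between "{ " and " }"
      sub(/.*denied +[{] */, "", perms)
      sub(/ *[}].*/, "", perms)
      match($0, /scontext=[^ ]+/); s = substr($0, RSTART + 9, RLENGTH - 9)
      match($0, /tcontext=[^ ]+/); t = substr($0, RSTART + 9, RLENGTH - 9)
      match($0, /tclass=[^ ]+/);   c = substr($0, RSTART + 7, RLENGTH - 7)
      split(s, sa, ":"); split(t, ta, ":")     # user:role:type:level -> [3] is the type
      key = sa[3] " " ta[3] ":" c
      n = split(perms, pa, " ")
      for (i = 1; i <= n; i++)
        if (!((key, pa[i]) in seen)) {
          seen[key, pa[i]] = 1
          rules[key] = rules[key] (rules[key] == "" ? "" : " ") pa[i]
        }
    }
    END { for (k in rules) printf "allow %s { %s };\n", k, rules[k] }
  ' | sort
}

# Target types too generic to be the real fix: a denial on them means the
# object is mislabeled, not that e.g. httpd_t should get access to all of var_t.
GENERIC_TYPES='default_t var_t usr_t tmp_t unlabeled_t'

# known_boolean SRC TARGET:CLASS PERMS: illustrative table of denials that an
# existing boolean covers (hand-picked for this example; real list: sealert,
# semanage boolean -l). Exit 1 when nothing is known.
known_boolean() {
  case "$1 $2 $3" in
    'httpd_t mysqld_port_t:tcp_socket name_connect') echo httpd_can_network_connect_db ;;
    'httpd_t '*'_port_t:tcp_socket name_connect')    echo httpd_can_network_connect ;;
    *) return 1 ;;
  esac
}

# triage_rule "allow SRC TGT:CLASS { perms };" -> MISLABEL / BOOLEAN <name> / REVIEW
triage_rule() {
  local rule=$1 src tgt perms g b
  src=${rule#allow }; src=${src%% *}
  tgt=${rule#allow * }; tgt=${tgt%% *}
  perms=${rule#*\{ }; perms=${perms%% \}*}
  for g in $GENERIC_TYPES; do
    [ "${tgt%%:*}" = "$g" ] && { echo "MISLABEL  $rule"; return 0; }
  done
  if b=$(known_boolean "$src" "$tgt" "$perms"); then
    echo "BOOLEAN   $b  $rule"; return 0
  fi
  echo "REVIEW    $rule"
}

# Stand-alone run: the rules audit2allow would emit, each with its verdict.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow | while read -r line; do triage_rule "$line"; done
```

For the sample records the first verdict says the right fix is `semanage fcontext -a -t httpd_sys_content_t '/srv/web/data(/.*)?'` followed by `restorecon -Rv /srv/web/data`, not a module that lets `httpd_t` read every `var_t` file; the second is `setsebool -P httpd_can_network_connect_db on`. Only rules that come back as REVIEW belong in a custom `.te` module, and those should still be read with the denial in front of you, since a rule generated from a denial in enforcing mode may be followed by the next denial once it is installed.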
References:
- [SELinux Guide](https://docs.linuxfabrik.ch/base/security/selinux.html) (German)
- [Short SELinux Manual](https://dokuwiki.dsteiner.ch/selinux) (English)
- How to read SELinux logs: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/troubleshooting-problems-related-to-selinux_using-selinux