Controls-docs/admin-guide/troubleshooting/selinux.md
2023-06-05 08:59:59 +02:00


# SELinux
## Basic Checks and Actions
Check the current SELinux mode/status:
```bash
getenforce
```
Switch SELinux from enforcing to permissive mode (takes effect immediately, but does not persist across reboots):
```bash
setenforce 0
```
Show SELinux context of a file:
```bash
ls -Z <file>
```
Show the SELinux context attached to a process:
```bash
ps -Z
```
Show SELinux booleans:
```bash
getsebool -a
```
Set SELinux booleans:
```bash
setsebool -P httpd_can_connect_ldap on
setsebool -P httpd_can_check_spam off
```
`-P` makes the change persistent, so it survives reboots.

List defined SELinux contexts:
```bash
semanage fcontext --list
```
Add SELinux context for directories/files:
```bash
semanage fcontext --add -t httpd_log_t "/var/www(/.*)?/log(/.*)?"
```
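Restore the SELinux context of a directory/file (this also applies newly added `fcontext` rules, which do not relabel existing files by themselves):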
```bash
restorecon -Rv /var/www/html/var
```
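## In-Depth Log Analysis and Module Creation
Ensure that `setroubleshoot-server` is installed to get more readable log entries in `/var/log/audit/audit.log` and the journal.

To be sure you see everything, enable full logging (this rebuilds the policy with `dontaudit` rules disabled, so denials that are normally silenced are logged as well):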
```bash
semodule -DB
```
Check the new log entries since the start of your test:
```bash
ausearch -ts 14:29
```
Create a new SELinux policy file for the events logged since the start of your test:
```bash
ausearch -ts 14:28 --raw | audit2allow -M my-application
```
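This creates a `my-application.te` policy file containing the source code (e.g. to be modified and distributed with Ansible or Puppet) and the compiled `my-application.pp` policy file. Review the rules in the `.te` file before installing the module, because `audit2allow` generates an allow rule for every denial it is given.

To install the new SELinux policy file, run: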
```bash
semodule --install my-application.pp
```
To compile the binary SELinux policy file yourself, run:
```bash
cd /tmp
checkmodule --mls -m --output my-application.mod "$PATH_TO/my-application.te"
semodule_package --outfile my-application.pp --module my-application.mod
```
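
Before turning logged denials into a module, it helps to see which source type, target type, class and permissions are actually involved. The following is an added example, not part of the original guide and not a replacement for `audit2allow`; the function names `sample_avc` and `avc_summary` and the sample records are constructed for illustration.

```bash
#!/bin/sh
# Added example: summarize AVC denials before generating a policy module.

# Constructed sample records in raw audit.log format (not from a real system).
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1685948340.101:501): avc:  denied  { read } for  pid=2101 comm="httpd" name="app.log" dev="dm-0" ino=7001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1685948340.101:501): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1685948341.207:502): avc:  denied  { read open } for  pid=2101 comm="httpd" path="/var/www/shop/log/app.log" dev="dm-0" ino=7001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1685948342.315:503): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1685948343.422:504): avc:  denied  { read } for  pid=2102 comm="httpd" name="app.log" dev="dm-0" ino=7001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
EOF
}

# Read raw audit records on stdin. For every (source type, target type, class)
# print the union of denied permissions and the number of AVC records.
avc_summary() {
  awk '
    $1 == "type=AVC" && / denied / {
      perms = ""; src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "{") {
          # Permissions are the words between "{" and "}".
          for (j = i + 1; j <= NF && $j != "}"; j++) perms = perms " " $j
        }
        else if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
        else if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tgt = a[3] }
        else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      key = src " " tgt ":" cls
      count[key]++
      n = split(perms, p, " ")
      for (k = 1; k <= n; k++)
        if (!seen[key, p[k]]++) permset[key] = permset[key] " " p[k]
    }
    END {
      for (key in count) printf "%s {%s } x%d\n", key, permset[key], count[key]
    }
  ' | LC_ALL=C sort
}

# Run on the constructed sample.
sample_avc | avc_summary
```

On a real host, feed it the same records the guide passes to `audit2allow`, e.g. `ausearch -ts 14:28 --raw | avc_summary`. A denial from `httpd_t` to `ldap_port_t` is often better resolved with an existing boolean such as `httpd_can_connect_ldap`, and a log file labelled `var_t` with an `fcontext` rule, than with a new allow rule.
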
References:
- [SELinux Guide](https://docs.linuxfabrik.ch/base/security/selinux.html) (German)
- [Short SELinux Manual](https://dokuwiki.dsteiner.ch/selinux) (English)
- How to read SELinux logs: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/troubleshooting-problems-related-to-selinux_using-selinux