forked from Controls/gitea-pages
# SELinux

## Basic Checks and Actions

Check the current SELinux mode (enforcing, permissive or disabled):

```bash
getenforce
```
Switch SELinux from enforcing to permissive mode (this does not persist across reboots):

```bash
setenforce 0
```
Show the SELinux context of a file:

```bash
ls -Z <file>
```
Show the SELinux context of running processes:

```bash
ps -Z
```
Show all SELinux booleans and their current values:

```bash
getsebool -a
```
Set SELinux booleans:

```bash
setsebool -P httpd_can_connect_ldap on
setsebool -P httpd_can_check_spam off
```

`-P` makes the change persistent, so it survives reboots.
List the defined SELinux file context rules:

```bash
semanage fcontext --list
```
Add a SELinux file context rule for directories/files (the pattern is a regular expression matched against the full path):

```bash
semanage fcontext --add -t httpd_log_t "/var/www(/.*)?/log(/.*)?"
```
Restore the SELinux context of a directory/file to what the file context rules define:

```bash
restorecon -Rv /var/www/html/var
```
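A file context rule that is too broad relabels files it should not touch, and one that is too narrow leaves the service denied after `restorecon`. The script below is an added example, not part of the original page: it tests the pattern from the rule above against constructed sample paths (file context regexes are anchored at both ends, which the check reproduces) and only then prints, or with `APPLY=1` in the environment actually runs, the `semanage fcontext --add` and `restorecon` commands. The function names and the `APPLY` variable are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: test a file-context pattern
# against the paths it is meant to cover (and a few it must not) before
# handing it to `semanage fcontext --add`, then relabel. The commands are only
# printed unless APPLY=1 is set in the environment, so the check itself can be
# run anywhere.
set -u

# Return 0 if PATH matches PATTERN. file_contexts regexes are anchored at both
# ends, so ^ and $ are added to reproduce what the policy will do.
fcontext_matches() {
    local pattern="$1" path="$2"
    printf '%s\n' "$path" | grep -Eq "^(${pattern})$"
}

# Arguments: PATTERN, then entries of the form yes:<path> or no:<path>.
# Report every mismatch against the expectation; return 1 if there was one.
check_fcontext_pattern() {
    local pattern="$1"; shift
    local rc=0 entry expect path
    for entry in "$@"; do
        expect="${entry%%:*}"
        path="${entry#*:}"
        if fcontext_matches "$pattern" "$path"; then
            [ "$expect" = "yes" ] || { echo "unexpected match: $path"; rc=1; }
        else
            [ "$expect" = "no" ]  || { echo "missing match:    $path"; rc=1; }
        fi
    done
    return "$rc"
}

# Register the pattern and relabel the tree it lives in. Without APPLY=1 the
# commands are only printed.
apply_fcontext() {
    local type="$1" pattern="$2" root="$3"
    if [ "${APPLY:-0}" = "1" ]; then
        semanage fcontext --add -t "$type" "$pattern" && restorecon -Rv "$root"
    else
        echo "would run: semanage fcontext --add -t $type \"$pattern\""
        echo "would run: restorecon -Rv $root"
    fi
}

# The pattern used on this page, checked against constructed sample paths.
PATTERN='/var/www(/.*)?/log(/.*)?'
if check_fcontext_pattern "$PATTERN" \
        "yes:/var/www/log" \
        "yes:/var/www/html/log/access.log" \
        "no:/var/www/html/logs/access.log" \
        "no:/var/log/httpd/access_log"; then
    apply_fcontext httpd_log_t "$PATTERN" /var/www
else
    echo "pattern does not match the intended paths; not applying" >&2
fi
```

Note that `/var/www/html/logs/access.log` is deliberately listed as a non-match: `/log(/.*)?` requires the component to be exactly `log`, which is easy to overlook when reading the rule.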
## In-Depth Log Analysis and Module Creation

Make sure `setroubleshoot-server` is installed; it produces more readable entries in `/var/log/audit/audit.log` and the journal.
To be sure you see everything, enable full logging (disable all dontaudit rules and rebuild the policy) with:

```bash
semodule -DB
```
List the audit entries logged since the start of your test (here 14:29):

```bash
ausearch -ts 14:29
```
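Raw audit output for even a short test is long and repetitive. The script below is an added example, not part of the original page: it reads AVC records in the form `ausearch --raw` prints them and condenses them to one line per source domain, target type, object class and permission set, with a count, so that the handful of distinct denials behind a burst of log lines is visible before deciding between a relabel, a boolean and a custom module. The sample records are constructed, not real captures, and the function names are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: condense raw AVC records (the
# form `ausearch --raw` prints) into one line per source domain, target type,
# object class and permission set, with a count. A burst of denials usually
# collapses into two or three distinct rules, which is what you want to see
# before deciding between a relabel, a boolean and a custom module.

# Read AVC records on stdin; print "<count> <sdomain> -> <ttype> <class> { <perms> }",
# most frequent first. Non-AVC records (SYSCALL, CWD, PATH, ...) are ignored.
summarize_avc() {
    awk '
        /^type=AVC / && /denied/ {
            perms = ""; s = "?"; t = "?"; c = "?"
            # permissions sit between "denied  {" and the closing brace
            if (match($0, /denied +[{][^}]*[}]/)) {
                perms = substr($0, RSTART, RLENGTH)
                sub(/denied +[{] */, "", perms)
                sub(/ *[}]$/, "", perms)
            }
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                # contexts look like user:role:type:level; keep the type
                if (kv[1] == "scontext") { split(kv[2], p, ":"); s = p[3] }
                if (kv[1] == "tcontext") { split(kv[2], p, ":"); t = p[3] }
                if (kv[1] == "tclass")   c = kv[2]
            }
            count[s " -> " t " " c " { " perms " }"]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample records in audit.log format (not real captures).
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { write } for  pid=1234 comm="httpd" name="access.log" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1700000000.124:457): avc:  denied  { write } for  pid=1234 comm="httpd" name="error.log" dev="dm-0" ino=1002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.200:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0'

# Summarize the constructed sample; on a real host pipe ausearch in instead:
#   ausearch -ts 14:29 --raw | summarize_avc
summarize_sample() {
    printf '%s\n' "$SAMPLE_AVC" | summarize_avc
}

summarize_sample
```

For the constructed sample the summary is two lines: `httpd_t` writing to files labelled `var_t` (a labelling problem, fixed with a file context rule and `restorecon`, not with a module) and `httpd_t` connecting to `ldap_port_t` (covered by the `httpd_can_connect_ldap` boolean from the first section). Neither needs audit2allow; feeding them in anyway would hard-code both grants into a custom policy.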
Create a new SELinux policy module from the events logged since the start of your test:

```bash
ausearch -ts 14:28 --raw | audit2allow -M my-application
```

This creates a `my-application.te` policy source file (e.g. to be modified and distributed with Ansible or Puppet) and the compiled `my-application.pp` policy module.
|
To install the new SELinux policy file run
|
|
```bash
|
|
semodule --install my-application.pp
|
|
```
|
|
|
|
To compile the binary SELinux policy module yourself, run:

```bash
cd /tmp
checkmodule --mls -m --output my-application.mod $PATH_TO/my-application.te
semodule_package --outfile my-application.pp --module my-application.mod
```
References:

- [SELinux Guide](https://docs.linuxfabrik.ch/base/security/selinux.html) (German)
- [Short SELinux Manual](https://dokuwiki.dsteiner.ch/selinux) (English)
- How to read SELinux logs: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/troubleshooting-problems-related-to-selinux_using-selinux