Starting log services
# chkconfig --levels 2345 auditd on
# chkconfig --levels 2345 rsyslog on
# service auditd start
While SELinux is in permissive mode, users can create mislabelled files. To fix this and force a full relabel on the next boot, use:
# touch /.autorelabel; reboot
Enable SELinux
Run SELinux in permissive mode by setting the following in /etc/selinux/config:
SELINUX=permissive
Run SELinux in enforcing mode by setting the following in /etc/selinux/config:
SELINUX=enforcing
Get Booleans:
List booleans (with descriptions)
semanage boolean -l
List booleans with their current state
getsebool -a
Get the state of an individual boolean
getsebool httpd_verify_dns
Configure a boolean
setsebool httpd_verify_dns on
To make the change persistent across reboots, pass -P to setsebool
setsebool -P httpd_verify_dns on
SELinux Contexts: Labeling Files
An SELinux context is the security-relevant information attached as a label to processes and files. Use ls -Z <file> or ps -xZ to see the labels (context info).
Make temporary changes by using chcon
chcon changes a file's context, but only temporarily: a file system relabel or a run of restorecon reverts any changes made through chcon. That makes it a great tool for troubleshooting access denied errors.
Changing a file's context
chcon -t httpd_sys_content_t /var/www/html/testfile
Changing the context of all files and folders in the html directory (including the directory itself)
chcon -R -t httpd_sys_content_t /var/www/html
Reverting your changes to the policy defaults
restorecon -R -v /var/www/html
Note: -t = type, -v = verbose, -R = the file and its children (recursively)
Persistent Changes Through Context Modification
To make a persistent change, use semanage fcontext
semanage fcontext -a options file-name|directory-name
This adds an entry to /etc/selinux/targeted/contexts/files/file_contexts.local. That is the file the default is read from when you change a context with chcon and then call restorecon.
To change the type, the option is -t <type>
To apply the change use restorecon (the name is kind of misleading here).
restorecon -v file-name|directory-name
Create a context for directories and files
semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
This will apply httpd_sys_content_t to /web and its contents. Note that the command does not change the file types directly: the label of the files under /web is still default_t. The command only adds an entry to /etc/selinux/targeted/contexts/files/file_contexts.local:
/web(/.*)? system_u:object_r:httpd_sys_content_t:s0
Now run
restorecon -R -v /web
This restores the default from /etc/selinux/targeted/contexts/files/file_contexts.local, resulting in httpd_sys_content_t for /web and all the files inside it.
Delete a context
semanage fcontext -d "/web(/.*)?"
Types
default_t is the type used on files that do not match any pattern in the fcontext (file-context) configuration. This is done so that we can distinguish them from files that have no context on disk at all. Files labelled default_t are generally kept inaccessible until you assign a type to them.
Commands
Use cp to copy without preserving the SELinux context
To preserve the context use
cp --preserve=context file1 /var/www/html/
Note: the Linux mv command preserves the context. If you move a file from your home directory to the www/html directory, httpd will not be able to access it and you will see a 403 error.
Checking Default Context
Use matchpathcon to compare the current file contexts to the defaults
matchpathcon -V /var/www/html/*
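The mv note and the matchpathcon check above both come down to spotting files whose type does not match what httpd expects. The following is an added example (not from the original post) that parses constructed `ls -Z`-style output ("<context> <path>" per line, as newer coreutils print it) and reports the mismatched paths, so it runs offline without a labelled file system:

```shell
#!/bin/sh
# Added example, not part of the original post: audit an `ls -Z` listing for
# files whose SELinux type differs from the one httpd needs.

# Extract one field of a context "user:role:type:level"
# (1 = user, 2 = role, 3 = type, 4 = level).
context_field() {
    # $1 = context string, $2 = field number
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Read `ls -Z`-style lines ("<context> <path>") on stdin and print the paths
# whose type field is not $1. A hit here is a file restorecon would relabel.
mismatched_types() {
    awk -v want="$1" '
        NF >= 2 {
            split($1, ctx, ":")
            if (ctx[3] != want) print $2
        }'
}

# Constructed sample: what `ls -Z /var/www/html` might show after one file was
# moved in with mv (keeps user_home_t) and one copied in with cp (gets the
# directory default). Assumed paths, not taken from a real system.
SAMPLE_LS_Z='unconfined_u:object_r:user_home_t:s0 /var/www/html/moved.html
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/copied.html
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html'

# Only the moved file is reported; that is the one httpd will be denied on.
printf '%s\n' "$SAMPLE_LS_Z" | mismatched_types httpd_sys_content_t
```

On a live system, replace the constructed sample with `ls -Z /var/www/html | mismatched_types httpd_sys_content_t` and fix what it lists with restorecon.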
Keep the context when tarring
tar --selinux -cf test.tar file{1,2,3}
Untarring
tar -xvf archive.tar | restorecon -f -
or
tar --selinux -xvf test.tar
Information Gathering Tools
See the statistics of the access vector cache
avcstat
Get a breakdown of a policy: booleans, types, number of classes, allow rules and more.
seinfo
It can also list the types carrying a given attribute
seinfo -adomain -x
seinfo -aunconfined_domain_type -x
seinfo --permissive -x
Search the policy for rules involving a particular type
sesearch
sesearch --role_allow -t httpd_sys_content_t /etc/selinux/targeted/policy/policy.31
sesearch --allow # list the allow rules