Difference between revisions of "SELinux"
Jump to navigation
Jump to search
| Line 35: | Line 35: | ||
* a utility to assist controlling the kernel's audit system | * a utility to assist controlling the kernel's audit system | ||
==== examples==== | ==== examples==== | ||
| − | * <code>auditctl -a always,exit -S all -F pid=1005</code> | + | * <code>auditctl -a always,exit -S all -F pid=1005</code> |
| − | * <code>auditctl -a always,exit -S openat -F auid=510</code> | + | ** To see all syscalls made by a specific program |
| − | * <code>auditctl -a always,exit -S openat -F success=0</code> | + | * <code>auditctl -a always,exit -S openat -F auid=510</code> |
| − | * <code>auditctl -w /etc/shadow -p wa</code> or <code>auditctl -a always,exit -F path=/etc/shadow -F perm=wa</code> | + | ** To see files opened by a specific user |
| − | * <code>auditctl -w /etc/ -p wa</code> or <code>auditctl -a always,exit -F dir=/etc/ -F perm=wa</code> | + | * <code>auditctl -a always,exit -S openat -F success=0</code> |
| − | * <code>auditctl -a always,exit -F dir=/home/ -F uid=0 -C auid!=obj_uid</code> | + | ** To see unsuccessful openat calls |
| + | * <code>auditctl -w /etc/shadow -p wa</code> or <code>auditctl -a always,exit -F path=/etc/shadow -F perm=wa</code> | ||
| + | ** To watch a file for changes | ||
| + | * <code>auditctl -w /etc/ -p wa</code> or <code>auditctl -a always,exit -F dir=/etc/ -F perm=wa</code> | ||
| + | ** To recursively watch a directory for changes | ||
| + | * <code>auditctl -a always,exit -F dir=/home/ -F uid=0 -C auid!=obj_uid</code> | ||
| + | ** To see if an admin is accessing other user's files | ||
Revision as of 18:47, 19 July 2019
Contents
General
ls -Z- getsebool -a | grep httpd
- semanage boolean -l | sort | less
- SE Control programs: getsebool, setsebool, booleans, togglesebool, semanage
- CentOS6 SELinux troubleshooting
- "SELinux decisions, such as allowing or disallowing access, are cached. This cache is known as the Access Vector Cache (AVC). Denial messages are logged when SELinux denies access. These denials are also known as "AVC denials""
- CentOS7 SELinux troubleshooting
SELinux and webservers
- boolean httpd_unified: when disabled, the webserver document directory becomes a read-only world (httpd_sys_content_t).
- Configuring SELinux for apache web servers
semanage
- SELinux Policy Management tool
semanage fcontext -a -t httpd_sys_content_t "/var/www/lgorders/admin(/.*)?
restorecon
- restore file(s) default SELinux security contexts.
- passively check whether the file contexts are all set as specified by the active policy
restorecon -Rv .- -n is dry-run (passive-check)
- When you cp files from one location to another, they keep their original context
- If you scp (from another machine?) directly into place, they get the context corresponding to the receiving location.
- Every time you copy (cp) new/modified files into /var/www/lgorders you’ll have to run
sudo restorecon -R /var/www/lgordersto allow httpd to use them.
auditd
- If Linux audit daemon (see below) is turned on, SELinux problems should be written to file
/var/log/audit/audit.log audit2allowandaudit2whyman auditd- /etc/audit/auditd.conf
service auditd status- dumps infos to /var/log/audit/audit.log
aureport -aausearch -m avc -ts recent- denials from the last 10 minutes
auditctl
- a utility to assist controlling the kernel's audit system
examples
auditctl -a always,exit -S all -F pid=1005- To see all syscalls made by a specific program
auditctl -a always,exit -S openat -F auid=510- To see files opened by a specific user
auditctl -a always,exit -S openat -F success=0- To see unsuccessful openat calls
auditctl -w /etc/shadow -p waorauditctl -a always,exit -F path=/etc/shadow -F perm=wa- To watch a file for changes
auditctl -w /etc/ -p waorauditctl -a always,exit -F dir=/etc/ -F perm=wa- To recursively watch a directory for changes
auditctl -a always,exit -F dir=/home/ -F uid=0 -C auid!=obj_uid- To see if an admin is accessing other user's files
