SELinux

From Colettapedia
Revision as of 19:08, 19 July 2019

General

  • ls -Z
  • sestatus - to get status, e.g., whether SELinux is enforcing or not
    • also setenforce and getenforce
  • getsebool -a | grep httpd
  • semanage boolean -l | sort | less
  • SE Control programs: getsebool, setsebool, booleans, togglesebool, semanage
  • CentOS6 SELinux troubleshooting: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/chap-security-enhanced_linux-troubleshooting
    • "SELinux decisions, such as allowing or disallowing access, are cached. This cache is known as the Access Vector Cache (AVC). Denial messages are logged when SELinux denies access. These denials are also known as "AVC denials""
  • CentOS7 SELinux troubleshooting: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems

SELinux and webservers

  • boolean httpd_unified: when disabled, the webserver document directory becomes a read-only world (httpd_sys_content_t).
  • Configuring SELinux for apache web servers: https://www.serverlab.ca/tutorials/linux/web-servers-linux/configuring-selinux-policies-for-apache-web-servers/

semanage

  • SELinux Policy Management tool
  • semanage fcontext -a -t httpd_sys_content_t "/var/www/lgorders/admin(/.*)?" - adds a file-context rule for that path; run restorecon afterwards to apply it to existing files

restorecon

  • restore file(s) default SELinux security contexts.
  • passively check whether the file contexts are all set as specified by the active policy
  • restorecon -Rv .
    • -n is dry-run (passive-check)
  1. When you cp files from one location to another, they keep their original context
  2. If you scp (from another machine?) directly into place, they get the context corresponding to the receiving location.
  3. Every time you copy (cp) new/modified files into /var/www/lgorders you’ll have to run sudo restorecon -R /var/www/lgorders to allow httpd to use them.

auditd

  • If the Linux audit daemon is turned on, SELinux problems (AVC denials) are written to /var/log/audit/audit.log
  • audit2allow and audit2why
  • man auditd
  • /etc/audit/auditd.conf
  • service auditd status
  • dumps its records to /var/log/audit/audit.log
  • aureport -a
  • ausearch -m avc -ts recent - denials from the last 10 minutes
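The denial records that ausearch -m avc pulls out of audit.log are easier to act on once they are grouped by process, permission, source type and target type. The script below is an added example, not part of this wiki page: it summarizes AVC records with plain sh and awk (so it runs without SELinux or root) and attaches a first-thing-to-check hint. The log records are constructed samples in auditd's format, built to mirror the restorecon note above (files copied into /var/www/lgorders that kept a user_home_t label httpd_t cannot read) plus a blocked database connection; the hint table is an illustrative assumption, not an exhaustive rule.

```shell
#!/bin/sh
# Added example (not from the wiki page): triage AVC denials from audit.log records.
# Only POSIX sh and awk are used, so it runs without SELinux or root. The records
# below are constructed samples in auditd's format, not captures from a real system.

SAMPLE_AUDIT_LOG='type=AVC msg=audit(1563562000.123:101): avc:  denied  { read } for  pid=2831 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1563562000.123:101): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1563562001.456:102): avc:  denied  { read } for  pid=2831 comm="httpd" name="style.css" dev="dm-0" ino=1235 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1563562050.789:103): avc:  denied  { name_connect } for  pid=2831 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'

# summarize_avc: read audit records on stdin and print one line per distinct
# (comm, permission, source type, target type, class), prefixed with a count,
# highest count first. Non-AVC records (SYSCALL, PATH, ...) are ignored.
summarize_avc() {
  awk '
    /^type=AVC / && / denied / {
      comm = ""; perm = ""; s = ""; t = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
        if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); s = a[3] }   # type field of user:role:type:level
        if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); t = b[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      # the permission set sits between "{ " and " }"
      if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      count[comm " " perm " " s " " t " " cls]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
  ' | sort -rn
}

# hint_for TARGET_TYPE TCLASS: illustrative mapping from a denial's target to the
# first thing to check. The two cases are assumptions for this example, not policy.
hint_for() {
  case "$1 $2" in
    "user_home_t file")
      echo "file labelled user_home_t: relabel with semanage fcontext + restorecon -R" ;;
    "mysqld_port_t tcp_socket")
      echo "check: getsebool httpd_can_network_connect_db" ;;
    *)
      echo "no canned hint; run audit2why on the record" ;;
  esac
}

# Stand-alone run: summarize the sample and print a hint for each pattern.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_avc | while read -r n comm perm s t cls; do
  printf '%s x %s %s %s -> %s (%s): %s\n' "$n" "$comm" "$perm" "$s" "$t" "$cls" "$(hint_for "$t" "$cls")"
done
```

On a real host, feed it the daemon's output instead of the sample, e.g. ausearch -m avc -ts recent | summarize_avc; audit2why remains the authoritative explanation for any pattern the hint table does not cover.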

auditctl

  • a utility to assist controlling the kernel's audit system
  • -a always,exit = append action always to syscall exit list
  • -S open = any open call made by a program
  • -F success!=0 = create a rule field evaluating on the exit value

examples

  • auditctl -a always,exit -S all -F pid=1005
    • To see all syscalls made by a specific program
  • auditctl -a always,exit -S openat -F auid=510
    • To see files opened by a specific user
  • auditctl -a always,exit -S openat -F success=0
    • To see unsuccessful openat calls
  • auditctl -w /etc/shadow -p wa or auditctl -a always,exit -F path=/etc/shadow -F perm=wa
    • To watch a file for changes
  • auditctl -w /etc/ -p wa or auditctl -a always,exit -F dir=/etc/ -F perm=wa
    • To recursively watch a directory for changes
  • auditctl -a always,exit -F dir=/home/ -F uid=0 -C auid!=obj_uid
    • To see if an admin is accessing other users' files
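Rules added with auditctl on the command line are gone after a reboot. The script below is an added example, not part of this wiki page: it writes the watch and syscall rules from the list above into a rules file in the format augenrules merges from /etc/audit/rules.d/ into /etc/audit/audit.rules, and loads it. The file name 50-selinux-notes.rules, the -k keys (which tag matching records so ausearch -k KEY can find them) and the -F arch=b64 qualifier on the syscall rules are additions not found on the page; the rules directory is a parameter so the function can be exercised in a scratch directory without root.

```shell
#!/bin/sh
# Added example (not from the wiki page): persist the auditctl examples as a rules
# file. Assumed names: 50-selinux-notes.rules and the -k keys below.

# write_audit_rules RULES_DIR: write the rules file into RULES_DIR and print its path.
# Rewriting the same file each time keeps the operation idempotent.
write_audit_rules() {
  rules_dir="$1"
  rules_file="$rules_dir/50-selinux-notes.rules"
  mkdir -p "$rules_dir"
  cat > "$rules_file" <<'EOF'
## Watch /etc/shadow for writes and attribute changes (find with: ausearch -k shadow_changes)
-w /etc/shadow -p wa -k shadow_changes
## Recursively watch /etc for writes and attribute changes
-w /etc/ -p wa -k etc_changes
## Unsuccessful openat() calls (permission denied, missing files, ...)
-a always,exit -F arch=b64 -S openat -F success=0 -k failed_open
## root (uid 0) touching files under /home that belong to a different login user
-a always,exit -F arch=b64 -F dir=/home/ -F uid=0 -C auid!=obj_uid -k admin_in_home
EOF
  printf '%s\n' "$rules_file"
}

# count_rules FILE: number of non-comment, non-empty rule lines (quick sanity check).
count_rules() {
  grep -v '^#' "$1" | grep -c .
}

# load_audit_rules: merge /etc/audit/rules.d/*.rules and load them into the kernel,
# then list what is active. Needs root and auditd; returns 1 if augenrules is absent.
load_audit_rules() {
  if command -v augenrules >/dev/null 2>&1; then
    augenrules --load && auditctl -l
  else
    echo "augenrules not found: rules file written but not loaded" >&2
    return 1
  fi
}

# Stand-alone demo: write into a scratch directory (use /etc/audit/rules.d for real).
demo_dir=$(mktemp -d)
demo_file=$(write_audit_rules "$demo_dir")
echo "wrote $(count_rules "$demo_file") rules to $demo_file"
rm -rf "$demo_dir"
```

For production use call write_audit_rules /etc/audit/rules.d followed by load_audit_rules; afterwards ausearch -k etc_changes (or any of the other keys) pulls out just the records that rule produced.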