SELinux

From Colettapedia
Revision as of 14:58, 19 July 2019 by Colettace (talk | contribs)
Jump to navigation Jump to search

General

semanage

  • SELinux Policy Management tool
  • semanage fcontext -a -t httpd_sys_content_t "/var/www/lgorders/admin(/.*)?

restorecon

  • restore file(s) default SELinux security contexts.
  • passively check whether the file contexts are all set as specified by the active policy
  • restorecon -Rv .
    • -n is dry-run (passive-check)
  1. When you cp files from one location to another, they keep their original context
  2. If you scp (from another machine?) directly into place, they get the context corresponding to the receiving location.
  3. Every time you copy (cp) new/modified files into /var/www/lgorders you’ll have to run sudo restorecon -R /var/www/lgorders to allow httpd to use them.

Linux audit daemon

  • If Linux audit daemon (see below) is turned on, SELinux problems should be written to file /var/log/audit/audit.log
  • audit2allow and audit2why
  • man auditd
  • /etc/audit/auditd.conf
  • service auditd status
  • dumps infos to /var/log/audit/audit.log
  • aureport -a
  • ausearch -m avc -ts recent - denials from the last 10 minutes