Difference between revisions of "SELinux"
Jump to navigation
Jump to search
Line 1: | Line 1: | ||
==General== | ==General== | ||
* <code>ls -Z</code> | * <code>ls -Z</code> | ||
− | * | + | * getsebool -a | grep httpd |
− | * | + | * SE Control programs: getsebool, setsebool, booleans, togglesebool, semanage |
* [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/chap-security-enhanced_linux-troubleshooting CentOS6 SELinux troubleshooting] | * [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/chap-security-enhanced_linux-troubleshooting CentOS6 SELinux troubleshooting] | ||
** "SELinux decisions, such as allowing or disallowing access, are cached. This cache is known as the Access Vector Cache (AVC). Denial messages are logged when SELinux denies access. These denials are also known as "AVC denials"" | ** "SELinux decisions, such as allowing or disallowing access, are cached. This cache is known as the Access Vector Cache (AVC). Denial messages are logged when SELinux denies access. These denials are also known as "AVC denials"" | ||
* [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems CentOS7 SELinux troubleshooting] | * [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems CentOS7 SELinux troubleshooting] | ||
− | + | * [https://www.serverlab.ca/tutorials/linux/web-servers-linux/configuring-selinux-policies-for-apache-web-servers/ Configuring SELinux for apache web servers] | |
− | + | ==semanage== | |
* SELinux Policy Management tool | * SELinux Policy Management tool | ||
* <code>semanage fcontext -a -t httpd_sys_content_t "/var/www/lgorders/admin(/.*)?</code> | * <code>semanage fcontext -a -t httpd_sys_content_t "/var/www/lgorders/admin(/.*)?</code> | ||
− | + | ==restorecon== | |
* restore file(s) default SELinux security contexts. | * restore file(s) default SELinux security contexts. | ||
* passively check whether the file contexts are all set as specified by the active policy | * passively check whether the file contexts are all set as specified by the active policy | ||
Line 21: | Line 21: | ||
==Linux audit daemon== | ==Linux audit daemon== | ||
+ | * If Linux audit daemon (see below) is turned on, SELinux problems should be written to file <code>/var/log/audit/audit.log </code> | ||
+ | * <code>audit2allow</code> and <code>audit2why</code> | ||
* <code>man auditd</code> | * <code>man auditd</code> | ||
* /etc/audit/auditd.conf | * /etc/audit/auditd.conf |
Revision as of 14:58, 19 July 2019
General
ls -Z
- getsebool -a | grep httpd
- SE Control programs: getsebool, setsebool, booleans, togglesebool, semanage
- CentOS6 SELinux troubleshooting
- "SELinux decisions, such as allowing or disallowing access, are cached. This cache is known as the Access Vector Cache (AVC). Denial messages are logged when SELinux denies access. These denials are also known as "AVC denials""
- CentOS7 SELinux troubleshooting
- Configuring SELinux for apache web servers
semanage
- SELinux Policy Management tool
semanage fcontext -a -t httpd_sys_content_t "/var/www/lgorders/admin(/.*)?
restorecon
- restore file(s) default SELinux security contexts.
- passively check whether the file contexts are all set as specified by the active policy
restorecon -Rv .
- -n is dry-run (passive-check)
- When you cp files from one location to another, they keep their original context
- If you scp (from another machine?) directly into place, they get the context corresponding to the receiving location.
- Every time you copy (cp) new/modified files into /var/www/lgorders you’ll have to run
sudo restorecon -R /var/www/lgorders
to allow httpd to use them.
Linux audit daemon
- If Linux audit daemon (see below) is turned on, SELinux problems should be written to file
/var/log/audit/audit.log
audit2allow
andaudit2why
man auditd
- /etc/audit/auditd.conf
service auditd status
- dumps infos to /var/log/audit/audit.log
aureport -a
ausearch -m avc -ts recent
- denials from the last 10 minutes