Difference between revisions of "SELinux"
Revision as of 01:17, 7 October 2019
General
- man selinux
  - man -k selinux | less to see the list of SELinux topics, of which there are MANY.
- See contexts
  - file contexts: ls -Z
  - process contexts: ps aux -Z
- Configuration file - /etc/selinux/config
- Policy file - /sys/fs/selinux/policy
  - Use seinfo to get statistics for the policy file
- sestatus - to get status, e.g., whether in enforcing mode or not
  - also setenforce and getenforce
- semanage boolean -l | sort | less
  - Pre CentOS 6: getsebool -a | grep httpd
- SE control programs: getsebool, setsebool, booleans, togglesebool, semanage
- CentOS6 SELinux troubleshooting
  - "SELinux decisions, such as allowing or disallowing access, are cached. This cache is known as the Access Vector Cache (AVC). Denial messages are logged when SELinux denies access. These denials are also known as "AVC denials""
- CentOS7 SELinux troubleshooting: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems
SELinux and webservers
- boolean httpd_unified: when disabled, the web server's document directory is read-only to httpd (files labelled httpd_sys_content_t).
- Configuring SELinux for apache web servers: https://www.serverlab.ca/tutorials/linux/web-servers-linux/configuring-selinux-policies-for-apache-web-servers/
sesearch
- SELinux policy query tool
- install with: yum install setools-console
semanage
- SELinux Policy Management tool
- subcommands
  - import
  - export
  - login
  - user
  - port - manage network port type definitions
  - interface
  - module
  - node
  - fcontext - manage file context mapping definitions
  - boolean - manage booleans to selectively enable functionality
  - permissive - manage process type enforcement
  - dontaudit - disable/enable dontaudit rules in policy
  - ibpkey
  - ibendport
fcontext
- man 8 semanage-fcontext
- semanage fcontext only records the mapping in the policy; you have to run restorecon afterwards to apply it to files that already exist:
  semanage fcontext -a -t httpd_sys_content_t "/var/www/lgorders/admin(/.*)?"
  restorecon -R -v /var/www/lgorders/admin
port
- semanage port -l: list all the ports and contexts known to SELinux
  - e.g. semanage port -l | grep http
restorecon
- restore file(s) default SELinux security contexts.
- relabel the current directory tree: restorecon -Rv .
  - -n is dry-run (passive check): restorecon -nRv . only reports which file contexts differ from what the active policy specifies, without changing them
- When you cp files from one location to another, they keep their original context
- If you scp (from another machine?) directly into place, they get the context corresponding to the receiving location.
- Every time you copy (cp) new/modified files into /var/www/lgorders you'll have to run sudo restorecon -R /var/www/lgorders to allow httpd to use them.
auditd
- If the Linux audit daemon (see below) is turned on, SELinux problems should be written to /var/log/audit/audit.log
- audit2allow and audit2why
  - cat /var/log/audit/audit.log | audit2allow
- man auditd
  - /etc/audit/auditd.conf
- service auditd status
  - the daemon dumps its records to /var/log/audit/audit.log
- aureport -a
- ausearch -m avc -ts recent
  - denials from the last 10 minutes
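As an added example (not part of the wiki page), a small Python parser for the type=AVC records that ausearch -m avc pulls out of /var/log/audit/audit.log, grouping denials the way audit2allow/audit2why reason about them. The log lines are constructed, and likely_mislabel is a hypothetical rule of thumb tying a denial back to the fcontext/restorecon fix above, not something audit2why itself does.

```python
import re
from collections import Counter

# Constructed sample records in the format auditd writes to /var/log/audit/audit.log
SAMPLE_LOG = """\
type=AVC msg=audit(1570410000.123:4321): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.php" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1570410000.123:4321): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1570410005.456:4322): avc:  denied  { write } for  pid=2345 comm="httpd" name="cache" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1570410009.789:4323): avc:  denied  { read } for  pid=2346 comm="httpd" name="app.js" dev="dm-0" ino=1235 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+(?P<action>denied|granted)\s+"
    r"\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one type=AVC record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"serial": int(m.group("serial")), "action": m.group("action"),
           "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:range]; policy rules are keyed on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # permissive=1 means the access was logged but not blocked.
    rec["enforced"] = rec.get("permissive", "0") == "0"
    return rec

def summarize_denials(log_text):
    """Count denials by (source type, target type, class, permission, enforced),
    the grouping audit2allow/audit2why reason about."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["action"] == "denied":
            for perm in rec["perms"]:
                counts[(rec["stype"], rec["ttype"], rec["tclass"], perm, rec["enforced"])] += 1
    return counts

def likely_mislabel(rec):
    """Hypothetical rule of thumb: httpd_t denied on a non-httpd_* target type usually
    means a wrong file label, i.e. fix with semanage fcontext + restorecon, not audit2allow."""
    return rec["stype"] == "httpd_t" and not rec["ttype"].startswith("httpd_")
```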
auditctl
- a utility to assist controlling the kernel's audit system
- -a always,exit = append action always to the syscall exit list
- -S open = any open call made by a program
- -F success!=0 = create a rule field evaluating on the exit value
- examples
  - auditctl -a always,exit -S all -F pid=1005: to see all syscalls made by a specific program
  - auditctl -a always,exit -S openat -F auid=510: to see files opened by a specific user
  - auditctl -a always,exit -S openat -F success=0: to see unsuccessful openat calls
  - auditctl -w /etc/shadow -p wa (or auditctl -a always,exit -F path=/etc/shadow -F perm=wa): to watch a file for changes
  - auditctl -w /etc/ -p wa (or auditctl -a always,exit -F dir=/etc/ -F perm=wa): to recursively watch a directory for changes
  - auditctl -a always,exit -F dir=/home/ -F uid=0 -C auid!=obj_uid: to see if an admin is accessing other users' files