SELinux

From Colettapedia

General

  • man selinux
    • man -k selinux | less to see the list of SELinux topics, of which there are MANY.
  • See contexts
    • file contexts: ls -Z
    • process contexts: ps aux -Z
  • Configuration file - /etc/selinux/config
  • Policy file - /sys/fs/selinux/policy
    • Use seinfo to get statistics for policy file
  • sestatus - to get status, e.g., whether in enforcing or not
    • also setenforce and getenforce
  • semanage boolean -l | sort | less
    • Pre-CentOS 6: getsebool -a | grep httpd
  • SE Control programs: getsebool, setsebool, booleans, togglesebool, semanage

References

SELinux and webservers

sesearch

  • yum install setools-console
  • SELinux policy query tool

semanage

  • SELinux Policy Management tool
  • subcommands
    • import
    • export
    • login
    • user
    • port - manage network port type definitions
    • interface
    • module
    • node
    • fcontext - Manage file context mapping definitions
    • boolean - Manage booleans to selectively enable functionality
    • permissive - manage process type enforcement
    • dontaudit - disable/enable dontaudit rules in policy
    • ibpkey
    • ibendport

fcontext

  • man 8 semanage-fcontext
  • You have to run restorecon after you set the file context: semanage fcontext only records the mapping, restorecon applies it to the files already on disk
    • semanage fcontext -a -t httpd_sys_content_t "/var/www/lgorders/admin(/.*)?"
    • restorecon -R -v /var/www/lgorders/admin

port

  • semanage port -l - List all the ports and contexts known to SELinux
    • e.g. semanage port -l | grep http

restorecon

  • restores the default SELinux security context of a file or a tree of files
  • can also passively check whether the file contexts are all set as specified by the active policy
  • restorecon -Rv .
    • -n is dry-run (passive-check)
  1. When you cp files from one location to another, they keep their original context
  2. If you scp (from another machine?) directly into place, they get the context corresponding to the receiving location.
  3. Every time you copy (cp) new/modified files into /var/www/lgorders you’ll have to run sudo restorecon -R /var/www/lgorders to allow httpd to use them.

auditd

  • If the Linux audit daemon (see below) is turned on, SELinux denials (AVC messages) are written to the file /var/log/audit/audit.log
  • audit2allow and audit2why
    • cat /var/log/audit/audit.log | audit2allow
  • man auditd
  • /etc/audit/auditd.conf
  • service auditd status
  • dumps its records to /var/log/audit/audit.log
  • aureport -a
  • ausearch -m avc -ts recent - AVC denials from the last 10 minutes

auditctl

  • a utility to assist controlling the kernel's audit system
  • -a always,exit - append the rule to the syscall exit list, with action always (log every matching call)
  • -S open - match any open syscall made by a program
  • -F success!=0 - add a rule field that filters on the syscall's success flag (derived from the exit value)

examples

  • auditctl -a always,exit -S all -F pid=1005
    • To see all syscalls made by a specific program
  • auditctl -a always,exit -S openat -F auid=510
    • To see files opened by a specific user
  • auditctl -a always,exit -S openat -F success=0
    • To see unsuccessful openat calls
  • auditctl -w /etc/shadow -p wa or auditctl -a always,exit -F path=/etc/shadow -F perm=wa
    • To watch a file for changes
  • auditctl -w /etc/ -p wa or auditctl -a always,exit -F dir=/etc/ -F perm=wa
    • To recursively watch a directory for changes
  • auditctl -a always,exit -F dir=/home/ -F uid=0 -C auid!=obj_uid
    • To see if an admin (running as uid 0) is accessing other users' files: the -C comparison flags events where the login uid differs from the owner of the object touched
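The auditd section above points at /var/log/audit/audit.log and audit2allow/ausearch, and the auditctl examples describe watch rules whose hits land in the same file. The block below is an added example, not code from this page or from the audit tooling: it parses constructed audit.log lines (the timestamps, pids, inodes and contexts are invented), groups SYSCALL and PATH records of one event by their audit serial, applies a ten-minute window like ausearch -ts recent, collapses AVC denials into audit2allow-style allow rules, lists hits on keyed watch rules, and mirrors the last auditctl example by flagging uid 0 touching files under /home/ that belong to a different user than the login uid. The record layout follows the real audit.log format; the key names shadow-watch and home-watch are assumed to have been set with auditctl's -k option when the watches were added.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines for this example; nothing here was
# captured from a real host. Records with the same serial belong to one event.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.123:401): avc:  denied  { read open } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=5551 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:401): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d1c2a0 a2=80000 a3=0 items=0 ppid=1200 pid=1234 auid=4294967295 uid=48 gid=48 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700000060.456:402): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/lgorders/admin/app.py" dev="dm-0" ino=5552 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000300.500:403): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55d1c3b0 a2=241 a3=1b6 items=1 ppid=3000 pid=3001 auid=1000 uid=0 gid=0 comm="vim" exe="/usr/bin/vim" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="shadow-watch"
type=PATH msg=audit(1700000300.500:403): item=0 name="/etc/shadow" inode=7771 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(1700000400.700:404): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1c4c0 a2=0 a3=0 items=1 ppid=3000 pid=3005 auid=1000 uid=0 gid=0 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="home-watch"
type=PATH msg=audit(1700000400.700:404): item=0 name="/home/alice/notes.txt" inode=8881 dev=fd:00 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=NORMAL
"""

EVENT_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value optionally quoted
PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')    # the "{ read open }" permission set


def parse_line(line):
    """Turn one audit.log line into a dict of its fields, or None if it is not an audit record."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    body = m["body"]
    if rec["type"] == "AVC":
        # The verdict and the permission set sit outside the key=value syntax.
        rec["verdict"] = "denied" if " denied " in body else "granted"
        perms = PERMS_RE.search(body)
        rec["perms"] = perms.group(1).split() if perms else []
    for key, value in FIELD_RE.findall(body):
        rec[key] = value.strip('"')
    return rec


def group_events(log_text):
    """Group records by serial so the SYSCALL and PATH lines of one event stay together."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)


def recent(events, now, window_seconds=600):
    """Keep only events from the last window, the same idea as `ausearch -ts recent`."""
    return {s: recs for s, recs in events.items() if now - recs[0]["ts"] <= window_seconds}


def denial_rules(events):
    """Collapse AVC denials into audit2allow-style rules keyed on source type, target type and class."""
    wanted = defaultdict(set)
    for recs in events.values():
        for r in recs:
            if r["type"] == "AVC" and r.get("verdict") == "denied":
                stype = r["scontext"].split(":")[2]   # user:role:TYPE:level
                ttype = r["tcontext"].split(":")[2]
                wanted[(stype, ttype, r["tclass"])].update(r["perms"])
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in wanted.items())


def watched_file_changes(events):
    """Report events that hit a keyed watch rule: who did it, with which program, on which paths."""
    hits = []
    for serial, recs in sorted(events.items()):
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if not syscall or syscall.get("key", "(null)") == "(null)":
            continue
        hits.append({
            "serial": serial, "key": syscall["key"], "auid": syscall.get("auid"),
            "uid": syscall.get("uid"), "comm": syscall.get("comm"), "exe": syscall.get("exe"),
            "success": syscall.get("success"),
            "paths": [r["name"] for r in recs if r["type"] == "PATH"],
        })
    return hits


def cross_user_access(events, watched_dir="/home/"):
    """Mirror `-F dir=/home/ -F uid=0 -C auid!=obj_uid`: uid 0 touching files under
    watched_dir whose owner (PATH ouid) is not the login user (SYSCALL auid)."""
    flagged = []
    for serial, recs in sorted(events.items()):
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if not syscall or syscall.get("uid") != "0":
            continue
        for p in recs:
            if (p["type"] == "PATH" and p["name"].startswith(watched_dir)
                    and p.get("ouid") != syscall.get("auid")):
                flagged.append(serial)
                break
    return flagged


if __name__ == "__main__":
    events = group_events(SAMPLE_LOG)
    for rule in denial_rules(events):
        print(rule)
    for hit in watched_file_changes(events):
        print(hit)
    print("root reading other users' files:", cross_user_access(events))
```

On a real system the same functions can be fed the output of `ausearch -m avc -ts recent` or the raw audit.log; the rule strings that denial_rules produces are a triage view of what audit2allow would generate, and are meant to be read (is this a mislabelled file that restorecon should fix, or a boolean to toggle?) rather than loaded as a policy module unchecked.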