SELinux Operations: Difference between revisions
=Internal=
* [[selinux#Subjects|SELinux Subjects]]

=Get the SELinux Security Context for a Directory=
<pre>
ls -lZ <dir>
</pre>
This lists the entries of the directory together with their security contexts; use <tt>ls -dZ <dir></tt> to show the context of the directory itself.

=Diagnosing and Fixing SELinux Problems=
If you suspect that SELinux may be at the root of your problems, run:
<pre>
sealert -a /var/log/audit/audit.log
</pre>
You may get output similar to the following, which helps diagnose the problem:
<pre>
[...]
SELinux is preventing /usr/sbin/httpd from write access on the file manager.node.nodes.lock.
[...]
</pre>
Then use <tt>audit2allow</tt> to parse the audit log and generate the SELinux policy rules that would allow the denied operation:
<pre>
grep httpd /var/log/audit/audit.log | audit2allow
</pre>
<pre>
#============= httpd_t ==============
allow httpd_t httpd_log_t:file write;
</pre>
Once you have reviewed the proposed rules, build a policy module from them:
<pre>
grep httpd /var/log/audit/audit.log | audit2allow -M mysepolicy
</pre>
This generates two files: a binary <tt>mysepolicy.pp</tt> and its text source <tt>mysepolicy.te</tt>. Check the <tt>.te</tt> file before installing it: <tt>audit2allow</tt> permits exactly what was denied, so if the denial was caused by a mislabeled file, the right fix is to restore the file's label (<tt>restorecon</tt>) rather than to widen the policy.
Apply the policy with:
<pre>
semodule -i mysepolicy.pp
</pre>
A policy module installed this way survives a reboot.
Revision as of 23:08, 8 January 2016
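As an added illustration (not part of the original wiki page, and not the <tt>audit2allow</tt> tool itself), the following Python script shows how the <tt>allow</tt> rules above are derived from the audit log: it parses constructed AVC denial records, collects the denied permissions per (source type, target type, class), and prints them in the layout <tt>audit2allow</tt> uses. The sample log lines are constructed; the <tt>comm</tt> filter plays the role of the <tt>grep httpd</tt> pre-filter.

```python
import re
from collections import defaultdict
# Constructed sample audit.log lines (not from the original page): two AVC
# denials for httpd plus one unrelated record that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1452294000.123:456): avc:  denied  { write } for  pid=1234 comm="httpd" name="manager.node.nodes.lock" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0
type=USER_AUTH msg=audit(1452294001.000:457): pid=1300 uid=0 auid=1000 ses=3 msg='op=PAM:authentication acct="root" exe="/usr/bin/su" res=success'
type=AVC msg=audit(1452294002.456:458): avc:  denied  { append } for  pid=1234 comm="httpd" name="manager.node.nodes.lock" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0
"""

# Matches the fields of an AVC denial that a Type Enforcement rule needs.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    # user:role:type:level -> the type component is what allow rules refer to
    return context.split(":")[2]

def parse_denials(log_text, comm=None):
    """Collect denied permissions keyed by (source type, target type, class).
    `comm` restricts to one program, like the page's `grep httpd` pre-filter."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        if "type=AVC" not in line:          # skip non-AVC audit records
            continue
        if comm is not None and f'comm="{comm}"' not in line:
            continue
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
            denials[key].update(m["perms"].split())
    return denials

def render_allow_rules(denials):
    """Emit allow rules in the layout audit2allow prints, grouped by source type."""
    lines = []
    for stype in sorted({k[0] for k in denials}):
        lines.append(f"#============= {stype} ==============")
        for (s, ttype, tclass), perms in sorted(denials.items()):
            if s == stype:
                p = sorted(perms)
                perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
                lines.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_allow_rules(parse_denials(SAMPLE_AUDIT_LOG, comm="httpd")))
```

Two denials on the same target type and class collapse into one rule with a permission set, which is exactly the rule you should read in the <tt>.te</tt> file before running <tt>semodule -i</tt>.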