SELinux Operations: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
 
(26 intermediate revisions by the same user not shown)
Line 1: Line 1:
=Internal=
=Internal=


* [[selinux#Subjects|SELinux Subjects]]
* [[selinux#Subjects|SELinux]]


=Get the SELinux Security Context for a Directory=
=How to Find Out Whether SELinux is Enabled=


<pre>
<pre>
ls -lZ <dir>
getenforce
</pre>
</pre>


=Diagnosing and Fixing SELinux Problems=
If SELinux is enabled, the command will return "Enforcing".


If you have a suspicion that SELinux may be at the root of your problems, run:
More details can be obtained with:


<pre>
<pre>
sealert -a /var/log/audit/audit.log
sestatus
</pre>
</pre>


You may get an output similar to the following one, which helps diagnose the problem:
=How to Disable Enforcement=
 
Configure:
 
SELINUX=disabled
 
in the <code>/etc/selinux/config</code> file then reboot the system.
 
==Configure Permissive Mode==
 
To set SELinux in "permissive" mode at runtime, execute:
 
setenforce Permissive
 
but this setting won't survive reboot.
 
=Get the SELinux Security Context for a Directory=
 
ls -lZ <dir>
 
=SELinux Policy Boolean Operations=
 
==Listing SELinux Policy Booleans==
 
getsebool -a
 
==Changing SELinux Policy Booleans at Runtime==
 
setsebool rsync_full_access=on
 
Without specifying anything else, the change does not survive reboot. To make the change permanent across reboots, use -P, which writes all pending values to the policy file on disk.
 
setsebool -P rsync_full_access=on


<pre>
=<span id='Diagnosing_and_Fixing_SELinux_Problems'></span>Troubleshooting, Diagnosing and Fixing SELinux Problems=
[...]
SELinux is preventing /usr/sbin/httpd from write access on the file manager.node.nodes.lock.
[...]
</pre>


Then use <tt>audit2allow</tt> to parse the audit logs and generate the SELinux policy to allow a denied operation.
If you have a suspicion that SELinux may be at the root of your problems, run:
<font size=-1>
tail -f /var/log/audit/audit.log
</font>


<pre>
Useful SELinux problem messages can also be found in <code>/var/log/messages</code>:
grep httpd /var/log/audit/audit.log | audit2allow
<font size=-1>
</pre>
tail -f /var/log/messages
</font>


<pre>
#============= httpd_t ==============
allow httpd_t httpd_log_t:file write;
</pre>


Then:
<font size=-1>
sealert -a /var/log/audit/audit.log
</font>
You may get an output similar to the following one, which helps diagnose the problem:
<font size=-1>
[...]
SELinux is preventing /usr/sbin/httpd from write access on the file manager.node.nodes.lock.
[...]
</font>
Then use <code>audit2allow</code> to parse the audit logs and generate the SELinux policy to allow a denied operation.
<font size=-1>
grep httpd /var/log/audit/audit.log | audit2allow
#============= httpd_t ==============
allow httpd_t httpd_log_t:file write;
</font>
After you see it, you can write the policy in a file:
After you see it, you can write the policy in a file:


<pre>
<font size=-1>
grep httpd /var/log/audit/audit.log | audit2allow -M mysepolicy
grep httpd /var/log/audit/audit.log | audit2allow -M mysepolicy
</pre>
</font>


This will generate two files: a binary .pp file and a text .te file.
This will generate two files: a binary .pp file and a text .te file. The binary file thus generated can be installed as follows:


Apply the policy with:
<font size=-1>
 
semodule -i mysepolicy.pp
<pre>
</font>
semodule -i mysepolicy.pp
</pre>


The policy such applies survives a reboot.
The policy so applied survives a reboot.


=Compile and Apply a Policy=
==Modify and Compile a Policy==


Start from the text policy file. In our case <tt>mypolicy.te</tt>:
The text (.te) file can be manually modified, compiled and installed, as follows. Assuming the text file is similar to:


<pre>
<pre>


module mypolicy 1.0;
module mysepolicy 1.0;


require {
require {
         type httpd_log_t;
         type httpd_log_t;
         type httpd_t;
         type httpd_t;
         class file write;
        type unreserved_port_t;
        class tcp_socket name_bind;
        class dir remove_name;
         class file { write unlink };
        class udp_socket name_bind;
}
}


#============= httpd_t ==============
#============= httpd_t ==============
allow httpd_t httpd_log_t:dir remove_name;
allow httpd_t httpd_log_t:file unlink;
allow httpd_t httpd_log_t:file write;
allow httpd_t httpd_log_t:file write;
allow httpd_t unreserved_port_t:udp_socket name_bind;
allow httpd_t unreserved_port_t:tcp_socket name_bind;
</pre>
</pre>


Compile the policy:
The policy can be compiled:
 
checkmodule -M -m -o mysepolicy.mod mysepolicy.te
 
Create the module package:
 
semodule_package -o  mysepolicy.pp -m mysepolicy.mod


<pre>
Install the policy:
checkmodule -M -m -o mypolicy.mod mypolicy.te
 
</pre>
semodule -i mysepolicy.pp
 
Verify that the policy was installed:
 
semodule -l | grep mysepolicy
 
==Inspect and Adjust SELinux Policy Boolean Values==
 
See: {{Internal|SELinux_Concepts#SELinux_Policy_Booleans|SELinux Policy Booleans}}

Latest revision as of 00:23, 1 January 2024

Internal

How to Find Out Whether SELinux is Enabled

getenforce

If SELinux is enabled, the command will return "Enforcing".

More details can be obtained with:

sestatus

How to Disable Enforcement

Configure:

SELINUX=disabled

in the /etc/selinux/config file then reboot the system.

Configure Permissive Mode

To set SELinux in "permissive" mode at runtime, execute:

setenforce Permissive

but this setting won't survive reboot.

Get the SELinux Security Context for a Directory

ls -lZ <dir>

SELinux Policy Boolean Operations

Listing SELinux Policy Booleans

getsebool -a

Changing SELinux Policy Booleans at Runtime

setsebool rsync_full_access=on

Without specifying anything else, the change does not survive reboot. To make the change permanent across reboots, use -P, which writes all pending values to the policy file on disk.

setsebool -P rsync_full_access=on

Troubleshooting, Diagnosing and Fixing SELinux Problems

If you have a suspicion that SELinux may be at the root of your problems, run:

tail -f /var/log/audit/audit.log

Useful SELinux problem messages can also be found in /var/log/messages:

tail -f /var/log/messages


Then:

sealert -a /var/log/audit/audit.log

You may get an output similar to the following one, which helps diagnose the problem:

[...]
SELinux is preventing /usr/sbin/httpd from write access on the file manager.node.nodes.lock.
[...]

Then use audit2allow to parse the audit logs and generate the SELinux policy to allow a denied operation.

grep httpd /var/log/audit/audit.log | audit2allow

#============= httpd_t ==============
allow httpd_t httpd_log_t:file write;

After you see it, you can write the policy in a file:

grep httpd /var/log/audit/audit.log | audit2allow -M mysepolicy

This will generate two files: a binary .pp file and a text .te file. The binary file thus generated can be installed as follows:

semodule -i mysepolicy.pp

The policy so applied survives a reboot.

Modify and Compile a Policy

The text (.te) file can be manually modified, compiled and installed, as follows. Assuming the text file is similar to:


module mysepolicy 1.0;

require {
        type httpd_log_t;
        type httpd_t;
        type unreserved_port_t;
        class tcp_socket name_bind;
        class dir remove_name;
        class file { write unlink };
        class udp_socket name_bind;
}

#============= httpd_t ==============
allow httpd_t httpd_log_t:dir remove_name;
allow httpd_t httpd_log_t:file unlink;
allow httpd_t httpd_log_t:file write;
allow httpd_t unreserved_port_t:udp_socket name_bind;
allow httpd_t unreserved_port_t:tcp_socket name_bind;

The policy can be compiled:

checkmodule -M -m -o mysepolicy.mod mysepolicy.te

Create the module package:

semodule_package -o  mysepolicy.pp -m mysepolicy.mod 

Install the policy:

semodule -i mysepolicy.pp

Verify that the policy was installed:

semodule -l | grep mysepolicy

Inspect and Adjust SELinux Policy Boolean Values

See:

SELinux Policy Booleans