SELinux Operations
Latest revision as of 00:23, 1 January 2024
Internal
* SELinux
How to Find Out Whether SELinux is Enabled
getenforce
If SELinux is enabled, the command prints the current mode: "Enforcing" (the policy is enforced and denials are logged) or "Permissive" (denials are logged but not blocked). "Disabled" means no policy is loaded at all.
More details, including the mode configured on disk versus the one in effect, the loaded policy name and whether MLS/MCS is active, can be obtained with:
sestatus
How to Disable Enforcement
To stop SELinux from enforcing its policy across reboots, set SELINUX= in the /etc/selinux/config file and reboot the system:
SELINUX=permissive
keeps the policy loaded and logs every denial without blocking anything, while
SELINUX=disabled
does not load the policy at all. Prefer permissive: it preserves the AVC audit trail and keeps new files labeled. A system that ran with SELinux disabled creates unlabeled files, so returning to enforcing requires a full relabel (touch /.autorelabel, then reboot). On recent distributions (RHEL 9 and current Fedora) SELINUX=disabled in the config file is deprecated; disable SELinux on the kernel command line instead with selinux=0 (for example grubby --update-kernel ALL --args selinux=0).
Configure Permissive Mode
To switch SELinux to "permissive" mode at runtime, execute (as root):
setenforce Permissive
(setenforce 0 does the same; setenforce Enforcing or setenforce 1 switches back). In permissive mode every denial is still written to the audit log but nothing is blocked, which makes it the quickest way to confirm whether SELinux is the cause of a failure. The setting does not survive a reboot: the boot-time mode comes from /etc/selinux/config. setenforce only toggles between enforcing and permissive; if SELinux was disabled at boot it cannot be enabled at runtime. To avoid opening up the whole system, prefer making just the affected domain permissive, e.g. semanage permissive -a httpd_t (and semanage permissive -d httpd_t afterwards).
Get the SELinux Security Context for a Directory
ls -dZ <dir>
shows the context of the directory itself; ls -lZ <dir> shows the contexts of its entries. A context reads user:role:type:level (for example system_u:object_r:httpd_log_t:s0), and the type is the part that policy rules refer to. To see what the label should be according to the file-context database and to repair it, run restorecon -nv <dir> (dry run) and then restorecon -Rv <dir>.
SELinux Policy Boolean Operations
Listing SELinux Policy Booleans
getsebool -a
prints every boolean of the loaded policy with its current value, one "name --> on|off" per line; getsebool <name> shows a single one, and semanage boolean -l adds the persisted default and a one-line description of what each boolean permits.
Changing SELinux Policy Booleans at Runtime
setsebool rsync_full_access=on
Without -P the change is made only in the running kernel and does not survive a reboot. To make it permanent, use -P, which also writes the value to the policy store on disk (and is therefore noticeably slower):
setsebool -P rsync_full_access=on
Several booleans can be set in one call (setsebool -P a=on b=off). Booleans are the preferred way to relax policy, because they are maintained with the distribution's policy and can be reverted by name; but read the description first: rsync_full_access=on, for instance, lets rsync read and write files of any type, which is a far broader grant than labeling the one directory rsync needs.
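The same check-before-set logic, as an added shell example that is not from the original page: it compares the booleans the running policy reports against a baseline and only issues setsebool -P for values that actually differ, so the slow store write happens once per drifted value and not on every run. The getsebool output and the baseline are constructed sample data, and the baseline's choices (no rsync_full_access, no httpd_enable_homedirs) are this example's own.

```shell
#!/bin/sh
# Added example: audit the running boolean state against a baseline and
# only call setsebool -P when a value actually differs. The sample
# getsebool output and the baseline below are constructed for the example.

# Constructed sample of `getsebool -a` output.
SAMPLE_GETSEBOOL='httpd_can_network_connect --> off
httpd_enable_homedirs --> on
rsync_full_access --> on
ssh_sysadm_login --> off'

# Constructed baseline: "<boolean> <expected value>" per line. Hypothetical
# policy for a web host: no broad grants, no home-directory publishing.
SAMPLE_BASELINE='httpd_can_network_connect off
httpd_enable_homedirs off
rsync_full_access off
ssh_sysadm_login off'

# bool_drift BASELINE_FILE  (current `getsebool -a` output on stdin)
# Prints "name current expected" for every boolean whose running value
# differs from the baseline, and "name absent expected" for baseline
# entries the loaded policy does not have. No output means no drift.
# The baseline file must be non-empty (NR==FNR idiom).
bool_drift() {
  awk '
    NR == FNR { want[$1] = $2; next }          # first file: the baseline
    $2 == "-->" {                              # getsebool lines: name --> value
      seen[$1] = 1
      if (($1 in want) && want[$1] != $3) print $1, $3, want[$1]
    }
    END { for (b in want) if (!(b in seen)) print b, "absent", want[b] }
  ' "$1" - | LC_ALL=C sort
}

# ensure_bool NAME VALUE: idempotent persistent set. Reads the live value
# with getsebool and runs setsebool -P (the slow, store-writing call) only
# when it differs. Needs root and a loaded policy; not exercised offline.
ensure_bool() {
  current=$(getsebool "$1" 2>/dev/null | awk '{ print $3 }')
  [ -n "$current" ] || { echo "ensure_bool: no such boolean: $1" >&2; return 1; }
  if [ "$current" = "$2" ]; then
    echo "$1 already $2"
  else
    echo "$1: $current -> $2 (persistent)"
    setsebool -P "$1=$2"
  fi
}

# fix_drift BASELINE_FILE: apply every drifted value from the baseline.
fix_drift() {
  getsebool -a | bool_drift "$1" | while read -r name current expected; do
    [ "$current" = "absent" ] && continue    # nothing to set for a missing boolean
    ensure_bool "$name" "$expected"
  done
}

# Demo on the constructed data (no SELinux tools needed):
baseline=$(mktemp)
printf '%s\n' "$SAMPLE_BASELINE" > "$baseline"
echo "drift (name current expected):"
printf '%s\n' "$SAMPLE_GETSEBOOL" | bool_drift "$baseline"
rm -f "$baseline"
```

On a real host, replace the constructed input with `getsebool -a | bool_drift /etc/selinux-baseline.conf` (path is an assumption) and run fix_drift as root; the drift report alone is useful as a periodic hardening check, since a boolean such as rsync_full_access flipping to on is exactly the kind of silent change that survives reboots.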
Troubleshooting, Diagnosing and Fixing SELinux Problems
If you suspect that SELinux may be at the root of your problem, watch the audit log for AVC denial records while reproducing it:
tail -f /var/log/audit/audit.log
A denial is a line of the form type=AVC ... avc:  denied  { <permission> } for pid=... comm="..." scontext=<source context> tcontext=<target context> tclass=<object class>. The source type (third field of scontext) is the process domain, the target type is the object's label, and those two plus the class and permission determine the fix. ausearch -m AVC -ts recent extracts the same records without the rest of the audit noise. If auditd is not running, the kernel writes the denials to the system log instead, so useful SELinux problem messages can also be found in /var/log/messages:
tail -f /var/log/messages
(or journalctl -k -g avc on systemd hosts). A silent failure with no AVC record at all may be a denial hidden by a dontaudit rule: semodule -DB rebuilds the policy with those rules disabled, and semodule -B puts them back.
Then have setroubleshoot (package setroubleshoot-server) explain the recorded denials:
sealert -a /var/log/audit/audit.log
You may get an output similar to the following one, which helps diagnose the problem:
[...]
SELinux is preventing /usr/sbin/httpd from write access on the file manager.node.nodes.lock.
[...]
sealert ends each report with suggested fixes in order of preference: a boolean to set, a relabel to run, or, as a last resort, a custom policy module. For the last case, use audit2allow to parse the audit logs and generate the rules that would allow the denied operation:
grep httpd /var/log/audit/audit.log | audit2allow
#============= httpd_t ==============
allow httpd_t httpd_log_t:file write;
Read the output before acting on it. audit2allow only translates what was denied into an allow rule; it does not know whether the access is legitimate. A denial on a mislabeled file is fixed with restorecon (or semanage fcontext), not by allowing the domain to touch the wrong type; a denial that a boolean covers is fixed with setsebool; only a genuine gap in the policy warrants a module. Filter the log to the process in question (ausearch -c httpd --raw is narrower than grep httpd) so that unrelated denials do not end up in the module.
Once the rules are what you want, write them into a policy module:
grep httpd /var/log/audit/audit.log | audit2allow -M mysepolicy
This generates two files in the current directory: a text mysepolicy.te (the policy source, worth keeping under version control) and a binary mysepolicy.pp (the compiled package). The package is installed with:
semodule -i mysepolicy.pp
The module goes into the policy store and survives a reboot; semodule -l lists it and semodule -r mysepolicy removes it again.
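An added example (not from the original page) of the triage step between reading the log and running audit2allow: it reduces raw audit.log lines to distinct (source type, target type, class, permission) tuples with counts, then applies a rule of thumb of this example's own devising: name_bind denials point at a port label, generic target types such as user_home_t point at a file label, and anything else is a candidate for a module. The audit records are constructed samples modelled on the httpd denial above; the helper names are this example's own.

```shell
#!/bin/sh
# Added example: summarise AVC denials from audit.log and sort them into
# "fix the label", "fix the port label" and "maybe write policy" before
# reaching for audit2allow. The records below are constructed samples.

SAMPLE_AVC='type=AVC msg=audit(1704067200.123:456): avc:  denied  { write } for  pid=1234 comm="httpd" name="manager.node.nodes.lock" dev="dm-0" ino=789 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1704067200.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1704067201.456:457): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1704067202.789:458): avc:  denied  { read open } for  pid=2222 comm="httpd" name="index.html" dev="dm-0" ino=101 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1704067203.012:459): avc:  denied  { write } for  pid=1234 comm="httpd" name="manager.node.nodes.lock" dev="dm-0" ino=789 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0'

# avc_summary  (raw audit.log lines on stdin)
# Output: "<count> <source type> <target type> <class> <perms>" per distinct
# denial, sorted. Only AVC records are considered; SYSCALL etc. are skipped.
avc_summary() {
  awk '
    # user:role:type:level -> type
    function ctx_type(ctx,   parts) {
      sub(/^[st]context=/, "", ctx)
      split(ctx, parts, ":")
      return parts[3]
    }
    /avc: +denied/ {
      perm = ""; st = ""; tt = ""; tc = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "{") {
          # permissions sit between "{" and "}"; join several with "+"
          for (j = i + 1; j <= NF && $j != "}"; j++)
            perm = perm (perm == "" ? "" : "+") $j
        } else if (index($i, "scontext=") == 1) st = ctx_type($i)
        else if (index($i, "tcontext=") == 1) tt = ctx_type($i)
        else if (index($i, "tclass=") == 1) tc = substr($i, 8)
      }
      n[st " " tt " " tc " " perm]++
    }
    END { for (k in n) print n[k], k }
  ' | LC_ALL=C sort
}

# avc_hint TARGET_TYPE CLASS PERMS: triage heuristic (this example's own
# rule of thumb, not something the SELinux tooling defines).
avc_hint() {
  case "$2:$3" in
    tcp_socket:name_bind|udp_socket:name_bind)
      echo "port: label the port for the domain (semanage port -a -t <port_type> -p <proto> <port>) rather than allowing $1"
      return 0 ;;
  esac
  case "$1" in
    user_home_t|admin_home_t|default_t|unlabeled_t|var_t|usr_t|etc_t)
      echo "label: $1 is a generic type; run restorecon -nv on the object (or semanage fcontext -a) before writing policy" ;;
    *)
      echo "policy: review the audit2allow rule for $1:$2 $3; install a module only if the access is legitimate" ;;
  esac
}

# Demo on the constructed records:
printf '%s\n' "$SAMPLE_AVC" | avc_summary | while read -r count st tt tc perm; do
  printf '%s x %s -> %s (%s %s)\n   %s\n' "$count" "$st" "$tt" "$tc" "$perm" "$(avc_hint "$tt" "$tc" "$perm")"
done
```

On a live host feed it `ausearch -m AVC -ts recent --raw | avc_summary`; the count column is what tells a one-off probe apart from a denial that is breaking the service on every request.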
Modify and Compile a Policy
The text (.te) file can be modified by hand, compiled and installed, as follows. Assuming the text file is similar to:
module mysepolicy 1.0;

require {
        type httpd_log_t;
        type httpd_t;
        type unreserved_port_t;
        class tcp_socket name_bind;
        class dir remove_name;
        class file { write unlink };
        class udp_socket name_bind;
}

#============= httpd_t ==============
allow httpd_t httpd_log_t:dir remove_name;
allow httpd_t httpd_log_t:file unlink;
allow httpd_t httpd_log_t:file write;
allow httpd_t unreserved_port_t:udp_socket name_bind;
allow httpd_t unreserved_port_t:tcp_socket name_bind;

The first line names and versions the module; the require block declares every type and every class/permission the rules use (the module fails to link if a rule refers to something not declared there); the allow rules follow. Note what this particular module grants: name_bind on unreserved_port_t lets httpd listen on any unlabeled high port, which is usually better expressed by labeling the one port it needs (semanage port -a -t http_port_t -p tcp <port>) than by allowing the whole type.
Compile the source into a module (-M builds an MLS/MCS-aware module, which the targeted policy also needs since it uses MCS; -m builds a loadable, non-base module):
checkmodule -M -m -o mysepolicy.mod mysepolicy.te
Create the module package:
semodule_package -o mysepolicy.pp -m mysepolicy.mod
Install the policy:
semodule -i mysepolicy.pp
Verify that the policy was installed:
semodule -l | grep mysepolicy
checkmodule comes from the checkpolicy package and semodule_package from policycoreutils. Reinstalling a module under the same name replaces the previous version; semodule -r mysepolicy removes it.
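An added example (not the page's own code) that wraps the four steps above in shell: it generates the .te from a reviewed list of rules, so the require block cannot drift from the allow rules, then builds, installs and verifies the module with the same commands. The compact rule format, the helper names and the module name mysepolicy are this example's own; the build and install steps run only where checkmodule is present and the caller is root.

```shell
#!/bin/sh
# Added example: generate a .te module from a reviewed list of allow rules,
# then build, install and verify it with the checkmodule / semodule_package /
# semodule pipeline. Rule list, module name and helper names are this
# example's own.

# valid_module_name NAME: module names become file names and semodule
# identifiers; keep them to [A-Za-z0-9_].
valid_module_name() {
  case "$1" in
    "" | *[!A-Za-z0-9_]*) return 1 ;;
  esac
  return 0
}

# gen_te NAME VERSION  (stdin: "source_type target_type class permission"
# per line). Emits a .te whose require block is derived from the rules,
# so it declares exactly the types and classes the rules use. Duplicate
# rules are dropped; permissions are grouped per class.
gen_te() {
  valid_module_name "$1" || { echo "gen_te: bad module name '$1'" >&2; return 1; }
  awk -v mod="$1" -v ver="$2" '
    NF == 4 {
      types[$1] = 1; types[$2] = 1
      if (!(($3, $4) in seen)) { seen[$3, $4] = 1; perms[$3] = perms[$3] " " $4 }
      rule = "allow " $1 " " $2 ":" $3 " " $4 ";"
      if (!(rule in rules)) { rules[rule] = 1; order[++n] = rule }
    }
    END {
      printf "module %s %s;\n\nrequire {\n", mod, ver
      for (t in types) printf "\ttype %s;\n", t
      for (c in perms) printf "\tclass %s {%s };\n", c, perms[c]
      printf "}\n\n"
      for (i = 1; i <= n; i++) print order[i]
    }'
}

# build_module NAME: NAME.te -> NAME.mod -> NAME.pp in the current directory.
# -M: MLS/MCS-aware module (the targeted policy uses MCS); -m: loadable,
# non-base module.
build_module() {
  for tool in checkmodule semodule_package; do
    command -v "$tool" >/dev/null 2>&1 || { echo "missing $tool (packages checkpolicy / policycoreutils)" >&2; return 1; }
  done
  checkmodule -M -m -o "$1.mod" "$1.te" || return 1
  semodule_package -o "$1.pp" -m "$1.mod"
}

# install_module NAME: load NAME.pp into the policy store and verify it is
# listed (old semodule prints "name<TAB>version", new prints just "name").
# The store persists across reboots; `semodule -r NAME` removes it.
install_module() {
  semodule -i "$1.pp" || return 1
  semodule -l | grep -qE "^$1([[:space:]]|$)" || { echo "$1 not listed by semodule -l" >&2; return 1; }
  echo "module $1 installed"
}

# Demo: the rules from the page's listing, in the compact input form.
RULES='httpd_t httpd_log_t dir remove_name
httpd_t httpd_log_t file unlink
httpd_t httpd_log_t file write
httpd_t unreserved_port_t udp_socket name_bind
httpd_t unreserved_port_t tcp_socket name_bind'

printf '%s\n' "$RULES" | gen_te mysepolicy 1.0
# Build and install only on a host with the toolchain, as root.
if command -v checkmodule >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
  printf '%s\n' "$RULES" | gen_te mysepolicy 1.0 > mysepolicy.te
  build_module mysepolicy && install_module mysepolicy || echo "build/install failed" >&2
fi
```

Keeping the rule list (rather than the generated .te) as the reviewed artifact is the point of the generator: a reviewer reads five one-line grants, and the require block is never out of step with them, which is the usual cause of a "link" failure in semodule when a hand-edited .te has lost a declaration.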
Inspect and Adjust SELinux Policy Boolean Values
See: SELinux Policy Booleans