SELinux Operations

From NovaOrdis Knowledge Base
Jump to navigation Jump to search

Internal

How to Find Out Whether SELinux is Enabled

getenforce

If SELinux is enabled, the command will return "Enforcing".

More details can be obtained with:

sestatus

How to Disable Enforcement

Configure:

SELINUX=disabled

in the /etc/selinux/config file then reboot the system.

Configure Permissive Mode

To set SELinux in "permissive" mode at runtime, execute:

setenforce Permissive

but this setting won't survive reboot.

Get the SELinux Security Context for a Directory

ls -lZ <dir>

Troubleshooting, Diagnosing and Fixing SELinux Problems

If you have a suspicion that SELinux may be at the root of your problems, run:

sealert -a /var/log/audit/audit.log

or even

tail -f /var/log/audit/audit.log

You may get an output similar to the following one, which helps diagnose the problem:

[...]
SELinux is preventing /usr/sbin/httpd from write access on the file manager.node.nodes.lock.
[...]

Then use audit2allow to parse the audit logs and generate the SELinux policy to allow a denied operation.

grep httpd /var/log/audit/audit.log | audit2allow
#============= httpd_t ==============
allow httpd_t httpd_log_t:file write;

After you see it, you can write the policy in a file:

grep httpd /var/log/audit/audit.log | audit2allow -M mysepolicy

This will generate two files: a binary .pp file and a text .te file. The binary file thus generated can be installed as follows:

semodule -i mysepolicy.pp

The policy such applies survives a reboot.

Modify and Compile a Policy

The text (.te) file can be manually modified, compiled and installed, as follows. Assuming the text file is similar to:


module mysepolicy 1.0;

require {
        type httpd_log_t;
        type httpd_t;
        type unreserved_port_t;
        class tcp_socket name_bind;
        class dir remove_name;
        class file { write unlink };
        class udp_socket name_bind;
}

#============= httpd_t ==============
allow httpd_t httpd_log_t:dir remove_name;
allow httpd_t httpd_log_t:file unlink;
allow httpd_t httpd_log_t:file write;
allow httpd_t unreserved_port_t:udp_socket name_bind;
allow httpd_t unreserved_port_t:tcp_socket name_bind;

The policy can be compiled:

checkmodule -M -m -o mysepolicy.mod mysepolicy.te

Create the module package:

semodule_package -o  mysepolicy.pp -m mysepolicy.mod 

Install the policy:

semodule -i mysepolicy.pp

Verify that the policy was installed:

semodule -l | grep mysepolicy