SELinux Operations: Difference between revisions
| Line 16: | Line 16: | ||
sestatus | sestatus | ||
</pre> | </pre> | ||
=How to Disable Enforcement= | |||
Configure | |||
<pre> | |||
SELINUX=disabled | |||
</pre> | |||
in the <tt>/etc/selinux/config</tt> file then reboot the system. | |||
=Get the SELinux Security Context for a Directory= | =Get the SELinux Security Context for a Directory= | ||
Revision as of 20:00, 22 May 2017
Internal
How to Find Out Whether SELinux is Enabled
getenforce
If SELinux is enabled, the command will return "Enforcing".
More details can be obtained with:
sestatus
How to Disable Enforcement
Configure
SELINUX=disabled
in the /etc/selinux/config file then reboot the system.
Get the SELinux Security Context for a Directory
ls -lZ <dir>
Diagnosing and Fixing SELinux Problems
If you have a suspicion that SELinux may be at the root of your problems, run:
sealert -a /var/log/audit/audit.log
You may get an output similar to the following one, which helps diagnose the problem:
[...] SELinux is preventing /usr/sbin/httpd from write access on the file manager.node.nodes.lock. [...]
Then use audit2allow to parse the audit logs and generate the SELinux policy to allow a denied operation.
grep httpd /var/log/audit/audit.log | audit2allow
#============= httpd_t ============== allow httpd_t httpd_log_t:file write;
After you see it, you can write the policy in a file:
grep httpd /var/log/audit/audit.log | audit2allow -M mysepolicy
This will generate two files: a binary .pp file and a text .te file. The binary file thus generated can be installed as follows:
semodule -i mysepolicy.pp
The policy such applies survives a reboot.
Modify and Compile a Policy
The text (.te) file can be manually modified, compiled and installed, as follows. Assuming the text file is similar to:
module mysepolicy 1.0;
require {
type httpd_log_t;
type httpd_t;
type unreserved_port_t;
class tcp_socket name_bind;
class dir remove_name;
class file { write unlink };
class udp_socket name_bind;
}
#============= httpd_t ==============
allow httpd_t httpd_log_t:dir remove_name;
allow httpd_t httpd_log_t:file unlink;
allow httpd_t httpd_log_t:file write;
allow httpd_t unreserved_port_t:udp_socket name_bind;
allow httpd_t unreserved_port_t:tcp_socket name_bind;
The policy can be compiled:
checkmodule -M -m -o mysepolicy.mod mysepolicy.te
Create the module package:
semodule_package -o mysepolicy.pp -m mysepolicy.mod
Install the policy:
semodule -i mysepolicy.pp
Verify that the policy was installed:
semodule -l | grep mysepolicy