SELinux Operations

From NovaOrdis Knowledge Base
Revision as of 23:09, 8 January 2016 by Ovidiu (talk | contribs)
Jump to navigation Jump to search

Internal

Get the SELinux Security Context for a Directory

ls -lZ <dir>

Diagnosing and Fixing SELinux Problems

If you have a suspicion that SELinux may be at the root of your problems, run:

sealert -a /var/log/audit/audit.log

You may get an output similar to the following one, which helps diagnose the problem:

[...]
SELinux is preventing /usr/sbin/httpd from write access on the file manager.node.nodes.lock.
[...]

Then use audit2allow to parse the audit logs and generate the SELinux policy to allow a denied operation.

grep httpd /var/log/audit/audit.log | audit2allow
#============= httpd_t ==============
allow httpd_t httpd_log_t:file write;

After you see it, you can write the policy in a file:

grep httpd /var/log/audit/audit.log | audit2allow -M mysepolicy

This will generate two files: a binary .pp file and a text .te file.

Apply the policy with:

semodule -i mysepolicy.pp

The policy such applies survives a reboot.

Compile and Apply a Policy

Start from the text policy file. In our case mypolicy.te: