Selinux: Difference between revisions

From NovaOrdis Knowledge Base
(9 intermediate revisions by the same user not shown)
Line 1: Line 1:
=Internal=


* [[Linux 7 Security]]
* [[Linux Security]]


=Overview=
SELinux stands for Security-Enhanced Linux. It provides Mandatory Access Control (MAC) for Linux systems. Under SELinux, every process and file is assigned a ''type'', and the policy allows a process of one type to access files of another type only where a rule explicitly permits it.


=Subjects=


* [[SELinux Concepts]]
* [[SELinux Concepts|Concepts]]
 
* [[SELinux Operations|Operations]]
=How to Find Out Whether SELinux is Enabled=
 
<pre>
getenforce
</pre>
 
If SELinux is enabled, the command returns "Enforcing" (policy violations are blocked) or "Permissive" (violations are only logged); "Disabled" means SELinux is off.


=Configuration=
Line 33: Line 28:
=Troubleshooting=


==Get the SELinux Security Context==
Also see: {{Internal|SELinux_Operations#Troubleshooting.2C_Diagnosing_and_Fixing_SELinux_Problems|Troubleshooting, Diagnosing and Fixing SELinux Problems}}
 
<pre>
ls -lZ <dir>
</pre>
 
==Diagnosing and Fixing SELinux Problems==
 
If you have a suspicion that SELinux may be at the root of your problems, run:
 
<pre>
sealert -a /var/log/audit/audit.log
</pre>
 
You may get an output similar to the following one, which helps diagnose the problem:
 
<pre>
[...]
SELinux is preventing /usr/sbin/httpd from write access on the file manager.node.nodes.lock.
[...]
</pre>
 
Then use <tt>audit2allow</tt> to parse the audit logs and generate the SELinux policy to allow a denied operation.
 
<pre>
grep httpd /var/log/audit/audit.log | audit2allow
</pre>
 
<pre>
#============= httpd_t ==============
allow httpd_t httpd_log_t:file write;
</pre>
 
After you see it, you can write the policy in a file:
 
<pre>
grep httpd /var/log/audit/audit.log | audit2allow -M mysepolicy
</pre>
 
This generates two files: the binary policy module <tt>mysepolicy.pp</tt> and its type enforcement source <tt>mysepolicy.te</tt>. Review the <tt>.te</tt> file before installing it: <tt>audit2allow</tt> permits exactly the accesses that were denied, which may include ones the policy was intended to block.
 
Apply the policy with:
 
<pre>
semodule -i mysepolicy.pp
</pre>
 
A policy module installed with <tt>semodule -i</tt> is persistent and survives a reboot.
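The denial-to-rule step above, as an added shell example (not from this wiki page): using only grep, awk and sort, it reduces AVC records to the same "source target:class permission" lines that audit2allow prints, so you can see what a generated module would allow before installing it. The audit log excerpt is constructed, and the parser reads only the type field of each context.

```shell
#!/bin/sh
# Added example: summarize AVC denials in the form audit2allow prints.
# AUDIT_SAMPLE is a constructed excerpt in /var/log/audit/audit.log format.
AUDIT_SAMPLE='type=AVC msg=audit(1703966400.123:456): avc:  denied  { write } for  pid=1234 comm="httpd" name="manager.node.nodes.lock" dev="dm-0" ino=123456 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1703966401.456:457): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=7 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1703966401.456:457): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"'

# summarize_avc: read audit records on stdin, emit one de-duplicated
# "stype ttype:tclass perm" line per denied permission.
summarize_avc() {
  awk '
  /avc: +denied/ {
    n = 0; s = ""; t = ""; c = ""; inperm = 0
    for (i = 1; i <= NF; i++) {
      if ($i == "{") { inperm = 1; continue }   # start of "{ perm ... }"
      if ($i == "}") { inperm = 0; continue }
      if (inperm) { perms[++n] = $i; continue }
      # contexts look like user:role:type:level; field 3 is the type
      if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
      if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
      if ($i ~ /^tclass=/)   { c = substr($i, 8) }
    }
    for (j = 1; j <= n; j++) print s " " t ":" c " " perms[j]
  }' | sort -u
}

# denials_for: restrict to records of one process name, as the page does
# with "grep httpd /var/log/audit/audit.log | audit2allow".
denials_for() {
  grep "comm=\"$1\"" | summarize_avc
}

# Demo on the constructed sample; on a real host use
#   denials_for httpd < /var/log/audit/audit.log
printf '%s\n' "$AUDIT_SAMPLE" | denials_for httpd
```

Each output line corresponds to one <tt>allow</tt> rule the generated module would contain; a target type such as <tt>user_home_t</tt> is usually a sign of a mislabeled file rather than a missing rule.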


==Permission Denied when Trying to Write in a Directory==


<font color=red>TODO, rationalize the following content: [[Media_Wiki_Installation#Fails_to_upload_images_with_.27Fatal_exception_of_type_.22MWException.22.27]].</font>
<font color=darkkhaki>TODO, rationalize the following content: [[Media_Wiki_Troubleshooting#Fails_to_upload_images_with_.27Fatal_exception_of_type_.22MWException.22.27]].</font>

Latest revision as of 20:00, 30 December 2023

=Configuration=

==Install Management and Troubleshooting Tools==

<pre>
yum provides /usr/sbin/semanage
yum provides sealert
yum -y install policycoreutils-python
yum -y install setroubleshoot-server
</pre>
