Selinux: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
No edit summary
No edit summary
Line 8: Line 8:


* [[SELinux Concepts]]
* [[SELinux Concepts]]
* [[SELinux Operations]]


=How to Find Out Whether SELinux is Enabled=
=How to Find Out Whether SELinux is Enabled=

Revision as of 23:06, 8 January 2016

Internal

Overview

Subjects

How to Find Out Whether SELinux is Enabled

getenforce

If SELinux is enabled, the command will return "Enforcing".

Configuration

Install Management and Troubleshooting Tools

yum provides /usr/sbin/semanage
yum provides sealert
yum -y install policycoreutils-python
yum -y install setroubleshoot-server

Troubleshooting

Get the SELinux Security Context

ls -lZ <dir>

Diagnosing and Fixing SELinux Problems

If you have a suspicion that SELinux may be at the root of your problems, run:

sealert -a /var/log/audit/audit.log

You may get an output similar to the following one, which helps diagnose the problem:

[...]
SELinux is preventing /usr/sbin/httpd from write access on the file manager.node.nodes.lock.
[...]

Then use audit2allow to parse the audit logs and generate the SELinux policy to allow a denied operation.

grep httpd /var/log/audit/audit.log | audit2allow
#============= httpd_t ==============
allow httpd_t httpd_log_t:file write;

After you see it, you can write the policy in a file:

grep httpd /var/log/audit/audit.log | audit2allow -M mysepolicy

This will generate two files: a binary .pp file and a text .te file.

Apply the policy with:

semodule -i mysepolicy.pp

The policy such applies survives a reboot.

Permission Denied when Trying to Write in a Directory

TODO, rationalize the following content: Media_Wiki_Installation#Fails_to_upload_images_with_.27Fatal_exception_of_type_.22MWException.22.27.