Wednesday, November 16, 2011

some selinux info

======================================
List and identify SELinux file and process context.
View SELinux contexts of processes:
# ps -eZ, ps -axZ, ps -Zc <process name>, etc.
View SELinux contexts of files and directories:
# ls -Zd /path/to/dir/, ls -Z /path/to/file, etc.
View SELinux contexts of users:
id -Z
Policy context rules are stored in
/etc/selinux/targeted/context/files/file_contexts and 
/etc/selinux/targeted/context/files/file_contexts.local
# semanage fcontext -[a|d|m] -f <ftype> -t <context> ‘<regex>’
e.g.: semanage fcontext -a -t virt_image_t “/virtstorage(/.*)?”
Restore default file contexts.
# restorecon -R -v /dir/ : note the last slash. -R = recursive (all child files and directories) -v = verbose.

Use boolean settings to modify system SELinux settings.
 - Booleans are plain text files located in /selinux/booleans
 - semanage boolean -l : List booleans with basic descriptions (very useful with grep)
 - setsebool [-P] <boolean_name> : set SE boolean, -P to make permanent (survive reboot)
 - Use the graphical tool: system-config-selinux
 - Diagnose and address routine SELinux policy violations.
Many targeted services have specialised man pages dealing with SELinux configuration.
Display these pages with:
# man -k ‘_selinux’
Installing setroubleshoot-server sends SELinux error messages to /var/log/messages. These can be further parsed with sealert.
audit2why and audit2allow can be used to parse the messages in /var/log/audit/audit.log and explain why access was denied, and how to modify your configuration to allow it.
# semanage port -l : list SELinux port settings.
SELinux Packages and utilities
coreutils : Always installed. Provides some default elements of SELinux.
policycoreutils : Provides restorecon, secon, setfiles, et al.
libselinux-utils : Provides getenforce, setenforce, getsebool, setsebool, et al.
policycoreutils-gui : Provides system-config-selinux and sepolgen, et al.
policycoreutils-python : Provides semanage, audit2allow, audit2why, et al.
setroubleshoot : Provides seapplet
setroubleshoot-server : Provides sealert, sedispatch, setroubleshootd, et al.

==========================
SET ENFORCING AND PERMISSIVE MODES FOR SELINUX
Persistent change:
/etc/selinux/config:
SELINUX=enforcing|permissiveCurrent session:
Non persistent change:
setenforce 1|0|enforcing|permissive

VIEW SELINUX STATUS:
Sestatus

LIST AND IDENTIFY SELINUX FILE AND PROCESS CONTEXT
ls -lZ
ps -efZ

RESTORE DEFAULT FILE CONTEXTS
restorecon -R*file

USE BOOLEAN SETTINGS TO MODIFY SYSTEM SELINUX SETTINGS
View booleans:
getsebool -a | grep keyword
OR*semanage boolean -l | grep keyword
Change booleans:
setsebool -P boolean on|off

DIAGNOSE AND ADDRESS ROUTINE SELINUX POLICY VIOLATIONS
Diagnose:
/var/log/audit/audit.log
/var/log/messages
view service logs
sealert
Fix:
audit2allow
setsebool -P boolean on|off

========================

No comments:

Post a Comment