Thursday, November 20, 2014

SELinux on Red Hat 7


2nd part
SELinux
# ls -lZ
It's hard to find the context type you want.
# yum install -y httpd
# cd /var/www/html
# ls -Z
You will see the web server's default SELinux context.
To manage file contexts:
List all file context rules:
# semanage fcontext -l | more
# semanage fcontext -l | grep http

It's top.
Check the current configuration:
# ls -Z

On older versions: man -k _selinux
On Red Hat 7:
# yum whatprovides */sepolicy
To generate the man pages:
# yum -y install policycoreutils-devel

# sepolicy --help
# man sepolicy
# man sepolicy-manpage
Choose where to put the generated man pages:
# sepolicy manpage -a -p /usr/share/man/man8
Wait a while for the man pages to be generated.

# man -k _selinux  # will not show anything yet...
Run mandb to update the man page database:
# mandb
# man httpd_selinux  # to get the SELinux context types for httpd
# cd /var/www
# ls -lZ
# man semanage-fcontext  # only works on RHEL 7
Check the examples presented there.
# mkdir /apps
# cat >/apps/index.html
This is test

Edit /etc/httpd/conf/httpd.conf:
locate DocumentRoot and change it to /apps;
also change the Directory location from /var/www to
<Directory "/apps">
Check a couple of places.

# systemctl restart httpd
# yum -y install elinks
# elinks http://localhost
# tail -f /var/log/audit/audit.log | grep AVC
# grep AVC /var/log/audit/audit.log

Check the log and you will see the AVC denial.
# semanage fcontext -a -t httpd_sys_content_t "/apps(/.*)?"
Now apply the policy to the filesystem:
# restorecon -R -v /apps
# elinks http://localhost
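Before changing any fcontext rule it helps to read the denial precisely. As an added example (not part of these notes), the functions below parse AVC denial lines such as the ones grep AVC prints into one summary line per denial (process, permissions, class, source domain, target type, path) and then aggregate the domain/type pairs, so the label mismatch behind the denial is visible at a glance. The audit lines are a constructed sample in the standard audit.log format, not data from a real system.

```shell
#!/bin/sh
# Constructed sample audit log lines (not from a real system).
SAMPLE_AUDIT='type=AVC msg=audit(1416492000.123:456): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/apps/index.html" dev="dm-0" ino=123456 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1416492000.123:456): arch=c000003e syscall=4 success=no exit=-13 ...
type=AVC msg=audit(1416492001.500:457): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=123456 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file'

# avc_summary: read audit log lines on stdin and print one line per AVC denial:
#   <comm> <permissions,comma-separated> <tclass> <source type> <target type> <path or name>
avc_summary() {
    awk '
    /^type=AVC / && /avc:  denied/ {
        # the denied permissions sit between "{ " and " }"
        perms = $0; sub(/.*denied  \{ /, "", perms); sub(/ \}.*/, "", perms)
        gsub(/ /, ",", perms)
        comm = field($0, "comm"); tclass = field($0, "tclass")
        # path= is present for path-based denials, name= otherwise
        path = field($0, "path"); if (path == "") path = field($0, "name")
        # contexts are user:role:type:level; the type is the third element
        split(field($0, "scontext"), s, ":"); split(field($0, "tcontext"), t, ":")
        printf "%s %s %s %s %s %s\n", comm, perms, tclass, s[3], t[3], path
    }
    # field: return the value of key=value (quotes stripped) or "" if absent
    function field(line, key,   v) {
        if (match(line, key "=[^ ]*")) {
            v = substr(line, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
            gsub(/"/, "", v)
            return v
        }
        return ""
    }'
}

# avc_pairs: count denials per "source type -> target type (class)" pair
avc_pairs() {
    avc_summary | awk '{ n[$4 " -> " $5 " (" $3 ")"]++ } END { for (k in n) print n[k], k }' | sort
}

printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
printf '%s\n' "$SAMPLE_AUDIT" | avc_pairs
```

On a live box: grep AVC /var/log/audit/audit.log | avc_pairs. A pair like httpd_t -> default_t for files under the new DocumentRoot means the directory was created without a matching labelling rule, which is exactly what the semanage fcontext and restorecon steps above correct; the fix is to relabel the content, not to loosen the httpd domain.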

https://www.youtube.com/watch?v=jz_OrnjCR_M

3rd part
Booleans:
# getsebool -a  # currently available
# semanage boolean -l # show policy state
# man -k _selinux | grep ftp
# man ftpd_selinux  # shows us info about the ftp booleans
# getsebool -a | grep ftp
# sesearch -b ftpd_anon_write -ACT
A boolean can govern a lot of rules,
including type transition rules; filter those out:
# sesearch -b ftpd_anon_write -ACT | grep -v type_transit
Look for ftpd_t and public_content_rw_t,
for the file or dir class,
and the source context.
# sesearch -b ftpd_anon_write -ACT | grep -v type_transit
# setsebool -P ftpd_anon_write on
This no longer blocks writes by anonymous users...

# sesearch -b ftpd_anon_write -ACT | grep -v type_transit
Check the first column: E for enabled,
D for disabled.
Use -P for persistence; without
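Before flipping a boolean on, it is worth listing exactly what it would grant. As an added example (not from these notes), the functions below read sesearch -ACT output of the shape shown above, where the first column carries E or D for an enabled or disabled conditional rule and the trailing [ ... ] names the boolean, and report each conditional allow rule plus the accesses that would newly open if a given boolean were enabled. The sesearch lines are a constructed sample shaped like setools output, not captured from a real system.

```shell
#!/bin/sh
# Constructed sample of `sesearch -b ftpd_anon_write -ACT` output (not captured from a real system).
# First column: E/D = rule currently enabled/disabled, T/F = true/false branch of the boolean.
SAMPLE_SESEARCH='Found 3 semantic av rules:
DT allow ftpd_t public_content_rw_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ ftpd_anon_write ]
DT allow ftpd_t public_content_rw_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ ftpd_anon_write ]
ET allow ftpd_t public_content_t : file { ioctl read getattr lock open } ; [ ftpd_full_access ]'

# conditional_rules: read sesearch output on stdin and print one line per conditional allow rule:
#   <ENABLED|DISABLED> <boolean> <source type> <target type> <class> <number of permissions>
conditional_rules() {
    awk '$1 ~ /^[ED][TF]$/ && $2 == "allow" {
        state = (substr($1, 1, 1) == "E") ? "ENABLED" : "DISABLED"
        # the boolean name sits inside the trailing [ ... ]
        bool = $0; sub(/.*\[ /, "", bool); sub(/ \].*/, "", bool)
        # the permission set sits inside { ... }
        perms = $0; sub(/.*\{ /, "", perms); sub(/ \}.*/, "", perms)
        n = split(perms, p, " ")
        # fields: $3 source, $4 target, $5 ":", $6 object class
        printf "%s %s %s %s %s %d\n", state, bool, $3, $4, $6, n
    }'
}

# pending_grants: the (source, target, class) triples that enabling boolean $1 would newly allow
pending_grants() {
    conditional_rules | awk -v b="$1" '$1 == "DISABLED" && $2 == b { print $3, $4, $5 }'
}

printf '%s\n' "$SAMPLE_SESEARCH" | conditional_rules
printf '%s\n' "$SAMPLE_SESEARCH" | pending_grants ftpd_anon_write
```

On a live box: sesearch -b ftpd_anon_write -ACT | pending_grants ftpd_anon_write. If the list is wider than the access the service actually needs, prefer relabelling only the directory that must be writable (public_content_rw_t) over enabling a broader boolean, and re-run the command after setsebool to confirm the rules now show E.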
 
