# SELinux

Video guide: Security-Enhanced Linux for mere mortals

- Red Hat uses SELinux by default
- Debian / Ubuntu use AppArmor by default

| Mode | Effect |
|---|---|
| Enforcing | apply policy |
| Permissive | log but do not apply policy |
## Get SELinux status

```sh
getenforce
```

Status detail:

```sh
sestatus [-v]
```

## Set SELinux status

```sh
setenforce { Enforcing | Permissive | 1 | 0 }
```

## View SELinux labels

```sh
ls -Z        # files
id -Z        # current user
ps -Z        # processes
ss -Z        # sockets
netstat -Z   # sockets (legacy tool)
```
## Troubleshoot

```sh
yum install setroubleshoot setroubleshoot-server
service auditd restart
# systemctl cannot restart auditd, see https://bugzilla.redhat.com/show_bug.cgi?id=1026648
# systemctl restart auditd.service
```

View SELinux errors and suggestions:

```sh
journalctl
```
## Set context to default

- A moved (`mv`) file keeps its old context; SELinux uses the config file `/etc/selinux/targeted/contexts/files/file_contexts` to determine the default context for a path.

| Option | Meaning |
|---|---|
| -r, -R | recursive |
| -v | verbose, show changes in file labels |

```sh
restorecon [<options>] <path>
```
## Add default context of a path

```sh
semanage fcontext -a -t <context type> <path RegExp>
```

Set the default context of `/web` to `httpd_sys_content_t`:

```sh
semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
restorecon -v -R /web
```

## Set default context of /web by reference

- SELinux substitutes `/var/www/html` for `/web` when looking up the default context, so `/web` gets the same labels as `/var/www/html`

```sh
semanage fcontext -a -e /var/www/html /web
restorecon -v -R /web
```

## Change context by reference

```sh
chcon --reference <reference path> <path>
```
## Create policy module for an app

1. Set mode to Permissive:

   ```sh
   setenforce 0
   ```

2. Run the app
3. Check the log:

   ```sh
   journalctl
   ```

4. Follow the suggestion: build a module from the recorded denials and install it:

   ```sh
   grep <app> /var/log/audit/audit.log | audit2allow -M <app>
   semodule -i <app>.pp
   ```

5. Set mode to Enforcing:

   ```sh
   setenforce 1
   ```
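As an added example (not part of the original cheat sheet), this Python script does what the `grep <app> ... | audit2allow` step does on constructed AVC denial records: it parses the `scontext`, `tcontext` and `tclass` fields of each `avc: denied` line, filters by process name, and merges the denied permissions into `allow` rules, so you can see what a module would grant before running `semodule -i`. The sample log, the `httpd` process and the `default_t`/`mysqld_port_t` targets are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed AVC denial records in audit.log format (sample data, not a real log).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=5354 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { getattr } for  pid=1201 comm="httpd" path="/web/index.html" dev="dm-0" ino=5354 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { write } for  pid=1330 comm="sshd" name="secret" dev="dm-0" ino=77 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

# Fields of an AVC record we need: denied permissions, process name,
# source/target security contexts and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """Return the type (third field) of a user:role:type:level SELinux context."""
    return context.split(":")[2]

def parse_denials(log_text, comm=None):
    """Yield (source_type, target_type, tclass, {perms}) per AVC denial.
    `comm` restricts output to one process name, like the grep step above."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or (comm is not None and m.group("comm") != comm):
            continue
        yield (type_of(m.group("scontext")), type_of(m.group("tcontext")),
               m.group("tclass"), set(m.group("perms").split()))

def suggest_rules(log_text, comm=None):
    """Merge denials into audit2allow-style allow rules: one rule per
    (source type, target type, class) with the denied permissions unioned."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(log_text, comm):
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:          # audit2allow braces multi-permission sets
            perm_str = "{ %s }" % perm_str
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, perm_str))
    return rules

if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_AUDIT_LOG, comm="httpd"):
        print(rule)
```

A denial whose target type is `default_t` (as in the first two sample lines) normally means the file is mislabeled because no `file_contexts` entry matches its path, so the fix is `semanage fcontext` plus `restorecon` rather than an `allow` rule.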
## Re-label the entire file system

1. Set mode to Permissive:

   ```sh
   setenforce 0
   ```

2. Create an empty file `.autorelabel` in the root directory:

   ```sh
   touch /.autorelabel
   ```

3. Reboot:

   ```sh
   reboot
   ```