Monday 25 April 2011

My SELinux Quick Reference

tested for RHEL/Centos 5

Check status of selinux

List security context of file and/or directories
ls -Z /dir

List security context of a/processes
ps axZ | proc

Change security context for a file/dir
chcon -Rv --type=proc_sys_content_t /dir (reboot persistent)
semanage fcontext -a -t proc_sys_content_t "/dir(/.*)?" (filesystem relable persistent)

Restore security contect of a file/dir
restorecon -Rv /dir/subdir

Allow access to a port, eg.
semanage port -a -t http_port_t -p tcp 81

Toggling SELinux policies with boolean commands;
see this wiki

When you are hitting a security restriction in your server that's being enforced by SELinux (in enforcing mode) You can troubleshoot such issues by first setting selinux to permissive and check the audited security context breaches.
setenforce 0

If SELinux (in permissive mode) is complaining about a specific process' access to files(/var/log/audit/audit.log), we can resolve these issues by reviewing what SELinux would have wanted inorder to allow access. e.g for snmpd:
grep snmpd_t /var/log/audit/audit.log | audit2allow -r

If the results look reasonable, then make custom policy module to allow the actions;
grep snmpd_t /var/log/audit/audit.log | audit2allow -M snmpdlocal

and then load the module
semodule -i snmpdlocal.pp

then check if module is loaded correctly
semodule -l

Monitor the audit.log to see if issue is resolved. If all looks ok, then revert your SELinux to enforcing
setenforce 1

No comments:

Post a Comment