Check the status of SELinux (mode, policy, whether it is enabled)
sestatus
List the security context of files and/or directories
ls -Z /dir
List the security context of processes (filter for the one you care about)
ps axZ | grep <process_name>
Change the security context of a file/dir
chcon -Rv --type=proc_sys_content_t /dir (survives a reboot, but is lost on the next filesystem relabel, e.g. restorecon or a /.autorelabel boot)
semanage fcontext -a -t proc_sys_content_t "/dir(/.*)?" (records the rule in the policy store, so it survives relabels; it changes no existing labels by itself, so follow it with restorecon)
Restore the security context of a file/dir to what the file-context rules say it should be
restorecon -Rv /dir/subdir
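The relabel workflow above (record the rule with semanage fcontext, then apply it with restorecon), packaged as an added example that is not from the original post. It also covers two things the one-liners hide: the pattern semanage takes is a regular expression, so a directory name containing a dot has to be escaped, and the rule relabels nothing until restorecon runs. The directory, the type (httpd_sys_content_t is a standard targeted-policy type chosen for the example) and the DRY_RUN switch are hypothetical inputs.

```shell
#!/bin/sh
# Added example, not from the original post: make a directory's label
# persistent the way the post describes (semanage fcontext rule + restorecon).
# The directory, the type and DRY_RUN are hypothetical inputs for this example.
set -eu

# Build the regex semanage expects from a plain directory path: drop trailing
# slashes and escape regex metacharacters, since an unescaped '.' in
# /srv/my.site would also match /srv/myXsite.
fcontext_pattern() {
    dir=$1
    while [ "$dir" != "/" ] && [ "${dir%/}" != "$dir" ]; do
        dir=${dir%/}
    done
    esc=$(printf '%s' "$dir" | sed 's/[][\.*^$+?(){}|]/\\&/g')
    printf '%s(/.*)?\n' "$esc"
}

# Print instead of execute when DRY_RUN=1, which is also what lets the
# script run on a machine without the SELinux tools installed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# 1. record the rule in the policy store (survives relabels, unlike chcon);
#    -a fails if a rule for that pattern already exists, so fall back to -m
# 2. apply it to the files that already exist (semanage alone relabels nothing)
# 3. verify the directory's new context
label_dir() {
    dir=$1
    type=$2
    pat=$(fcontext_pattern "$dir")
    run semanage fcontext -a -t "$type" "$pat" || run semanage fcontext -m -t "$type" "$pat"
    run restorecon -Rv "$dir"
    run ls -dZ "$dir"
}

# usage: DRY_RUN=1 sh label_dir.sh /srv/www httpd_sys_content_t
if [ $# -ge 2 ]; then
    label_dir "$1" "$2"
fi
```

Run it with DRY_RUN=1 first to see the exact semanage pattern it will register; `semanage fcontext -l | grep /srv/www` afterwards shows the rule in the policy store, which is the thing chcon never creates.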
Allow a service to use a port the policy does not already permit, e.g. let httpd listen on TCP 81
semanage port -a -t http_port_t -p tcp 81
Toggling SELinux policies with boolean commands;
see this wiki
When a service on your server is hitting a restriction that SELinux (in enforcing mode) is enforcing, you can troubleshoot it by temporarily switching SELinux to permissive mode, so that violations are only logged instead of blocked, and then reviewing the audited denials. This is system-wide and lasts until the next reboot or setenforce 1, so keep the window short:
setenforce 0
If SELinux (in permissive mode) is logging denials to /var/log/audit/audit.log for a specific process's access to files, you can see which rules SELinux would need in order to allow that access, e.g. for snmpd (which runs in the snmpd_t domain):
grep snmpd_t /var/log/audit/audit.log | audit2allow -r
If the results look reasonable (and the access can't be granted with an existing boolean or a file-context fix instead), build a custom policy module that allows those actions; -M writes snmpdlocal.te (the readable rules) and snmpdlocal.pp (the compiled module) into the current directory:
grep snmpd_t /var/log/audit/audit.log | audit2allow -M snmpdlocal
and then load the module:
semodule -i snmpdlocal.pp
then check that the module is listed as loaded:
semodule -l
Monitor audit.log to confirm the denials are gone. If all looks OK, put SELinux back into enforcing mode:
setenforce 1
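The permissive-mode triage described above, as an added example that is not from the original post: it reduces the AVC records for one domain to the unique (source, target, class, permission) tuples the generated module would allow, builds the module with audit2allow -M, prints the .te for review, and only loads it when explicitly asked. The domain name, the AUDIT_LOG override, the "apply" mode and the sample AVC records are hypothetical; the sample records are constructed for the offline demo, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: the permissive-mode triage the
# post walks through, with a review step before anything is loaded.
# The domain, AUDIT_LOG and the "apply" mode are hypothetical inputs.
set -eu

# Reduce AVC records on stdin to unique "source target class permission"
# tuples, i.e. what an audit2allow module built from them would allow.
avc_summary() {
    awk '
    /avc: +denied/ {
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)
        sc = tc = cl = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); sc = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tc = a[3] }
            if ($i ~ /^tclass=/)   { cl = substr($i, 8) }
        }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print sc, tc, cl, p[j]
    }' | sort -u
}

# 1. collect and summarise the denials for one source domain
# 2. generate the module (audit2allow -M writes NAME.te and NAME.pp in the
#    current directory) and print the .te for review
# 3. load it only in "apply" mode, mirroring the post's semodule -i / -l steps
triage_domain() {
    domain=$1
    mode=${2:-review}
    log=${AUDIT_LOG:-/var/log/audit/audit.log}
    mod=${domain%_t}local          # snmpd_t -> snmpdlocal, as in the post
    work=$(mktemp -d)
    grep "scontext=[^ ]*:${domain}:" "$log" > "$work/denials.txt" \
        || { echo "no denials recorded for $domain in $log"; return 1; }
    echo "== unique denials for $domain =="
    avc_summary < "$work/denials.txt"
    command -v audit2allow >/dev/null 2>&1 \
        || { echo "audit2allow not installed"; return 1; }
    ( cd "$work" && audit2allow -M "$mod" < denials.txt )
    echo "== $work/$mod.te (review before loading) =="
    cat "$work/$mod.te"
    if [ "$mode" = apply ]; then
        semodule -i "$work/$mod.pp"
        semodule -l | grep "$mod"
    fi
}

# Constructed AVC records (not captured from a real host) so avc_summary can
# be exercised offline; triage_domain reads the real audit log.
demo_summary() {
    printf '%s\n' \
      'type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1234 comm="snmpd" name="audit.log" dev="dm-0" ino=55 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file permissive=1' \
      'type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=5 comm="snmpd" exe="/usr/sbin/snmpd" subj=system_u:system_r:snmpd_t:s0' \
      'type=AVC msg=audit(1700000000.102:202): avc:  denied  { read open } for  pid=1234 comm="snmpd" path="/var/log/audit/audit.log" dev="dm-0" ino=55 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file permissive=1' \
      'type=AVC msg=audit(1700000000.103:203): avc:  denied  { search } for  pid=1234 comm="snmpd" name="audit" dev="dm-0" ino=54 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir permissive=1' \
    | avc_summary
}

# usage: sh triage.sh snmpd_t          (review only)
#        sh triage.sh snmpd_t apply    (also loads the module)
if [ $# -ge 1 ]; then
    triage_domain "$@"
fi
```

Before reaching for `apply`, check whether an existing boolean already covers the access (`getsebool -a | grep snmpd`, then `setsebool -P` to flip it) or whether the target simply has the wrong label; a module generated straight from audit2allow turns every logged denial into a permanent allow rule. `audit2allow -w` on the same input prints its explanation of each denial. If only one domain needs the relaxed treatment, `semanage permissive -a snmpd_t` makes that domain alone permissive instead of setenforce 0 for the whole system, and `semanage permissive -d snmpd_t` undoes it. Whichever route you take, finish with setenforce 1 and watch audit.log again.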