@OtherDevOpsGene
Last active January 31, 2023 06:24
SELinux notes from Security-Enhanced Linux for mere mortals and SELinux For Dummies

Troubleshooting SELinux

From Security-Enhanced Linux for mere mortals and SELinux For Dummies

All as root.

Install tools

yum -y install setroubleshoot setroubleshoot-server
service auditd restart

Look in journalctl

journalctl -b -0

Searching audit.log

SFD (SELinux For Dummies)

ausearch -i -m AVC,USER_AVC -sv no -ts recent
  • -m message types: Access Vector Cache (AVC) denials, including user-space (USER_AVC) ones
  • -i interpret numeric fields (uids, syscalls, timestamps) into readable form
  • -sv no only failed events; skip the successful (granted) ones
  • -ts recent last 5 minutes

Also

  • -se prelude_manager_t to restrict the search to a source SELinux type (here prelude_manager_t)

Setting SELinux boolean

setsebool httpd_enable_homedirs 1 -P
  • httpd_enable_homedirs is the boolean to set
  • 1 is true
  • -P makes it permanent

See SELinux booleans

semanage boolean -l
getsebool -a

Add an additional port for http

SFD

semanage port -a -t http_port_t -p tcp 8080

See booleans that have been set

cat /etc/selinux/targeted/modules/active/boolean.local

Change context

chcon

chcon -u system_u -r object_r -t httpd_sys_content_t /var/www/html/index.html

In targeted, only -t matters.

Copy from known good file

chcon --reference /var/www/html/ /var/www/html/index.html

restorecon

Reset entire dir.

restorecon -vR /var/www/html/
  • -v verbose
  • -R recursively

Defaults come from /etc/selinux/targeted/contexts/files/file_contexts.

Tell SELinux about a new context default

E.g., add /foo/bar as a web DocumentRoot. Check the context of the known-good directory, register the same default for /foo and everything under it, then apply it:

ls -ldZ /var/www/html/
semanage fcontext -a -t httpd_sys_content_t "/foo(/.*)?"
restorecon -vR /foo

or copy from known good

semanage fcontext -a -e /var/www/html /foo
restorecon -vR /foo

Policy modules

Run setenforce 0 to switch to permissive mode: denials are still logged but no longer enforced. Then exercise the application through everything it needs to do so every denial shows up in the audit log.

Look at the alert:

sealert -l someguid

It will tell you to grep the audit log for the domain and build a policy module from the denials:

grep httpd /var/log/audit/audit.log | audit2allow -M mypollocal
semodule -i mypollocal.pp
  • mypollocal.te is the file name for the readable policy
  • mypollocal.pp is the file name for the policy to apply

Compile policy into binary

SFD 1:07:40

ausearch -i -m AVC -sv no -ts recent -se nrpe_t | audit2allow -m drwho-nrpe > drwho-nrpe.te
checkmodule -M -m -o drwho-nrpe.mod drwho-nrpe.te
semodule_package -o drwho-nrpe.pp -m drwho-nrpe.mod
semodule -i drwho-nrpe.pp
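The audit2allow step above and the ausearch search further up are the two halves of the same workflow: find the denials, then turn them into allow rules. As an added example (not code from the gist or from either source it cites), this POSIX shell function does the second half by hand on constructed `ausearch -i` output, so you can see exactly which `allow` rules a module would grant before running semodule -i. The nrpe_t denials, inode numbers, paths and port in SAMPLE_AVC are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original gist): turn the AVC denials that
# `ausearch -i -m AVC -sv no -ts recent` prints into audit2allow-style
# allow rules, so they can be reviewed before any module is installed.

# Constructed sample of interpreted ausearch output (three denials for the
# hypothetical nrpe_t domain; paths, ports and inode numbers are made up).
SAMPLE_AVC='type=AVC msg=audit(01/31/2023 06:24:00.123:456) : avc:  denied  { read open } for  pid=1234 comm=nrpe name=cert.pem dev="dm-0" ino=1234 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
type=AVC msg=audit(01/31/2023 06:24:01.456:457) : avc:  denied  { getattr } for  pid=1234 comm=nrpe path=/etc/pki/tls/certs/ca.crt dev="dm-0" ino=5678 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
type=AVC msg=audit(01/31/2023 06:24:02.789:458) : avc:  denied  { name_connect } for  pid=1234 comm=nrpe dest=5666 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# Read AVC lines on stdin; print one "allow <src> <tgt>:<class> { perms };"
# per (source type, target type, class), with the permissions merged.
avc_to_allow_rules() {
  awk '
    /avc: +denied/ {
      perms = $0
      sub(/^.*\{ */, "", perms)          # drop everything up to "{ "
      sub(/ *\}.*$/, "", perms)          # drop " }" and the rest of the line
      match($0, /scontext=[^ ]+/); s = substr($0, RSTART + 9, RLENGTH - 9)
      match($0, /tcontext=[^ ]+/); t = substr($0, RSTART + 9, RLENGTH - 9)
      match($0, /tclass=[^ ]+/);   c = substr($0, RSTART + 7, RLENGTH - 7)
      split(s, sa, ":"); split(t, ta, ":")   # user:role:type:level -> type is field 3
      key = sa[3] " " ta[3] ":" c
      n = split(perms, pa, " ")
      for (i = 1; i <= n; i++) {
        if (index(" " seen[key] " ", " " pa[i] " ") == 0) {
          if (seen[key] == "") seen[key] = pa[i]
          else seen[key] = seen[key] " " pa[i]
        }
      }
    }
    END { for (k in seen) print "allow " k " { " seen[k] " };" }
  ' | sort
}

# Convenience wrapper over the constructed sample.
sample_allow_rules() {
  printf '%s\n' "$SAMPLE_AVC" | avc_to_allow_rules
}

sample_allow_rules
```

On a real box replace the sample with `ausearch -i -m AVC -sv no -ts recent | avc_to_allow_rules`. Each printed rule is a permission the module would add permanently; a denial that is really a mislabeled file (fix with restorecon or semanage fcontext) or a port that just needs semanage port should be handled that way instead of being allowed in policy.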

Permissive domains

SFD 1:11:11

semanage permissive -a nrpe_t
semanage permissive -d nrpe_t
semanage permissive -l
  • -a to enable permissive domain
  • -d to disable (no more permissive)
  • -l to list

Turn on SELinux later

  • Set SELINUX=permissive in /etc/selinux/config
  • touch /.autorelabel (relabels the whole filesystem on the next boot)
  • Reboot
  • Set SELINUX=enforcing in /etc/selinux/config

Graphical tools

yum -y install xorg-x11-xauth policycoreutils-gui bitmap-fixed-fonts

Then SSH into the box

ssh -Y root@mybox
system-config-selinux

Look for unconfined daemons

SFD 1:15:18

ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{print $NF }'
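The pipeline above keys on the initrc_t domain. As an added example (not code from the gist), this shell function reads `ps -eZ` output and reports processes whose domain is initrc_t, and goes one step further by also reporting unconfined_service_t, the domain newer targeted policies assign to services that have no policy module of their own. The SAMPLE_PS text and the legacyd and vendor-agent process names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original gist): list daemons running without
# their own SELinux domain, from `ps -eZ` output. Besides initrc_t it also
# reports unconfined_service_t, which newer targeted policies use for
# services that have no policy module.

# Constructed sample of `ps -eZ` output; process names are made up.
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:03 systemd
system_u:system_r:httpd_t:s0      812 ?        00:00:01 httpd
system_u:system_r:initrc_t:s0     900 ?        00:00:00 legacyd
system_u:system_r:unconfined_service_t:s0 915 ?  00:00:00 vendor-agent
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1200 pts/0 00:00:00 bash'

# Read ps -eZ output on stdin; print "<domain> <command>" for each process
# whose domain (third field of the security label) is an unconfined one.
# Interactive shells in unconfined_t are deliberately not reported.
unconfined_daemons() {
  awk 'NR > 1 {
    split($1, ctx, ":")          # user:role:type:level
    d = ctx[3]
    if (d == "initrc_t" || d == "unconfined_service_t") print d, $NF
  }'
}

# Convenience wrapper over the constructed sample.
sample_unconfined_daemons() {
  printf '%s\n' "$SAMPLE_PS" | unconfined_daemons
}

sample_unconfined_daemons
```

On a real system run `ps -eZ | unconfined_daemons`. Anything it lists is a service that SELinux is not confining; the fix is a policy module for it (see the audit2allow steps above), not a boolean.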

More info
