From Security-Enhanced Linux for mere mortals and SELinux For Dummies
All as root.
yum -y install setroubleshoot setroubleshoot-server
service auditd restart
journalctl -b -0
SFD
ausearch -i -m AVC,USER_AVC -sv no -ts recent
  -m AVC,USER_AVC   message type: Access Vector Cache denials (kernel AVC and userspace USER_AVC)
  -i                interpret them (numeric ids and timestamps made readable)
  -sv no            only failed events (success=no), don't care about the positive ones
  -ts recent        last 5 minutes
Also: -se prelude_manager_t to search by subject (source) context type, here prelude_manager_t.
setsebool httpd_enable_homedirs 1 -P
  httpd_enable_homedirs   the boolean to set
  1                       is true
  -P                      makes it permanent (survives reboot)
semanage boolean -l
getsebool -a
SFD
semanage port -a -t http_port_t -p tcp 8080
cat /etc/selinux/targeted/modules/active/boolean.local
chcon -u system_u -r object_r -t httpd_sys_content_t /var/www/html/index.html
In targeted policy, only -t (the type) matters.
chcon --reference /var/www/html/ /var/www/html/index.html
Reset an entire dir to its default contexts:
restorecon -vR /var/www/html/
  -v   verbose
  -R   recursively
Defaults come from /etc/selinux/targeted/contexts/files/file_contexts.
E.g., add /foo/bar as a web DocumentRoot.
ls -ldZ /var/www/html/
semanage fcontext -a -t httpd_sys_content_t "/foo(/.*)?"
restorecon -vR /foo
Or copy the mapping from a known-good path (make /foo equivalent to /var/www/html):
semanage fcontext -a -e /var/www/html /foo
restorecon -vR /foo
setenforce 0
  turns off enforcement (permissive mode) but still logs all the denials.
Run the application through everything it needs to do.
Look at the alert:
sealert -l someguid
It will instruct that you should grep the audit log and create a policy for it:
grep httpd /var/log/audit/audit.log | audit2allow -M mypollocal
semodule -i mypollocal.pp
  mypollocal.te   the human-readable policy source
  mypollocal.pp   the compiled policy package to install
SFD 1:07:40
ausearch -i -m AVC -sv no -ts recent -se nrpe_t | audit2allow -m drwho-nrpe > drwho-nrpe.te
checkmodule -M -m -o drwho-nrpe.mod drwho-nrpe.te
semodule_package -o drwho-nrpe.pp -m drwho-nrpe.mod
semodule -i drwho-nrpe.pp
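Before loading anything audit2allow generates (either the -M shortcut above or the checkmodule/semodule_package route), read the denials themselves: audit2allow turns every denial it is fed into an allow rule, including ones that should be fixed with a label or a boolean instead. The following is an added example, not from either talk and not part of the SELinux tools: a POSIX shell/awk triage that summarises ausearch -i style AVC lines (source type, target type, object class, permissions) and flags target types you would never want granted. The AVC lines and the sensitive-type pattern are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage AVC denials before handing them to audit2allow.
# The sample below is constructed to look like `ausearch -i -m AVC` output;
# it is not real audit data.
SAMPLE_AVC='type=AVC msg=audit(01/02/2024 10:00:01.100:101) : avc:  denied  { getattr } for  pid=2001 comm=httpd path=/foo/index.html dev="sda1" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(01/02/2024 10:00:01.105:102) : avc:  denied  { read open } for  pid=2001 comm=httpd path=/foo/index.html dev="sda1" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(01/02/2024 10:00:02.000:103) : avc:  denied  { read } for  pid=2001 comm=httpd name="shadow" dev="sda1" ino=17 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# avc_summary: read AVC lines on stdin, print one line per denial:
#   <source type> <target type> <object class> <permissions>
# The type is the third colon-separated field of a context
# (user:role:type:level), which is all that matters in targeted policy.
avc_summary() {
  awk '
    /avc: *denied/ {
      perms = ""; st = ""; tt = ""; cls = ""
      # permissions are the words between { and }
      if (match($0, /[{][^}]*[}]/)) {
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
      }
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)      { split(substr($i, 10), c, ":"); st = c[3] }
        else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tt = c[3] }
        else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      print st, tt, cls, perms
    }'
}

# avc_flag_sensitive PATTERN: mark summary lines whose target type matches
# PATTERN (an awk regex) so they get reviewed instead of allowed.
avc_flag_sensitive() {
  awk -v pat="$1" '$2 ~ pat { print "REVIEW", $0 }'
}

# Demo: count distinct denials, then flag the ones audit2allow must not see.
printf '%s\n' "$SAMPLE_AVC" | avc_summary | sort | uniq -c
printf '%s\n' "$SAMPLE_AVC" | avc_summary | avc_flag_sensitive 'shadow_t|passwd_file_t'
```

On the constructed sample the first two denials are httpd_t reading a default_t file under /foo, which is a labelling problem (the semanage fcontext / restorecon steps above), not something to allow. The third, httpd_t reading a shadow_t file, is flagged as REVIEW: if it were piped straight into audit2allow the resulting module would let the web server read shadow_t files. Drop lines like that from the input before generating the .te, and read the .te before semodule -i.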
SFD 1:11:11
semanage permissive -a nrpe_t
semanage permissive -d nrpe_t
semanage permissive -l
  -a   add a permissive domain (only that domain is permissive; the rest of the system stays enforcing)
  -d   delete it (no more permissive)
  -l   list permissive domains
To relabel the whole filesystem:
- Set SELINUX=permissive in /etc/selinux/config
- touch /.autorelabel
- Reboot
- Set SELINUX=enforcing in /etc/selinux/config
yum -y install xorg-x11-xauth policycoreutils-gui bitmap-fixed-fonts
Then SSH into the box with X forwarding and run the GUI:
ssh -Y root@mybox
system-config-selinux
SFD 1:15:18
ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{print $NF }'
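The pipeline above lists the command names of every process still running in the initrc_t domain (daemons started by legacy init scripts that have no policy of their own), while filtering out the shell and the tools of the pipeline itself. As an added example, not from either talk, here is the same check written to run over captured ps -eZ output so it can be tested offline and pointed at any domain pattern, plus a per-domain count. The process list is constructed.

```shell
#!/bin/sh
# Added example: find processes by SELinux domain in `ps -eZ` output.
# Constructed sample of `ps -eZ` output (not from a real host).
SAMPLE_PS='LABEL                                          PID TTY          TIME CMD
system_u:system_r:init_t:s0                      1 ?        00:00:03 systemd
system_u:system_r:httpd_t:s0                   812 ?        00:00:00 httpd
system_u:system_r:initrc_t:s0                  905 ?        00:00:00 legacy-daemon
system_u:system_r:initrc_t:s0                  906 ?        00:00:00 worker
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1200 pts/0 00:00:00 bash'

# ps_by_domain PATTERN: print "<type> <pid> <cmd>" for processes whose
# domain (third colon-separated field of the context) matches PATTERN
# (an awk regex). The header line is skipped.
ps_by_domain() {
  awk -v pat="$1" '
    NR > 1 {
      split($1, c, ":")
      if (c[3] ~ pat) print c[3], $2, $NF
    }'
}

# ps_domain_counts: how many processes run in each domain, most first.
ps_domain_counts() {
  awk 'NR > 1 { split($1, c, ":"); n[c[3]]++ } END { for (d in n) print n[d], d }' | sort -rn
}

# Demo: the initrc_t stragglers, then the domain breakdown.
printf '%s\n' "$SAMPLE_PS" | ps_by_domain '^initrc_t$'
printf '%s\n' "$SAMPLE_PS" | ps_domain_counts
```

On a live host replace the printf with ps -eZ. Anything reported in initrc_t or unconfined_t is running with far more rights than a confined daemon; either a policy module exists for it and the binary is mislabelled (restorecon it), or it needs one.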