linux perm/group/selinux notes

perms.txt

█▓▒░ PERMISSION THINGS ░▒▓█

chgrp pissgroup file                  | change file's group to pissgroup
chmod 755 directory                   | set r/w/execute for owner, r/execute for group and others on dir
chown username:groupname file         | change owner and group of file
getent group wheel                    | list all users of a group
gpasswd -a username piss              | add user to the group piss (alternative)
gpasswd -d username piss              | remove user from the group piss
groupadd piss                         | create a new group named piss
groupdel piss                         | delete the group named piss
groups username                       | list groups for user
usermod -a -G piss username           | add user to the group piss
usermod -aG wheel username            | add user to wheel group for sudo privileges

0 - no permissions
1 - execute
2 - write
3 - write and execute
4 - read
5 - read and execute
6 - read and write
7 - read, write, and execute

█▓▒░  SELINUX STUFF  ░▒▓█

getenforce   - check current SELinux mode
setenforce 0 - set SELinux into permissive mode (temporarily)
setenforce 1 - set SELinux back to enforcing mode

chcon -Rt httpd_sys_content_t /path/to/webcontent
    - change the SELinux type of web content files (temporary)

restorecon -Rv /home/user/public_html
    - apply SELinux context to file system

semanage fcontext -a -t httpd_sys_content_t '/home/user/public_html(/.*)?'
    - add SELinux context to serve files from home directory

ls -lZ $HOME/proj1
    display selinux context for files and dirs

ps -eZ | grep caddy
    show context under caddy process

█▓▒░ CADDY PERM EXAMPLE ░▒▓█

1. ensure jtm in caddy group
    usermod -a -G caddy jtm

2. set proj1 dir group to jtm or caddy if other users need access
    chgrp -R jtm $HOME/proj1

3. set dir perms for group access
    chmod 750 $HOME/proj1

4. files inside need read by group
    chmod 640 $HOME/proj1/*

5. adjust selinux for httpd service
    semanage fcontext -a -t httpd_sys_content_t "$HOME/proj1(/.*)?"
    restorecon -Rv $HOME/proj1

█▓▒░ GETENV OUTPUT ░▒▓█

$ getent group wheel
 ⮱  wheel:x:10:piss

    wheel - group name
        x - indicates group has password set and stored in a shadow file (/etc/gshadow)
       10 - the numerical group ID (GID) for the wheel group
     piss - The username of a member of the wheel group

 █▓▒░ LS SECURITY CONTEXT ░▒▓█

ls -lZ               | list files with SELinux contexts
ls -ldZ /path/to/dir | display attributes/SELinux context for specified dir only
 ⮱  drwxr-xr-x. 1 jtm jtm unconfined_u:object_r:container_file_t:s0:c537,c936 20 Sep 18 00:25 dir

    drwxr-xr-x.          => file permissions (d=directory, r=read, w=write, x=execute)
    1                    => Number of hard links to the file/directory
    jtm                  => Owner of the file/directory
    jtm                  => Group owner of the file/directory
    [security context, user:role:type:level]
        system_u         => User role in SELinux
        object_r         => Type role in SELinux
        container_file_t => Type for container files in SELinux
    [sensitivity level and category in SELinux Multi-Level Security (MLS)]
        s0:c537,c936
    size
    modification date/time
    crawl => name

    d | directory flag (absent for files)
    r | read permission
    w | write permission
    x | execute/search permission (directories)
    s | setuid/setgid bit (u/g position) + execute bit set; S if not executable.
    t | sticky bit + execute bit set; T if not executable.

    user   | SELinux user identity part of context.
    role   | Role field in context.
    type   | Type field indicating the type of object or domain.
    level  | Sensitivity level and categories for MLS.