SELinux
Security-Enhanced Linux (SELinux) is a security architecture integrated into the 2.6.x kernel using the Linux Security Modules (LSM).
SELinux File System Security / setenforce
# setenforce 0    set SELinux enforcement to permissive
# setenforce 1    set SELinux to enforcing
# getenforce      displays the current level of enforcement
The audit log is: /var/log/audit/audit.log
Stock tools for log analysis: audit2why and audit2allow
# cat /var/log/audit/audit.log
# audit2why < /var/log/audit/audit.log
If the log contains "avc: denied", that record is an SELinux policy denial.
Security context (or security label) of a file (stored as an extended file attribute) can be seen by typing:
# ls -Z filename
Security context is modified with the command 'chcon'. The security context stays the same when a file is moved or renamed.
Security context has 4 fields: [user], [role], [type], and [level]
In targeted policy the user and role components are really not important.
The level field is usually s0
Type Enforcement is the main permission control used in the SELinux targeted policy. For the most part, SELinux users and roles can be ignored.
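As an added example (not part of these notes), a small shell script that pulls the essentials out of "avc: denied" records in the audit log and splits each security context into the four fields described above; the type field is what Type Enforcement decides on, so the last function counts denials per source type, target type and class. The log lines are constructed samples in the auditd format.

```shell
#!/bin/sh
# Constructed sample of audit.log records (two AVC denials, one unrelated line).
AVC_SAMPLE='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="bar.html" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13
type=AVC msg=audit(1700000000.999:457): avc:  denied  { execute } for  pid=1240 comm="httpd" name="test.cgi" dev="dm-0" ino=98766 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=file permissive=0'

# One summary line per denial: permission comm scontext tcontext tclass
summarize_avc() {
    printf '%s\n' "$1" | grep 'avc: *denied' | sed -E \
        's/.*\{ ([^}]*) \} for .*comm="([^"]*)".*scontext=([^ ]*) tcontext=([^ ]*) tclass=([^ ]*).*/\1 \2 \3 \4 \5/'
}

# Print field n (1=user, 2=role, 3=type, 4=level) of a "user:role:type:level"
# context. The level itself may contain ':' under MLS (e.g. s0-s0:c0.c1023),
# so everything after the third colon belongs to the level.
context_field() {
    printf '%s\n' "$1" | awk -F: -v n="$2" '{
        if (n < 4) { print $n }
        else { s = $4; for (i = 5; i <= NF; i++) s = s ":" $i; print s }
    }'
}

# Count denials per (source type, target type, class): the pairs that a
# restorecon, a boolean change or a policy module would have to address.
denial_counts() {
    summarize_avc "$1" | while read -r perm comm sctx tctx tclass; do
        printf '%s %s %s\n' "$(context_field "$sctx" 3)" "$(context_field "$tctx" 3)" "$tclass"
    done | sort | uniq -c | sed -E 's/^ *//'
}

summarize_avc "$AVC_SAMPLE"
denial_counts "$AVC_SAMPLE"
```

On a live system, replace AVC_SAMPLE with `$(cat /var/log/audit/audit.log)` and compare the output with what audit2why reports for the same records.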
SELinux booleans enable runtime customization of the SELinux policy.
# getsebool -a    lists all booleans and their current values
Change the value of a boolean at runtime using the 'setsebool' or 'togglesebool' command. Pass the -P parameter to make the change permanent (it persists after reboot).
# setsebool -P httpd_enable_cgi=0
Disables the ability of the httpd web server to run CGI scripts. httpd_enable_cgi allows the httpd (Apache) web server to run CGI scripts if it is enabled.
# restorecon -rv /var/www/html    restore the default security contexts recursively (verbose)
# ps -Al
# ps aux
# namei -m /usr/local/apache2/htdocs/foo/bar.html
system-config-selinux    (GUI tool for managing SELinux settings)
Example security contexts:
unconfined_u:object_r:home_root_t:s0
system_u:object_r:httpd_sys_content_t:s0