Difference between revisions of "SELinux"

From Free Knowledge Base- The DUCK Project: information for everyone
Jump to: navigation, search
(Created page with " -------------------------------------------------------------------------------- SELinux File System Security / setenforice ---------------------------------------------------...")
 
Line 1: Line 1:
--------------------------------------------------------------------------------
+
--------------------------------------------------------------------------------<BR>
SELinux File System Security / setenforice
+
SELinux File System Security / setenforice<BR>
--------------------------------------------------------------------------------
+
--------------------------------------------------------------------------------
+
 
 
  # setenforce 0 SELinux enforcement to permissive
 
  # setenforce 0 SELinux enforcement to permissive
 
  # setenforce 1 enable
 
  # setenforce 1 enable
Line 36: Line 36:
 
  # setsebool -P httpd_enable_cgi=0
 
  # setsebool -P httpd_enable_cgi=0
 
disable the ability for httpd web server to run cgi scripts.    httpd_enable_cgi allows the httpd (Apache) web server to run cgi scripts if it is enabled.
 
disable the ability for httpd web server to run cgi scripts.    httpd_enable_cgi allows the httpd (Apache) web server to run cgi scripts if it is enabled.
 +
 +
# restorecon -rv /var/www/html
 +
ps -Al
 +
ps aux
 +
 +
namei -m /usr/local/apache2/htdocs/foo/bar.html
 +
 +
system-config-selinux
 +
 +
 +
unconfined_u:object_r:home_root_t:s0
 +
system_u:object_r:httpd_sys_content_t:s0
 +
 +
  
  

Revision as of 10:59, 22 January 2014



SELinux File System Security / setenforice


# setenforce 0		SELinux enforcement to permissive
# setenforce 1		enable

# getenforce		displays level of enforcement

THE AUDIT LOG is: /var/log/audit/audit.log

stock tools for

log analysis: audit2why and audit2allow

# cat /var/log/audit/audit.log
# audit2why < /var/log/audit/audit.log

If the log contains "avc:denied" that means it is a SELinux policy denial.

Security context (or security label) of a file (stored as an extended file attribute) can be seen by typing:

# ls -Z filename

Security context is modfied with the command 'chcon' and security contexts will remain the same regardless of whether a file is moved or renamed.

Security context 4 fields...................................................... [user], [role], [type], and [level]

In targeted policy the user and role component is really not important.

The level field is usually s0

! Type Enforcement is the main permission control used in SELinux targeted policy. For the most part, SELinux users and roles can be ignored.

SELinux booleans enable runtime customization of the SELinux policy.

# getsebool -a command

change the value of a boolean at runtime using the 'setsebool' or 'togglesebool' command. pass -P paramater to make permanent (after reboot).

# setsebool -P httpd_enable_cgi=0	

disable the ability for httpd web server to run cgi scripts. httpd_enable_cgi allows the httpd (Apache) web server to run cgi scripts if it is enabled.

# restorecon -rv /var/www/html
ps -Al
ps aux
namei -m /usr/local/apache2/htdocs/foo/bar.html

system-config-selinux


unconfined_u:object_r:home_root_t:s0 
system_u:object_r:httpd_sys_content_t:s0