Sunday 7 December 2014

SELINUX RHEL6 rhce/rhcsa notes

What is it?
Adds another layer of security to applications, files, processes and so on by denying or allowing access to them.
   
3 Modes

  • disabled: turned off
  • permissive: turned on but only logs selinux warnings without blocking action
  • enforcing : turned on and blocking SELinux security violations
SELinux Context
Each file, directory and service has a context (label) made of 3 fields, which are used in combination with booleans to permit an action or allow a service to run.
  • user:
    • unconfined_u : unprotected user
    • system_u : system user
    • normal_u : normal user
  • role :
    • object_r : file
    • system_r : users and processes
  • type (also called domain):
    • unconfined_r  : unprotected file or processes
  • multi-level (MLS; in RHEL6 it represents the sensitivity level of an object such as a file or directory)
Changing file SeLinux Context
chcon -u <user context> <filename>
chcon -r <role context> <filename>
chcon -t <type context> <filename>

To make the change persist across a filesystem relabel, record it in the policy with semanage and then apply it with restorecon (semanage fcontext takes the SELinux user with -s, not -u, and has no role option: files always get object_r; its -r is the MLS range).
#semanage fcontext -a -s <user context> -t <type context> "<file or path regex>"
#restorecon -R -v <file>|<directory>

Resetting file SeLinux Context
restorecon -F <filename>

View files/directories SeLinux context
  • ls -Z / ps -Z
Query SeLinux Boolean for a process
getsebool -a | grep <process>

Get a boolean description
semanage boolean -l | grep <process>

Getting and Setting Boolean status
getsebool <boolean name>
setsebool [-P] <boolean name> on|off    (-P makes the setting permanent)

SELinux Troubleshooting
packages to install for troubleshooting
  # yum -y install policycoreutils* selinux-policy setroubleshoot-server

commands to look for errors
 # grep "is preventing" /var/log/messages
 # grep "denied" /var/log/audit/audit.log 
 # sealert -a /var/log/audit/audit.log
Get more details on an error by using the ID attached to it:
 # sealert -l <ID from /var/log/messages>
When a denial occurs on the system, the "SELinux is preventing" entry in /var/log/messages ends with "run sealert -l <ID>"; that ID identifies the full report for the denial.
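As an added example (not part of the original notes), here is a small sh script for triaging AVC denials when setroubleshoot/sealert is not available: it groups the "denied" lines from audit.log by process, source type, target type, object class and permission, which is usually enough to decide whether a boolean, a relabel or a policy bug is involved. The audit lines in it are constructed samples, not output from a real system.

```shell
#!/bin/sh
# Added example (not part of the original notes): quick triage of AVC denials
# from /var/log/audit/audit.log without sealert. Groups denials by process,
# source type, target type, class and permission.

# Constructed sample audit lines (not captured from a real system).
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1417910400.123:101): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=dm-0 ino=5678 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1417910400.123:101): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1417910401.456:102): avc:  denied  { read } for  pid=1235 comm="httpd" name="style.css" dev=dm-0 ino=5679 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1417910402.789:103): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# summarize_denials: read audit lines on stdin and print
#   "<count> <comm> <source type> -> <target type> <tclass> <permission>"
# sorted by count, highest first. The type is the third field of a
# user:role:type:level context, so split on ":" and take element 3.
summarize_denials() {
  grep -E 'avc: +denied' | awk '{
    perm = comm = st = tt = tc = "?"
    if (match($0, /[{] [^}]* [}]/))   perm = substr($0, RSTART + 2, RLENGTH - 4)
    if (match($0, /comm="[^"]*"/))    comm = substr($0, RSTART + 6, RLENGTH - 7)
    if (match($0, /scontext=[^ ]+/))  { split(substr($0, RSTART + 9, RLENGTH - 9), a, ":"); st = a[3] }
    if (match($0, /tcontext=[^ ]+/))  { split(substr($0, RSTART + 9, RLENGTH - 9), b, ":"); tt = b[3] }
    if (match($0, /tclass=[^ ]+/))    tc = substr($0, RSTART + 7, RLENGTH - 7)
    n[comm " " st " -> " tt " " tc " " perm]++
  } END { for (k in n) print n[k], k }' | sort -rn
}

# On a real host: summarize_denials < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_denials
```

The two home-directory reads collapse into one line with count 2 (a relabel or httpd_enable_homedirs question), while the port connect stands out separately (a httpd_can_network_connect_db question).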

Other Commands
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

matchpathcon (tells you what the label of a file should be, according to the policy's file-context rules for its path)
matchpathcon -V /etc/init.d/my-httpd 
/etc/init.d/my-httpd has context unconfined_u:object_r:initrc_exec_t:s0, should be system_u:object_r:httpd_initrc_exec_t:s0

$ restorecon -v -F /etc/init.d/my-httpd 
restorecon reset /etc/rc.d/init.d/my-httpd context unconfined_u:object_r:initrc_exec_t:s0->system_u:object_r:initrc_exec_t:s0

$ matchpathcon -V /etc/init.d/my-httpd 
/etc/init.d/my-httpd has context system_u:object_r:initrc_exec_t:s0, should be system_u:object_r:httpd_initrc_exec_t:s0
To get more commands about SELinux
apropos selinux


Thursday 6 November 2014

disable PXE boot on vSphere client's VM (how to disable PXE boot in the vSphere client)

When you import your ISO file in the vSphere client and start booting the VM, you see a PXE boot that fails and displays "system not found". Here is a way to solve the issue.
When you put an ISO in the CD drive in vSphere, the VM starts with a PXE boot and the install fails. Here is how to solve it.


Right Click on VM -> Edit Settings -> Hardware -> Click on CD/DVD -> power on startup
Right-click the VM --> Edit Settings --> Hardware --> select CD/DVD drive 1 --> Connect at power on