What is it?
SELinux adds another layer of security to applications, files, processes and so on by denying or allowing access to them.
3 Modes
- disabled: turned off
- permissive: turned on, but only logs SELinux warnings without blocking the action
- enforcing: turned on and blocking SELinux security violations
Contexts (labels)
Each file, directory and service has a context made of 3 parts (labels), which are used in combination with booleans to permit an action or a service to run.
- user:
  - unconfined_u : unprotected user
  - system_u : system user
  - normal_u : normal user
- role:
  - object_r : file
  - system_r : users and processes
- type (also called domain):
  - unconfined_t : unprotected file or process
- multi-level (used in RHEL 6): represents the sensitivity level of an object (file/directory)
Changing file SELinux context (temporary: lost when the file system is relabeled)
chcon -u <user context> <filename>
chcon -r <role context> <filename>
chcon -t <type context> <filename>
To keep the changes permanent even if the file system is relabeled, record the rule in the policy and then apply it:
# semanage fcontext -a -u <user context> -r <role context> -t <type context> <file>
# restorecon -R -v <file>|<directory>
Resetting file SELinux context to the policy default
restorecon -F <filename>
View files/directories/processes SELinux context
ls -Z / ps -Z
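The user:role:type:level structure of a label, and the "does this file carry the type it should?" question behind chcon/restorecon, are easiest to see on real `ls -Z` output. The script below is an added example, not part of the original notes: it splits labels into their fields and reports files under a directory whose type is not in an expected list. The `ls -Z` lines and the expected types are constructed for the example (an unexpected type such as user_home_t under a web root is the classic case where restorecon, or a semanage fcontext rule, is needed).

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): inspect SELinux labels of the
# form user:role:type:level as printed by `ls -Z` / `ps -Z` and flag files
# whose type is not one the administrator expects for that directory.

# Split a context into "user role type level"; older policies print no
# level field, so print "-" in that case to keep the field count stable.
split_context() {
    printf '%s\n' "$1" | awk -F: '{print $1, $2, $3, ($4 == "" ? "-" : $4)}'
}

# Return only the type (domain) field of a context.
context_type() {
    printf '%s\n' "$1" | awk -F: '{print $3}'
}

# Constructed `ls -Z`-style listing (RHEL 6 format: context, then path).
# upload.php carries user_home_t, i.e. it was copied from a home directory.
SAMPLE_LS_Z='system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
unconfined_u:object_r:user_home_t:s0 /var/www/html/upload.php
system_u:object_r:httpd_config_t:s0 /etc/httpd/conf/httpd.conf'

# Print "path type" for each file under a prefix whose type is not allowed.
# $1 = ls -Z output, $2 = directory prefix, $3 = space-separated allowed types
find_mislabeled() {
    listing="$1"; prefix="$2"; allowed="$3"
    printf '%s\n' "$listing" | while read -r ctx path; do
        [ -n "$path" ] || continue
        case "$path" in "$prefix"*) ;; *) continue ;; esac
        type=$(context_type "$ctx")
        case " $allowed " in
            *" $type "*) ;;                      # expected label, nothing to report
            *) printf '%s %s\n' "$path" "$type" ;;
        esac
    done
}

# Number of mislabeled files, handy as an exit-status style check in scripts.
count_mislabeled() {
    find_mislabeled "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Stand-alone run: on a real host replace SAMPLE_LS_Z with `ls -Z /var/www/html`.
find_mislabeled "$SAMPLE_LS_Z" /var/www/html 'httpd_sys_content_t httpd_sys_rw_content_t'
```

Anything the script reports is a candidate for `restorecon -v <file>` (if the policy already knows the right type for that path, as `matchpathcon` will confirm) or for a `semanage fcontext` rule followed by `restorecon` (if it does not).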
Query SELinux booleans for a process
getsebool -a | grep <process>
Get a boolean description
semanage boolean -l | grep <process>
Getting and setting boolean status
getsebool <boolean name>
setsebool [-P] <boolean name> on|off   (-P makes the change permanent across reboots)
SELinux Troubleshooting
Packages to install for troubleshooting:
# yum -y install policycoreutils* selinux-policy setroubleshoot-server
Commands to look for errors:
# grep "is preventing" /var/log/messages
# grep "denied" /var/log/audit/audit.log
# sealert -a /var/log/audit/audit.log
When a denial occurs, setroubleshoot writes a message about the affected service to /var/log/messages with an ID attached; use that ID to get more details on the error:
# sealert -l <ID from /var/log/messages>
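Grepping for "denied" finds the raw AVC records, but triage means reading the fields inside them: which source domain (scontext) was denied which permission on which target type (tcontext) and object class (tclass). The script below is an added example, not part of the original notes or of the setroubleshoot tooling: it reduces constructed audit.log lines to one summary line per denial, counts the distinct (source, target, class) combinations that each need a decision (relabel, boolean, or policy module), and pulls out the audit event IDs. The sample log lines are constructed; the `ausearch` mention assumes the audit package is installed.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): summarize AVC denials from
# audit.log-style records. The log lines below are constructed for this example.

SAMPLE_AUDIT='type=AVC msg=audit(1363369999.134:91): avc:  denied  { read } for  pid=2341 comm="httpd" name="upload.php" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1363370001.201:92): avc:  denied  { getattr } for  pid=2341 comm="httpd" path="/var/www/html/upload.php" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1363370005.777:93): avc:  denied  { name_connect } for  pid=2341 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1363370005.777:93): arch=c000003e syscall=42 success=no exit=-13'

# One line per denial: "source_type target_type tclass permission comm".
# The type is the third colon-separated field of a context (see Contexts above).
avc_summary() {
    printf '%s\n' "$1" | grep 'avc:  denied' | awk '{
        perm = ""; src = ""; tgt = ""; cls = ""; c = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") perm = $(i + 1)          # permission inside { ... }
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], s, ":"); src = s[3] }
            if (kv[1] == "tcontext") { split(kv[2], t, ":"); tgt = t[3] }
            if (kv[1] == "tclass")   cls = kv[2]
            if (kv[1] == "comm")     { c = kv[2]; gsub(/"/, "", c) }
        }
        print src, tgt, cls, perm, c
    }'
}

# Distinct (source, target, class) triples: each one usually maps to a single
# fix, so this is a better measure of work than the raw denial count.
avc_distinct_triples() {
    avc_summary "$1" | awk '{print $1, $2, $3}' | sort -u | wc -l | tr -d ' '
}

# Audit event IDs (the number after the colon in msg=audit(...)), which
# `ausearch -a <id>` accepts; note this is not the sealert UUID from
# /var/log/messages that `sealert -l` expects.
avc_event_ids() {
    printf '%s\n' "$1" | grep 'avc:  denied' |
        sed -n 's/.*msg=audit([0-9.]*:\([0-9]*\)).*/\1/p'
}

# Stand-alone run: on a real host replace SAMPLE_AUDIT with
# "$(grep denied /var/log/audit/audit.log)".
avc_summary "$SAMPLE_AUDIT"
```

In the constructed sample the first two denials share one triple (httpd_t reading a user_home_t file), which points at a mislabeled file and is fixed with restorecon, while the third (httpd_t connecting to mysqld_port_t) is the kind of access that a boolean typically governs; `semanage boolean -l | grep httpd` is the place to look for it.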
Other Commands
# sestatus (shows whether SELinux is enabled, the current mode and the loaded policy)
# matchpathcon <path> (tells you what the label of the file should be, based on the policy rule for that path)
# apropos selinux (lists the SELinux-related man pages)
Example: sestatus
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
Example: matchpathcon -V compares the current label of a file with the one the policy expects
$ matchpathcon -V /etc/init.d/my-httpd
/etc/init.d/my-httpd has context unconfined_u:object_r:initrc_exec_t:s0, should be system_u:object_r:httpd_initrc_exec_t:s0
$ restorecon -v -F /etc/init.d/my-httpd
restorecon reset /etc/rc.d/init.d/my-httpd context unconfined_u:object_r:initrc_exec_t:s0->system_u:object_r:initrc_exec_t:s0
$ matchpathcon -V /etc/init.d/my-httpd
/etc/init.d/my-httpd has context system_u:object_r:initrc_exec_t:s0, should be system_u:object_r:httpd_initrc_exec_t:s0
Note that restorecon only fixed the user part and applied the generic initrc_exec_t type, so the file still does not match what matchpathcon expects; for a custom path like this one, a semanage fcontext rule for the path has to be added before restorecon can set the httpd_initrc_exec_t type.