SELinux's basic config file
SELinux's basic configuration file is /etc/selinux/config, shown below. If you want a change to persist across reboots, edit this file. (A temporary change is made with # setenforce 0, which switches to permissive mode until the next reboot.)
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
SELINUX=enforcing
Mandatory Access Control is enforced by SELinux, and denials are logged to "/var/log/audit/audit.log".
SELINUX=permissive
Access is not denied even when no allow rule exists, but the would-be denial is still logged to "/var/log/audit/audit.log".
SELINUX=disabled
SELinux does no Mandatory Access Control, and files get no security context.
SELINUXTYPE=targeted
Many processes are covered by SELinux rules and have their actions restricted.
SELINUXTYPE=minimum
Only a few processes are covered by SELinux rules and restricted; most other processes are not confined.
SELINUXTYPE=mls
In addition to the targeted rules, users' roles also take part in the access control rules. (Rarely used because of its difficulty.)
Other SELinux settings are also stored under the /etc/selinux directory.
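As an added example (not part of the original page), the following POSIX shell script reads a file in the /etc/selinux/config format above and reports whether SELINUX= and SELINUXTYPE= hold one of the documented values, so a typo is caught before the reboot that would apply it. The function names and the sample file contents it writes are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: validate an /etc/selinux/config-style
# file before rebooting. Function names and sample contents are constructed.

# Print the value of KEY (e.g. SELINUX or SELINUXTYPE) from FILE.
# Commented and blank lines are ignored; if the key appears twice, the last wins.
selinux_config_get() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" "$1" | tail -n 1
}

# Print the mode the file will apply: enforcing, permissive, disabled, or "invalid".
selinux_config_mode() {
    mode=$(selinux_config_get "$1" SELINUX)
    case "$mode" in
        enforcing|permissive|disabled) printf '%s\n' "$mode" ;;
        *) echo invalid ;;
    esac
}

# Return 0 when both keys hold a documented value, 1 otherwise (reason on stderr).
# A misspelled SELINUXTYPE= names a policy directory that does not exist under
# /etc/selinux, so it deserves the same check as SELINUX=.
selinux_config_check() {
    mode=$(selinux_config_get "$1" SELINUX)
    type=$(selinux_config_get "$1" SELINUXTYPE)
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "SELINUX=$mode is not enforcing, permissive or disabled" >&2; return 1 ;;
    esac
    case "$type" in
        targeted|minimum|mls) ;;
        *) echo "SELINUXTYPE=$type is not targeted, minimum or mls" >&2; return 1 ;;
    esac
}

# Stand-alone demonstration on two constructed files: one valid, one with a typo.
selinux_config_demo() {
    good=$(mktemp); bad=$(mktemp)
    printf '# SELINUX= can take one of these three values:\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$good"
    printf 'SELINUX=enforcng\nSELINUXTYPE=targeted\n' > "$bad"
    echo "good file mode: $(selinux_config_mode "$good")"
    selinux_config_check "$good" && echo "good file: ok"
    selinux_config_check "$bad" || echo "bad file: rejected"
    rm -f "$good" "$bad"
}

selinux_config_demo
```

Run it against the real file with selinux_config_check /etc/selinux/config before rebooting; the sed pattern anchors on the start of the line, so the commented "# SELINUX= can take ..." lines in the real file are not mistaken for settings.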
Display policy settings
Install the package for SELinux settings
To display, add or delete SELinux settings, first install the following package.
# yum -y install setools-console
List SELinux file context definition rules
The context given to a newly created file or directory is determined by these definition rules and by the path where the file or directory is created.
The definition rules are displayed with the following command.
Note that the context actually assigned to a file does not necessarily match the rules. If you mv a file from somewhere else, its context is not changed, and you can temporarily change the context with the "chcon" command.
You can check a file's context with the "ls -Z" command.
The command that restores the context according to the rules is the following.
List SELinux Access Vector policy
# sesearch --neverallow
# sesearch --auditallow
# sesearch --dontaudit
"allow" means "permit and do not log".
"neverallow" means "deny and log at audit.log".
"auditallow" means "permit and log at audit.log".
"dontaudit" means "deny and do not log".
List SELinux boolean settings
A boolean is a named group of policy rules that together achieve one purpose. The command that displays the booleans is the following.
A frequently used boolean is "httpd_can_network_connect". It allows a web application (php/cgi) to make network connections such as sending mail or reaching LDAP and database servers, which the default SELinux settings deny.
Check the settings.
If you want to check the detailed rules behind this boolean, use the following command.
List SELinux's Class and Permission
List SELinux's type defined
List SELinux's locally added settings (modules excluded)
List file context rules
-a = add a rule.
-t = the type to assign.
-f = the file type the rule applies to; "a" means all file types.
You can check the settings you have made.
boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
fcontext -a -f a -t httpd_user_content_t '/home/[^/]+/contents(/.*)?'
[root@localhost ~]#
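To see how a file-context rule like the one above decides the label of a path, here is an added example (not part of the original page): a POSIX shell function that takes rules in the "semanage export" format, matches a path against each regex, and reports the type the path would receive. The rule set, the sample paths and the function names are constructed; the three home directory rules are stand-ins for the distribution's own.

```shell
#!/bin/sh
# Added example, not from the original page: show which file-context rule a path
# would get at relabel time. The rule set, paths and function names are constructed;
# the line format follows the "semanage export" output shown on this page.

# Constructed rule set in "semanage export" format. The regex is the quoted tail,
# the type follows -t. The -f field (file type filter) is ignored here.
FCONTEXT_RULES='fcontext -a -f a -t home_root_t "/home"
fcontext -a -f a -t user_home_dir_t "/home/[^/]+"
fcontext -a -f a -t user_home_t "/home/[^/]+/.*"
fcontext -a -f a -t httpd_user_content_t "/home/[^/]+/contents(/.*)?"'

# Print the type of the rule that labels PATH, or "<<none>>" when no rule matches.
# Each regex must match the whole path, and when several rules match, the last
# one in the list wins (mirroring file_contexts, where the last matching entry is
# used), which is why the specific contents(/.*)? rule sits after the generic ones.
fcontext_lookup() {
    printf '%s\n' "$FCONTEXT_RULES" | awk -v path="$1" '
        {
            type = ""
            for (i = 1; i < NF; i++) if ($i == "-t") type = $(i + 1)
            q = index($0, "\"")                 # regex starts after the first quote
            re = substr($0, q + 1)
            re = substr(re, 1, length(re) - 1)  # and ends before the closing quote
            if (type != "" && path ~ ("^" re "$")) last = type
        }
        END { if (last == "") last = "<<none>>"; print last }'
}

# Stand-alone demonstration over a few constructed paths.
fcontext_demo() {
    for p in /home /home/alice /home/alice/notes.txt /home/alice/contents \
             /home/alice/contents/index.html /var/www; do
        echo "$p -> $(fcontext_lookup "$p")"
    done
}

fcontext_demo
```

The useful check this gives a defender is the difference between what the rules say and what a file actually carries: compare fcontext_lookup's answer with "ls -Z" on the real file, and a mismatch means the file was moved or chcon'd and a relabel will change its context.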
Delete a context definition rule
Add a port definition
If you want to change ssh's tcp port from 22 to 10022, you could add a permit rule, but ordinarily that is difficult. Alternatively, you can add the port to the ssh_port_t type that is already defined.
Check the settings.
boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
port -a -t ssh_port_t -p tcp 10022
[root@localhost ~]#
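The practical failure mode here is an sshd "Port" that was added to sshd_config without the matching port definition: in enforcing mode the policy denies sshd the bind. As an added example (not part of the original page), the following POSIX shell script cross-checks every Port line of an sshd_config against the ports listed for ssh_port_t in the layout that "semanage port -l" prints. The port list, the sshd_config fragment and the function names are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: verify that every port sshd is
# configured to listen on is labelled ssh_port_t. The port list and the
# sshd_config below are constructed, in the layout "semanage port -l" prints.

# Constructed "semanage port -l" output (type, protocol, then ports or ranges).
SEMANAGE_PORT_LIST='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
mongod_port_t                  tcp      27017-27019, 28017-28019
ssh_port_t                     tcp      10022, 22'

# Constructed sshd_config fragment: 2222 was added without a semanage port rule.
SSHD_CONFIG='# constructed sshd_config
Port 22
Port 10022
Port 2222
ListenAddress 0.0.0.0'

# port_is_labelled TYPE PROTO PORT: return 0 when PORT lies in one of the
# numbers or lo-hi ranges listed for TYPE/PROTO, 1 otherwise.
port_is_labelled() {
    printf '%s\n' "$SEMANAGE_PORT_LIST" | awk -v type="$1" -v proto="$2" -v port="$3" '
        $1 == type && $2 == proto {
            for (i = 3; i <= NF; i++) {
                item = $i; sub(/,$/, "", item)            # strip the list separator
                n = split(item, r, "-")                   # "lo-hi" or a single number
                lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# Print each "Port" value from the sshd_config text given as $1 that is not
# labelled ssh_port_t/tcp; prints nothing when the configuration is consistent.
sshd_unlabelled_ports() {
    printf '%s\n' "$1" | awk 'tolower($1) == "port" { print $2 }' | while read -r p; do
        port_is_labelled ssh_port_t tcp "$p" || echo "$p"
    done
}

# Stand-alone demonstration on the constructed data.
missing=$(sshd_unlabelled_ports "$SSHD_CONFIG")
if [ -n "$missing" ]; then
    echo "ports in sshd_config without ssh_port_t label: $missing"
else
    echo "all sshd ports are labelled ssh_port_t"
fi
```

On a real host, replace the two constructed strings with the output of semanage port -l and the contents of /etc/ssh/sshd_config; any port the script prints is one that still needs a semanage port -a -t ssh_port_t -p tcp rule like the one shown above.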