SELinux basic config, list Contexts and Rules, add and delete parameters. | SEの道標
SELinux

SELinux basic config, list Contexts and Rules, add and delete parameters.

SELinux's basic config file

SELinux's basic configuration file is following. If you want to persistent after reboot, you should edit this file. (Temporary change is done with # setenforce=0 )

# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

SELINUX=enforcing

Do Mandatory Access Control by SELinux with logging at "/var/log/audit/audit.log".

SELINUX=permissive

Do not deny even if allow rule does not exist but logging at "/var/log/audit/audit.log".

SELINUX=disabled

Do not Mandatory Access Control by SELinux. There is no context in files.

SELINUXTYPE=targeted

A lot of processes are defined in SELinux rules and are forced to limit the action.

SELINUXTYPE=minimum

A few processes are defined in SELinux rules and are forced to limit the action. Other many processes are not limited.

SELINUXTYPE=mls

Adding to the targeted rule, user's roles are also in Access Control Rules.(rarely used because of difficulty.)

Other SELinux settings are also in /etc/selinux directory.

Display policy settings

Install the package for SELinux settings

In order to display/add/delete SELinux setting, you first install the following package.

# yum -y install policycoreutils-python
# yum -y install setools-console

List SELinux file context definition rules

The context set to new file/dir is determined by this definition rules and path where the file/dir is created.

The definition rules are displayed with following command.

# semanage fcontext -l

Note that context allocated to a file is not necessarily matched with the rules. If you mv the file from somewhere, the context is not changed, and you can temporaly change context with "chcon" command.

yon can check the file's context with "ls -Z" command.

And, the command which restore the context out of the rules correctly is following.

# restorecon -RFv

List SELinux Access Vector policy

# sesearch --allow
# sesearch --neverallow
# sesearch --auditallow
# sesearch --dontaudit

"allow" means "permit and do not log".

"neverallow" means "deny and log at audit.log".

"auditallow" means "permit and log at audit.log".

"dontaud" means "deny and do not log".

List SELinux boolean settings

boolean is the aggregation of poliy sets to achieve an purpose. the command displaying the booleans is following.

# getsebool -a

The boolean frequently used is "httpd_can_connec_network_connect". This boolean can allow WebApp to network connect like send mail, and ldap, and database with php/cgi, which is denied by default settings of SELinux.

# setsebool -P httpd_can_connec_network_connect on

Check the settings.

# getsebool httpd_can_network_connect

If you want to check the detail rules of this boolean, you can use following command.

# sesearch -b httpd_can_network_connect

List SELinux's Class and Permission

# seinfo -x -c

List SELinux's type defined

# seinfo -t

List SELinux's adding parameters (excluded module)

# semanage export

List file context rules

# semanage fcontext -a -t httpd_user_content_t -f a '/home/[^/]+/contents(/.*)?'

-a = add rule.

-t = select type

-f = select file type. "a" means all files.

you can check the settings you had done.

# semanage export
boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
fcontext -a -f a -t httpd_user_content_t '/home/[^/]+/contents(/.*)?'
[root@localhost ~]#

delete context define rules

# semanage fcontext -d '/home/[^/]+/contents(/.*)?'

Add port define setting

If you want to change ssh's tcp port 22 to 10022, you can add permit rule. But ordinary it is difficult. alternatively, you can add the definition with ssh_port_t type already defined.

# semanage port -a -t ssh_port_t -p tcp 10022

Check the settings.

# semanage export
boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
port -a -t ssh_port_t -p tcp 10022
[root@localhost ~]#

コメント

Copied title and URL