Lot of admin turn SELinux off because it looks complicated. Here is a cheat sheet to make your life easier
Two important documentations about Selinux can be found here:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/index.html
—————————————————————————–
If you work on Centos or Redhat, install the following packages on your system:
setroubleshoot.noarch : Helps troubleshoot SELinux problems
setroubleshoot-plugins.noarch : Analysis plugins for use with setroubleshoot
setroubleshoot-server.noarch : SELinux troubleshoot server
[root@client1 ~]# yum install setroubleshoot
Start the setroubleshootd daemon:
[root@client1 ~]#setroubleshootd
—————————————————————————–
Get the status of selinux:
[root@client1 ~]#sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
Check for permissive or enforcing mode:
[root@client1 ~]#getenforce
If you get back a 1 selinux is turned on if you get back a 0 its turned off.
Switch selinux modes from permissive to enforcing and back:
[root@client1 ~]#setenforce 1 (will set enforcing mode)
[root@client1 ~]#setenforce 0 (will set permissive mode)
—————————————————————————–
Selinux AVC Log files:
All selinux logs can be found in /var/log/audit/audit.log
SELinux logfiles looks very crytpy without the tool sealert. Here an extract of the log without and with the command sealert:
[root@client1 ~]#less /var/log/audit/audit.log
type=DAEMON_START msg=audit(1304542876.396:4843): auditd start, ver=1.7.18 format=raw kernel=2.6.18-238.el5 auid=4294967295 pid=2553 subj=system_u:system_r:auditd_t:s0 res=success
type=CONFIG_CHANGE msg=audit(1304542876.570:4): audit_enabled=1 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
[root@client1 ~]# sealert -a /var/log/audit/audit.log | less
found 1 alerts in /var/log/audit/audit.log
——————————————————————————–
Summary:
SELinux is preventing nagios (nagios_t) “getattr” to /var/nagios/objects.cache
(var_t).
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]
SELinux denied access requested by nagios. It is not expected that this access
is required by nagios and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /var/nagios/objects.cache,
restorecon -v ‘/var/nagios/objects.cache’
If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access – see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
—————————————————————————–
SELinux bool variables:
Each service has its own ruleset. The Selinux bools can be found with the command getsebool
Here and example for the httpd service
[root@client1 ~]# getsebool -a | grep httpd
allow_httpd_anon_write –> off
allow_httpd_sys_script_anon_write –> off
httpd_builtin_scripting –> on
httpd_can_network_connect –> off
httpd_can_network_connect_db –> off
httpd_can_network_relay –> off
httpd_can_sendmail –> on
If you would start the apache server you would not be able to connect to it, because the httpd_can_network_connect is turned off.
Set sebool to on:
[root@client1 ~]# setsebool -P httpd_can_network_connect =on
Now you are able to start the apache server and connect to it.
Selinux Manpage
[root@client1 ~]#man httpd_selinux
—————————————————————————–
Restore default security context of files or directories (File labeling):
Check filecontext:
[root@client1 ~]# ls -Z
drwxr-xr-x root root root:object_r:httpd_sys_content_t nagvis
drwxr-xr-x root root root:object_r:httpd_sys_content_t nconf
[root@client1 ~]# restorecon -v /var/www/html/index.html
[root@client1 ~]# restorecon -Rv /var/www/html/index.html
To check if a restore is needed:
[root@client1 ~]# restorecon -Rv -n /var/www/html
Set new security context not persistent:
[root@client1 ~]# chcon -Rv –type=httpd_sys_content_t /html
Set new security context not persistent:
[root@client1 ~]# semanage fcontext -a -t httpd_sys_content_t “/html(/.*)?”
—————————————————————————–
Open non standard ports for httpd service:
[root@client1 ~]# semanage port -a -t http_port_t – p tcp 81
List all the ports managed permitted by selinux
[root@client1 ~]# semanage port -l
—————————————————————————–
Create selinux rule:
[root@client1 ~]# grep security_context_t /var/log/audit/audit.log | audit2allow -m nagios1 > nagios.te
now review the rules in the .te file.
Create selinux module:
[root@client1 ~]# grep security_context_t /var/log/audit/audit.log | audit2allow -M nagios1
Install the module:
[root@client1 ~]# semodule -i nagios1.pp
REFERENCES
http://www.salsaunited.net/blog/?p=89
My Blog List
-
How to configure AWS SES with Postfix MTA on Debian Linux - [image: See all Amazon AWS web services related articles/faq] AWS SES (Amazon Simple Email Service) is a cloud-based email-sending service that is both rel...4 days ago
-
A Closer Look at Remote Peering: Technologies and Techniques - In the realm of digital communication, the significance of efficient internet traffic exchange has escalated with the surge in global cloud content. With...2 weeks ago
-
PaloAlto init-cfg.txt Bootstrap Config file Layout with Examples - When you install and configure the PaloAlto firewall, when the firewall boots up for the first time, it does the bootstrapping process. PaloAlto uses the s...1 year ago
-
Clusterssh – Administer multiple ssh or rsh shells simultaneously - Sponsored Link The command opens an administration console and an xterm to all specified hosts. Any text typed into the administration console is replicate...3 years ago
-
Web Application Vulnerability Scanning Tools - Web Application Vulnerability Scanning Tools Nessus http://www.tenable.com/products/nessus PortSwigger https://portswigger.net/ qualys https://www.qualys....5 years ago
-
What You Don’t Know About Linux Open Source Could Be Costing to More Than You Think - Guest post by Marc Fisher If you would like to test out Linux before completely switching it as your everyday driver, there are a number of means by which ...6 years ago
-
Resolving Sysprep problems with App-X packages (Part 1) - This is the first of two articles explaining how to fix systems that won't Sysprep if Windows Native/App-X applications have been removed and Windows patches.6 years ago
-
V2V Communications security considerations - The future of vehicles, road infrastructure and driving are changing. We are progressing with vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) ...6 years ago
-
10 UNIX / Linuz Size Command Examples for ObjectFiles - Linux size is part of GNU binutils. This utility is very helpful for programmers to analyze the data from the executable files (or object files). By defaul...9 years ago
-
Updating VMware Tools on Red Hat Enterprise/Scientific/CentOS Linux 6 for VMware ESXi 5 - In a previous post I discussed installing the open source VMware tools for Red Hat Enterprise/Scientific/CentOS Linux 6 from a yum package repository provi...12 years ago
