Basic SELinux Policy

#To see context
ls -Z

#To see selinux status
sestatus

#To switch SELinux into Permissive mode on the fly for debugging (denials are logged but not blocked; the setting does not survive a reboot)
setenforce 0
#To switch SELinux back into Enforcing mode once debugging is done
setenforce 1

#To see SELinux denials (AVC records) as they are written to the audit log
tail -f /var/log/audit/audit.log

#SELinux security context of the httpd process
codero1:/var/www/html# ps axZ |grep httpd
user_u:system_r:httpd_t          1033 ?        Ss     0:00 /usr/sbin/httpd

#
SELinux security context fields: user_u:system_r:httpd_t follows the pattern user:role:type[:level]. The MLS/MCS level (for example s0) is only shown when the loaded policy defines one, which is why it is absent in the output above.
Under the targeted policy the type field is the one that matters: the httpd process runs as httpd_t, so the files under /var/www/html must carry a type that httpd_t is allowed to read, such as httpd_sys_content_t.

#Relabeling Files with chcon (a temporary change: a later restorecon or a full relabel resets it to the policy default)
chcon -v --type=httpd_sys_content_t /var/www/html/index.html
or, recursively for the whole document root
chcon -Rv --type=httpd_sys_content_t /var/www/html

#Restore Default Security Contexts as defined by the policy's file-context rules (undoes a chcon; this is the right fix when a file was mislabeled, e.g. copied from a home directory)
restorecon -v /var/www/html/index.html

#Allowing Apache to bind on a non-standard port 8080 by adding it to the http_port_t type
#(if the port is already assigned to another type, such as http_cache_port_t on many distributions, -a fails and you must use -m to modify the existing definition instead)
semanage port -a -t http_port_t -p tcp 8080

#List of ports that services are permitted to access by SELinux
semanage port -l

#Creating Custom SELinux Policy Modules with audit2allow
Create a httpdlocal.te file using audit2allow to generate type-enforcement rules that would allow the denied actions found in the audit log.
Review the generated rules before loading them: a denial on a file with an unexpected type (e.g. user_home_t under /var/www) means the file is mislabeled and should be fixed with restorecon, not with an allow rule, and audit2why will tell you when an existing boolean already covers the denial.
grep AVC /var/log/audit/audit.log | audit2allow -m httpdlocal > httpdlocal.te

#Make a module (only from the httpd_t denials; -M writes both httpdlocal.te and the compiled package httpdlocal.pp)
grep httpd_t /var/log/audit/audit.log | audit2allow -M httpdlocal

#To make this policy package active, execute:
semodule -i httpdlocal.pp

which will add our policy module to the policy store; on older releases that is /etc/selinux/targeted/modules/active/modules/httpdlocal.pp, on newer libsemanage versions the store lives under /var/lib/selinux/targeted/.

#Test if the module is loaded
semodule -l | grep httpdlocal

#Remove if any problem with the module
semodule -r httpdlocal
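The audit2allow steps above turn AVC denial records into allow rules, but the tool is a black box unless you know what it reads from each record. The script below is an added example (not part of the original page and not the audit2allow source): a minimal re-implementation in POSIX sh and awk of what `audit2allow -m` does with the lines that `grep AVC audit.log` feeds it. It parses the permissions inside the braces, the type field of scontext and tcontext, and tclass, merges repeated denials into one rule per source/target/class, and ignores non-AVC records. The audit records are constructed samples with hypothetical pids, inodes and timestamps; the function and variable names (avc_to_allow, demo, SAMPLE_AVC) are this example's own. It runs without any SELinux tooling installed.

```shell
#!/bin/sh
# Added example: reimplement the core of `audit2allow -m` so the rules it
# generates from AVC denials can be understood before `semodule -i` loads them.
# Uses only POSIX sh and awk, so it runs on a host without SELinux.

# Constructed sample audit records (hypothetical pids, inodes, timestamps).
# Line 2 is a SYSCALL record and must be ignored; lines 3 and 4 are two
# denials on the same target and must merge into one rule.
SAMPLE_AVC='type=AVC msg=audit(1363289005.532:184): avc:  denied  { name_connect } for  pid=1033 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1363289005.532:184): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1363289006.100:185): avc:  denied  { read open } for  pid=1033 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1363289006.101:186): avc:  denied  { getattr } for  pid=1033 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_to_allow: read audit records on stdin and print one merged
# "allow SRC TGT:CLASS PERMS;" rule per (source type, target type, class),
# sorted so the output is deterministic.
avc_to_allow() {
    awk '
    /^type=AVC / && / denied / {
        perms = $0
        sub(/.*denied +[{] */, "", perms)    # keep text after "denied  { "
        sub(/ *[}].*/, "", perms)            # drop " }" and everything after
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # context fields are user:role:TYPE[:level]; the type is element 3
            if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        key = src " " tgt ":" cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            if (!((key, p[j]) in seen)) {    # merge repeated denials
                seen[key, p[j]] = 1
                if (key in rules) rules[key] = rules[key] " " p[j]
                else rules[key] = p[j]
            }
        }
    }
    END {
        for (k in rules) {
            if (index(rules[k], " ") > 0)
                printf "allow %s { %s };\n", k, rules[k]
            else
                printf "allow %s %s;\n", k, rules[k]
        }
    }' | sort
}

# demo: run the parser over the constructed sample; returns the rule text.
demo() {
    printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
}

demo
```

Reading the output is the review step the page's procedure needs: the first rule (httpd_t connecting to mysqld_port_t) is a genuine policy decision, while the second shows httpd_t being denied on a file of type user_home_t inside /var/www/html, which is a labeling problem to fix with restorecon rather than a rule to load. The real audit2allow also emits the `module`/`require` header that the .te file needs; this example stops at the allow rules themselves.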
