Opensource.

com: SELinux Commands Cheat Sheet PAGE 1 OF 2 BY ALEX CALLEJAS

Learn more in our sysadmin’s guide to SELinux, by Alex Callejas: https://red.ht/2zpWppY

CONCEPTS
SELinux = LABELING system Labeling → files, process, ports, etc. (system objects)

Every process, file, directory, system object has a LABEL. Type enforcement → Isolates processes from each other based on types

Policy rules control access between labeled processes and labeled

objects.

The kernel enforces these rules.

LABELING
Label format: user → identity known to the policy authorized for a specific set of roles and a specific MLS/MCS range

user:role:type:level (optional) role → attribute of RBAC, serves as an intermediary between domains and SELinux users

type → attribute of type enforcement, defines a domain for processes and a type for files

level → attribute of MLS/MCS, pair of levels, written as lowlevel-highlevel if the levels differ, or lowlevel if the
levels are identical

TYPE ENFORCEMENT
Targeted: Processes that are targeted run in a confined domain, and processes that are not targeted run in an unconfined domain
Multi-level security (mls): Control processes (domains) based on the level of the data they will be using
Multi-category security (mcs): Protects like processes from each other (like VMs, OpenShift Gears, SELinux sandboxes, containers, etc.)
SELINUX MODES @ BOOT
Kernel parameters: If you need to relabel the entire system:

enforcing=0 → boot in permissive mode # touch /.autorelabel

selinux=0 → kernel to not load any part of the SELinux infrastructure # reboot

autorelabel=1 → forces the system to relabel If the system labeling contains a large amount of errors, you might need to boot in permissive mode for the
autorelabel to succeed.

SELINUX STATES CHECK STATUS:

enforcing SELinux security policy is enforced Configuration file: Check if SELinux is enabled: # getenforce
permissive SELinux prints warnings instead of SELinux status tool: # sestatus
enforcing /etc/selinux/config
disabled No SELinux policy is loaded Enable/disable SELinux (temporarily): # setenforce [1|0]

opensource.com Twitter @opensourceway | facebook.com/opensourceway | CC BY-SA 4.0

Opensource.com: SELinux Commands Cheat Sheet PAGE 2 OF 2 BY ALEX CALLEJAS

EXAMPLE OF LABELING: APACHE WEB SERVER CHECK/CREATE/MODIFY SELINUX CONTEXTS/LABELS:

Binary /usr/sbin/httpd httpd_exec_t Many commands accept the argument -Z to view, create, and modify context:

- ls -Z
Configuration directory /etc/httpd httpd_config_t
- id -Z
Logfile directory /var/log/httpd httpd_log_t
- ps -Z
Content directory /var/www/html httpd_sys_content_t
- netstat -Z
Startup script /usr/lib/systemd/system/httpd.service httpd_unit_file_d - cp -Z
Process running /usr/sbin/httpd -DFOREGROUND httpd_t - mkdir -Z
Ports (netstat -tulpnZ) 80/tcp, 443/tcp httpd_t Contexts are set when files are created based on their parent directory’s
context (with a few exceptions). RPMs can set contexts as part of
Port type (semanage port -l) 80, 81, 443, 488, 8008, 8009, 8443, 9000 http_port_t installation.
TROUBLESHOOTING

SELinux tools: # yum -y install setroubleshoot setroubleshoot-server ← Reboot or restart auditd after you install

Logging: /var/log/messages /var/log/audit/audit.log /var/lib/setroubleshoot/setroubleshoot_database.xml

journalctl List all logs related to setroubleshoot:
List all logs related to a particular
SELinux label:
ausearch Look for SELinux errors in the audit log:
Search for SELinux AVC messages for a
particular service:
Edit/modify labels know the label:
(semanage)
know the file with the equivalent labeling:
Restore the context (for both cases):
Edit/modify labels (chcon) know the label:
know the file with the equivalent labeling:
Restore the context (for both cases):
Add new port to service: # semanage port -a -t http_port_t -p tcp 8585
Booleans Booleans allow parts of SELinux policy to be changed at runtime without any knowledge of SELinux policy writing.
To see all booleans: # getsebool -a
To set a boolean execute: # setsebool [boolean] [1|0]
# journalctl -t setroubleshoot --since=14:20
# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0
# ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today -i
# ausearch -m avc -c httpd -i
# semanage fcontext -a -t httpd_sys_content_t ‘/srv/myweb(/.*)?’
# semanage fcontext -a -e /srv/myweb /var/www
# restorecon -vR /srv/myweb
# chcon -t httpd_system_content_t /var/www/html/index.html
Note: If you move instead of copy
# chcon --reference /var/www/html/ /var/www/html/index.html a file, the file keeps its original
context.
# restorecon -vR /var/www/html/index.html
← SELinux needs to know
To see the description of each one: # semanage boolean -l
To configure it permanently, add -P: Example : # setseebol httpd_enable_ftp_server 1 -P

opensource.com Twitter @opensourceway | facebook.com/opensourceway | CC BY-SA 4.0