SELinux cheat sheet

General

  • Config location @ /etc/selinux/config
  • /usr/sbin/sestatus / /usr/sbin/getenforce
  • -Z for ls, id, ps, netstat, … (ss in RHEL6/RHEL7 does not seem to support it :( , we must wait for a more recent procps)
  • yum install setroubleshoot{,-server} ; then reboot or restart auditd
  • sealert -l [uuid]
  • touch /.autorelabel

Booleans

  • Get list via getsebool -a
  • Set via setsebool [-P] [booleanname] [0|1] # -P for permanent (survives reboot)
  • /etc/selinux/targeted/modules/active/booleans.local lists the locally modified booleans.

Labels

  • Use chown/chmod/chcon --reference=.ref to copy ownership, mode or context from a reference file
  • chcon -u system_u -r object_r -t httpd_sys_content_t /path/to/file
  • chcon -t httpd_sys_content_t /path/to/file

Creating policies

  • General process: set SELinux to permissive (setenforce 0), exercise the application so that ALL denials get logged, then generate the module. sealert output gives more information :).
  • grep httpd /var/log/audit/audit.log | audit2allow -M local-newpolicyname # (TRY TO BE MORE SPECIFIC: the module allows every denial you pipe in)
  • Always check your module by investigating the .te
  • semodule -i local-newpolicyname.pp
  • setenforce 1 # ;)
  • View active modules with semodule -l
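Added example (not from this cheat sheet): two small shell helpers for the "catch ALL errors" and "investigate the .te" steps, so you see exactly which allow rules audit2allow would generate before loading them. The audit.log lines, the .te file and the watch list of permissions are constructed/assumed for this example.

```shell
#!/bin/sh
# avc_summary FILE: one "source_type target_type class perm" line per denied
# permission, deduplicated. Each line becomes an allow rule in audit2allow output.
avc_summary() {
  grep 'type=AVC' "$1" | grep ' denied ' | awk '{
    perms = ""; in_perm = 0
    for (i = 1; i <= NF; i++) {
      if ($i == "{") { in_perm = 1; continue }
      if ($i == "}") { in_perm = 0; continue }
      if (in_perm) perms = (perms == "" ? "" : perms ",") $i
      if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }   # source type
      if ($i ~ /^tcontext=/) { split($i, b, ":"); t = b[3] }   # target type
      if ($i ~ /^tclass=/)   { c = substr($i, 8) }             # object class
    }
    n = split(perms, p, ",")
    for (j = 1; j <= n; j++) print s, t, c, p[j]
  }' | sort -u
}

# te_risky_rules FILE: allow rules in a .te granting permissions a reviewer should
# justify rather than accept. The watch list is an assumption, not exhaustive.
te_risky_rules() {
  grep -E '^[[:space:]]*allow ' "$1" |
    grep -Ew 'execmem|execmod|execstack|dac_override|dac_read_search|sys_admin|sys_ptrace|unconfined_t'
}

# Constructed audit.log excerpt (three denials, one of them a duplicate).
cat > /tmp/avc_sample.log <<'EOF'
type=AVC msg=audit(1700000000.100:200): avc:  denied  { read open } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=10 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.200:201): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.300:202): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=10 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF

# Constructed .te in the shape audit2allow -M emits.
cat > /tmp/local-sample.te <<'EOF'
module local-sample 1.0;
require { type httpd_t; type user_home_t; type mysqld_port_t; class file { read open }; class tcp_socket name_connect; class process execmem; }
allow httpd_t user_home_t:file { read open };
allow httpd_t mysqld_port_t:tcp_socket name_connect;
allow httpd_t self:process execmem;
EOF

avc_summary /tmp/avc_sample.log      # 3 unique source/target/class/perm lines
te_risky_rules /tmp/local-sample.te  # flags the execmem rule for review
```

On a real host, point avc_summary at /var/log/audit/audit.log (filtered by comm or scontext as in the grep above) and te_risky_rules at the .te that audit2allow -M wrote next to the .pp.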

Compiling modules

  • checkmodule -M -m -o postfixlocal.mod postfixlocal.te
  • semodule_package -o postfixlocal.pp -m postfixlocal.mod
  • semodule -i postfixlocal.pp

Other

  • restorecon -vR /var/www/html
  • restorecon gets its info from /etc/selinux/targeted/contexts/files/file_contexts (local additions land in file_contexts.local in the same directory); to change:
  • semanage fcontext -a -t httpd_sys_content_t "/foo(/.*)?" # Steal regex from file above, then restorecon -Rv /foo to apply
  • semanage fcontext -a -e /var/www /foo # equivalence: label /foo the same way as /var/www, then restorecon -Rv /foo

Disable dontaudit

  • Disable dontaudit: semodule -DB
  • Enable again: semodule -B