SELinux cheat sheet
General
- Config location @ /etc/selinux/config
- /usr/sbin/sestatus / /usr/sbin/getenforce
- -Z for ls, id, ps, netstat, … (ss in RHEL6/RHEL7 does not seem to support it :( , we must wait for a more recent procps)
- yum install setroubleshoot{,-server} ; reboot or restart auditd
- sealert -l [uuid]
- touch /.autorelabel
Booleans
- Get list via getsebool -a
- Set via setsebool [booleanname] [0|1] [-P] # -P for permanent
- /etc/selinux/targeted/modules/active/booleans.local holds the locally modified booleans.
Labels
- Use chown/chmod --reference=.ref
- chcon -u system_u -r object_r -t httpd_sys_content_t /path/to/file
- chcon -t httpd_sys_content_t /path/to/file
Creating policies
- General process: set SELinux to permissive [setenforce 0], catch ALL errors, generate the module. Sealert output gives more information :).
- grep httpd /var/log/audit/audit.log | audit2allow -M local-newpolicyname # (TRY TO BE MORE SPECIFIC)
- Always check your module by investigating the .te
- semodule -i local-newpolicyname.pp
- setenforce 1 # ;)
- View active modules with semodule -l
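As an added example (not part of the cheat sheet, and not the audit2allow source), the script below does by hand the first part of what `audit2allow -M` does: it groups AVC denials from audit.log by source type, target type and object class, renders them in the .te layout audit2allow produces, and then flags the rules that should not be waved through, which is the "investigate the .te" step. The audit records and the flagging criteria (SENSITIVE_TARGETS, WRITE_LIKE) are constructed for this example; on a real host feed it `grep httpd /var/log/audit/audit.log` instead.

```python
import re
from collections import defaultdict

# Constructed sample audit records for this example (not taken from a real host).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { open } for  pid=1234 comm="httpd" path="/home/bob/index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { write } for  pid=1234 comm="httpd" name="shadow" dev="dm-0" ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

# One AVC record: "avc:  denied  { perm perm } for ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """user:role:type:level -> type, the field allow rules are written against."""
    return context.split(":")[2]


def parse_avc_denials(audit_text):
    """Group denials by (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        if "type=AVC" not in line:  # SYSCALL/PATH records accompany the AVC; skip them
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def render_te(rules, module_name="local-newpolicyname"):
    """Emit the rules in the .te layout audit2allow -M writes, so they read the same way."""
    types = sorted({t for (src, tgt, _) in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


# Review criteria constructed for this example: these denials usually mean mislabelled
# files or a boolean that should be switched on, not a new allow rule.
SENSITIVE_TARGETS = {"shadow_t", "etc_t"}
WRITE_LIKE = {"write", "append", "create", "unlink", "rename", "setattr"}


def review_rules(rules):
    """Return (rule, reason) pairs for rules that need a human decision before semodule -i."""
    findings = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        if tgt in SENSITIVE_TARGETS and perms & WRITE_LIKE:
            findings.append((rule, f"write access to {tgt}: do not allow; find out why {src} touches it"))
        elif tgt.endswith("_port_t") and "name_connect" in perms:
            findings.append((rule, "network connect: check getsebool -a for a boolean that already covers this"))
        elif tgt.endswith("home_t"):
            findings.append((rule, "content under a home label: relabel it (chcon -t / semanage fcontext + restorecon) rather than allowing"))
    return findings


if __name__ == "__main__":
    rules = parse_avc_denials(SAMPLE_AUDIT_LOG)
    print(render_te(rules))
    for rule, reason in review_rules(rules):
        print(f"REVIEW: {rule}\n        {reason}")
```

Only the rules that come back clean from `review_rules` belong in the module you install with `semodule -i`; the others get fixed by relabelling or a boolean, which is what "try to be more specific" amounts to in practice.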
Compiling modules
- checkmodule -M -m -o postfixlocal.mod postfixlocal.te
- semodule_package -o postfixlocal.pp -m postfixlocal.mod
- semodule -i postfixlocal.pp
Other
- restorecon -vR /var/www/html
- restorecon gets info from /etc/selinux/targeted/contexts/files/file_contexts ; to change:
- semanage fcontext -a -t httpd_sys_content_t "/foo(/.*)?" # Steal regex from file above
- semanage fcontext -a -e /var/www /foo # Equivalence: label /foo the same way as /var/www
Disable dontaudit
- Disable dontaudit: semodule -DB
- Enable again: semodule -B