SELinux cheat sheet

 

General

  • Config location @ /etc/selinux/config
  • /usr/sbin/sestatus / /usr/sbin/getenforce
  • -Z for ls, id, ps, netstat, … (SS in RHEL6/RHEL7 does not seem to support it :( , we must wait for a more recent procps )
  • yum install setroubleshoot-server{,-server} ; reboot/auditd restart
  • sealert -l [uuid]
  • touch /.autorelabel

Booleans

  • Get list via getsebool -a
  • Set via setsebool [booleanname] [0|1] [-P] # -P for permanent
  • /etc/selinux/targeted/modules/active/booleans.local < has locally modified booleans.

Labels

  • Use chown/chmod –reference=.ref
  • chcon -u system_u -r object_r -t httpd_sys_content_t /path/to/file
  • chcon -t httpd_sys_content_t /path/to/file

Creating policies

  • General process: set selinux to permissive [setenforce 0], catch ALL errors, gen module. Sealert output gives more information :).
  • grep httpd /var/log/audit/audit.log | audit2allow -M local-newpolicyname # (TRY TE BE MORE SPECIFIC)
  • Always check your module by investigating the .te
  • semodule -i local-newpolicyname.pp
  • setenforce 1 # ;)
  • View active modules with semodule -l

Compiling modules

  • checkmodule -M -m -o postfixlocal.mod postfixlocal.te
  • semodule_package -o postfixlocal.pp -m postfixlocal.mod
  • semodule -i postfixlocal.pp

Other

  • restorecon -vR /var/www/html
  • restorecon gets info from /etc/selinux/targeted/contexts/files/file_contexts ; to change:
  • semanage fcontext -a -t httpd_sys_content_t “/foo(/.*)?” /foo/ # Steal regex from file above
  • semanage fcontext -a -e /var/www/ /foo/ # Steal regex from file above

Disable dontaudit

  • Disable dontaudit: semodule -DB
  • Enable again: semodule -B
 Posted by at 12:29