Security-Enhanced Linux :: Notes
# Show the SELinux context column: for every process, and for one file
# (user:role:type:level -- the "type" field is what the denials below refer to).
ps -eZ
ls -Z file
Switch SELinux to permissive mode at runtime (the policy stays loaded and denials are still logged, but nothing is blocked). This is not the same as disabling SELinux, and it drops protection for every confined domain on the host until reverted:
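# Runtime switch to permissive mode: the policy stays loaded and denials are
# still written to audit.log, but nothing is blocked. Global, immediate, and
# lasts until reboot or the next setenforce. Troubleshooting aid only -- every
# confined domain on the box is unprotected while this is 0.
setenforce 0
# For a single misbehaving service prefer a permissive domain, which leaves
# the rest of the system enforcing (undo with -d):
#   semanage permissive -a httpd_t
# Back to enforcing; confirm with getenforce or sestatus.
setenforce 1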
to return to enforcing mode (check with `getenforce`). A host left in permissive mode has no SELinux protection at all, so treat `setenforce 0` as a diagnostic step, not a fix.
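# Build a local policy module from the most recent denial only.
# NOTE: no `-a` here -- `audit2allow -a` reads the whole audit log itself and
# ignores stdin, so with -a the grep|tail filter is silently bypassed and the
# module would allow EVERY denial in the log, not just the last one.
grep denied /var/log/audit/audit.log | tail -1 | audit2allow -M observium
# Ask why it was denied first: a boolean or a relabel is usually the right
# answer, and audit2allow will just as happily allow what an exploited
# process was trying to do.
grep denied /var/log/audit/audit.log | tail -1 | audit2why
# Read the generated rules before loading them (root).
cat observium.te
semodule -i observium.pp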
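# Build and load a custom policy module from a hand-written .te file.
# Needs the policy development Makefile (selinux-policy-devel on RHEL-family).
mkdir -pv selinux.local/ebal
# The original used `cd !$` -- bash history expansion, which only works in an
# interactive shell; spelling the path out also works when pasted into a script.
cd selinux.local/ebal
# The module name in the file header (`module ebal1 1.0;`) and the file name
# should agree: the Makefile names the .pp after the .te.
vim ebal1.te
# Builds every .te in the current directory into .pp modules.
make -f /usr/share/selinux/devel/Makefile
# Load it (root). `semodule -l | grep ebal1` confirms, `semodule -r ebal1` removes.
semodule -i ebal1.pp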
# Booleans are the runtime-tunable switches of the loaded policy; the list
# shows each one with its current, persistent and default value.
semanage boolean --list
# -P stores the value in the policy store so it survives reboot; without -P
# the change lasts only until the next boot or policy reload. (Presumably this
# is for a chrooted sftp setup that needs writable home dirs -- verify with the
# boolean's description in the list above before enabling it.)
setsebool -P ssh_chroot_rw_homedirs=1
# Dump every boolean with its current value.
getsebool -a
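# Moving sshd to a non-default port. Order matters: label the port, open the
# firewall (lokkit below), validate the config, and only then restart sshd.
# Keep the current session open and log in on the new port from a second
# session before trusting it -- a wrong label or closed port locks you out.
#
# A config that was copied or moved into place inherits the wrong label;
# restorecon puts the policy's label back.
restorecon -v /etc/ssh/sshd_config
semanage port -l | grep ssh
# -a fails with "already defined" when 2222 is already labelled in the base
# policy; -m modifies the existing entry instead.
semanage port -a -t ssh_port_t -p tcp 2222 || semanage port -m -t ssh_port_t -p tcp 2222
semanage fcontext -l
# sshd -t syntax-checks the config so a typo does not take the daemon down.
sshd -t && service sshd restart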
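# lokkit (system-config-firewall, RHEL/CentOS 6 era; on 7+ use
# firewall-cmd --permanent --add-port=2222/tcp). Each -p rewrites the saved
# iptables config and applies it right away unless -n is given.
lokkit -p 2222:tcp           # the relocated sshd port, to pair with the port label above
# lokkit --update            # re-apply the saved configuration
# Only expose 53 if this host is meant to serve DNS to the network; an open
# recursive resolver is a reflection/amplification vector, so restrict who
# may recurse (or scope the rule with --custom-rules) if it does.
lokkit -p 53:tcp
lokkit -p 53:udp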
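# chcon only changes the label stored on disk: a relabel (restorecon, an
# autorelabel at boot, some package updates) silently reverts it. Record the
# rule with semanage fcontext and let restorecon apply it so it survives.
# (semanage fcontext -a fails if a rule for that path already exists; use -m.)
# Web
semanage fcontext -a -t httpd_sys_content_t "/www(/.*)?"
restorecon -Rv /www/
# WebDav -- httpd needs write access here. The original notes used
# httpd_var_lib_t; httpd_sys_rw_content_t is the type documented for content
# httpd writes, so check man httpd_selinux before choosing.
semanage fcontext -a -t httpd_var_lib_t "/opt/webdav(/.*)?"
restorecon -Rv /opt/webdav/
# Openvpn -- the stock policy already carries a rule for /etc/openvpn
# (check: semanage fcontext -l | grep openvpn), so restorecon alone is
# normally enough.
restorecon -Rv /etc/openvpn
# Non-persistent one-off equivalent, as originally noted:
#   chcon -R -t httpd_sys_content_t /www/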
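# Denial triage loop (root). The original lines carried a "# " root prompt;
# dropped here so they can be pasted.
sestatus                                   # mode, loaded policy, booleans summary
tail -f /var/log/audit/audit.log           # watch denials as they happen
# Print the rules audit2allow would generate for the last denial in the
# rotated log -- read them, do not install them blindly. audit2why says
# whether a boolean or a relabel already covers the case.
grep denied /var/log/audit/audit.log.1 | tail -1 | audit2allow
grep denied /var/log/audit/audit.log.1 | tail -1 | audit2why
# Only when a custom rule is genuinely needed: build, inspect the .te, load.
grep denied /var/log/audit/audit.log.1 | tail -1 | audit2allow -M ebaltest1
cat ebaltest1.te
semodule -i ebaltest1.pp
# Booleans relevant to httpd, and the polyinstantiation ones.
semanage boolean -l | grep http
# setsebool -P NAME on|off                 # -P makes the change persistent
semanage boolean -l | grep poly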
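# Hardening: switch off httpd capabilities this host does not need.
# Check current values with `getsebool -a | grep httpd`; -P persists the change.
# Each line below is one boolean; the descriptions come from `semanage boolean -l`.
setsebool -P httpd_enable_cgi off     # httpd may not execute CGI scripts
setsebool -P httpd_dbus_avahi off     # no httpd -> avahi communication over D-Bus
setsebool -P httpd_unified off        # keep read-only and read-write content types separate
setsebool -P httpd_tty_comm off       # httpd may not talk to a controlling tty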
AVC stands for Access Vector Cache; an `avc: denied` record means the kernel refused an access that the loaded policy does not allow. Reading the sample below: `scontext` is the subject (httpd, running in the httpd_t domain), `tcontext` is the object (a directory named pnp4nagios labelled nagios_var_lib_t), and `{ search }` on `tclass=dir` means httpd was not allowed to traverse that directory. The paired SYSCALL record identifies the process: `uid=48` is the apache user on RHEL-family systems, `syscall=4` on `arch=c000003e` (x86_64) is stat(2), `exit=-13` is -EACCES, and `auid=4294967295` means no login session, i.e. a daemon. The right fix is a label or a boolean that lets httpd_t reach the nagios data, not a blanket audit2allow rule -- run the record through `audit2why` first.
type=AVC msg=audit(1431012972.673:2907): avc: denied { search } for pid=4757 comm="httpd" name="pnp4nagios" dev=vda1 ino=144905 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1431012972.673:2907): arch=c000003e syscall=4 success=no exit=-13 a0=7f614a7febb8 a1=7fffec5c3ce0 a2=7fffec5c3ce0 a3=7f6147cfc110 items=0 ppid=4512 pid=4757 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)