Hits : 2085


Security-Enhanced Linux :: Notes


ps -eZ

ls -Z file


Disable selinux (realtime)

# setenforce 0

&

# setenforce 1

to enable it


grep denied /var/log/audit/audit.log | tail -1 | audit2allow -a -M observium
semodule -i observium.pp


# Build a selinux module from selinux policy
mkdir -pv selinux.local/ebal
cd !$

vim ebal1.te

make -f /usr/share/selinux/devel/Makefile

semodule -i ebal1.pp


# List selinux booleans
semanage boolean -l

# Persistent change 
setsebool -P ssh_chroot_rw_homedirs on


getsebool -a
 
restorecon /etc/ssh/sshd_config
 
semanage port -l | grep ssh  
semanage port -a -t ssh_port_t -p tcp 2222 
 
semanage fcontext -l
 
service sshd restart
 
lokkit -p 2222:tcp
 
# lokkit --update
 
lokkit -p 53:tcp
lokkit -p 53:udp
 
# Web  
chcon -R -t httpd_sys_content_t /www/
 
# WebDav
 
chcon -R -t httpd_var_lib_t /opt/webdav/
 
# Openvpn
 
chcon -R -t openvpn_etc_t /etc/openvpn

# sestatus

# tail -f /var/log/audit/audit.log

# grep denied /var/log/audit/audit.log.1 | tail -1 | audit2allow

# grep denied /var/log/audit/audit.log.1 | tail -1 | audit2allow -M ebaltest1

# semodule -i ebaltest1.pp

# semanage boolean -l | grep http

# setsebool

# semanage boolean -l | grep poly


[root@ebalaskas conf]# setsebool -P httpd_enable_cgi off
[root@ebalaskas conf]# setsebool -P httpd_dbus_avahi off
[root@ebalaskas conf]# setsebool -P httpd_unified off
[root@ebalaskas conf]# setsebool -P httpd_tty_comm off


AVC: stands for Access Vector Cache


type=AVC msg=audit(1431012972.673:2907): avc:  denied  { search } for  pid=4757 comm="httpd" name="pnp4nagios" dev=vda1 ino=144905 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_var_lib_t:s0 tclass=dir

type=SYSCALL msg=audit(1431012972.673:2907): arch=c000003e syscall=4 success=no exit=-13 a0=7f614a7febb8 a1=7fffec5c3ce0 a2=7fffec5c3ce0 a3=7f6147cfc110 items=0 ppid=4512 pid=4757 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)