Security-Enhanced Linux :: Notes
# Show the SELinux security context of every running process
ps -eZ
# Show the SELinux security context assigned to a file
ls -Z file
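Disable SELinux enforcement at runtime (this switches to permissive mode: denials are still logged but no longer blocked, and the change does not survive a reboot)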
# setenforce 0
&
# setenforce 1
to switch back to enforcing mode
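# Generate a local policy module from the most recent AVC denial only.
# audit2allow reads the piped record from stdin. Do not add -a here: it makes
# audit2allow read the whole audit log and ignore the pipe, so the module would
# allow every denial in the log instead of the single one selected by tail -1.
grep denied /var/log/audit/audit.log | tail -1 | audit2allow -M observium
# -M writes observium.te (readable rules) next to the compiled observium.pp.
# Read observium.te before loading it: each allow rule widens what the denied
# domain may do, and a relabel or an existing boolean may be the narrower fix.
semodule -i observium.pp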
# Build a SELinux policy module from a hand-written type enforcement (.te) file
mkdir -pv selinux.local/ebal
# !$ is interactive history expansion for the previous command's last argument,
# i.e. selinux.local/ebal; it is not expanded in a non-interactive script
cd !$
# Edit the module's type enforcement source
vim ebal1.te
# Compile the .te source in the current directory into a .pp policy package
# NOTE: presumably this Makefile comes from the distribution's SELinux policy
# development package; confirm it is installed
make -f /usr/share/selinux/devel/Makefile
# Load the compiled module into the policy store (it stays loaded across reboots)
semodule -i ebal1.pp
# List SELinux booleans with their current state, default state and description
semanage boolean -l
# Persistent change: -P writes the value to the policy store so it survives a
# reboot; without -P only the running policy is changed.
# Check the boolean's description in the listing above before switching it on,
# since it states what access the change grants.
setsebool -P ssh_chroot_rw_homedirs on
# sestatus
# tail -f /var/log/audit/audit.log
# grep denied /var/log/audit/audit.log.1 | tail -1 | audit2allow
# grep denied /var/log/audit/audit.log.1 | tail -1 | audit2allow -M ebaltest1
# semodule -i ebaltest1.pp
# semanage boolean -l | grep http
# setsebool
# semanage boolean -l | grep poly
[root@ebalaskas conf]# setsebool -P httpd_enable_cgi off
[root@ebalaskas conf]# setsebool -P httpd_dbus_avahi off
[root@ebalaskas conf]# setsebool -P httpd_unified off
[root@ebalaskas conf]# setsebool -P httpd_tty_comm off
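AVC stands for Access Vector Cache, the kernel cache of SELinux access decisions; a denial is written to the audit log as a type=AVC record. In the example below, httpd (source context type httpd_t) was denied the search permission on the directory pnp4nagios (target context type nagios_var_lib_t), and the SYSCALL record with the same msg=audit(...) id shows the call failing with exit=-13 (EACCES).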
type=AVC msg=audit(1431012972.673:2907): avc: denied { search } for pid=4757 comm="httpd" name="pnp4nagios" dev=vda1 ino=144905 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1431012972.673:2907): arch=c000003e syscall=4 success=no exit=-13 a0=7f614a7febb8 a1=7fffec5c3ce0 a2=7fffec5c3ce0 a3=7f6147cfc110 items=0 ppid=4512 pid=4757 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)