Security-Enhanced Linux :: Notes
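# Show the SELinux security context of every process, and of one file.
ps -eZ
ls -Z file

# Toggle enforcement at runtime.  This is not persistent across a reboot (the
# boot-time mode is configured in /etc/selinux/config).  Permissive mode
# (setenforce 0) only logs denials instead of blocking them, so use it while
# troubleshooting and switch back with setenforce 1 once the denial is understood.
# (The original note joined the two commands with '&', which would have put
# setenforce 0 in the background; they are two separate commands.)
setenforce 0
setenforce 1

# Turn the most recent denial into a loadable policy module and install it.
# NOTE: the original note used 'audit2allow -a'.  With -a, audit2allow reads the
# audit/message logs itself rather than stdin, so the 'grep | tail -1' filter had
# no effect and the module covered every denial ever logged.  Without -a the
# piped record is used, matching the workflow in the troubleshooting section below.
# Read observium.te before running semodule -i: a generated module allows exactly
# what was denied, which may be the access SELinux should keep blocking.  Prefer an
# existing boolean or a correct file/port label whenever one exists.
grep denied /var/log/audit/audit.log | tail -1 | audit2allow -M observium
semodule -i observium.pp

# Build a custom policy module from a type-enforcement (.te) source file.
mkdir -pv selinux.local/ebal
# The original note used 'cd !$' (history expansion, interactive shells only);
# the target is the directory just created.
cd selinux.local/ebal || exit 1
# ... write the rules into ebal1.te with an editor (the note used: vim ebal1.te) ...
make -f /usr/share/selinux/devel/Makefile
semodule -i ebal1.pp

# SELinux booleans: list them, then change one persistently (-P survives reboot).
semanage boolean -l
setsebool -P ssh_chroot_rw_homedirs on
getsebool -a

# Reset a file to the label the policy's file-context rules define for it.
restorecon /etc/ssh/sshd_config

# Move sshd to TCP port 2222: label the port first, otherwise sshd is denied the
# bind when it restarts.  Then open it in the firewall.  lokkit is presumably the
# system-config-firewall CLI of RHEL/CentOS 6-era hosts; firewalld hosts use
# firewall-cmd instead -- confirm which applies.
semanage port -l | grep ssh
semanage port -a -t ssh_port_t -p tcp 2222
semanage fcontext -l
service sshd restart
lokkit -p 2222:tcp
# lokkit --update
lokkit -p 53:tcp
lokkit -p 53:udp

# Relabel application directories.  chcon changes are not persistent: a relabel
# (restorecon, or /.autorelabel at boot) resets them to whatever the policy's
# file-context rules say.  For a permanent label record the rule with
# 'semanage fcontext -a -t TYPE "PATH(/.*)?"' and then run 'restorecon -Rv PATH'.
# Web
chcon -R -t httpd_sys_content_t /www/
# WebDav
chcon -R -t httpd_var_lib_t /opt/webdav/
# Openvpn
chcon -R -t openvpn_etc_t /etc/openvpn

# Troubleshooting workflow, kept as a commented reference (tail -f blocks until
# interrupted).  This is the audit2allow form that honours the piped record.
# sestatus
# tail -f /var/log/audit/audit.log
# grep denied /var/log/audit/audit.log.1 | tail -1 | audit2allow
# grep denied /var/log/audit/audit.log.1 | tail -1 | audit2allow -M ebaltest1
# semodule -i ebaltest1.pp
# semanage boolean -l | grep http
# setsebool
# semanage boolean -l | grep poly

# Tighten httpd by switching off booleans this host does not need.  The original
# transcript shows the '[root@ebalaskas conf]#' prompt before each command; the
# prompt text is dropped here because a shell would parse it as a command.
# -P makes each change persistent.
setsebool -P httpd_enable_cgi off
setsebool -P httpd_dbus_avahi off
setsebool -P httpd_unified off
setsebool -P httpd_tty_comm off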
AVC stands for Access Vector Cache; an `avc: denied` record in the audit log, like the one below, is a policy decision that refused the requested access.
type=AVC msg=audit(1431012972.673:2907): avc: denied { search } for pid=4757 comm="httpd" name="pnp4nagios" dev=vda1 ino=144905 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_var_lib_t:s0 tclass=dir type=SYSCALL msg=audit(1431012972.673:2907): arch=c000003e syscall=4 success=no exit=-13 a0=7f614a7febb8 a1=7fffec5c3ce0 a2=7fffec5c3ce0 a3=7f6147cfc110 items=0 ppid=4512 pid=4757 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)