nano /etc/selinux/config
#SELINUX=enforcing
SELINUX=permissive
Allow any denied actions that have occurred since the first boot with SELinux, using the audit2allow tool:
doas audit2allow -a -l -M firstboot
The firstboot.te file is the generated policy source (the allow rules in type enforcement syntax) and the firstboot.pp file is the compiled policy module.
Load the module with semodule -i firstboot.pp:
doas semodule -i firstboot.pp
doas usermod -Z user_u kai
Other SELinux users such as user_u, staff_u, sysadm_u, system_u, and more are available:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/managing-confined-and-unconfined-users_using-selinux
doas dnf install setools-console
List the SELinux users defined in the loaded policy:
seinfo -u
Users: 8
guest_u
root
staff_u
sysadm_u
system_u
unconfined_u
user_u
xguest_u
Show the mapping from Linux logins to SELinux users:
doas semanage login -l
Login Name    SELinux User    MLS/MCS Range       Service
__default__   unconfined_u    s0-s0:c0.c1023      *
kai           staff_u         s0-s0:c0.c1023      *
root          unconfined_u    s0-s0:c0.c1023      *
Show the current user's own context:
id -Z
Create a new user already mapped to an SELinux user:
useradd -Z staff_u example.user
sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
Run the fixfiles -F onboot command as root to create the /.autorelabel file containing the -F option, so that all files are relabeled on the next reboot.
Boot in permissive mode first: set enforcing=0 as a kernel boot parameter, or comment out SELINUX=enforcing in /etc/selinux/config and set SELINUX=permissive.
Packages needed: selinux-policy-targeted, libselinux-utils, and policycoreutils.
getenforce
Permissive
Search for SELinux denials:
ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts today
Alternatively, with the setroubleshoot-server package installed, enter:
grep "SELinux is preventing" /var/log/messages
If SELinux is active and the Audit daemon (auditd) is not running on your system, search the kernel log instead:
dmesg | grep -i -e type=1300 -e type=1400
Warning:
File-system objects created while SELinux is disabled are not labeled at all. This causes problems when changing to enforcing mode, because SELinux relies on correct labels of file-system objects.
Before rebooting the system for relabeling, make sure the system will boot in permissive mode, for example by using the enforcing=0 kernel option. This prevents the system from failing to boot if it contains unlabeled files required by systemd before the selinux-autorelabel service is launched.
Kernel parameters:
- enforcing=0 (boot with SELinux in permissive mode)
- selinux=0 (boot with SELinux disabled)
Troubleshooting packages: policycoreutils-python-utils and setroubleshoot-server.
Example: httpd failing to bind a non-standard port.
systemctl status httpd
semanage port -l | grep http
Change the SELinux type of port 3131 to match port 80:
semanage port -a -t http_port_t -p tcp 3131
dnf install setroubleshoot-server python3-six
List details of all logged denials:
sealert -l "*"
Relabel /var recursively, printing each change:
restorecon -Rv /var/
See also: the semanage(8), matchpathcon(8), and sealert(8) man pages.
List all SELinux booleans and their current values:
getsebool -a
See also: the semanage-boolean(8), sepolicy-booleans(8), getsebool(8), setsebool(8), booleans(5), and booleans(8) man pages.
SELinux log location: /var/log/audit/audit.log
Because SELinux decisions, such as allowing or disallowing access, are cached, and this cache is known as the Access Vector Cache (AVC), use the AVC and USER_AVC values for the message type parameter, for example:
# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
To temporarily disable dontaudit rules, allowing all denials to be logged:
# semodule -DB
After re-running your denied scenario and finding denial messages using the previous steps, the following command enables dontaudit rules in the policy again:
# semodule -B
With the policycoreutils-python-utils and setroubleshoot-server packages installed, list details of all logged denials:
sealert -l "*"
Enable full-path auditing to see full paths to accessed objects and to make additional Linux Audit event fields visible:
# auditctl -w /etc/shadow -p w -k shadow-write
Clear the setroubleshoot cache:
# rm -f /var/lib/setroubleshoot/setroubleshoot.xml
- Reproduce the problem.
- Search for the new denial messages again (ausearch / sealert as above).
After you finish the process, disable full-path auditing:
# auditctl -W /etc/shadow -p w -k shadow-write
Writing a custom SELinux policy
Each SELinux policy rule describes an interaction between a process and a system resource:
ALLOW apache_process apache_log:FILE READ;
apache_process and apache_log are labels.
SELinux labels are stored as extended attributes of file systems, such as ext2:
ls -Z /etc/passwd
system_u:object_r:passwd_file_t:s0 /etc/passwd
Where system_u is an SELinux user, object_r is an example of the SELinux role, and passwd_file_t is an SELinux domain.
The selinux-policy packages provide the default policies.
Check which domain the daemon currently runs in:
ps -efZ | grep mydaemon
Generate a policy template for an init daemon:
sepolicy generate --init /usr/local/bin/mydaemon
Turn recent denials into policy rules, using existing interfaces where possible:
ausearch -m AVC -ts recent | audit2allow -R
Find where an interface is defined:
grep -r "logging_write_generic_logs" /usr/share/selinux/devel/include/ | grep .if
/usr/share/selinux/devel/include/system/logging.if:interface(`logging_write_generic_logs',`
https://willgu.es/?p=21
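As an added illustration for the audit2allow steps above (the firstboot module and the ausearch | audit2allow -R pipeline), and not part of these notes or of the audit2allow tool itself, the following Python script parses AVC denial lines in the audit.log format, groups them by source type, target type and object class, and renders allow rules in the same .te syntax that audit2allow emits, while also counting how many denials were actually enforced rather than only logged under permissive mode. The audit log lines are constructed samples, and httpd_t, var_log_t and unreserved_port_t are used only as example types.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not captured from a real host); permissive=1 marks denials that were logged but not enforced.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.100:101): avc:  denied  { read } for  pid=1201 comm="httpd" name="error_log" dev="dm-0" ino=4101 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.101:102): avc:  denied  { write } for  pid=1201 comm="httpd" name="error_log" dev="dm-0" ino=4101 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.102:103): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=3131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.102:103): arch=c000003e syscall=42 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def type_of(context):
    """Pull the type field out of a user:role:type:level security context."""
    return context.split(":")[2]

def parse_denials(text):
    """Yield one record per AVC denial line; other record types (SYSCALL, ...) are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield {
                "perms": set(m.group("perms").split()),
                "source": type_of(m.group("scontext")),
                "target": type_of(m.group("tcontext")),
                "tclass": m.group("tclass"),
                "permissive": m.group("permissive") == "1",
            }

def summarize(text):
    """Merge denials into (source, target, class) -> permissions, as audit2allow does,
    and count the denials that were enforced (permissive=0) rather than only logged."""
    rules, enforced = defaultdict(set), 0
    for d in parse_denials(text):
        rules[(d["source"], d["target"], d["tclass"])] |= d["perms"]
        enforced += 0 if d["permissive"] else 1
    return dict(rules), enforced

def to_te_rules(rules):
    """Render .te allow rules, one per tuple, with permissions sorted for review."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]
```

Review the rendered rules before compiling them into a module: every line grants exactly the access that was denied, so a denial caused by a mislabeled file is better fixed with restorecon than with a new allow rule.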
dnf install sudo
visudo
Let members of wheel run commands through sudo in the sysadm_r role and sysadm_t domain:
%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL