Short notes about basic SELinux commands.
SELinux lets you raise the security level of your system: you can restrict access to ports, files, directories, processes and so on. Many tools are involved in this, and I will try to give a short overview of most of them.
setenforce sets the SELinux mode. There are two basic modes: Enforcing and Permissive. The first turns SELinux enforcement on; the second switches enforcement off (policy violations are only logged, not blocked).
!!! Caution: this tool does not change /etc/selinux/config, which means SELinux will return to the previous mode after a reboot. To change the mode permanently, edit /etc/selinux/config directly.
The management interface of SELinuxfs (mounted at /selinux by default) is slightly similar to procfs: you can change a parameter simply by writing a boolean value into the corresponding file. This is an alternative way to change SELinux options. For example, use echo to change the SELinux mode:
[root@node2 ~]# getenforce
Enforcing
[root@node2 ~]# echo 0 > /selinux/enforce
[root@node2 ~]# getenforce
Permissive
getenforce – shows the current SELinux mode.
sestatus – prints the current SELinux status.
setroubleshootd – lives in the setroubleshoot* rpms, which are not installed by default. Use yum to install it:
yum install setroubleshoot
The daemon starts with the system from /etc/init.d/setroubleshoot and writes all SELinux messages to its log file.
secon – shows the SELinux attributes of an object (file, directory, process and so on).
chcon – changes the SELinux attributes of an object.
sealert – a GUI tool that works together with setroubleshootd. It displays all SELinux messages and gives some explanation for them.
restorecon – restores the default attributes of a given object.
setsebool – sets a boolean variable. Use the “-P” option to make the change permanent. Example:
setsebool -P allow_ftpd_anon_write 1
This command allows anonymous users to write into FTP directories that are open for writing.
getsebool – with the “-a” option lists all available booleans with their current values.
semanage – the most powerful tool; it can configure any element without recompiling the policy sources.
SELinux also writes messages to /var/log/messages.
SELinux also extends coreutils, adding the “-Z” option to these utilities. For example, the ordinary coreutils tool ls can show the SELinux attributes of files:
[root@node2 ~]# ls -Z
-rw------- root root system_u:object_r:user_home_t anaconda-ks.cfg
-rw-r--r-- root root root:object_r:user_home_t install.log.syslog
.....
Every user in SELinux has at least one role. To list SELinux users together with their roles, run:
semanage user -l
To copy an existing file with new SELinux attributes, use cp:
cp -Z user:role:type old_file new_file
To find the difference between the current attributes of an object and the default ones:
matchpathcon -V [object]
To show the current user's attributes, type:
id -Z
To create a user with attributes:
useradd -Z ..
If the user already exists:
semanage login -a -s user_roles user
To change directory attributes (set the default context, then apply it to the existing tree):
semanage fcontext -a -t httpd_sys_content_t /www
restorecon -R -v /www/
To list all port restrictions, run:
semanage port -l
If you want your service to listen on a non-standard port, first check whether the port is already declared by SELinux. The command above combined with grep can help you:
semanage port -l | grep
If nothing appears you can skip the next step. Otherwise, delete the port from its existing group:
semanage port -d -p tcp 9050
and put it into your service's group:
semanage port -a -t httpd_port_t -p tcp 9050
where httpd_port_t is your service's group and 9050 is your port.
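The check, delete and add steps above, written as a small script. This is an added example, not part of the original notes: it parses a constructed excerpt of `semanage port -l` output (embedded below, not captured from a real host), finds which port type already owns a port (including ranges such as 5900-5999, which a plain grep for the number would miss), and prints the semanage commands that would be needed rather than running them.

```bash
#!/bin/bash
# Constructed excerpt of `semanage port -l` output (assumption: same column
# layout as the real tool; the port assignments here are sample data).
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
tor_port_t                     tcp      6969, 9001, 9030, 9050, 9051, 9150
vnc_port_t                     tcp      5900-5999'

# port_owner LISTING PROTO PORT
# Prints the SELinux port type that already covers PORT/PROTO (ranges included).
# Prints nothing and returns 1 when the port is not declared at all.
port_owner() {
    local listing=$1 proto=$2 port=$3
    printf '%s\n' "$listing" | awk -v proto="$proto" -v port="$port" '
        BEGIN { p = port + 0; found = 0 }
        NR == 1 { next }                      # skip the header line
        $2 != proto { next }                  # only rows for this protocol
        {
            type = $1; list = ""
            for (i = 3; i <= NF; i++) list = list $i   # join "80, 81, ..." fields
            n = split(list, items, ",")
            for (i = 1; i <= n; i++) {
                if (items[i] ~ /-/) {         # a range like 5900-5999
                    split(items[i], r, "-")
                    if (p >= r[1] + 0 && p <= r[2] + 0) { print type; found = 1; exit }
                } else if (items[i] + 0 == p) { print type; found = 1; exit }
            }
        }
        END { if (found) exit 0; else exit 1 }'
}

# port_plan LISTING PROTO PORT TARGET_TYPE
# Prints the semanage commands needed so that PORT/PROTO belongs to TARGET_TYPE:
# delete from the current owner first (if any), then add to the target type.
# Prints nothing if the port is already labeled with TARGET_TYPE.
port_plan() {
    local listing=$1 proto=$2 port=$3 target=$4 owner
    owner=$(port_owner "$listing" "$proto" "$port")
    [ "$owner" = "$target" ] && return 0
    if [ -n "$owner" ]; then
        # the port is currently declared under $owner, so it must be removed first
        echo "semanage port -d -p $proto $port"
    fi
    echo "semanage port -a -t $target -p $proto $port"
}

port_plan "$SAMPLE_PORT_LIST" tcp 9050 httpd_port_t
```

Pipe the real listing in with `port_plan "$(semanage port -l)" tcp 9050 httpd_port_t` on a host where semanage is installed, and run the printed commands only after reviewing them.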