SELinux Complete Guide

Source: Internet
Author: User
Tags: rsync

SELinux related commands

1. sestatus: query the current SELinux state of the system
# sestatus -v

2. selinuxenabled: query whether SELinux is enabled on the system (reported through the exit status)
3. setenforce / getenforce: set / display the SELinux operating state (enforcing or permissive)

4. getsebool: list all SELinux boolean values and their settings
5. setsebool: set the value of an SELinux boolean

6. restorecon: restore the default security context of files and directories (-R repairs a whole directory tree recursively)
7. chcon: change the security context of a file or directory
8. fixfiles: fix the default security context of files and directories
9. secon: view the SELinux context of a process, a file, and so on

10. semanage: SELinux policy management tool
11. audit2why: explain the SELinux audit messages (why an access was denied)
12. sealert: SELinux message diagnostics client program

SELinux configuration directory and related files: /etc/selinux/config. The mode set in this file is what applies after a restart; switching between permissive and enforcing with setenforce does not survive a reboot.

SELinux log components: the setroubleshoot, setroubleshoot-plugins (noarch) and setroubleshoot-server packages. Check whether they are installed with: yum list installed | grep setroubleshoot

SELinux problems come up often in day-to-day work; the first thing to check is the log.

SELinux logs: the relevant entries in /var/log/audit/audit.log carry the AVC keyword, which lets you filter them out from the other information.

# grep AVC /var/log/audit/audit.log | tail

The same messages can also be shown with sealert: sealert -b opens the browser interface, and a non-graphical report can be written to a file for viewing:
sealert -a /var/log/audit/audit.log > /tmp/sealert.txt
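As an added example (not part of the original post), the following shell helper turns the AVC lines that grep finds into a per-domain summary, so the denial pattern (which daemon, which target type, which permission) is clear before reaching for chcon or setsebool. The audit lines it runs over are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: summarize AVC denials from an
# audit.log. Needs only grep, awk and sort.

# Constructed sample audit lines (not real events) in the format auditd writes.
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:201): avc:  denied  { write } for  pid=1234 comm="vsftpd" name="incoming" dev=sda1 ino=5678 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1700000000.202:202): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda1 ino=9012 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1700000000.303:203): avc:  denied  { write } for  pid=1234 comm="vsftpd" name="pub" dev=sda1 ino=5680 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir'

# avc_summary: read audit lines on stdin, keep AVC denials only, and print
# "<count> <source type> -> <target type> <class> <permission>", most
# frequent first. Only the first permission listed inside { } is reported.
avc_summary() {
    grep 'type=AVC' | grep 'denied' | awk '{
        perm = ""; src = ""; tgt = ""; cls = "";
        for (i = 1; i <= NF; i++) {
            if ($i == "{") perm = $(i + 1);
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3]; }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3]; }
            if ($i ~ /^tclass=/)    cls = substr($i, 8);
        }
        key = src " -> " tgt " " cls " " perm;
        n[key]++;
    } END { for (k in n) print n[k], k }' | sort -rn
}

# avc_top: the single most frequent denial pattern, for a one-line triage.
avc_top() {
    avc_summary | head -n 1
}

# Run over the constructed sample; on a real host use:
#   grep AVC /var/log/audit/audit.log | avc_summary
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

The summary shows the source domain and target type, which is exactly what decides whether the fix is a chcon relabel (wrong target type) or a boolean (the access is known but disabled by default).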

*************************************************************************************************************** *****

chcon usage examples (RPM)

The chcon command modifies the security context of an object (a file). A context has the form user:role:type:level.
Command format:

chcon [OPTIONS...] CONTEXT FILES...

chcon [OPTIONS...] --reference=REF_FILE FILES...

Description

CONTEXT      the security context to set

FILES        the object(s) (files) to modify

--reference  take the context from a referenced object

REF_FILE     the file whose context is used as the reference

FILES        the files to which the reference file's context is applied

OPTIONS are as follows:

-f           force execution (suppresses most error messages)

-R           recursively modify the security context of the objects

-r ROLE      set the role part of the security context

-t TYPE      set the type part of the security context

-u USER      set the user part of the security context

-v           display verbose information

-l, --range=RANGE   set the security level (range) in the security context

Example:

1. FTP

If you want to share files anonymously, label the directory with the public content type:
chcon -R -t public_content_t /var/ftp

If you want to set up a directory into which files can be uploaded, label it writable:
chcon -t public_content_rw_t /var/ftp/incoming

and you must also turn on the boolean allow_ftpd_anon_write (allow anonymous users write access):
setsebool -P allow_ftpd_anon_write=1

If you are setting up this machine as an ftpd server and want users to access their home directories, turn on:
setsebool -P ftp_home_dir 1

If you want to run vsftpd as a daemon (daemon mode), turn on:
setsebool -P ftpd_is_daemon 1

You can disable SELinux protection for the ftpd daemon (vsftpd then runs unconfined, so treat this as a last resort rather than a fix for a mislabelled directory):
setsebool -P ftpd_disable_trans 1

2. httpd
If you want a particular domain to be able to write to public_content_rw_t files, set:
setsebool -P allow_httpd_anon_write=1
or
setsebool -P allow_httpd_sys_script_anon_write=1

httpd can be set up to let CGI scripts be executed:
setsebool -P httpd_enable_cgi 1

If you want to enable HTTP access to users' home directories (this setting is limited to the home page directory in the user's home), turn on the boolean and label the directory:
setsebool -P httpd_enable_homedirs 1
chcon -R -t httpd_sys_content_t ~user/public_html

Allow httpd access to the controlling terminal:
setsebool -P httpd_tty_comm 1

So that one httpd service cannot interfere with another:
setsebool -P httpd_unified 0

Loadable modules run under the same context as httpd; to turn that off:
setsebool -P httpd_builtin_scripting 0

Allow httpd to connect out to the network:
setsebool -P httpd_can_network_connect 1

You can disable the suEXEC transition:
setsebool -P httpd_suexec_disable_trans 1

You can disable SELinux protection for the httpd daemon by executing:
setsebool -P httpd_disable_trans 1
service httpd restart

3, named

If you want named to be able to update the master zone files:
setsebool -P named_write_master_zones 1

You can disable SELinux protection for the named daemon by executing:
setsebool -P named_disable_trans 1
service named restart

4. NFS

If you want to export NFS partitions read-only:
setsebool -P nfs_export_all_ro 1

If you want to export NFS shares read/write:
setsebool -P nfs_export_all_rw 1

If you want to use a remote NFS server for the home directories on this machine, turn on:
setsebool -P use_nfs_home_dirs 1

5. Samba

If you want to share directories other than home directories, label them:
chcon -t samba_share_t /directory

If the Samba server shares directories with multiple domains, you need:
setsebool -P allow_smbd_anon_write=1

If you are setting up this machine as a Samba server and wish to share the home directories:
setsebool -P samba_enable_home_dirs 1

If you want to use a remote Samba server for the home directories on this machine:
setsebool -P use_samba_home_dirs 1

You can disable SELinux protection for the Samba daemon by executing:
setsebool -P smbd_disable_trans 1
service smb restart

6. rsync

If you want to share files using the rsync daemon, label the directories:
chcon -t public_content_t /directories

If you want to share files with multiple domains (allow other domains to write):
setsebool -P allow_rsync_anon_write=1

You can disable SELinux protection for the rsync daemon by executing:
setsebool -P rsync_disable_trans 1

7. Kerberos

To allow the system to work properly in a Kerberos environment:
setsebool -P allow_kerberos 1

If you are running the Kerberos daemons kadmind or krb5kdc, their SELinux protection can be disabled with:
setsebool -P krb5kdc_disable_trans 1
service krb5kdc restart
setsebool -P kadmind_disable_trans 1
service kadmind restart

8. Nis

To allow the system to work properly in a NIS environment:
setsebool -P allow_ypbind 1
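As an added example (not part of the original post), a shell check that reads getsebool -a output and flags the booleans from the sections above that remove confinement (*_disable_trans) or grant anonymous writes (allow_*_anon_write). The getsebool output is a constructed sample, and the list of risky booleans is an assumption to extend for your own policy.

```shell
#!/bin/sh
# Added example, not from the original post: find weakening SELinux booleans
# in `getsebool -a` output. The sample below is constructed so the check
# runs without SELinux present.
SAMPLE_BOOLS='allow_ftpd_anon_write --> off
allow_httpd_anon_write --> on
ftp_home_dir --> on
ftpd_disable_trans --> on
httpd_can_network_connect --> off
httpd_disable_trans --> off
samba_enable_home_dirs --> off
smbd_disable_trans --> off'

# Pattern for the weakening booleans in "name --> on" form (assumed set;
# *_disable_trans runs the daemon unconfined, allow_*_anon_write lets
# anonymous clients write).
WEAKENING_PATTERN='^([a-z0-9_]*_disable_trans|allow_[a-z0-9_]*_anon_write) --> on$'

# weakening_bools: read getsebool -a style lines on stdin and print the
# names of weakening booleans that are currently on, one per line.
weakening_bools() {
    grep -E "$WEAKENING_PATTERN" | sed 's/ --> on$//'
}

# check_bools: succeed (status 0) only when no weakening boolean is on,
# so it can gate a deployment or a cron-driven audit.
check_bools() {
    n=$(weakening_bools | grep -c . || true)
    [ "$n" -eq 0 ]
}

# Run over the constructed sample; on a real host use:
#   getsebool -a | weakening_bools
printf '%s\n' "$SAMPLE_BOOLS" | weakening_bools
```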
