Linux Tools
# Install setroubleshoot, which turns raw AVC denials into readable alerts
yum install setroubleshoot
# View today's setroubleshoot messages
journalctl -t setroubleshoot --since=today
# Analyze the audit log and print the suggested fix for each denial
sealert -a /var/log/audit/audit.log
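sealert is the friendly view, but on a box without setroubleshoot (or when the alerts are noisy) it helps to collapse the raw AVC records yourself. The script below is an added example, not part of the original notes: it summarises denials by process, source type, target type, object class and permission, and flags records carrying `permissive=1`, which audit logs as "denied" even though nothing was blocked. The audit lines embedded in it are constructed samples; on a real host feed it `/var/log/audit/audit.log` or `ausearch -m AVC -ts today --raw`.

```sh
#!/bin/sh
# Summarise AVC denials from raw audit records: one line per distinct
# (comm, source type, target type, class, permission, mode) with a count.
# Usage: avc_summary < /var/log/audit/audit.log
#        ausearch -m AVC -ts today --raw | avc_summary

avc_summary() {
  awk '
    /^type=AVC / && /avc: +denied/ {
      perm = ""; comm = ""; stype = ""; ttype = ""; cls = ""; mode = "enforcing"
      # permissions sit between braces: { name_connect } or { read write }
      b = index($0, "{"); e = index($0, "}")
      if (b > 0 && e > b) {
        perm = substr($0, b + 2, e - b - 3)
        gsub(/ /, ",", perm)
      }
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "comm") {
          comm = kv[2]; gsub(/"/, "", comm)
        } else if (kv[1] == "scontext") {
          split(kv[2], c, ":"); stype = c[3]      # user:role:TYPE:level
        } else if (kv[1] == "tcontext") {
          split(kv[2], c, ":"); ttype = c[3]
        } else if (kv[1] == "tclass") {
          cls = kv[2]
        } else if (kv[1] == "permissive" && kv[2] == "1") {
          mode = "permissive"                     # logged, but NOT blocked
        }
      }
      n[comm " " stype " " ttype " " cls " " perm " " mode]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -k1,1nr -k2
}

# Constructed sample records in audit.log format (not taken from a real host).
SAMPLE_AUDIT=$(cat <<'EOF'
type=AVC msg=audit(1700000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1700000000.456:457): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.000:458): avc:  denied  { read } for  pid=1235 comm="httpd" name="style.css" dev="dm-0" ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000002.000:459): avc:  denied  { name_bind } for  pid=1300 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
EOF
)

# Run the summary over the constructed sample.
demo_avc() { printf '%s\n' "$SAMPLE_AUDIT" | avc_summary; }

if [ "${1-}" = "--demo" ]; then demo_avc; fi
```

Run with `--demo` to see the three collapsed lines: two reads of `user_home_t` files by `httpd_t` (a web root under a home directory, fixed with an fcontext rule), one `name_connect` from `httpd_t` to `mysqld_port_t` (a boolean, not a port rule), and one `name_bind` by `sshd_t` that was only logged because that process ran permissive.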
# Install semanage (policycoreutils-python on RHEL/CentOS 7; policycoreutils-python-utils on 8 and later)
yum install policycoreutils-python
# List every port-to-type mapping
semanage port -l
# List every file-context rule (path regex to type)
semanage fcontext -l
# Show the label (type) of files
ls -Z
# Show the label (domain) of running processes
ps -efZ
# Bind a port to a type (fails with "already defined" if that exact port is already bound to a type; use -m to move it)
semanage port -a -t <PORT_TYPE> -p tcp <PORT_NUMBER>
# Add a persistent file-context rule; <FILE_PATH> is a regex, so use '/path(/.*)?' to cover a whole directory tree
semanage fcontext -a -t <FILE_TYPE> '<FILE_PATH>'
# Apply the rule to the files on disk (the rule alone changes nothing until you relabel)
restorecon -Rv <FILE or DIR>
# Remove the rule again
semanage fcontext -d -t <FILE_TYPE> '<FILE_PATH>'
# Relabel so the files fall back to the default context
restorecon -Rv <FILE or DIR>
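The two procedures above (bind a port, label a path, relabel) are usually pasted into provisioning scripts, where `semanage port -a` aborts the run with "already defined" the second time it executes. The helpers below are an added example, not part of the original notes: `port_action` parses a `semanage port -l` listing and decides whether the port needs `-a`, `-m`, or nothing, and `label_port` / `label_path` apply that decision on a real host (they need root and a SELinux host and are not exercised by the embedded sample). The listing embedded at the end is a constructed sample in the format of `semanage port -l`. A range such as `1024-32767` that merely contains the port is deliberately not treated as a definition, because `-a` still succeeds in that case.

```sh
#!/bin/sh
# Idempotent SELinux labeling helpers (example code, not from the original notes).

# port_action TYPE PROTO PORT   (a `semanage port -l` listing on stdin)
# prints: add    -> the port is not explicitly bound to any type
#         modify -> the port is bound to a different type (use semanage port -m)
#         noop   -> the port is already bound to TYPE
port_action() {
  awk -v want="$1" -v proto="$2" -v port="$3" '
    $1 == "SELinux" { next }                 # header line
    $2 != proto     { next }
    {
      # ports start at $3, comma separated: "80, 81, 8008" or ranges "1024-32767"
      for (i = 3; i <= NF; i++) {
        p = $i; sub(/,$/, "", p)
        if (p == port) { found = $1 }         # exact single-port definition only;
      }                                       # a containing range does not block -a
    }
    END {
      if (found == "")        { print "add" }
      else if (found == want) { print "noop" }
      else                    { print "modify" }
    }'
}

# label_port TYPE PROTO PORT: apply the decision on a live host (root required).
label_port() {
  action=$(semanage port -l | port_action "$1" "$2" "$3")
  case "$action" in
    add)    semanage port -a -t "$1" -p "$2" "$3" ;;
    modify) semanage port -m -t "$1" -p "$2" "$3" ;;
    noop)   echo "$2/$3 is already labeled $1" ;;
  esac
}

# label_path TYPE REGEX DIR: persistent fcontext rule plus relabel.
# REGEX must cover the tree, e.g. '/srv/www(/.*)?'; a plain chcon would be
# undone by the next restorecon. The pattern is passed through ENVIRON rather
# than awk -v so backslashes in it are not reinterpreted.
label_path() {
  if re="$2" semanage fcontext -l | awk '$1 == ENVIRON["re"] { f = 1 } END { exit !f }'; then
    semanage fcontext -m -t "$1" "$2"
  else
    semanage fcontext -a -t "$1" "$2"
  fi
  restorecon -Rv "$3"
}

# Constructed listing in the format of `semanage port -l` (not from a live host).
SAMPLE_PORT_LIST=$(cat <<'EOF'
SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
mysqld_port_t                  tcp      1186, 3306, 63132-63164
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-32767, 61001-65535
EOF
)

# sample_action TYPE PROTO PORT: run port_action against the constructed listing.
sample_action() { printf '%s\n' "$SAMPLE_PORT_LIST" | port_action "$1" "$2" "$3"; }

if [ "${1-}" = "--demo" ]; then
  echo "ssh_port_t tcp 2222:    $(sample_action ssh_port_t tcp 2222)"
  echo "ssh_port_t tcp 22:      $(sample_action ssh_port_t tcp 22)"
  echo "tomcat_port_t tcp 9000: $(sample_action tomcat_port_t tcp 9000)"
fi
```

Moving sshd to 2222 yields `add` even though 2222 sits inside `unreserved_port_t`'s range, while claiming 9000 for `tomcat_port_t` yields `modify` because 9000 is explicitly bound to `http_port_t` and `-a` would refuse it.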
# Show the persistent mode and policy type
cat /etc/selinux/config
# List every boolean with its current value
sestatus -b
# -P writes the change to the policy store so it survives a reboot (it also takes effect immediately)
setsebool -P httpd_can_network_connect on
# Without -P the change takes effect immediately but is lost on reboot
setsebool httpd_can_network_connect on
Enforcing
This is the default. Any action that violates the loaded policy is blocked and logged as an AVC denial.
Permissive
Nothing is blocked, but every action that enforcing mode would have denied is logged. The policy stays loaded and files keep getting labeled, which makes this the mode for troubleshooting a denial, not a long-term setting.
Disabled
SELinux is turned off entirely: no policy is loaded and nothing is logged. Files created in this state get no labels, so switching back to enforcing later requires a full relabel (touch /.autorelabel before rebooting).
# The mode at boot comes from the config file (takes effect after a reboot)
$ vi /etc/selinux/config
SELINUX=enforcing
$ reboot
$ getenforce
Enforcing
# Set the mode on demand (lost at reboot): 0 = permissive, 1 = enforcing; disabled cannot be entered or left at runtime
$ setenforce 0
$ getenforce
Permissive
$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31