SELinux
===
###### tags: `IBM` `Linux Tools`

# Troubleshooting

```
yum install setroubleshoot
# View the error messages
journalctl -t setroubleshoot --since=today
# View the suggested fixes
sealert -a /var/log/audit/audit.log
```

---

# Type Enforcement

* Type enforcement only looks at the *type* field of the security context *user:role:type:level*.
* Processes running as *unconfined_t* are governed only by ordinary Linux DAC (Discretionary Access Control).

```
# Install semanage
yum install policycoreutils-python
# List all ports governed by a type
semanage port -l
# List all file paths governed by a type
semanage fcontext -l
# Print the type of files
ls -Z
# Print the type of processes
ps -efZ
```

* Modify the policy

```
# Assign a type to a port
semanage port -a -t <PORT_TYPE> -p tcp <PORT_NUMBER>
# Assign a type to a file path
semanage fcontext -a -t <FILE_TYPE> '<FILE_PATH>'
restorecon -Rv <FILE or DIR>
# Remove a type from a file path
semanage fcontext -d -t <FILE_TYPE> '<FILE_PATH>'
restorecon -Rv <FILE or DIR>
```

:::info
* restorecon resets the labels of the target directories and files according to the types listed by `semanage fcontext -l`.
  -R: also relabel every file and directory under the path.
:::

---

# Policy

* selinux-policy-<version>.rpm is the policy database
* SELINUXTYPE=targeted selects which set of policies is loaded

```
cat /etc/selinux/config
```

* Check the policy booleans in readable form

```
sestatus -b
```

* Modify the policy

```
# -P also writes the change to the policy store, so it survives a reboot
setsebool -P httpd_can_network_connect on
# Without -P the change applies on demand only and is lost on reboot
setsebool httpd_can_network_connect on
```

---

# Mode

* Enforcing
  This is the default. In enforcing mode, if something happens on the system that is against the defined policy, the action is both blocked and logged.
* Permissive
  This mode does not actually block or deny anything from happening; however, it logs anything that would have been blocked in enforcing mode.
* Disabled
  SELinux is completely turned off and nothing is logged at all.
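As an added example (not part of the original note), a small Python parser for the AVC records that `sealert -a /var/log/audit/audit.log` reads: it pulls the source and target *type* out of each `user:role:type:level` context and uses the `permissive=` field to tell a denial that was blocked in enforcing mode from one that was only logged in permissive mode. The audit lines below are constructed samples, not captured from a real host.

```python
import re
from dataclasses import dataclass

# Constructed sample records in the format of /var/log/audit/audit.log (not from a real host).
# Record 1 was blocked (permissive=0); record 3 was only logged because the mode was permissive.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1700000001.001:457): avc:  denied  { read open } for  pid=1234 comm="httpd" path="/srv/www/index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def split_context(ctx):
    """Split a user:role:type:level context; the level may itself contain ':' (e.g. s0-s0:c0.c1023)."""
    user, role, stype, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": stype, "level": level}

@dataclass
class AvcDenial:
    perms: list
    source_type: str   # type of the process (what ps -efZ shows)
    target_type: str   # type of the file or port it touched (what ls -Z / semanage port -l show)
    tclass: str
    enforced: bool     # False when permissive=1: logged, but the access was allowed

def parse_avc(log_text):
    """Return one AvcDenial per 'avc: denied' record; SYSCALL and other record types are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None or m.group("decision") != "denied":
            continue
        denials.append(AvcDenial(
            perms=m.group("perms").split(),
            source_type=split_context(m.group("scontext"))["type"],
            target_type=split_context(m.group("tcontext"))["type"],
            tclass=m.group("tclass"),
            enforced=m.group("permissive") != "1",
        ))
    return denials

def summarize(denials):
    """One line per denial: which process type hit which object type, and whether it was blocked."""
    return [f"{d.source_type} -> {d.target_type} ({d.tclass}: {' '.join(d.perms)})"
            f"{'' if d.enforced else ' [permissive: not blocked]'}" for d in denials]
```

The type pair in each summary line is what you then look up with `semanage fcontext -l` or `semanage port -l` to decide whether a label or a boolean needs changing.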
```
# The mode at boot is taken from the config file
$ vi /etc/selinux/config
SELINUX=enforcing
$ reboot
$ getenforce
Enforcing

# Set the mode on demand
$ setenforce 0
$ getenforce
Permissive

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
```

---

# Reference

- [SELinux 教學與設定](https://notes.wadeism.net/linux/1070/)