SELinux

tags: IBM Linux Tools

Troubleshooting

yum install setroubleshoot
# View the denial messages
journalctl -t setroubleshoot --since=today
# View the suggested fixes for each denial
sealert -a /var/log/audit/audit.log

Type Enforcement

  • Focus only on the type field of the security context user:role:type:level.
  • Processes running as unconfined_t fall back to ordinary Linux DAC (Discretionary Access Control).
# Install semanage
yum install policycoreutils-python

# List all ports governed by a type
semanage port -l

# List all file contexts governed by a type
semanage fcontext -l

# Print file types
ls -Z

# Print process types
ps -efZ

  • Modify the policy
# Add a type to a port
semanage port -a -t <PORT_TYPE> -p tcp <PORT_NUMBER>

# Add a type to a file
semanage fcontext -a -t <FILE_TYPE> '<FILE_PATH>'
restorecon -Rv <FILE or DIR>

# Remove a type from a file
semanage fcontext -d -t <FILE_TYPE> '<FILE_PATH>'
restorecon -Rv <FILE or DIR>
  • restorecon - resets the labels of every target directory and file according to the types listed by semanage fcontext -l.
    -R: apply recursively to all files and directories under the path.
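To tie the Troubleshooting and Type Enforcement notes together, here is an added example (not from the original notes) that reduces AVC denial lines from audit.log to source type, target type, class and permission, then maps each one to the remediation area above (port label, file label, or sealert). The two audit lines are constructed samples in the real AVC field format; the mapping is a triage hint, not a replacement for sealert.

```shell
#!/bin/sh
# Constructed sample AVC denials (not real audit data); field names match audit.log.
SAMPLE_AVC='type=AVC msg=audit(1700000000.100:101): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.200:102): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1'

# Reduce each AVC line on stdin to: source_type target_type tclass permission permissive
avc_summary() {
    awk '/avc: +denied/ {
        perm = ""; s = ""; t = ""; cls = ""; p = ""
        # the denied permission sits inside "{ ... }"
        if (match($0, /[{] *[a-z_]+ *[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2); gsub(/ /, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            # contexts are user:role:type:level; the type is the third field
            if (kv[1] == "scontext")   { split(kv[2], c, ":"); s = c[3] }
            if (kv[1] == "tcontext")   { split(kv[2], c, ":"); t = c[3] }
            if (kv[1] == "tclass")     cls = kv[2]
            if (kv[1] == "permissive") p = kv[2]
        }
        print s, t, cls, perm, p
    }'
}

# Map each summary line to the remediation area from the notes above.
avc_hint() {
    while read -r src tgt cls perm p; do
        case "$cls" in
            tcp_socket|udp_socket) area="port label (semanage port) or boolean (setsebool)" ;;
            file|dir|lnk_file)     area="file label (semanage fcontext + restorecon)" ;;
            *)                     area="other (check sealert)" ;;
        esac
        if [ "$p" = "1" ]; then mode="permissive (logged only)"; else mode="enforcing (blocked)"; fi
        printf '%s -> %s [%s] %s: %s; %s\n' "$src" "$tgt" "$cls" "$perm" "$area" "$mode"
    done
}

# Usage: replace the sample with `grep avc /var/log/audit/audit.log`
printf '%s\n' "$SAMPLE_AVC" | avc_summary | avc_hint
```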

Policy

  • selinux-policy-<version>.rpm is the policy database
  • SELINUXTYPE=targeted selects the set of policies to load
cat /etc/selinux/config
  • Check the booleans (the human-readable policy switches)
sestatus -b
  • Modify the policy
# Persistent: written to disk, so the setting survives a reboot
setsebool -P httpd_can_network_connect on
# On demand: not written to disk, so the setting is lost on reboot
setsebool httpd_can_network_connect on

Mode

  • Enforcing
    This is the default. In enforcing mode, if something happens on the system that is against the defined policy, the action will be both blocked and logged.

  • Permissive
    This mode will not actually block or deny anything from happening, however it will log anything that would have normally been blocked in enforcing mode.

  • Disabled
    Disabled is completely turned off, nothing is logged at all.

# The mode at boot is taken from the config file
$ vi /etc/selinux/config
SELINUX=enforcing
$ reboot
$ getenforce
Enforcing

# Set the mode on demand
$ setenforce 0
$ getenforce
Permissive
$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

Reference