Here is a very short 'Quick Reference' guide to manipulating some settings things with SELinux.
CHANGING SELINUX BOOLEANS
getsebool : Get's the values for various SELinux booleans.
Try:
This should return the status of that particular variable, for example:
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
Of course you can specify the boolean directly without using grep if you know it's name:
setsebool Use this command to change the value of a SELinux boolean variable. Example, the following will allow the httpd process to connect to a remote database server.
The -P option stands for "persistent," meaning the changes will persist after a reboot.
ENABLING OR DISABLING SELINUX
getenforce : will return the current status for SELinux
setenforce : will temporarily enable/disable SELinux
In Fedora/Redhat modify the /etc/selinux/config file to make the changes to the enforcement policy permanent.
MODIFYING SELINUX CONTEXTS TEMPORARILY
It's easy to manipulate SELinux contexts with the chcon command. For example if a process running as a particular user is not able to modify a file, check the context of that file by issuing the following command:
The Z option shows the SELinux context information for the files listed by the ls command.
For example, on Fedora / RedHat you might see the following contexts for the /var/log/httpd folder:
drwxr-xr-x root root user_u:object_r:var_log_t .
...
...
I created a new httpd log folder to increase the disk space available for logging; the SELinux context was by default set to:
drwxr-xr-x root root system_u:object_r:file_t
Therefore the httpd process was unable to write new log files in this folder. The context type was not set correctly to allow changes. Changing the context type required issuing the following command to ensure it matched the old httpd directories' settings.
UPDATE (2017-08-23) (The -c option has been removed and is no longer required: http://lists.gnu.org/archive/html/bug-coreutils/2008-10/msg00076.html)
This will relabel the file and the process will now be able to access it directly as needed.
NOTE: This is a temporary measure and only labels the file until the next reboot. Read on for a permanent solution.
MODIFYING SELINUX CONTEXTS PERMANENTLY
To make persistant modifications to SELinux contexts you must add an entry to the SELinux file context database: /etc/selinux/targeted/contexts/files/file_contexts.local. The semanage command will do just that. The next step is to apply the change by running the restorecon command against the file to be modified.
First, add a new record for the file /var/log/httpd with the command:
-a adds the file to /etc/selinux/targeted/contexts/files/file_contexts.local
-s specifies the SELinux user
-t specifies the SELinux type
This change has not yet been applied to the file and will only occur during the next reboot when the filesystem is relabeled. However to execute the change now use the restorecon command:
CHANGING SELINUX BOOLEANS
getsebool : Get's the values for various SELinux booleans.
Try:
| |
This should return the status of that particular variable, for example:
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
Of course you can specify the boolean directly without using grep if you know it's name:
| |
setsebool Use this command to change the value of a SELinux boolean variable. Example, the following will allow the httpd process to connect to a remote database server.
| |
The -P option stands for "persistent," meaning the changes will persist after a reboot.
ENABLING OR DISABLING SELINUX
getenforce : will return the current status for SELinux
setenforce : will temporarily enable/disable SELinux
In Fedora/Redhat modify the /etc/selinux/config file to make the changes to the enforcement policy permanent.
MODIFYING SELINUX CONTEXTS TEMPORARILY
It's easy to manipulate SELinux contexts with the chcon command. For example if a process running as a particular user is not able to modify a file, check the context of that file by issuing the following command:
| |
The Z option shows the SELinux context information for the files listed by the ls command.
For example, on Fedora / RedHat you might see the following contexts for the /var/log/httpd folder:
| |
drwxr-xr-x root root user_u:object_r:var_log_t .
...
...
I created a new httpd log folder to increase the disk space available for logging; the SELinux context was by default set to:
drwxr-xr-x root root system_u:object_r:file_t
Therefore the httpd process was unable to write new log files in this folder. The context type was not set correctly to allow changes. Changing the context type required issuing the following command to ensure it matched the old httpd directories' settings.
| |
UPDATE (2017-08-23) (The -c option has been removed and is no longer required: http://lists.gnu.org/archive/html/bug-coreutils/2008-10/msg00076.html)
This will relabel the file and the process will now be able to access it directly as needed.
NOTE: This is a temporary measure and only labels the file until the next reboot. Read on for a permanent solution.
MODIFYING SELINUX CONTEXTS PERMANENTLY
To make persistant modifications to SELinux contexts you must add an entry to the SELinux file context database: /etc/selinux/targeted/contexts/files/file_contexts.local. The semanage command will do just that. The next step is to apply the change by running the restorecon command against the file to be modified.
First, add a new record for the file /var/log/httpd with the command:
| |
-a adds the file to /etc/selinux/targeted/contexts/files/file_contexts.local
-s specifies the SELinux user
-t specifies the SELinux type
This change has not yet been applied to the file and will only occur during the next reboot when the filesystem is relabeled. However to execute the change now use the restorecon command:
| |
No comments:
Post a Comment