Selinux: difference between revisions
Revision as of 13:49, 8 Apr 2015
Troubleshooting
List blocked things from SElinux
grep AVC /var/log/audit/audit.log
List problems that can be solved using booleans
audit2allow -w -a | grep -C 10 setsebool
Examples applied:
setsebool -P httpd_builtin_scripting=1
setsebool -P httpd_enable_cgi=1
setsebool -P httpd_can_network_memcache 1
setsebool -P named_write_master_zones 1
setsebool -P nis_enabled 1
setsebool -P httpd_can_network_connect 1
setsebool -P httpd_setrlimit 1
setsebool -P httpd_unified 1
List all booleans and their current values:
getsebool -a
List problems
Explain the problems:
audit2allow -w -a
Show the policy rules required to correct the problems:
audit2allow -a
It may be that a policy is already added and the problem is already solved. In this case a message similar to
#!!!! This avc is allowed in the current policy
will be displayed.
List the problems for ssh only (audit2allow reads the filtered records from standard input; adding -a here would make it read the whole audit log instead of the pipe):
grep ssh /var/log/audit/audit.log.* | audit2allow
Generate a policy module from those records:
grep ssh /var/log/audit/audit.log.* | audit2allow -M selinux-marti-ssh
Add the generated policy module:
semodule -i selinux-marti-ssh.pp
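Before turning denials into a custom module it helps to see which (source type, target type, class, permission) combinations the log actually contains, so that a boolean or a port label can be chosen instead of a blanket allow rule. The script below is an added example, not part of the original wiki page or of the audit2allow tooling: it summarises AVC records from a file the same way one would read the grep output above. The audit lines it parses are constructed sample data, not a real capture.

```shell
#!/bin/sh
# Added example: offline triage of SELinux AVC denials from an audit.log-style file.
# Prints one line per distinct (source type, target type, class, permission) with a count,
# most frequent first. The sample log is constructed for this example.

SAMPLE_LOG="${TMPDIR:-/tmp}/avc-sample-$$.log"
cat > "$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1428500000.123:101): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=11211 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1428500001.456:102): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=11211 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1428500002.789:103): avc:  denied  { name_bind } for  pid=2222 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1428500002.789:103): arch=c000003e syscall=49 success=no exit=-13
EOF

# summarize_avc FILE
# Output format: "<count> <source_type> <target_type> <class> <permission>"
summarize_avc() {
    grep 'type=AVC' "$1" \
    | awk '{
        perm = ""; s = ""; t = ""; c = "";
        for (i = 1; i <= NF; i++) {
            # the denied permission sits between "{" and "}"
            if ($i == "{") perm = $(i + 1);
            # scontext=user:role:type:level -> third colon-separated field is the type
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3]; }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); t = b[3]; }
            # strip the 7-character "tclass=" prefix
            if ($i ~ /^tclass=/) { c = substr($i, 8); }
        }
        key = s " " t " " c " " perm; n[key]++
      }
      END { for (k in n) print n[k], k }' \
    | sort -rn
}

# count_denials FILE: total number of AVC denial records in the file
count_denials() {
    grep -c 'avc:  denied' "$1"
}

# Stand-alone run: summarise the constructed sample.
summarize_avc "$SAMPLE_LOG"
```

Run it against a real log with `summarize_avc /var/log/audit/audit.log`. A row such as `httpd_t memcache_port_t tcp_socket name_connect` points straight at the httpd_can_network_memcache boolean used above, and `sshd_t unreserved_port_t tcp_socket name_bind` at the port labelling in the next section, which is a narrower fix than a generated allow rule.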
Add new port to service
List ports assigned:
semanage port -l | grep ssh
Add a port that is not yet assigned to any type:
semanage port -a -t ssh_port_t -p tcp 2222
Modify a port that is already assigned to another type (m=modify):
semanage port -m -t ssh_port_t -p tcp 23