SELinux
Tutorial
- https://www.digitalocean.com/community/tutorials/an-introduction-to-selinux-on-centos-7-part-1-basic-concepts
- https://www.digitalocean.com/community/tutorials/an-introduction-to-selinux-on-centos-7-part-2-files-and-processes
- https://www.digitalocean.com/community/tutorials/an-introduction-to-selinux-on-centos-7-part-3-users
Troubleshooting
List what SELinux has blocked (AVC denials in the audit log):
grep AVC /var/log/audit/audit.log
List problems that can be solved by switching a boolean:
audit2allow -w -a | grep -C 10 setsebool
Examples applied (-P makes the change persistent across reboots):
setsebool -P httpd_builtin_scripting=1
setsebool -P httpd_enable_cgi=1
setsebool -P httpd_can_network_memcache 1
setsebool -P named_write_master_zones 1
setsebool -P nis_enabled 1
setsebool -P httpd_can_network_connect 1
setsebool -P httpd_setrlimit 1
setsebool -P httpd_unified 1
List all booleans and their current values:
getsebool -a
List problems
Explain the problems:
audit2allow -w -a
Show the policy list required to correct the problems:
audit2allow -a
It may be that a policy module is already installed and the problem is already solved. In this case a message similar to
#!!!! This avc is allowed in the current policy
is displayed.
List the problems for ssh only (audit2allow reads the filtered records from stdin, so -a must not be given, otherwise it ignores the pipe and reads the whole audit log):
grep ssh /var/log/audit/audit.log* | audit2allow
Generate a policy module (selinux-marti-ssh.te and selinux-marti-ssh.pp) from those records:
grep ssh /var/log/audit/audit.log* | audit2allow -M selinux-marti-ssh
Install the generated policy module:
semodule -i selinux-marti-ssh.pp
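Before running audit2allow it helps to see which domains are being denied what; the following helper is an added example, not part of this wiki page, and it works on constructed sample records (the SAMPLE_AVC string) shaped like the AVC lines in /var/log/audit/audit.log. It groups "denied" records by source domain, target type, class and permission so you can decide whether a boolean, a label fix or a custom module is the right answer.

```sh
#!/bin/sh
# Constructed sample records (not taken from a real system) in the format
# that the kernel writes to /var/log/audit/audit.log.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=11211 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000001.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=11211 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000002.789:458): avc:  denied  { write } for  pid=2222 comm="named" name="db.example" dev="dm-0" ino=1234 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000002.789:458): arch=c000003e syscall=2 success=no exit=-13'

# avc_summary: read audit records on stdin and print one line per distinct
# (source type, target type, class, permission) prefixed with how many times
# it was denied, most frequent first. Only type=AVC "denied" records count;
# SYSCALL records and USER_AVC (dbus/systemd) records are ignored.
avc_summary() {
  awk '
    /^type=AVC / && / denied / {
      # the permission list sits between the braces: { read write }
      perms = $0
      sub(/.*denied +[{] */, "", perms)
      sub(/ *[}].*/, "", perms)
      s = ""; t = ""; c = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) s = substr($i, 10)
        else if ($i ~ /^tcontext=/) t = substr($i, 10)
        else if ($i ~ /^tclass=/) c = substr($i, 8)
      }
      # keep only the type field (user:role:type:level) of each context
      split(s, sa, ":"); split(t, ta, ":")
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++) count[sa[3] " -> " ta[3] " " c " " p[j]]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# Usage on a live system: grep AVC /var/log/audit/audit.log | avc_summary
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

In the sample the httpd_t -> memcache_port_t line is exactly the case that the httpd_can_network_memcache boolean above covers, while a named_t write denial on named_zone_t points at named_write_master_zones.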
Add new port to service
List the ports assigned to ssh:
semanage port -l | grep ssh
Add a port that is not yet assigned to any type:
semanage port -a -t ssh_port_t -p tcp 2222
Reassign a port that already belongs to another type (-m = modify):
semanage port -m -t ssh_port_t -p tcp 23
Files contexts
List contexts:
ls -Z
cp adopts the context of the destination directory; mv keeps the original context of the file.
Change context of file:
chcon -t named_conf_t named.conf
Show only which files differ from the default context, without changing anything (-n = dry run):
restorecon -Rv -n /etc/httpd
Actually change to the default context:
restorecon -Rv /etc/httpd