Mighty SELinux cheat sheet

October 14, 2016
selinux-penguin-new_medium

Cheat sheet for SELinux( Security-Enhanced Linux ) . More information about the project at https://selinuxproject.org/. All commands tested on CentOS release 6.8 (Final).

Logs

Everything:

$ less /var/log/audit/audit.log

Human readable:

$ less /var/log/messages

Commands:

Status

$ sestatus

Permissive/Enforcing

$ setenforce 0/1

More information about sealert (these are in /var/log/messages)

$ sealert -l IDHERE

Show all booleans

$ getsebool -a

List all stuffs which are in permissive

$ semodule -l|grep "permissive"

Check file/directory context

$ ls -Z

Check process context

$ ps aux -Z

Check network related information

$ netstat -Z
$ netstat -atZ

List audits to allow(based on selinux alerts)

$ audit2allow -a

Create policy based on audits to allow list

$ audit2allow -a -M fancypolicynameofyourchoice

Activate the policy

$ semodule -i fancypolicynameofyourchoice.pp

Set something to Permissive/Enforcing(httpd in this example)

$ semanage permissive -a httpd_t
$ semanage permissive -d httpd_t

Copy context to file/directory from existing file/directory

$ chcon -R --reference /source /destination

Creating your own policy (te -> pp)

$ checkmodule -M -m -o fancypolicynameofyourchoice.mod fancypolicynameofyourchoice.te
$ semodule_package -o fancypolicynameofyourchoice.pp -m fancypolicynameofyourchoice.mod

Activate your own policy

$ semodule -i fancypolicynameofyourchoice.pp

Example of a basic custom module

This module will allow httpd to open files in tmp context(/tmp)

module fancy_example_policy 1.0;

require {
type httpd_t;
type tmp_t;
class file { open };
}

allow httpd_t tmp_t:file open;

Remove activated policy

$ semodule -r fancy_example_policy

Learn

http://www.linuxtopia.org/online_books/getting_started_with_SELinux/SELinux_overview.html
http://danwalsh.livejournal.com/

Leave a Reply