Cheat sheet for SELinux (Security-Enhanced Linux). More information about the project at https://selinuxproject.org/. All commands tested on CentOS release 6.8 (Final).
Logs
Everything:
$ less /var/log/audit/audit.log
Human readable:
$ less /var/log/messages
Commands:
Status
$ sestatus
Switch to permissive (0) or enforcing (1) mode; this is not persistent across reboots (the boot-time mode comes from /etc/selinux/config)
$ setenforce 0/1
More information about one alert (the alert IDs are printed in /var/log/messages)
$ sealert -l IDHERE
Show all booleans
$ getsebool -a
List all domains that are in permissive mode (semanage permissive creates a module named permissive_<type> for each one)
$ semodule -l|grep "permissive"
Check file/directory context
$ ls -Z
Check process context
$ ps aux -Z
Check network-related information (socket contexts)
$ netstat -Z
$ netstat -atZ
Generate allow rules from the logged denials (audit2allow reads the audit log)
$ audit2allow -a
Create a policy module (.pp) from the same denials
$ audit2allow -a -M fancypolicynameofyourchoice
Activate the policy
$ semodule -i fancypolicynameofyourchoice.pp
Put a single domain in permissive mode / back to enforcing (httpd_t in this example); the rest of the system stays in its current mode
$ semanage permissive -a httpd_t
$ semanage permissive -d httpd_t
Copy the context of an existing file/directory to another file/directory (labels set with chcon do not survive a relabel with restorecon; use semanage fcontext for a persistent rule)
$ chcon -R --reference /source /destination
Compiling your own policy module (.te -> .mod -> .pp)
$ checkmodule -M -m -o fancypolicynameofyourchoice.mod fancypolicynameofyourchoice.te
$ semodule_package -o fancypolicynameofyourchoice.pp -m fancypolicynameofyourchoice.mod
Activate your own policy
$ semodule -i fancypolicynameofyourchoice.pp
Example of a basic custom module
This module allows processes in the httpd_t domain to open files labelled tmp_t (the default label under /tmp)
module fancy_example_policy 1.0;

require {
    type httpd_t;
    type tmp_t;
    class file { open };
}

allow httpd_t tmp_t:file open;
Remove activated policy
$ semodule -r fancy_example_policy
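Added example tying the Logs, audit2allow and custom-module sections together (my own script, not part of the original cheat sheet): it extracts the denied permissions from AVC records in audit.log format, writes the same kind of .te module that audit2allow -M produces, and, only where the SELinux tools exist, compiles and loads it with the checkmodule / semodule_package / semodule steps above. The audit records are constructed for this example, the module name fancy_example_policy is reused from the page, and the function names parse_avc_denials, make_te_module and build_and_install are my own.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: parse AVC denials out of
# audit.log records the way audit2allow does, emit a .te policy module from
# them, and (only where the SELinux tools exist) compile and load it.
# The audit records below are constructed for this example.

AUDIT_SAMPLE=$(cat <<'EOF'
type=AVC msg=audit(1480000000.123:456): avc:  denied  { open } for  pid=1234 comm="httpd" path="/tmp/upload.txt" dev="dm-0" ino=789 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1480000000.124:457): avc:  denied  { read } for  pid=1234 comm="httpd" path="/tmp/upload.txt" dev="dm-0" ino=789 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1480000000.124:457): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
EOF
)

# Read audit records on stdin; print "source_type target_type class perm",
# one line per denied permission (granted records and non-AVC lines are skipped).
parse_avc_denials() {
    awk '
    /type=AVC/ && /denied/ {
        lb = index($0, "{"); rb = index($0, "}")
        perms = substr($0, lb + 1, rb - lb - 1)          # text between { and }
        s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, x, ":"); s = x[3] }   # user:role:TYPE:level
            if ($i ~ /^tcontext=/) { split($i, x, ":"); t = x[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }             # drop "tclass="
        }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print s, t, c, p[j]
    }'
}

# Read audit records on stdin; write a policy module source (the shape that
# "audit2allow -a -M <name>" produces) to stdout. $1 is the module name.
make_te_module() {
    parse_avc_denials | sort -u | awk -v name="$1" '
    {
        types[$1] = 1; types[$2] = 1
        cp[$3, $4] = 1                       # class/permission pairs for require {}
        rule = $1 " " $2 ":" $3
        rules[rule] = rules[rule] " " $4     # collect perms per (source, target:class)
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (t in types) printf "\ttype %s;\n", t
        for (k in cp) { split(k, kk, SUBSEP); cls[kk[1]] = cls[kk[1]] " " kk[2] }
        for (c in cls) printf "\tclass %s {%s };\n", c, cls[c]
        printf "}\n\n"
        for (r in rules) printf "allow %s {%s };\n", r, rules[r]
    }'
}

# Compile and load <name>.te with the checkmodule / semodule_package / semodule
# steps from the cheat sheet. Returns 2 when the tools are not installed.
build_and_install() {
    command -v checkmodule >/dev/null 2>&1 || return 2
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp"
}

# Stand-alone run: show the module the constructed sample would produce.
# On a real host: grep AVC /var/log/audit/audit.log | make_te_module NAME > NAME.te
printf '%s\n' "$AUDIT_SAMPLE" | make_te_module fancy_example_policy
```

The generated module grants exactly the permissions that were denied, so read the allow lines before running build_and_install: a denial can mean a mislabelled file (fix with chcon/restorecon) or a process doing something it should not, and in neither case is widening the policy the right response.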
Learn
http://www.linuxtopia.org/online_books/getting_started_with_SELinux/SELinux_overview.html
http://danwalsh.livejournal.com/