selinux¶

Security Enhanced Linux

Notes¶

• Tutorial Video: https://www.youtube.com/watch?v=MxjenQ31b70
• CentOS HowTo: http://wiki.centos.org/HowTos/SELinux
• Labels are in user:role:type:level(optional)
• Logs go in /var/log/audit/audit.log and /var/log/messages

• Additional tools:

• semanage and more are included in CentOS package policycoreutils

• setroubleshoot has a bunch of tools included. Lots of prerequisites
• setroubleshoot-server has a bunch of tools included. Lots of prerequisites

Examples¶

Show status of selinux¶

sestatus
getenforce

Disable without rebooting¶

echo 0 >/selinux/enforce

or...

setenforce 0

List selinux contexts for processes¶

ps auxZ

List selinux contexts for processes that have open sockets¶

lsof -i -Z # See `man lsof` for more specific selinux syntaxes

List selinux contexts for the current user¶

id -Z

List selinux contexts for files¶

ls -lZ

Recursively set a context type¶

chcon -R -t httpd_sys_content_t sole

Copy the selinux context from another file or directory¶

chcon --reference /file/or/dir/to/reference /target/file

Restore default contexts¶

This command restores the contexts as referenced in /etc/selinux/targeted/contexts/files/file_contexts

restorecon /path/to/broken/file
restorecon -vR /path/to/broken/dir

Restore defaults context automatically at system reboot¶

This should take roughly the same amount of time as a fsck would.

touch /.autorelabel

Define a default context for a directory¶

semanage fcontext -a /z5/sole

Define a default context for a directory, using a reference from the original policy¶

semanage fcontext -a -e /var/www /z5/sole
cat /etc/selinux/targeted/contexts/files/file_contexts.subs # view the result

List policies¶

semanage port -l
semanage user -l

Show selinux booleans¶

getsebool -a

Permanetnly set an selinux boolean¶

setsebool -P booleanname 1