SELinux: Difference between revisions
Latest revision as of 15:14, 27 September 2022
- https://en.wikipedia.org/wiki/Security-Enhanced_Linux
- https://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf
- http://www.freekb.net/Article?id=1418 – SELinux - Change context of a file or directory (chcon restorecon semanage) !!!!!
- http://www.freekb.net/Article?id=1169 – SELinux - Determine context of a file or directory
- https://www.man7.org/linux/man-pages/man8/semanage.8.html
- https://www.man7.org/linux/man-pages/man8/semanage-fcontext.8.html
- https://www.man7.org/linux/man-pages/man8/restorecon.8.html
learning.oreilly.com :
- https://learning.oreilly.com/topics/selinux/
- https://learning.oreilly.com/library/view/selinux-system-administration/9781800201477/
- https://learning.oreilly.com/library/view/selinux-cookbook/9781783989669/
access.redhat.com :
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/changing-selinux-states-and-modes_using-selinux
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index#selinux-states-and-modes_getting-started-with-selinux
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index#changing-selinux-states-and-modes_using-selinux
setenforce / getenforce
- https://www.man7.org/linux/man-pages/man8/setenforce.8.html
- https://www.man7.org/linux/man-pages/man8/getenforce.8.html
<pre>
root@… $ setenforce [Enforcing|Permissive|1|0]
root@… $ getenforce
root@… $ sestatus
</pre>
context of a file
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-working_with_selinux-selinux_contexts_labeling_files
- https://www.man7.org/linux/man-pages/man8/semanage.8.html
- https://www.man7.org/linux/man-pages/man8/semanage-fcontext.8.html
- http://www.freekb.net/Article?id=1418 !!!!!
- https://www.gnu.org/software/coreutils/manual/html_node/chcon-invocation.html – Change SELinux context of file
So far my usual approach for getting the SELinux context of a file right is:
<pre>
# find a file with the right context! ("FILE_WITH_RIGHT_CONTEXT")
$ ll --context FILE_WITH_RIGHT_CONTEXT
# rename the file, whose context isn't right, to FILE- or so!
$ mv FILE FILE-
# …
# --archive (-a) keeps mode, owner, timestamps and the SELinux context of the copy
$ cp --archive FILE_WITH_RIGHT_CONTEXT FILE
# …
# overwrite the content in place, so FILE keeps the copied context
$ cat FILE- > FILE
# …
$ rm FILE-
…
</pre>
What "ll -Z" (resp. "ll --context") displays in addition to the usual "ll" output is made up of:
- a SELinux_USER_CONTEXT (unconfined_u) -> "semanage fcontext --modify --seuser"
- a ROLE (object_r)
- a TYPE_CONTEXT (user_home_t) -> "semanage fcontext --modify --type"
- a level AKA RANGE (s0) -> "semanage fcontext "
CAVEAT: chcon does not work well with restorecon: restorecon resets the context to what the file-context policy (the semanage fcontext rules) specifies, so it effectively restores the old context and undoes a chcon-only change.
<pre>
root@… $ semanage fcontext --add/--modify --seuser SELinux_USER_CONTEXT --role ROLE --type TYPE_CONTEXT /usr/local/foo.txt
root@… $ chcon --no-dereference --user SELinux_USER_CONTEXT --role ROLE --type TYPE_CONTEXT --range RANGE /usr/local/foo.txt
root@… $ restorecon -vF /usr/local/foo.txt # -v for verbose, -F for force reset
</pre>
So for a systemd service file you would usually execute these two (or three) command lines:
<pre>
# --add for a new file-context rule, --modify if a rule for this path already exists
root@… $ semanage fcontext --add/--modify --seuser system_u --role object_r --type systemd_unit_file_t /usr/lib/systemd/system/tomcat.service
root@… $ chcon --no-dereference --user system_u --role object_r --type systemd_unit_file_t --range s0 /usr/lib/systemd/system/tomcat.service
root@… $ restorecon -vF /usr/lib/systemd/system/tomcat.service
</pre>
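The workflow above (read a reference file's context, add the semanage fcontext rule, chcon, restorecon) as a dry-run POSIX shell script. This is an added example, not code from the wiki page: the function names, the sample contexts and the sshd.service reference path are constructed for it, and reading a real context relies on GNU coreutils `stat -c %C`. It goes beyond the page in two ways: it escapes regex metacharacters in the path, because the FILE_SPEC argument of semanage fcontext is a regular expression, and it compares a policy context with an on-disk context field by field, which is exactly the difference restorecon acts on in the CAVEAT above.

```shell
#!/bin/sh
# Added example (not from the wiki page): plan the semanage fcontext /
# chcon / restorecon steps from a reference file's context, without
# executing anything that needs root or SELinux.

# Split "user:role:type:level" into CTX_USER CTX_ROLE CTX_TYPE CTX_LEVEL.
# The level may itself contain ':' (e.g. s0-s0:c0.c1023 on MLS/MCS), so
# only the first three fields are split off; fewer than four fields fails.
split_context() {
    case $1 in *:*:*:*) ;; *) return 1 ;; esac
    ctx=$1
    CTX_USER=${ctx%%:*};  ctx=${ctx#*:}
    CTX_ROLE=${ctx%%:*};  ctx=${ctx#*:}
    CTX_TYPE=${ctx%%:*};  CTX_LEVEL=${ctx#*:}
    [ -n "$CTX_USER" ] && [ -n "$CTX_ROLE" ] && [ -n "$CTX_TYPE" ]
}

# Regex-escape a path for semanage fcontext, whose FILE_SPEC is a regular
# expression ("tomcat.service" would otherwise also match "tomcatXservice").
regex_escape() {
    printf '%s' "$1" | sed 's/[][\\.*^$+?(){}|]/\\&/g'
}

# Build the semanage fcontext command for a context ($1) and a path ($2).
# $3 selects --add (new rule) or --modify (rule exists); default --add.
fcontext_cmd() {
    split_context "$1" || return 1
    printf "semanage fcontext %s --seuser %s --role %s --type %s '%s'" \
        "${3:---add}" "$CTX_USER" "$CTX_ROLE" "$CTX_TYPE" "$(regex_escape "$2")"
}

# Compare the context the policy will apply ($1) with the context currently
# on disk ($2). Prints the names of the fields that differ and returns 1 if
# any do: these are the fields restorecon would reset, i.e. why a
# chcon-only change does not survive a relabel.
context_diff() {
    split_context "$1" || return 2
    want_u=$CTX_USER; want_r=$CTX_ROLE; want_t=$CTX_TYPE; want_l=$CTX_LEVEL
    split_context "$2" || return 2
    changed=""
    [ "$want_u" = "$CTX_USER" ]  || changed="$changed user"
    [ "$want_r" = "$CTX_ROLE" ]  || changed="$changed role"
    [ "$want_t" = "$CTX_TYPE" ]  || changed="$changed type"
    [ "$want_l" = "$CTX_LEVEL" ] || changed="$changed level"
    printf '%s' "${changed# }"
    [ -z "$changed" ]
}

# Dry run: print the three commands from the page for relabelling TARGET
# ($1) like REFERENCE ($2). The reference context is read with
# `stat -c %C` (GNU coreutils, SELinux host) unless supplied as $3.
plan_relabel() {
    target=$1 reference=$2
    ctx=${3:-$(stat -c %C "$reference" 2>/dev/null)}
    split_context "$ctx" || { echo "no usable SELinux context for $reference" >&2; return 1; }
    fcontext_cmd "$ctx" "$target"; echo
    printf "chcon --no-dereference --user %s --role %s --type %s --range %s '%s'\n" \
        "$CTX_USER" "$CTX_ROLE" "$CTX_TYPE" "$CTX_LEVEL" "$target"
    printf "restorecon -vF '%s'\n" "$target"
}

# Constructed demonstration: the page's tomcat.service case with an
# explicitly supplied reference context (sshd.service is a placeholder
# reference path), then the fields restorecon would change on a file that
# was only chcon'ed to a user_home_t context.
plan_relabel /usr/lib/systemd/system/tomcat.service /usr/lib/systemd/system/sshd.service \
    'system_u:object_r:systemd_unit_file_t:s0'
printf 'fields restorecon would change: %s\n' \
    "$(context_diff 'system_u:object_r:systemd_unit_file_t:s0' 'unconfined_u:object_r:user_home_t:s0')"
```

Run with `sh relabel-plan.sh`; on an SELinux host, drop the third argument of `plan_relabel` and the reference context is read from the file itself. Only the printed commands change labels, and the semanage rule is what makes the label survive a later restorecon or full relabel; chcon alone is immediate but temporary, as `context_diff` makes visible.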
More examples:
…