SELinux: Difference between revisions

Latest revision as of 16:14, 27 September 2022

learning.oreilly.com :

access.redhat.com :

  • https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index#selinux-states-and-modes_getting-started-with-selinux
  • https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index#changing-selinux-states-and-modes_using-selinux

setenforce / getenforce

  • https://www.man7.org/linux/man-pages/man8/setenforce.8.html
  • https://www.man7.org/linux/man-pages/man8/getenforce.8.html

root@… $ setenforce [Enforcing|Permissive|1|0]
root@… $ getenforce
root@… $ sestatus

context of a file

So far my usual approach for getting the SELinux context of a file right is:

# find a file that already carries the right context ("FILE_WITH_RIGHT_CONTEXT")!
$ ll --context FILE_WITH_RIGHT_CONTEXT
# move the file whose context is wrong out of the way, e.g. to FILE-!
$ mv FILE FILE-
# …
$ cp --archive FILE_WITH_RIGHT_CONTEXT FILE    # --archive (-a) also preserves the SELinux context
# …
$ cat FILE- > FILE                              # overwrite the content in place; the label of FILE stays
# …
$ rm FILE-
…

What "ll -Z" (resp. "ll --context") shows in addition to the usual "ll" output is the file's SELinux context, whose four fields are called:

  • a SELinux_USER_CONTEXT (unconfined_u) -> "semanage fcontext --modify --seuser"
  • a ROLE (object_r)
  • a TYPE_CONTEXT (user_home_t) -> "semanage fcontext --modify --type"
  • a level AKA RANGE (s0) -> "semanage fcontext "

CAVEAT: chcon does not work well with restorecon. chcon only relabels the file on disk and leaves the policy's file-context database untouched, so the next restorecon (or a full relabel) effectively restores the old context.

root@… $ semanage fcontext --add --seuser SELinux_USER_CONTEXT --type TYPE_CONTEXT --range RANGE /usr/local/foo.txt    # --modify instead of --add if an entry for the path already exists; a file's role is always object_r and has no semanage option
root@… $ chcon --no-dereference --user SELinux_USER_CONTEXT --role ROLE --type TYPE_CONTEXT --range RANGE /usr/local/foo.txt    # one-off relabel on disk only

root@… $ restorecon -vF /usr/local/foo.txt     # -v for verbose, -F for force reset (user, role and range too, not only the type)

So for a systemd service file you would usually execute these two command lines (three, if you also want the immediate chcon relabel):

root@… $ semanage fcontext --add --seuser system_u --type systemd_unit_file_t --range s0 /usr/lib/systemd/system/tomcat.service
root@… $ chcon --no-dereference --user system_u --role object_r --type systemd_unit_file_t --range s0 /usr/lib/systemd/system/tomcat.service

root@… $ restorecon -vF /usr/lib/systemd/system/tomcat.service
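As an added example (not from this wiki page), the following POSIX shell script splits a context string as printed by "ll --context" into its four fields, builds the persistent semanage fcontext + restorecon pair for a path, and reports which fields of the on-disk label differ from the policy default (what "matchpathcon PATH" would print), i.e. the drift a bare chcon leaves behind. The function names and all sample contexts are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the wiki page: parse USER:ROLE:TYPE:RANGE contexts,
# emit the persistent relabel commands, and detect chcon drift against the
# policy default. All sample values below are constructed.

# Print one field (user, role, type or range) of USER:ROLE:TYPE:RANGE.
# The range itself may contain colons (e.g. s0-s0:c0.c1023), so it is
# taken as everything after the third colon.
ctx_field() {
  ctx=$1
  case $2 in
    user)  printf '%s\n' "${ctx%%:*}" ;;
    role)  rest=${ctx#*:};   printf '%s\n' "${rest%%:*}" ;;
    type)  rest=${ctx#*:*:}; printf '%s\n' "${rest%%:*}" ;;
    range) printf '%s\n' "${ctx#*:*:*:}" ;;
    *)     return 1 ;;
  esac
}

# Commands that make CTX persistent for PATH: user, type and range go into
# the file-context database (a file's role is always object_r and has no
# semanage fcontext option), then restorecon -F applies that entry.
persist_cmds() {
  path=$1 ctx=$2
  printf 'semanage fcontext --add --seuser %s --type %s --range %s %s\n' \
    "$(ctx_field "$ctx" user)" "$(ctx_field "$ctx" type)" \
    "$(ctx_field "$ctx" range)" "$path"
  printf 'restorecon -vF %s\n' "$path"
}

# Space-separated names of the fields in which ONDISK differs from POLICY.
# Any output means restorecon -F would rewrite the label, which is exactly
# the state a plain chcon leaves (restorecon without -F resets only the type).
drifted_fields() {
  ondisk=$1 policy=$2 out=""
  for f in user role type range; do
    [ "$(ctx_field "$ondisk" "$f")" = "$(ctx_field "$policy" "$f")" ] || out="$out $f"
  done
  printf '%s\n' "${out# }"
}

# Constructed sample: a unit file relabelled with chcon but without an
# fcontext entry, so the policy default still says user_home_t.
ONDISK='system_u:object_r:systemd_unit_file_t:s0'
POLICY='unconfined_u:object_r:user_home_t:s0'
persist_cmds /usr/lib/systemd/system/tomcat.service "$ONDISK"
drifted_fields "$ONDISK" "$POLICY"   # prints: user type
```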

More examples: