SELinux and AppArmor Flashcards
Conf file where policies are defined (SELINUX mode and SELINUXTYPE)
/etc/selinux/config
View current SELinux mode
getenforce
sestatus
Set SELinux mode
setenforce enforcing = setenforce 1
setenforce permissive = setenforce 0
Relabel files on a system with SELinux labeling
touch /.autorelabel
and reboot the PC
Labels, SELinux context
ls -Z
netstat -lZ
ps auxZ
user - _u
role - _r
type - _t
Change SELinux context
- chcon -t httpd_sys_content_t /var/www/html/index.html
Note: a chcon change will not survive a relabeling process. If we are not sure what the type should be, we can reference a known-good file and copy its context:
- chcon --reference /var/www/html /var/www/html/index.html
To make the change persistent (survives relabeling), record it in the file context policy and then apply it:
- semanage fcontext -a -t httpd_sys_content_t /var/www/html/index.html
+
restorecon -v /var/www/html/index.html
Restore context to default type
restorecon -vR /var/www/html
-R - recursive
-v - verbose
List all SE booleans
getsebool -a
getsebool -a | grep httpd
List booleans with descriptions
semanage boolean -l
Enable/Disable SE booleans
setsebool -P
-P - persistent
setsebool -P ftpd_anon_write on
setsebool -P ftpd_anon_write off
Generate a report with SELinux issues
- sealert -a /var/log/audit/audit.log
Troubleshooting SE with journalctl
- journalctl -xe
- -x - add explanation text
- -e - jump to the end
View mapping of Linux to SELinux users
semanage login -l
Map existing Linux user to SELinux user
semanage login -a -s [SELinux user] [Linux User]
-a - add
-m - modify
semanage login -a -s "staff_u" cloud_user
semanage login -m -S targeted -s "user_u" -r s0 __default__
Identify Linux user mapped to SELinux user
id -Z
Delete SELinux user mapping
semanage login -d [Linux user]
-d - delete
semanage login -d cloud_user
Check SE users configured
semanage user -l