selinux

Question 1

How do you list the ports allowed for http ?

Answer 1

semanage port -l | grep http

Question 2

Where are the audit logs for selinux?

Answer 2

/var/log/audit/audit.log

Question 3

How do you get the status of selinux?

Answer 3

getenforce

Question 4

What is the context attibuted to nginx by selinux?

Answer 4

httpd

Question 5

How do you authorize another port for httpd context? For instance, port 5000?

Answer 5

semanage port -m -t http_port_t -p tcp 5000

Question 6

What is the wider alternative to allow nginx to network and how can you set it and remove it?

Answer 6

To enable:
setsebool -P httpd_can_network_connect 1
To disable:
setsebool -P httpd_can_network_connect 0

Question 7

If you have an error in the selinux log how can investigate the error and understand why it’s happening? Let’s say the id is:
1694301099.423:104

Answer 7

grep 1694301099.423:104 /var/log/audit/audit.log | audit2why

Question 8

How can you investigate errors related to the httpd context?

Answer 8

By putting the context in permissive mode:
semanage permissive -a httpd_t
This will log the errors instead of blocking them.

Question 9

How can you set the context for httpd to permissive mode?

Answer 9

semanage permissive -a httpd_t

Question 10

How do you remove the permissive mode for httpd if it’s enabled?

Answer 10

semanage permissive -d httpd_t

Question 11

Where is the selinux config?

Answer 11

/etc/sysconfig/selinux

Question 12

Create a command using grep to find the nginx denied error

Answer 12

grep nginx /var/log/audit/audit.log | \
grep denied