Each file, directory, and service on your system has a context that is used to prevent or allow actions.
To show the context of a file:
# ls -Z /home/user1
SELinux uses three different contexts to enforce security: user, role, and domain.
User:
unconfined_u Unprotected user
system_u System user
user_u Normal user
Role:
object_r File
system_r Users and processes
Domain:
unconfined_r Unprotected file or process
----------------------------------------------------------------------------------------------------------
Query the Boolean options available for the httpd service (Apache):
# getsebool -a | grep http
The semanage command can provide you with a description of each Boolean. It is also very useful if you need a specific setting changed. View the descriptions for the httpd service (Apache):
# semanage boolean -l | grep http
Change the value to disable protection of this particular option:
# setsebool -P httpd_enable_homedirs=1
------------------------------------------------------------------------------------------------------
SELinux Troubleshooting
# yum install -y policycoreutils-python policycoreutils selinux-policy setroubleshoot-server
Two common commands you can use to hunt for error messages include:
# grep "SELinux is preventing" /var/log/messages
# grep "denied" /var/log/audit/audit.log
/var/log/audit/audit.log Logs SELinux denials
/var/log/messages
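The grep for "denied" above returns raw AVC records. The following is an added example, not part of the original notes, that groups those records by source domain, permission, target type and class. The function names and the sample records are constructed for illustration; the records depict httpd being denied access to home-directory content, the case the httpd_enable_homedirs Boolean governs.

```bash
#!/usr/bin/env bash
# Constructed sample records in audit.log format (not taken from a real host).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:310): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:310): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1700000004.220:314): avc:  denied  { read } for  pid=2101 comm="httpd" name="about.html" dev="dm-0" ino=1312 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000009.007:320): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/home/user1/public_html" dev="dm-0" ino=1300 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=USER_AUTH msg=audit(1700000011.500:321): pid=900 uid=0 msg='op=PAM:authentication acct="user1" res=success'
EOF
}

# summarize_avc: read audit records on stdin and print, most frequent first,
# "<count> <source domain> <permission(s)> <target type>:<class>".
# On a real system: summarize_avc < /var/log/audit/audit.log
summarize_avc() {
  awk '
    /type=AVC/ && /denied/ {
      perm = ""; src = ""; tgt = ""; cls = ""
      # The denied permissions sit between the braces.
      if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        # A context is user:role:type:level, so the type is the third field.
        if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
        if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      count[src " " perm " " tgt ":" cls]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2
}

sample_audit_log | summarize_avc
```

Each output line names one distinct denial, which makes it easier to decide whether a Boolean or a file relabel is the appropriate response.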
To list all the Booleans with their current values and a brief description, use the following:
# semanage boolean -l | grep ftp