SELinux configuration basics

From Notes_Wiki
Revision as of 13:01, 9 November 2012 by Saurabh (talk | contribs) (Created page with "=SELinux Configuration Basics= In Fedora 12 SELinux comes enabled by default and using it we can improve the security of system. When we use SELinux all files, users and proc...")

SELinux Configuration Basics

In Fedora 12 SELinux comes enabled by default, and using it we can improve the security of the system. When we use SELinux, all files, users and processes have an SELinux context. An SELinux context consists of 'user:role:type:sensitivity:category'. Here 'user' refers to the user who logged into the system. After we log in, even if we use 'su -' to change our privilege level, the SELinux user remains the same. 'role' is 'object_r' for files and 'system_r' for users and processes. 'type' is the actual type of the object in question, and it is the field on which SELinux rules are enforced.


SELinux file context

Seeing current SELinux context

To see the current SELinux context we can use the 'ls -Zl' command (for a directory itself, add the '-d' option).


Changing SELinux context

We can change the SELinux context of files or directories recursively using

chcon -R <new_context> <files> <directories>

Verify with 'ls -lZ' after changing the context.

If we only want to change the type part of the context and not the entire context, we can use something like

chcon -R -t <new_type> <files> <directories>

We can also use a file whose context is known to be correct as a reference and set the same context on the destination files. For this we can use

chcon -R --reference=<file_with_correct_context> <files> <directories>



Disabling SELinux during troubleshooting

We can disable SELinux enforcement during troubleshooting to find out whether a problem is caused by SELinux or not. To disable enforcement (permissive mode) we can use

setenforce 0

To enable enforcement again we can use

setenforce 1


Seeing SELinux context of process

To see the SELinux context of a process we can use the '-Z' switch of the ps command. For example, to see the SELinux context of Apache, whose executable is named 'httpd', we can use

ps -ZC httpd


SELinux booleans

See value of all SELinux booleans

To see the value of all SELinux boolean parameters we can use

getsebool -a

We can also use 'ls /selinux/booleans' to see the names of the boolean variables.


Setting value of SELinux booleans

To set a value for an SELinux boolean we can use

setsebool -P <boolean_name> (1|0)

Here, -P makes the change permanent so that it persists across reboots. If we want the change to last only until the system reboots, omit the '-P' option so that only the running policy is affected.



SELinux ports

See SELinux context of ports

To see the SELinux context of ports we can use

semanage port -l


Add port to SELinux port context

To add a port to an SELinux port type we can use

semanage port -a -t <selinux_context_type> -p <protocol> <port_number>

Here, -a indicates port addition.


Delete port from SELinux port context

To delete a port from an SELinux port type we can use

semanage port -d -t <selinux_context_type> -p <protocol> <port_number>

Here, -d indicates port deletion.



SELinux file-context policy

Seeing current file-context policy

To see the current file-context policy use

semanage fcontext -l


Checking context against policy

We can check file contexts against the policy and, if required, change them to conform to the current SELinux policy. To check the context of files and directories without changing anything we can use

restorecon -nvr <path>

Here -n means no changes are performed (a dry run), -v is for verbose output and -r is for recursive checking.


Changing context to conform to policy

If we want to change contexts so that they conform to the SELinux policy we can use

restorecon -vr <path>

Here -r is for recursion and -v for verbose output, so that we know the names of the files whose context has been changed along with their old and new contexts.


Changing policy to define file-context based on path

restorecon uses the policy to check and restore the context of files based on their path. We can modify the policy so that restorecon restores the desired context on a path instead of the default one. To add a file-context rule for a particular path pattern use

semanage fcontext -a -t <desired_type> "<regular expression matching path>"

Here -a adds this rule to the policy. A very good example given in the man page is 'semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"'. Note how the '(/.*)?' pattern is used to include subdirectories while safely avoiding paths with names like '/webabc'.
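As an added example (not from the original page), the script below emulates what the 'restorecon -nvr' check and the '/web(/.*)?' fcontext rule above do together: it splits constructed 'ls -Z' style lines into the 'user:role:type:level' fields, anchors the fcontext regex against each whole path the way the policy matcher does, and reports files under the pattern whose type label does not conform. The sample contexts and paths are constructed for the demonstration and are not real system output.

```shell
#!/bin/sh
# Constructed sample in the shape of 'ls -Z' output (context, then path).
SAMPLE_LS_Z='unconfined_u:object_r:httpd_sys_content_t:s0 /web
unconfined_u:object_r:httpd_sys_content_t:s0 /web/index.html
unconfined_u:object_r:user_home_t:s0 /web/uploads/a.png
unconfined_u:object_r:user_home_t:s0 /webabc/x.txt'

# context_type CONTEXT: print the 'type' field of user:role:type:level
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# path_matches PATH PATTERN: succeed when the fcontext regex matches the
# whole path. Like the policy matcher, the pattern is anchored at both ends,
# which is why '/web(/.*)?' covers /web and /web/... but not /webabc.
path_matches() {
    printf '%s\n' "$1" | grep -Eq "^$2\$"
}

# nonconforming PATTERN TYPE: for every sample path matching PATTERN, print
# "path current_type -> expected_type" when its type differs from TYPE.
# This is the dry-run report 'restorecon -nv' would give for the rule.
nonconforming() {
    pattern=$1; want=$2
    printf '%s\n' "$SAMPLE_LS_Z" | while read -r ctx path; do
        path_matches "$path" "$pattern" || continue
        have=$(context_type "$ctx")
        [ "$have" = "$want" ] || printf '%s %s -> %s\n' "$path" "$have" "$want"
    done
}

# Usage: the man-page rule from the text, checked against the sample.
nonconforming '/web(/.*)?' httpd_sys_content_t
```

Only /web/uploads/a.png is reported; /webabc/x.txt is skipped because the anchored pattern does not match it.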