Level<\/li>\n<\/ul>\nIf we take example of a Apache web service, the httpd process usually access the folders “\/var\/ww\/html”, “\/var\/tmp”, “\/tmp”, etc.<\/p>\n
The Type<\/em> context associated with httpd service is httpd_t<\/strong>. The Type context associated with the folder “\/var\/ww\/html” is “httpd_sys_content_t<\/strong>“, the port is “http_port_t<\/strong>“, etc.<\/p>\nThe SELinux context can be displayed when using commands such as ps, ls, cp, mkdir. etc by using the “-Z<\/strong>” switch. For example:<\/p>\n[root@shiju-test ~]# ps -axZ | grep http<\/strong>
\nsystem_u:system_r:httpd_t:s0 11675 ? Ss 0:00 \/usr\/sbin\/httpd -DFOREGROUND<\/em>
\nsystem_u:system_r:httpd_t:s0 11676 ? S 0:00 \/usr\/sbin\/httpd -DFOREGROUND<\/em><\/p>\n[root@shiju-test ~]# ls -Z \/var\/www<\/strong>
\ndrwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin<\/em>
\ndrwxr-xr-x. root root system_u:object_r:httpd_sys_content_t<\/strong>:s0 html<\/em><\/p>\nCopying and Moving files<\/span><\/strong><\/p>\nWhen moving a file or folder, the SELinux context is\u00a0preserved<\/strong> by default.<\/p>\n[root@shiju-test ~]#\u00a0<\/strong>mv \/tmp\/shiju.txt \/var\/www\/html<\/p>\nWhen copying a file or folder, the SELinux is NOT preserved by default. The switch “-p” is required to carry the SELinux context.<\/p>\n
[root@shiju-test ~]# <\/strong>cp\u00a0\/tmp\/shiju.txt \/var\/www\/html<\/p>\n[root@shiju-test ~]#\u00a0<\/strong>ls -Z \/var\/www\/html<\/p>\n[root@shiju-test ~]#\u00a0<\/strong>cp =p \/tmp\/shiju.txt \/var\/www\/html<\/p>\nSELinux configuration file<\/strong><\/span><\/p>\nConfiguration file for SELinux is “\/etc\/selinux\/config<\/em>”<\/p>\nSELinux can be configured in three modes:<\/p>\n
\n- Enforced :<\/strong> Policies are enforced and logging is enabled<\/li>\n
- Permissive :<\/strong> Policies are actually disabled but logging is enabled as the policies are enabled<\/li>\n
- Disabled :<\/strong> Policies are disabled and logging is also not enabled.<\/li>\n<\/ul>\n
Command to verify the mode in which SELinux is running:
\n[root@shiju-test ~]#\u00a0<\/strong>getenforce<\/p>\nCommand to switch to disabled mode:
\n[root@shiju-test ~]#\u00a0<\/strong>setenforce 0<\/p>\nCommand to switch to permissive mode:
\n[root@shiju-test ~]#\u00a0<\/strong>setenforce 1<\/p>\n <\/p>\n
In RHEL, the SElinux can be fully disabled during the boot process itself if needed. To do that, enter the grub prompt during the bootup, and in the Kernel parameter add one of the below value:<\/p>\n
\n- selinux=0<\/li>\n
- enforcing=0<\/li>\n
- enforcing=1<\/li>\n<\/ul>\n
Save changes and procced with the booting process.<\/p>\n
SELinux Logs<\/strong><\/span><\/p>\nSELinux logs useful information such as info about access denied, etc. The default log file is:
\n\/var\/log\/audit\/audit.log<\/em><\/p>\nAn example to understand SELinux context<\/strong><\/span><\/p>\n\n- Use a system in which SELinux is enabled. The command “getenforce” will show the present SELinux setting.<\/li>\n
- Install httpd\u00a0server and ensure firewalld is disabled in the host .<\/li>\n
- Create an html file name index.html<\/strong> displaying a line “Hello World – var – html<\/em>“<\/li>\n
- Allow everyone to access the page by issuing the command:\n
\n- chmod 755 \/var\/www\/html\/index.html<\/li>\n<\/ul>\n<\/li>\n
- Verify if everyone can see the web page by accessing the server via a web browser. It should work while selinux is also enabled.<\/li>\n<\/ul>\n
\n- Create a new folder named “\/virtual”<\/strong><\/li>\n
- Create an html file name \/virtual\/index.html<\/strong> displaying a line “Hello World – virtual – html<\/em>“.<\/li>\n
- Add the following lines in your apache webserver’s configuration file httpd.conf:<\/li>\n<\/ul>\n
<Directory “\/virtual”><\/p>\n
AllowOverride None
\n# Allow open access:
\nRequire all granted<\/p>\n
<\/Directory><\/p>\n
\n- In the httpd.conf<\/strong> file, edit the line that starts with “DocumentRoot<\/strong>” so that it looks like:
\nDocumentRoot “\/virtual”<\/strong><\/li>\n- Restart apache by running the command “systemctl restart httpd”<\/li>\n
- The service may fail<\/li>\n<\/ul>\n
<\/p>\n
You may not be able to see the web page is accessed via browser since SELinux may be blocking access to “\/virtual\/index.html<\/strong>”<\/p>\nCheck the log file “\/var\/log\/audit\/audit.log<\/strong>” for any entry related to it like:<\/p>\n\n- type=AVC msg=audit(1523351308.296:598): avc: denied { getattr } for pid=1247 comm=”httpd” path=”\/virtual\/index.html” dev=”xvda2″ ino=25270803 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file<\/li>\n<\/ul>\n
If you disable SELinux temporarily by issuing the command “setenforce 0<\/strong>” or permanently by editing the file “\/etc\/selinux\/config<\/strong>” you will see that the file gets displayed.<\/p>\nHow to get the new page displayed with SELinux?<\/span><\/strong><\/p>\nWe can change the context of a file by using either:<\/p>\n
\n- Temporary method\n
\n- chcon<\/li>\n<\/ul>\n<\/li>\n
- Permanent method\n
\n- fcontext<\/li>\n
- restorecon<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n
To make the webpage “\/virtual\/index.html<\/em>” accessible by http server while SELinux is enforced, run the following command:<\/p>\n[root@shiju-test ~]#\u00a0<\/strong>chcon -R -t httpd_sys_content_t \/virtual\/<\/p>\nCheck the result by running the following command:<\/p>\n
[root@shiju-test ~]#\u00a0<\/strong>ls -Z \/virtual<\/p>\n-rwxr-xr-x. 1 root root system_u:object_r:httpd_sys_content_t<\/strong>:s0 43 Feb 12 19:59 index.html<\/p>\nNow the new webpage should get displayed via the browser<\/p>\n
The set of files that holds the default context of files and folder are located in “\/etc\/selinux\/targeted\/contexts\/files\/<\/strong>”<\/p>\nAs the chcon command is a temporary way to change context permission, restarting the node or issuing the\u00a0restorecon<\/strong> command will revert context attached to a file to the value mentioned in the above files.<\/p>\nTo restore the context to default settings as mentioned in SELinux policy use the following command:<\/p>\n
root@shiju-test ~]#\u00a0<\/strong>restorecon -Rv \/virtual\/
\nRelabeled \/virtual from system_u:object_r:httpd_sys_content_t:s0 to system_u:object_r:default_t:s0
\nRelabeled \/virtual\/index.html from system_u:object_r:httpd_sys_content_t:s0 to system_u:object_r:default_t:s0<\/p>\nCommand to view the default SELinux policy settings is as below. You may use “grep” function to display selective results<\/p>\n
root@shiju-test ~]#\u00a0<\/strong>ls -lZ \/virtual\/
\n-rwxr-xr-x. 1 root root system_u:object_r:default_t:s0 43 Feb 12 19:59 index.html<\/p>\nSemanage commands<\/strong><\/span><\/p>\nThe below command lists all context policies that will be read by default<\/p>\n
[root@shiju-test ~]#\u00a0semanage fcontext -l<\/strong><\/p>\nWe can add an SELinux Policy by using semanage fcontext<\/strong> commands so that the same can be used when “restorecon<\/strong>” command is used.<\/p>\nMentioned below command changes the context of all files in “\/virtual” folder<\/p>\n
[root@shiju-test ~]#\u00a0<\/strong>semanage fcontext -a -t httpd_sys_content_t ‘\/virtual(\/.*)?’<\/p>\nroot@shiju-test ~]#\u00a0<\/strong>restorecon -Rv \/virtual\/<\/p>\nListening ports associated with a service<\/strong><\/span><\/p>\nTroubleshooting SELinux is easy by using the “setroubleshoot-server” that can be installed using the command “yum install setroubleshoot-server”<\/p>\n","protected":false},"excerpt":{"rendered":"
SELinux is a set of security rules using which we can control the processes\/application that can access specific files, folders and ports. These processes, files, […]<\/a><\/p>\n<\/div>","protected":false},"author":1,"featured_media":252,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,31,30,14],"tags":[],"class_list":["post-895","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","category-rhel-4","category-rhel-9","category-security"],"_links":{"self":[{"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=\/wp\/v2\/posts\/895","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=895"}],"version-history":[{"count":23,"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=\/wp\/v2\/posts\/895\/revisions"}],"predecessor-version":[{"id":1572,"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=\/wp\/v2\/posts\/895\/revisions\/1572"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=\/wp\/v2\/media\/252"}],"wp:attachment":[{"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=895"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=895"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=895"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"SElinux\"](\"http:\/\/shijuvarghese.com\/wp-content\/uploads\/2019\/10\/SElinux.jpg\")
<\/a><\/p>\n