SELinux

From Dogtag

Checking SELinux mode

$ getenforce
Enforcing

Changing SELinux mode

$ setenforce 0

Listing SELinux Contexts

$ semanage fcontext -l
SELinux fcontext                                   type               Context

/                                                  directory          system_u:object_r:root_t:s0
/.*                                                all files          system_u:object_r:default_t:s0
...
/etc/pki/instance(/.*)?                            all files          system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/instance/alias(/.*)?                      all files          system_u:object_r:pki_tomcat_cert_t:s0
/usr/lib/systemd/system/pki-tomcat.*               all files          system_u:object_r:pki_tomcat_unit_file_t:s0
/var/lib/pki/instance(/.*)?                        all files          system_u:object_r:pki_tomcat_var_lib_t:s0
/var/log/pki/instance(/.*)?                        all files          system_u:object_r:pki_tomcat_log_t:s0

Creating SELinux Contexts

$ semanage fcontext -a -t pki_tomcat_etc_rw_t -r s0 "/etc/pki/instance(/.*)?"
$ semanage fcontext -a -t pki_tomcat_cert_t -r s0 "/etc/pki/instance/alias(/.*)?"
$ semanage fcontext -a -t pki_tomcat_var_lib_t -r s0 "/var/lib/pki/instance(/.*)?"
$ semanage fcontext -a -t pki_tomcat_log_t -r s0 "/var/log/pki/instance(/.*)?"

Python bindings for SELinux are available from the following packages:

  • libselinux-python
  • policycoreutils-python

In Python, the same file contexts and the instance's HTTP port can be registered in a single semanage transaction (port is the instance's HTTP port number):

import selinux

try:
    import seobject
except ImportError:
    seobject = None  # policycoreutils-python is not installed


def create_selinux_contexts(port):
    # Nothing to do if SELinux is disabled or the semanage bindings are missing.
    if not selinux.is_selinux_enabled() or not seobject:
        return

    # Open one transaction against the 'targeted' policy store; the records
    # objects created below share its handle until finish() commits it.
    trans = seobject.semanageRecords("targeted")
    trans.start()

    # fcontextRecords.add(target, type, ftype, serange, seuser): the Python
    # equivalent of the semanage fcontext -a commands above.
    fcon = seobject.fcontextRecords()
    fcon.add("/var/lib/pki/pki-tomcat(/.*)?", "pki_tomcat_var_lib_t", "", "s0", "")
    fcon.add("/var/log/pki/pki-tomcat(/.*)?", "pki_tomcat_log_t", "", "s0", "")
    fcon.add("/etc/pki/pki-tomcat(/.*)?", "pki_tomcat_etc_rw_t", "", "s0", "")
    fcon.add("/etc/pki/pki-tomcat/alias(/.*)?", "pki_tomcat_cert_t", "", "s0", "")

    # portRecords.add(port, proto, serange, type): label the HTTP port so the
    # web server domain may bind to it; semanage expects the port as a string.
    port_records = seobject.portRecords()
    port_records.add(str(port), "tcp", "s0", "http_port_t")

    # Commit all of the above at once.
    trans.finish()

Deleting SELinux Contexts

$ semanage fcontext -d "/etc/pki/instance(/.*)?"
$ semanage fcontext -d "/etc/pki/instance/alias(/.*)?"
$ semanage fcontext -d "/var/lib/pki/instance(/.*)?"
$ semanage fcontext -d "/var/log/pki/instance(/.*)?"

Displaying SELinux Contexts

$ ls -lZ /var/lib/pki/instance
lrwxrwxrwx. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0   25 Jul 26 14:28 alias -> /etc/pki/instance/alias
lrwxrwxrwx. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0   21 Jul 26 14:28 bin -> /usr/share/tomcat/bin
drwxrwx---. 5 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0  104 Jul 26 14:28 ca
lrwxrwxrwx. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0   28 Jul 26 14:28 common -> /usr/share/pki/server/common
lrwxrwxrwx. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0   19 Jul 26 14:28 conf -> /etc/pki/instance
drwxrwx---. 2 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0 4096 Jul 26 14:28 lib
lrwxrwxrwx. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0   23 Jul 26 14:28 logs -> /var/log/pki/instance
lrwxrwxrwx. 1 root    root    system_u:object_r:pki_tomcat_var_lib_t:s0   16 Jul 26 14:28 instance -> /usr/sbin/tomcat
drwxrwx---. 2 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0    6 Jul 26 14:28 temp
drwxr-xr-x. 2 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0    6 Jul 26 14:28 webapps
drwxrwx---. 3 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0   22 Jul 26 14:28 work

Restoring SELinux Contexts

$ restorecon -FR /var/lib/pki/pki-tomcat

Listing SELinux Ports

$ semanage port -l

Adding SELinux Port

To add an SELinux port with a given label:

$ semanage port -a -t <label> -p tcp <port>

To add HTTP port:

$ semanage port -a -t http_port_t -p tcp <port>

To add LDAP port:

$ semanage port -a -t ldap_port_t -p tcp <port>

Deleting SELinux Port

To remove an SELinux port with a given label:

$ semanage port -d -t <label> -p tcp <port>

To delete HTTP port:

$ semanage port -d -t http_port_t -p tcp <port>

To delete LDAP port:

$ semanage port -d -t ldap_port_t -p tcp <port>

Verification

Reset the audit log:

$ cat /dev/null > /var/log/audit/audit.log

Switch to permissive mode:

$ setenforce 0

Run the tests, then check the AVCs in the audit log:

$ audit2allow -i /var/log/audit/audit.log

Switch to enforcing mode:

$ setenforce 1

Run the tests again to make sure it works.

Listing AVC Messages

$ ausearch -m AVC

Issues

Running Java under HTTPD

AVC denial:

type=AVC msg=audit(1571779838.122:1337): avc:  denied  { execmem } for  pid=108666 comm="java" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0

Possible solution:

$ setsebool -P httpd_execmem 1
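As an added example that is not part of the Dogtag wiki page, the following Python parses AVC denial records like the one above (and those the Verification steps leave in audit.log), groups them by source type, target type, class and permissions, and maps each group to the remedy this page gives for it. The sample records are constructed; pki_tomcat_t is assumed here as the instance's process domain, and the password.conf denial is an assumed mislabeling case.

```python
import re
from collections import Counter

# Constructed sample audit records (not from a real host). The first mirrors the execmem
# denial above; the last shows a file left with default_t from the "/.*" rule (restorecon fixes it).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1571779838.122:1337): avc:  denied  { execmem } for  pid=108666 comm="java" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1571779838.122:1337): arch=c000003e syscall=10 success=no exit=-13 comm="java" exe="/usr/bin/java"
type=AVC msg=audit(1571779838.130:1338): avc:  denied  { execmem } for  pid=108666 comm="java" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=AVC msg=audit(1571779840.001:1339): avc:  denied  { read open } for  pid=108670 comm="java" name="password.conf" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1
"""

# key=value fields (values bare or double-quoted) and the denied permission set.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*)\}')


def parse_avc(line):
    """Parse one AVC denial record into a dict; return None for other records."""
    m = _PERMS_RE.search(line)
    if not line.startswith("type=AVC") or m is None:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    # The SELinux type is the third component of user:role:type:level.
    return {
        "stype": fields.get("scontext", "::?").split(":")[2],
        "ttype": fields.get("tcontext", "::?").split(":")[2],
        "tclass": fields.get("tclass", "?"),
        "perms": " ".join(sorted(m.group(1).split())),
    }

def summarize_denials(text):
    """Count denials by (source type, target type, class, permissions)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])] += 1
    return counts

def suggest(counts):
    """Map each denial group to the remedy this page describes for it."""
    hints = []
    for (stype, ttype, tclass, perms), n in sorted(counts.items()):
        if (stype, tclass, perms) == ("httpd_t", "process", "execmem"):
            hints.append(f"{n}x {stype} execmem: setsebool -P httpd_execmem 1")
        elif ttype == "default_t":
            hints.append(f"{n}x {stype} -> default_t {tclass}: run restorecon -FR on the path")
        else:
            hints.append(f"{n}x {stype} -> {ttype} {tclass} {{ {perms} }}: review with audit2allow")
    return hints
```

Feed it the output of ausearch -m AVC or the raw audit.log to get one line per denial group instead of reading every record by hand.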
