Checking SELinux mode

$ getenforce
Enforcing

Changing SELinux mode

$ setenforce 0

Listing SELinux Contexts

$ semanage fcontext -l

SELinux fcontext                                   type               Context

/                                                  directory          system_u:object_r:root_t:s0

/.*                                                all files          system_u:object_r:default_t:s0

...

/etc/pki/instance(/.*)?                          all files          system_u:object_r:pki_tomcat_etc_rw_t:s0

/etc/pki/instance/alias(/.*)?                    all files          system_u:object_r:pki_tomcat_cert_t:s0

/usr/lib/systemd/system/pki-tomcat.*               all files          system_u:object_r:pki_tomcat_unit_file_t:s0

/var/lib/pki/instance(/.*)?                      all files          system_u:object_r:pki_tomcat_var_lib_t:s0

/var/log/pki/instance(/.*)?                      all files          system_u:object_r:pki_tomcat_log_t:s0

Creating SELinux Contexts

• Creating SELinux Contexts with CLI

• Creating SELinux Contexts with Python API

Removing SELinux Contexts

• Removing SELinux Contexts with CLI

• Removing SELinux Contexts with Python API

Displaying SELinux Contexts

$ ls -lZ /var/lib/pki/instance

lrwxrwxrwx. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0   25 Jul 26 14:28 alias -> /etc/pki/instance/alias

lrwxrwxrwx. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0   21 Jul 26 14:28 bin -> /usr/share/tomcat/bin

drwxrwx---. 5 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0  104 Jul 26 14:28 ca

lrwxrwxrwx. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0   28 Jul 26 14:28 common -> /usr/share/pki/server/common

lrwxrwxrwx. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0   19 Jul 26 14:28 conf -> /etc/pki/instance

drwxrwx---. 2 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0 4096 Jul 26 14:28 lib

lrwxrwxrwx. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0   23 Jul 26 14:28 logs -> /var/log/pki/instance

lrwxrwxrwx. 1 root    root    system_u:object_r:pki_tomcat_var_lib_t:s0   16 Jul 26 14:28 ``\ ``instance`` -> /usr/sbin/tomcat``

drwxrwx---. 2 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0    6 Jul 26 14:28 temp

drwxr-xr-x. 2 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0    6 Jul 26 14:28 webapps

drwxrwx---. 3 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0   22 Jul 26 14:28 work

Restoring SELinux Contexts

$ restorecon -FR /var/lib/pki/pki-tomcat

Listing SELinux Ports

$ semanage port -l

Verification

Reset the audit log:

$ cat /dev/null > /var/log/audit/audit.log

Switch to permissive mode:

$ setenforce 0

Run the tests, then check the AVCs in the audit log:

$ audit2allow -i /var/log/audit/audit.log

Switch to enforcing mode:

$ setenforce 1

Run the tests again to make sure it works.

Listing AVC Messages

$ ausearch -m AVC

Issues

Running Java under HTTPD

AVC denial:

type=AVC msg=audit(1571779838.122:1337): avc:  denied  { execmem } for  pid=108666 comm="java" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0

Possible solution:

$ setsebool -P httpd_execmem 1

References

• SELinux

• RHEL 7 SELinux User’s and Administrator’s Guide

• Basic SELinux Troubleshooting in CLI

• How to install and configure “setroubleshootd” on CentOS/RHEL