Manage SELinux

SELinux (Security-Enhanced Linux) has two major components on your system. First, there is the kernel mechanism, which enforces a set of access rules that apply to processes and files. Second, there are file labels: every file on your system carries an extra label (its security context) that ties in with those access rules. Run ls -Z and you will see what I mean.

http://www.crypt.gen.nz/selinux/disable_selinux.html

http://doc.fedora-fr.org/wiki/SELinux#Interface_graphique_:_system-config-selinux

List SELinux status

[root@localhost ~]# getenforce 
Enforcing
[root@localhost ~]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          disabled
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[root@localhost ~]# setenforce 0
[root@localhost ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          disabled
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

List the SELinux booleans (the tunable switches in the policy)

[root@localhost ~]# semanage boolean -l
SELinux boolean                State  Default Description

ftp_home_dir                   (off  ,  off)  Allow ftp to home dir
smartmon_3ware                 (off  ,  off)  Allow smartmon to 3ware
mpd_enable_homedirs            (off  ,  off)  Allow mpd to enable homedirs
xdm_sysadm_login               (off  ,  off)  Allow xdm to sysadm login
xen_use_nfs                    (off  ,  off)  Allow xen to use nfs
mozilla_read_content           (off  ,  off)  Allow mozilla to read content
ssh_chroot_rw_homedirs         (off  ,  off)  Allow ssh to chroot rw homedirs
mount_anyfile                  (on   ,   on)  Allow mount to anyfile
icecast_use_any_tcp_ports      (off  ,  off)  Allow icecast to use any tcp ports
openvpn_can_network_connect    (on   ,   on)  Allow openvpn to can network connect
httpd_can_network_relay        (off  ,  off)  Allow httpd to can network relay
httpd_can_connect_mythtv       (off  ,  off)  Allow httpd to can connect mythtv
httpd_can_network_connect_db   (off  ,  off)  Allow httpd to can network connect db
httpd_use_gpg                  (off  ,  off)  Allow httpd to use gpg
httpd_dbus_sssd                (off  ,  off)  Allow httpd to dbus sssd
httpd_enable_cgi               (on   ,   on)  Allow httpd to enable cgi
httpd_verify_dns               (off  ,  off)  Allow httpd to verify dns
....

The same using the getsebool command:

[root@localhost ~]# /usr/sbin/getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_bugzilla_script_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_nagios_script_anon_write --> off
allow_httpd_squid_script_anon_write --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
...

You can manage SELinux booleans with the graphical interface system-config-selinux (install the policycoreutils-gui package), or from the command line like this (the -P flag makes the change persistent across reboots):

[root@localhost ~]# setsebool -P httpd_can_network_connect on
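As an added example (not part of this page), the following Python script parses the semanage boolean -l and getsebool -a output formats shown above, reports booleans whose current State drifted from the policy Default, and builds the setsebool -P lines that would put them back. The sample output embedded in the script is constructed for the example; its on/off values are made up, not taken from a real system.

```python
import re

# Constructed sample in the format of `semanage boolean -l` shown on this page.
# The on/off values are made up for the example: two httpd booleans have been
# switched on, so their State differs from their Default.
SEMANAGE_SAMPLE = """\
SELinux boolean                State  Default Description

ftp_home_dir                   (off  ,  off)  Allow ftp to home dir
mount_anyfile                  (on   ,   on)  Allow mount to anyfile
httpd_can_network_connect      (on   ,  off)  Allow httpd to can network connect
httpd_can_network_relay        (on   ,  off)  Allow httpd to can network relay
httpd_can_network_connect_db   (off  ,  off)  Allow httpd to can network connect db
httpd_enable_cgi               (on   ,   on)  Allow httpd to enable cgi
"""

# Constructed sample in the format of `getsebool -a | grep httpd` shown on this page.
GETSEBOOL_SAMPLE = """\
allow_httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
"""

# name   (state , default)   description
SEMANAGE_RE = re.compile(
    r"^(?P<name>\S+)\s+\(\s*(?P<state>on|off)\s*,\s*(?P<default>on|off)\s*\)\s*(?P<desc>.*)$"
)
# name --> state
GETSEBOOL_RE = re.compile(r"^(?P<name>\S+)\s+-->\s+(?P<state>on|off)$")


def parse_semanage(text):
    """Map boolean name -> (state, default, description) from semanage output.
    The header line and blank lines do not match the pattern and are skipped."""
    booleans = {}
    for line in text.splitlines():
        m = SEMANAGE_RE.match(line.strip())
        if m:
            booleans[m["name"]] = (m["state"], m["default"], m["desc"].strip())
    return booleans


def parse_getsebool(text):
    """Map boolean name -> current state from getsebool output."""
    states = {}
    for line in text.splitlines():
        m = GETSEBOOL_RE.match(line.strip())
        if m:
            states[m["name"]] = m["state"]
    return states


def drifted_booleans(booleans):
    """Names of booleans whose current state differs from the policy default,
    i.e. the local changes that widen (or narrow) the shipped policy."""
    return sorted(name for name, (state, default, _) in booleans.items()
                  if state != default)


def revert_commands(booleans):
    """setsebool -P lines that would put each drifted boolean back to its default."""
    return [f"setsebool -P {name} {booleans[name][1]}"
            for name in drifted_booleans(booleans)]


def enabled_with_prefix(states, prefix):
    """Booleans currently on whose name starts with prefix (like the grep httpd above)."""
    return sorted(name for name, state in states.items()
                  if state == "on" and name.startswith(prefix))


if __name__ == "__main__":
    booleans = parse_semanage(SEMANAGE_SAMPLE)
    for name in drifted_booleans(booleans):
        state, default, desc = booleans[name]
        print(f"{name}: is {state}, default {default} ({desc})")
    for cmd in revert_commands(booleans):
        print(cmd)
    print(enabled_with_prefix(parse_getsebool(GETSEBOOL_SAMPLE), "httpd_"))
```

Run it against real output by piping semanage boolean -l into the parser instead of the sample; a boolean that is on while its default is off is a deliberate widening of the policy and should be something you can explain for every host.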

Disable SELinux

On Fedora Core and Red Hat Enterprise Linux, edit /etc/selinux/config. You will see lines like the following; change SELINUX to disabled and reboot the server:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
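Added example, not part of the original page, covering both the sestatus session above and this config file: a Python check that parses /etc/selinux/config and sestatus output and reports when the running mode differs from what the config file will apply at the next boot. The page's own sestatus output shows exactly that situation (Current mode enforcing, then permissive after setenforce 0, while Mode from config file is disabled), which means the next reboot turns SELinux off without anyone running a command. setenforce changes only the running mode; the config file governs the boot mode. Both inputs below are constructed from the formats shown on this page.

```python
# Constructed sample of /etc/selinux/config, with the layout shown on this page but
# SELINUX=disabled, the value the page's sestatus reports for "Mode from config file".
CONFIG_SAMPLE = """\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
"""

# Constructed sample of `sestatus` output, matching the page's session after setenforce 0.
SESTATUS_SAMPLE = """\
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          disabled
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
"""


def parse_config(text):
    """Parse KEY=value lines of /etc/selinux/config; comments and blanks are ignored."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def parse_sestatus(text):
    """Parse the 'Label:   value' lines of sestatus output into a dict."""
    status = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            status[key.strip()] = value.strip()
    return status


def posture_findings(cfg, status):
    """Findings about the running mode versus the boot-time config.
    An empty list means: enforcing now, and enforcing again after the next reboot."""
    findings = []
    # sestatus prints no 'Current mode' line when SELinux is disabled
    current = status.get("Current mode", "disabled")
    boot = cfg.get("SELINUX", "missing")
    if current != "enforcing":
        findings.append(f"running mode is {current}, not enforcing")
    if boot != "enforcing":
        findings.append(f"config file has SELINUX={boot}; the next boot will not enforce")
    if current != boot:
        findings.append(f"running mode ({current}) differs from config file ({boot}); "
                        f"a reboot will change SELinux behaviour")
    reported = status.get("Mode from config file")
    if reported is not None and reported != boot:
        findings.append(f"sestatus reports config mode {reported} but the file says {boot}")
    return findings


if __name__ == "__main__":
    for finding in posture_findings(parse_config(CONFIG_SAMPLE),
                                    parse_sestatus(SESTATUS_SAMPLE)):
        print("WARNING:", finding)
```

On a real host, read /etc/selinux/config and capture the output of sestatus in place of the two samples; a non-empty findings list is worth an alert, because an enforcing host whose config file says disabled is one reboot away from having no policy loaded.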

Debug / Troubleshoot SELinux

This applies when SELinux is enabled.

First, install the setroubleshoot package:

[root@centos7 ~]# yum install setroubleshoot-server -y

Now check what is happening with SELinux:

[root@centos7 ~]# sealert -a /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label.
/var/www/html/index.html default label should be httpd_sys_content_t.

This is essentially saying that Apache cannot access the index.html file because the file has the wrong SELinux context. The file's SELinux context is shown below with the -Z option of ls.

[root@centos7 ~]# ls -laZ /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 .
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 ..
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 index.html

Then you can run restorecon to reset the file to its default label:

# /sbin/restorecon -v /var/www/html/index.html
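Added example (not from the page): a Python check over ls -Z output in the format shown above. It extracts each entry's security context, lists entries whose type is not one expected under the web root, and produces one restorecon command per mislabeled file. The listing is constructed for the example; the set of expected types (httpd_sys_content_t and httpd_sys_rw_content_t) is an assumption made here, since the page only names httpd_sys_content_t as the default for index.html.

```python
import re

# Constructed sample in the format of `ls -laZ /var/www/html/` shown on this page,
# with two extra entries added for the example.
LS_Z_SAMPLE = """\
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 .
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 ..
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 index.html
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 upload.log
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 about.html
"""

# Types accepted under the web root: an assumption for this example, the page itself
# only states httpd_sys_content_t as the default label for index.html.
EXPECTED_TYPES = {"httpd_sys_content_t", "httpd_sys_rw_content_t"}

# A context is user:role:type:level, where the type always ends in _t; the name is
# everything after it. Searching for the context (rather than matching the whole
# line) also copes with ls versions that print extra columns before the context.
CONTEXT_RE = re.compile(
    r"(?P<seuser>[^\s:]+):(?P<role>[^\s:]+):(?P<type>[^\s:]+_t):(?P<level>\S+)\s+(?P<name>.+)$"
)


def parse_ls_z(text):
    """List of {name, type, context} for each entry, skipping '.' and '..'."""
    entries = []
    for line in text.splitlines():
        m = CONTEXT_RE.search(line.rstrip())
        if not m or m["name"] in (".", ".."):
            continue
        entries.append({
            "name": m["name"],
            "type": m["type"],
            "context": f"{m['seuser']}:{m['role']}:{m['type']}:{m['level']}",
        })
    return entries


def mislabeled(entries, expected=EXPECTED_TYPES):
    """Entries whose type is not one of the expected types for the directory."""
    return [e for e in entries if e["type"] not in expected]


def restorecon_commands(entries, directory, expected=EXPECTED_TYPES):
    """One restorecon -v line per mislabeled entry, as the sealert plugin suggests."""
    return [f"restorecon -v {directory}/{e['name']}"
            for e in mislabeled(entries, expected)]


if __name__ == "__main__":
    entries = parse_ls_z(LS_Z_SAMPLE)
    for e in mislabeled(entries):
        print(f"{e['name']}: type {e['type']} (context {e['context']})")
    for cmd in restorecon_commands(entries, "/var/www/html"):
        print(cmd)
```

The admin_home_t label on index.html is the usual sign that the file was created in root's home directory and then moved (mv keeps the label, cp would have given it the directory's default); restorecon rewrites it to the type the policy defines for that path.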
linux/selinux.txt · Last modified: 2021/11/08 14:12 by manu