SELinux Flashcards
What options are available in SELinux?
Enforcing = Enabled (Enabled by default)
Permissive = Disabled but logs the activity
Disabled = Disabled and does not log any activity
How can you check the status of SELinux?
sestatus or getenforce
How can you enable and disable SELinux?
setenforce 0 = permissive/disabled
setenforce 1 = enabled
Where is the SELinux config file located and how can you modify the config for permanent setting?
/etc/selinux/config
SELINUX=enforcing
SELINUX=disabled
What should you do before modifying the SELinux config file?
Take a snapshot of your VM
Before rebooting to apply SELinux changes what file should you create?
/.autorelabel
touch /.autorelabel
What are the two main concepts of SELinux?
Labeling -> user:role:type:level
Type enforcement
Note: Type is the main focus
How can you list the label of a file?
ls -lZ /usr/sbin/httpd
Output:
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
How can you list the label of a directory?
ls -dZ /etc/httpd
Output:
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 /etc/httpd
How can you find the label of a process?
ps axZ | grep httpd
How can you view a label at the socket level?
netstat -tnlpZ | grep http
labeled as httpd_t in memory
What is the command to manage SELinux settings? Bonus: What are the available options?
semanage
Bonus:
login
user
port
interface
module
node
file context
boolean
permissive state
dontaudit
What is a boolean?
The On/Off switch
What command can you use to get a list of all booleans?
getsebool -a (for all)
semanage boolean -l (for list)
Both options have the same result
What command can you use to turn on a boolean?
setsebool -P boolean_name on
On for on, Off for off
What command can you use to check error messages related to SELinux?
journalctl
What command can you use to change the type in a label?
chcon -t httpd_sys_content_t FILENAME
semanage fcontext -a -t httpd_sys_content_t FILENAME