SELinux Flashcards
What is SELinux?
mandatory access control
Components of a label
user
role
type
sensitivity
category
What are the components of the label collectively called?
context
How to determine your SELinux context?
id -Z
How to determine the SELinux context of a set of files
ls -lZ /etc/shadow
How to determine the SELinux context of processes
ps -Z
Determine the SELinux context of a port
semanage port -l
Three different SELinux operation modes
1) Enforcing
2) Permissive
3) Disabled
Determine the current SELinux mode of operation
getenforce
Explain enforcing mode
The rules may not be broken
Where is the SELinux configuration stored?
/etc/selinux/config
Set SELinux to permissive mode
setenforce 0
Similarity between permissive and disabled mode
In both cases SELinux is not enforcing rules
Difference between permissive and disabled mode
permissive: SELinux is monitoring and logging
disabled: no monitoring and no logging
What are the columns of the SELinux database?
files (fcontext)
port
boolean
I create a new file. How is its context determined?
from its parent
I copy a file from one dir to another. How is its context determined?
from its new parent
I move a file from one dir to another. How is its context determined?
keeps its original context
Run the previous command after appending "--permanent" to it
!! --permanent
With grep, show two lines after the regex is found
grep -A2 volvo cars.txt
Show two lines before the first occurrence of the regex match
grep -B2 volvo cars.txt
Change the SELinux context of file /website to httpd_sys_content_t
Transient Solution:
chcon -R -t httpd_sys_content_t /website
Permanent solution:
semanage fcontext -a -t httpd_sys_content_t '/website(/.*)?'
restorecon -Rv /website
Show my SELinux customizations
semanage fcontext -l -C
Show all boolean values from the SELinux database
1) semanage boolean -l
2) getsebool -a
In semanage boolean context, there are two values. What are they?
The first is the current state of the boolean and the second is the persistent value.
Set an SELinux boolean value
setsebool -P httpd_use_nfs on
Check the value of the SELinux boolean httpd_use_nfs
getsebool httpd_use_nfs
Where do you check if SELinux rejected an access request?
/var/log/audit/audit.log
or
grep sealert /var/log/messages
nginx document root folder
/usr/share/nginx/html
Structure of a zone file
Apache conf file location
/etc/httpd/conf/httpd.conf
How do you change the Apache document root folder?
In /etc/httpd/conf/httpd.conf change:
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
What is UserDir used for in Apache?
Allows users to make a ~/public_html folder accessible through Apache
Where is the UserDir conf file located?
/etc/httpd/conf.d/userdir.conf
What are the steps to configure UserDir?
1) Enable UserDir in /etc/httpd/conf.d/userdir.conf
2) Uncomment UserDir public_html in /etc/httpd/conf.d/userdir.conf
3) chmod 711 ~
4) setsebool -P httpd_enable_homedirs on
Where are SELinux error messages logged?
/var/log/audit/audit.log
Search for SELinux error messages
grep AVC /var/log/audit/audit.log
AVC
Access Vector Cache. Its log entries represent the decision-making process of SELinux regarding access control
How does the SE troubleshoot daemon work?
It listens to AVC messages in /var/log/audit/audit.log and summarizes them in /var/log/messages
How do you find SE troubleshoot messages?
grep sealert /var/log/messages