SELinux Flashcards
What is SELinux?
mandatory access control
Components of a label
user
role
type
sensitivity
category
What are the components of the label called?
context
How to determine your SELinux context?
id -Z
How to determine the SELinux context of a set of files
ls -lZ /etc/shadow
How to determine the SELinux context of processes
ps -Z
Determine the selinux context of a port
semanage port -l
Three different selinux operation modes
1) Enforcing
2) Permissive
3) Disabled
Determine current selinux mode of operation
getenforce
Explain enforcing mode
The rules may not be broken
where is selinux configuration stored?
/etc/selinux/config
Set selinux in permissive mode
setenforce 0
Similarity between permissive and disabled mode
In both cases SELinux is not enforcing rules
Diff between permissive and disabled mode
permissive: selinux is monitoring and logging
disabled: no monitoring and no logging
What are the columns of the selinux database?
files (fcontext)
port
boolean
I create a new file. How is its context determined?
from its parent
I copy a file from one dir to another. How is its context determined?
from its new parent
I move a file from one dir to another. How is its context determined?
keeps its original context
Run previous command after appending "--permanent" to it
!! --permanent
With grep, show two lines after the regex is found
grep -A2 volvo cars.txt
Show two lines before the first occurrence of the regex match
grep -B2 volvo cars.txt
Change selinux context of file /website to httpd_sys_content_t
Transient Solution:
chcon -R -t httpd_sys_content_t /website
Permanent solution:
semanage fcontext -a -t httpd_sys_content_t /website'(/.*)?'
restorecon -Rv /website
Show my selinux customization
semanage fcontext -l -C
Show all boolean values from selinux database
1) semanage boolean -l
2) getsebool -a