help:selinux

Differences

This shows you the differences between two versions of the page.

help:selinux [2020/07/19 11:56] – old revision restored (2016/07/11 11:31) 173.212.242.224help:selinux [2020/07/19 20:09] (current) – old revision restored (2016/07/11 11:59) 192.99.4.140
Line 5: Line 5:
 SELinux enforces the idea that programs should be limited in what files they can access and what actions they can take. SELinux enforces the idea that programs should be limited in what files they can access and what actions they can take.
  
-SELinux is a kernel security extension, which can be used to guard against misconfigured or compromised programs.  It comes with Mandatory Access Control (MAC) system that improves the traditional UNIX/Linux DAC (Discretionary Access Control) model. SELinux can be any one of the following state:+SELinux is a kernel security extension, which can be used to guard against misconfigured or compromised programs.  It comes with Mandatory Access Control (MAC) system that improves the traditional UNIX/Linux DAC (Discretionary Access Control) model.  
 + 
 +SELinux can be any one of the following state:
  
   * enforcing – SELinux security policy is enforced.   * enforcing – SELinux security policy is enforced.
Line 11: Line 13:
   * disabled – SELinux is fully disabled.   * disabled – SELinux is fully disabled.
  
 +[[SELinux:Allow access to an HTTP network port|Allow access to an HTTP network port]]
  
 [[SELinux:Change the SELinux mode|Change the SELinux mode]] [[SELinux:Change the SELinux mode|Change the SELinux mode]]
  
-[[SELinux:Check SELinux Status|Check SELinux Status]]+[[SELinux:Check that SELinux is not denying actions|Check that SELinux is not denying actions]]
  
-[[SELinux:Install SELinux|Install SELinux]]+[[SELinux:Check that SELinux is Properly Enabled|Check that SELinux is Properly Enabled]]
  
 +[[SELinux:Check SELinux Status|Check SELinux Status]]
  
-===== Install additional SELinux packages =====+[[SELinux:Confine users|Confine users]]
  
-Type the following command:+[[SELinux:Find Unprotected Services|Find Unprotected Services]]
  
-<code bash> +[[SELinux:Get List Of Allowed Network Ports|Get List Of Allowed Network Ports]]
-apt-get install policycoreutils setroubleshoot +
-</code>+
  
 +[[SELinux:Install SELinux|Install SELinux]]
  
-===== Run SELinux in permissive mode =====+[[SELinux:Run SELinux in enforcing mode|Run SELinux in enforcing mode]]
  
-Edit /etc/selinux/config file, run:+[[SELinux:Run SELinux in permissive mode|Run SELinux in permissive mode]]
  
-<code bash> +[[SELinux:Temporarily Switch Off SELinux Enforcement|Temporarily Switch Off SELinux Enforcement]]
-vi /etc/selinux/config +
-</code>+
  
-Update the configuration file as follows:+[[SELinux:Temporarily Switch On SELinux Enforcement|Temporarily Switch On SELinux Enforcement]]
  
-<file bash /etc/selinux/config> +[[SELinux:Troubleshooting SELinux Policy Errors|Troubleshooting SELinux Policy Errors]]
-SELINUX=permissive +
-SELINUXTYPE=targeted +
-</file>+
  
-Save and close the file.+[[SELinux:Turn off SELinux|Turn off SELinux]]
  
-Reboot the server:+[[SELinux:Understanding SELinux Configuration|Understanding SELinux Configuration]]
  
-<code bash> 
-reboot 
-</code> 
  
  
-===== Make sure SELinux did not deny actions ===== 
  
-Type the following command to confirm that SELinux did not deny actions during the reboot: 
  
-<code bash> 
-grep "SELinux is preventing" /var/log/messages 
-</code> 
  
-If you get any output/error, try using the **chcon** command.  It can be used to change SELinux security context of a file.  However, it is recommended that you relabel the complete filesystem.  Type the following command to restore default security contexts for /home: 
- 
-<code bash> 
-restorecon -Rv -n /home 
-</code> 
- 
-You can run this on root (/) file system too: 
- 
-<code bash> 
-restorecon -Rv -n / 
-</code> 
- 
-Do not skip this step.  Type the following commands: 
- 
-<code bash> 
-# touch /.autorelabel 
-# reboot 
-</code> 
- 
-It will take some time to relabel the complete filesystem.  If you get any errors or common services mysqld or sshd failed, try the following solution (go to a single user mode): 
- 
-<code bash> 
-# init 1 
-# genhomedircon 
-# touch /.autorelabel 
-# reboot 
-</code> 
- 
- 
-===== Set SELINUX to enforcing mode ===== 
- 
-Edit /etc/selinux/config, enter: 
- 
-<code bash> 
-vi /etc/selinux/config 
-</code> 
- 
-Update the configuration file as follows: 
- 
-<file bash /etc/selinux/config> 
-SELINUX=enforcing 
-SELINUXTYPE=targeted 
-</file> 
- 
-===== Understanding SELinux Configuration ===== 
- 
-  * SELINUX=enforcing : Enforcing is the default mode which will enable and enforce the SELinux security policy on the Linux.  It will also deny unauthorized access and log actions in a log file. 
-  * SELINUXTYPE=targeted : Only targeted network daemons (such as DNS, Apache and others) are protected. 
- 
-Save and close the file.  Make sure SELinux is not disabled using Grub boot loader.  Search /boot/grub/grub.conf file using grep and make sure the following line DO NOT appears: 
- 
-<code bash> 
-egrep -i 'selinux=0|enforcing=0' /boot/grub/grub.conf 
-</code> 
- 
-If you found lines with selinux=0 or enforcing=0, remove them and save the changes. 
- 
-Reboot the server: 
- 
-<code bash> 
-reboot 
-</code> 
- 
- 
-===== Make Sure SELinux is Properly Enabled ===== 
- 
-Type the following command: 
- 
- 
-<code bash> 
-sestatus 
-</code> 
- 
-Sample outputs: 
- 
-<code> 
-SELinux status:                 enabled 
-SELinuxfs mount:                /selinux 
-Current mode:                   enforcing 
-Mode from config file:          enforcing 
-Policy version:                 24 
-Policy from config file:        targeted 
-</code> 
- 
- 
-===== Print Full List Of Allowed Network Ports ===== 
- 
-Type the following commands: 
- 
-<code bash> 
-semanage port -l 
-semanage port -l | less 
-#### look for port 80 #### 
-semanage port -l | grep -w 80  
-</code> 
- 
- 
-===== Allow Lighttpd / Apache / Nginx At Port 8181 ===== 
- 
-By default SELinux will block access to many ports including 8181.  You need to allow access to a port # 8181 so that it can bind and listen for incoming requests on non privileged ports.  You need to use the **semanage** command as follows: 
- 
-<code bash> 
-semanage port -a -t http_port_t -p tcp 8181 
-</code> 
- 
- 
-===== Find Unprotected Services ===== 
- 
-Type the following command: 
- 
-<code bash> 
-ps -eZ | egrep "initrc" | egrep -vw "ps|tr|egrep|awk|bash" | tr ':' ' ' | awk '{ print $NF }' 
-</code> 
  
-You should not see any output on fully configured SELinux systems. 
  
  
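Review bot: the restorecon step under "Make sure SELinux did not deny actions" is a dry run, so the sentence "Type the following command to restore default security contexts for /home" does not match the command it introduces: `restorecon -Rv -n /home` and `restorecon -Rv -n /` only report what would change, because `-n` tells restorecon not to modify any labels. As this text is being moved to the "Check that SELinux is not denying actions" subpage, either describe those two lines as a preview of the relabel, or drop `-n` so they actually restore contexts; the `touch /.autorelabel` reboot that follows is then the full relabel. Two smaller points in the same hunk: `grep "SELinux is preventing" /var/log/messages` only matches setroubleshoot summaries, while the raw AVC denials live in /var/log/audit/audit.log (which the page's own troubleshooting list names), so the check should mention that file too; and the port section's claim that 8181 must be allowed "so that it can bind and listen for incoming requests on non privileged ports" is misleading, since 8181 is already unprivileged and the real issue is that the port carries no http_port_t label, and `semanage port -a` fails with "already defined" if 8181 is labeled with another type, in which case `-m` is the needed form.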
Line 195: Line 71:
 </code> </code>
  
- 
-===== Troubleshooting SELinux Policy Errors ===== 
- 
-SELinux is pretty complicated kernel software.  It takes time to fix errors.  Use the following tools to find and debug SELinux policy problems (refer to your local man pages): 
- 
-  * ps -Z -p PID 
-  * ls -Z fileName 
-  * ausearch 
-  * restorecon 
-  * semodule 
-  * audit2allow 
-  * Log files: /var/log/audit/audit.log and /var/log/setroubleshoot/setroubleshootd.log 
- 
-Recommended readings: 
- 
-  * Introduction to the Red Hat SELinux Guide [https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html] 
  
  
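Review bot: the troubleshooting list being moved here names ausearch, audit2allow and semodule without saying how they fit together, which is the part a reader debugging a denial actually needs. Suggest pairing the entries with their usual invocations, e.g. `ausearch -m avc -ts recent` to pull the recent AVC records from /var/log/audit/audit.log, `audit2allow -w -a` to explain why each was denied, and `audit2allow -a -M mymodule` followed by `semodule -i mymodule.pp` to build and load a local policy module. A caveat belongs with that last step: audit2allow generates rules that permit exactly what was denied, so the .te file should be read before it is loaded, and a denial that is really a mislabeled file is fixed with restorecon, not with a new allow rule.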
Line 229: Line 89:
  
  
-===== Temporarily Switch Off SELinux Enforcement ===== 
  
-Type the following command as root user: 
  
-<code bash> 
-echo 0 >/selinux/enforce 
-</code> 
  
-Type the following command to see current status, enter: 
- 
-<code bash> 
-sestatus 
-</code> 
- 
-Sample outputs: 
- 
-<code> 
-SELinux status:                 enabled 
-SELinuxfs mount:                /selinux 
-Current mode:                   permissive 
-Mode from config file:          enforcing 
-Policy version:                 24 
-Policy from config file:        targeted 
-</code> 
- 
- 
-===== Temporarily switch on SELinux enforcement ===== 
- 
-Type the following command as root user: 
- 
-<code bash> 
-echo 1 >/selinux/enforce 
-</code> 
- 
-Type the following command to see current status, enter: 
- 
-<code bash> 
-sestatus 
-</code> 
- 
-Sample outputs: 
- 
-<code bash> 
-SELinux status:                 enabled 
-SELinuxfs mount:                /selinux 
-Current mode:                   enforcing 
-Mode from config file:          enforcing 
-Policy version:                 24 
-Policy from config file:        targeted 
-</code> 
- 
- 
- 
-===== Turn off SELinux ===== 
- 
-Type the following command: 
- 
-<code bash> 
-echo 0 >/selinux/enforce 
-</code> 
- 
-You can also use the setenforce command to effectively disable it, enter: 
- 
-<code bash> 
-setenforce Permissive 
-</code> 
- 
-OR 
- 
-<code bash> 
-setenforce 0 
-</code> 
- 
-The above commands will switch off SELinux enforcement temporarily until the machine is rebooted.  If you would like to make it permanently, edit /etc/sysconfig/selinux, enter: 
- 
-<code bash> 
-vi /etc/sysconfig/selinux 
-</code> 
- 
-And set / update it as follows: 
- 
-<file bash /etc/sysconfig/selinux> 
-SELINUX=disabled 
-</file> 
- 
-Save and close the file.  The above will only work in CentOS, Fedora and RedHat Enterprise Linux systems.  For all other Linux distros edit your boot loader config file (LILO or GRUB boot loader config file such as /boot/grub/grub.conf).  Find the kernel line, append enforcing=0 at the end: 
- 
-<file /boot/grub/grub.conf> 
-title Red Hat Enterprise Linux Server (2.6.18-194.26.1.el5) 
-        root (hd0,0) 
-        kernel /vmlinuz-2.6.18-194.26.1.el5 ro root=LABEL=/ console=tty0 console=ttyS1,19200n8 enforcing=0 
-        initrd /initrd-2.6.18-194.26.1.el5.img 
-</file> 
- 
-Finally, reboot the system: 
- 
-<code bash> 
-reboot 
-</code> 
- 
- 
- 
-[[SELinux:Confine users|Confine users]] 
  
  
  
  
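Review bot: the "Turn off SELinux" section removed here overlaps with "Temporarily Switch Off SELinux Enforcement" and mislabels what its commands do; both `echo 0 >/selinux/enforce` and `setenforce 0` put SELinux into permissive mode (the sestatus sample in the same hunk shows "Current mode: permissive"), they do not turn it off, so the moved subpage should say "permissive" where this text says "switch off" and keep one copy of the command. The `/selinux/enforce` path is the legacy selinuxfs mount shown in the old sestatus output; on current kernels selinuxfs is mounted at /sys/fs/selinux, so `setenforce 0` and `setenforce 1` are the portable forms to show. The boot loader paragraph is also wrong about its effect: `enforcing=0` on the kernel line only boots permissive, while disabling SELinux from the boot loader requires `selinux=0`, which is the parameter the page's own grub check in the first hunk greps for alongside `enforcing=0`; and /etc/sysconfig/selinux is a symlink to /etc/selinux/config on Red Hat family systems, so the two file names on this page refer to the same file.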
help/selinux.1595159804.txt.gz · Last modified: 2020/07/19 11:56 by 173.212.242.224
