
Quick Primer: SELinux

Before you do anything else, see the troubleshooting section at the end of this article:

Use audit2why to identify the file that is causing the access problem.

Then use restorecon -v [filename, or wildcard] to relabel the file to the type that SELinux thinks is correct according to its rule set.

If this doesn't work, then go about relabeling the files and creating a rule as detailed below. The above method (restorecon -v) is much safer than adjusting policies, because it only applies the labels the loaded policy already expects instead of widening what the policy allows.


The following is a good explanation on SELinux, what it does and how to modify it: http://www.crypt.gen.nz/selinux/disable_selinux.html

Troubleshooting SELinux:

echo 1 > /selinux/enforce # make sure enforcing mode is on so the denial is real, not just logged
service httpd stop
echo > /var/log/audit/audit.log # truncate the log so only the denials you are about to trigger are in it
service httpd start # now reproduce the action that SELinux blocks
cat /var/log/audit/audit.log | audit2why # explains why each AVC denial happened (label mismatch, boolean, missing rule)
cat /var/log/audit/audit.log | audit2allow # shows the allow rules that would be needed; read before blindly loading them

Changing the SELinux policies to reflect proper access for httpd to the files

Referring to the SELinux write up provided by CentOS, we’ll be looking into an example of changing SELinux policy.

ls -Z /var/www/redmine/

The files have been tagged with the following security context:

admin_home_t

So only processes whose domain is allowed to access the admin_home_t type can read them.

What is httpd’s context?

service httpd start
ps axZ | grep httpd

Looks to be:

httpd_t

So admin_home_t is not a type that a process running in the httpd_t domain is allowed to access.

What context type can a process with httpd_t access?

touch /var/www/html/index.html
ls -Z /var/www/html/

Thanks, SElinux, for labeling our files with your super intellect.

httpd_sys_content_t is a context type that a process running with httpd_t context can access.

Let’s change the context of the files and directories below /var/www/redmine/ so that we can actually allow the process httpd to access them:

Change the label on disk now (chcon only changes the current label; it is not remembered by the policy):

chcon -Rv --type=httpd_sys_content_t /var/www/redmine/

Create an SELinux file-context rule so that the label survives a future relabel (restorecon or a full filesystem relabel) by our friendly SELinux:

yum -y install policycoreutils-python # this takes a bit; policycoreutils should include the semanage binary, but apparently not
semanage fcontext -a -t httpd_sys_content_t "/var/www/redmine(/.*)?" # this also takes a bit; the pattern is matched against the full path, so "/redmine(/.*)?" on its own would never match

Now httpd should be able to access the files without an issue:

service httpd restart
#error free!
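To make the troubleshooting and relabeling steps above concrete, here is an added example that is not part of the original post: a small POSIX shell helper that reads raw AVC denial lines from audit.log, extracts the source domain, target type, permission and path from each one, and prints the restorecon command the post recommends trying first. The audit lines in SAMPLE_AUDIT are constructed sample data modelled on the redmine case (httpd_t denied access to admin_home_t files), not a real capture, and the function names avc_summary, suggest_relabel and denial_count are my own.

```shell
#!/bin/sh
# Added example, not from the original post. The audit lines below are
# CONSTRUCTED sample data in audit.log format, not a real capture.
SAMPLE_AUDIT='type=AVC msg=audit(1300000000.123:45): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=dm-0 ino=99 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1300000000.123:45): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1300000000.456:46): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/redmine/public/app.js" dev=dm-0 ino=100 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1300000000.789:47): avc:  denied  { read } for  pid=1234 comm="httpd" path="/var/www/redmine/public/app.js" dev=dm-0 ino=100 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file'

# avc_summary: read audit.log lines on stdin and print one line per denial:
#   <source domain> <target type> <permission> <path or bare name>
# Only the type component (third colon-separated field) of each context is
# kept, because that is what the policy's allow rules are written against.
avc_summary() {
  awk '
    /^type=AVC / && /denied/ {
      perm = ""; path = ""; s = ""; t = "";
      if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4);
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
        # path= is the full path when present; fall back to the bare name=
        if ($i ~ /^path=/) { path = $i; sub(/^path="?/, "", path); sub(/"$/, "", path) }
        if ($i ~ /^name=/ && path == "") { path = $i; sub(/^name="?/, "", path); sub(/"$/, "", path) }
      }
      print s, t, perm, path
    }'
}

# suggest_relabel: the post's first-line fix. For every distinct full path
# in the denials, print the restorecon command to try before touching the
# policy; a denial carrying only a bare file name must be located first.
suggest_relabel() {
  avc_summary | awk '
    $4 ~ /^\// { if (!seen[$4]++) print "restorecon -v " $4; next }
    { print "# " $4 ": no full path in this AVC line; find it with ls -Z before relabeling" }'
}

# denial_count SOURCE_DOMAIN TARGET_TYPE: how many denials match that pair,
# useful to confirm the mismatch is really httpd_t vs admin_home_t and not
# something else hiding in the same log.
denial_count() {
  avc_summary | awk -v s="$1" -v t="$2" '$1 == s && $2 == t { n++ } END { print n + 0 }'
}

# Demo over the constructed sample; on a real box replace the printf with
# cat /var/log/audit/audit.log after reproducing the denial.
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
printf '%s\n' "$SAMPLE_AUDIT" | suggest_relabel
echo "httpd_t -> admin_home_t denials: $(printf '%s\n' "$SAMPLE_AUDIT" | denial_count httpd_t admin_home_t)"
```

The summary makes the decision in the post visible: when every denial is httpd_t against admin_home_t under /var/www, the files carry the wrong label and restorecon -v (or, if the default context is also wrong, chcon plus a semanage fcontext rule) is the fix; only when restorecon leaves the label unchanged and the denial persists is an audit2allow rule worth considering.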

This is also a good page with reference to sealert and setroubleshoot.

Quick reference:

list booleans:

getsebool -a #from libselinux-utils package

list all types defined in the loaded policy:

seinfo -t #from setools-console package

list current permanent file context tagging:

semanage fcontext -l #from policycoreutils-python package