version 1.0.0, 2014-07-08 : Initial version
SElinux cheatsheet
This is my personnal cheatsheet about SELinux.1. Basics
Main SELinux configuration file: /etc/selinux/config
. Changing values in that
file requires a reboot.
-
disabled
→ SELinux is fully disabled -
permissive
→ Logs warnings and actions that would be done by enforcing but do not block anything. -
enforcing
→ SELinux policies are fully applied
-
Users:
-
unconfined_u
→ unprotected user -
system_u
→ system user -
user_u
→ normal user
-
-
Role:
-
object_r
→ file -
system_r
→ users and processes -
unconfined_r
→ unprotected file or process
-
-
Domain:
-
unconfined_t
→ unprotected file or process (most common) -
etc_t
→ for files in /etc directory -
plenty of other domains are available
-
-
/var/log/audit/audit.log
→ main log file -
/var/log/messages
→ Should normally also contain SELinux denials
2. Usefull commands
-
sestatus
→ Shows selinux status -
getenforce
→ Shows the current enforcing level -
setenforce
→ Temporarly changes selinux enforcing level (do not touches /etc/selinux/config file -
ls -Z
→ Shows security context of the files -
ps -ZC atd
→ Shows security context of the atd process -
chcon -vu user_u install.log
→ Changes the security context of the install.log file to users_u user context -
restorecon -Rv /tftpboot
→ Resets the original context of the /tftpboot directory (or set it correctly when you change the tftpboot service directory) -
matchpathcon /my/path
→ Gets the default SELinux security context for the specified path from the file contexts configuration -
sestatus -b
orgetsebool -a
→ Shows all boolean options for services -
semanage boolean -l
→ Provides the same info as previos command but with a description (provided by the policycoreutils-python package) -
setsebool -P tftp_use_nfs=1
→ Enables permanently this boolean -
sealert
is also a very usefull command when it comes to troubleshooting. -
ausearch -ts 16:00 | grep AVC
→ Lists all access violations since 16h the one that is in the previous 24 hours -
ausearch -ts this-month | grep denied
→ Lists all deactions denied by SELinux during the current month. You can put a date there, but be careful of your locale which it will depend on.
3. Port labeling
Port labeling in SELinux is to allow services to use non standard ports. For example, by default, ssh will need to be on port 22 to work correctly with SELinux. Now let’s say that you configured ssh to listen on port 2222 instead. You’ll have to issue the following command to make it work:
semanage port -a -t ssh_port_t -p tcp 2222
The semanage port -l
command will show the currently configured port labels.
4. From GRUB
To disable selinux from grub, add selinux=0
to the kernel line.
To let selinux be loaded, but setting enforcing to permissive, add
enforcing=0
to the kernel line.
5. Troubleshooting
The best way to troubleshoot is to install the setroubleshoot-server
and
setroubleshoot-plugins
. Then, each time SELinux blocks something, an alert
will be created in /var/log/messages
with the instructions to help you solving
hte issue and the id to use with sealert
.
If you are running a graphical environment, you may to consider installing also
the setroubleshoot
package which provides a GUI to troubleshoot even more
easily.
For some really interesting topics about SELinux, consider having a look to the Dan Walsh’s blog: