Thursday, 22 November 2012

SELinux - Security Enhanced Linux

Linux uses DACs (discretionary access controls): the owner of a file decides who may read, write or execute it.

ls -l
permissions   links DACs      size timestamp     filename
-rwxr-xr-x.   1     root root 53   Nov 21 23:30  index.html

SELinux adds MACs (mandatory access controls) on top of DAC: every access a process makes to an object is checked against the loaded policy, with decisions cached in the kernel's AVC (Access Vector Cache). A MAC decision cannot be overridden by the file owner, and it applies even to root.
 

ls -lZ
permissions DAC        MAC                                           filename
-rwxr-xr-x.   root root unconfined_u:object_r:httpd_sys_content_t:s0  index.html

The '.' after the permission bits means the file carries an SELinux context; the MAC column is that context in the form user:role:type:level. For file access the type (here httpd_sys_content_t) is the part the policy decides on.
 

'/etc/sysconfig/selinux'    - config file (on RHEL/CentOS this is a symlink to /etc/selinux/config)

'/etc/selinux/config'    - config file; sets the boot-time mode (SELINUX=enforcing|permissive|disabled) and policy type

'/selinux'    - the selinuxfs pseudo-filesystem, similar to /proc (mounted at /sys/fs/selinux on newer systems)
 

'sestatus -v' - to check the status of selinux (current mode, mode from config file, loaded policy)

'setenforce 0|1'  - switch the mode at runtime (0 for permissive | 1 for enforcing); this lasts only until reboot, the persistent mode is set in the config file

'setsebool'    - set an SELinux Boolean value (add -P to make the change survive a reboot)

-Z    - to list the selinux context of an object, e.g. ls -Z for files, ps -Z for processes, id -Z for your own context

## To make files available under SELinux
1. Copying a file (cp) creates a new file, so it automatically gets the context of the destination directory.
2. Moving a file (mv) keeps the file's original context, so a file moved into /var/www/html from a home directory is still labeled as a home file and httpd is denied access to it. To fix the context follow the steps below:

1. 'restorecon -R /var/www/html'    - reset the contexts under the directory to the policy defaults after moving files (the proper fix)
or
2. 'setenforce 0'    - set selinux to permissive mode (a workaround only: denials are then logged but not enforced, for every domain on the host, until the mode is switched back)
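A small check for the moved-file case above, added here as an example and not part of the original post: it reads `ls -Z`-style lines, pulls the type out of each `user:role:type:level` label, counts entries that do not carry the type httpd expects, and only then calls restorecon. The SAMPLE lines are constructed for the example (on a real host you would pipe `ls -Z /var/www/html` in instead), and the expected type httpd_sys_content_t is the one shown in the post's ls -lZ output.

```shell
#!/bin/sh
# Added example, not from the original post: find entries under a web root whose
# SELinux type is not what httpd expects, before deciding to run restorecon.
# A label has the form user:role:type:level; the third field is the type.
# SAMPLE is constructed in the shape of `ls -Z` output (label, then name);
# on a real host you would pipe `ls -Z /var/www/html` in instead.

SAMPLE='unconfined_u:object_r:httpd_sys_content_t:s0 index.html
unconfined_u:object_r:httpd_sys_content_t:s0 logo.png
unconfined_u:object_r:user_home_t:s0 moved-from-home.html'

# context_type LABEL -> prints the type field of a SELinux label
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# count_mislabeled EXPECTED_TYPE  (reads "label name" lines from stdin)
# Prints the number of entries whose type differs from EXPECTED_TYPE and
# lists each offender on stderr.
count_mislabeled() {
    expected="$1"
    n=0
    while read -r label name; do
        [ -n "$label" ] || continue
        t=$(context_type "$label")
        if [ "$t" != "$expected" ]; then
            printf 'mislabeled: %s is %s, expected %s\n' "$name" "$t" "$expected" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# relabel_if_needed DIR EXPECTED_TYPE  (reads "label name" lines from stdin)
# Runs restorecon on DIR only when at least one entry is mislabeled.
# Returns 0 when the tree is clean, 2 when a relabel was needed.
relabel_if_needed() {
    dir="$1"; expected="$2"
    bad=$(count_mislabeled "$expected")
    if [ "$bad" -eq 0 ]; then
        echo "$dir: all entries are $expected"
        return 0
    fi
    echo "$dir: $bad mislabeled entries, relabeling with restorecon -R"
    # restorecon only exists on an SELinux host and needs a real directory;
    # skip the call otherwise so the example still runs offline.
    if [ -d "$dir" ] && command -v restorecon >/dev/null 2>&1; then
        restorecon -R -v "$dir"
    fi
    return 2
}

printf '%s\n' "$SAMPLE" | relabel_if_needed /var/www/html httpd_sys_content_t
```

Run against the constructed sample it reports moved-from-home.html as user_home_t and returns 2; against a clean tree it returns 0 without touching anything. Checking the type first is what tells you restorecon is the right fix, rather than dropping the whole host to permissive mode.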

## If httpd cannot connect to the db, check the relevant Boolean
getsebool -a | grep http

setsebool httpd_can_network_connect_db off|on

(add -P to setsebool if the change should survive a reboot)

## To relabel the full filesystem

touch /.autorelabel && reboot

The relabel runs during the next boot and can take a long time on a large filesystem.



## To allow a custom port for a vhost (httpd start error caused by SELinux)
'service httpd start'
Permission denied: make_sock: could not bind to address [:::]:4443

semanage port -l | grep http
http_port_t    tcp    80,443,488,8008,8443

NOTE: port 4443 is not in the http_port_t list, so SELinux denies httpd the bind even though DAC would allow it

## To add port 4443

service httpd stop
semanage port -a -t http_port_t -p tcp 4443

-a (to add)
-t (object type)
-p (protocol)


NOTE: to delete 4443 port
semanage port -d -t http_port_t -p tcp 4443
-d (to delete)



semanage port -l | grep http
http_port_t    tcp    4443,80,443,488,8008,8443

service httpd start
[OK]
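The check a practitioner wants before running the `semanage port -a` step above, added here as an example and not part of the original post: `semanage port -a` fails if the port is already defined under another type, in which case `semanage port -m` (modify) is the right verb. The script parses `semanage port -l`-style lines (comma lists like the post's output, and ranges), finds which type owns a port, and prints the command to use. The SAMPLE lines are constructed for the example; on a real host you would pipe `semanage port -l` in instead.

```shell
#!/bin/sh
# Added example, not from the original post: before running `semanage port -a`,
# look up which type (if any) already owns a port, because -a fails when the
# port is already defined under another type and -m (modify) is needed instead.
# SAMPLE is constructed in the shape of `semanage port -l` output; on a real
# host you would pipe `semanage port -l` in instead.

SAMPLE='http_port_t                    tcp      80, 443, 488, 8008, 8443
postgresql_port_t              tcp      5432
ephemeral_port_t               tcp      32768-60999'

# port_owner PROTO PORT  (reads semanage port -l lines from stdin)
# Prints the type that owns PORT/PROTO and returns 0; returns 1 if no type owns it.
# Port lists may be comma separated ("80, 443" or "80,443") or ranges ("32768-60999").
port_owner() {
    proto="$1"; port="$2"
    while read -r ptype p ports; do
        [ "$p" = "$proto" ] || continue
        for item in $(printf '%s' "$ports" | tr ',' ' '); do
            case "$item" in
                *-*)
                    lo=${item%-*}; hi=${item#*-}
                    if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
                        echo "$ptype"; return 0
                    fi ;;
                *)
                    if [ "$item" -eq "$port" ]; then
                        echo "$ptype"; return 0
                    fi ;;
            esac
        done
    done
    return 1
}

# semanage_port_action WANTED_TYPE PROTO PORT  (reads semanage port -l lines from stdin)
# Prints the semanage command that labels PORT as WANTED_TYPE:
#   -a when the port is unowned, -m when another type already owns it,
#   or a note that nothing needs to change.
semanage_port_action() {
    want="$1"; proto="$2"; port="$3"
    owner=$(port_owner "$proto" "$port" || true)
    if [ -z "$owner" ]; then
        echo "semanage port -a -t $want -p $proto $port"
    elif [ "$owner" = "$want" ]; then
        echo "$proto/$port is already $want: nothing to do"
    else
        echo "semanage port -m -t $want -p $proto $port"
    fi
}

printf '%s\n' "$SAMPLE" | semanage_port_action http_port_t tcp 4443
```

For the post's case (4443 unowned) it prints the same `semanage port -a -t http_port_t -p tcp 4443` command the post uses; for a port that some other type already claims it switches to `-m`, which is the error you would otherwise hit only after typing the command.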


NOTE: if you have any issue, common sense is the easy solution...
