Linux uses DACs (discretionary access controls)
ls -l
permissions links DAC (owner group) size timestamp filename
-rwxr-xr-x. 1 root root 53 Nov 21 23:30 index.html
(the trailing '.' after the permission bits means the file also carries an SELinux context)
SELinux uses MACs (mandatory access controls) to monitor/control user and process interaction, using the AVC (Access Vector Cache) in the kernel
ls -lZ
permissions DAC (owner group) MAC (SELinux context user:role:type:level) filename
-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
'/etc/sysconfig/selinux' - config file (a symlink to /etc/selinux/config)
'/etc/selinux/config' - config file (SELINUX=enforcing|permissive|disabled sets the mode at boot, SELINUXTYPE= selects the policy)
'/selinux' - proc-type (pseudo) file system of SELinux (mounted at /sys/fs/selinux on newer systems)
'sestatus -v' - to check the status of SELinux
'setenforce 0|1' - switch the mode at runtime (0 for permissive | 1 for enforcing); this does not survive a reboot, the config file does
'setsebool' - set an SELinux Boolean value (add -P to make the change persistent)
-Z - to list the SELinux details of an object, e.g. ls -Z, ps -Z, id -Z
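To turn the status checks above into something scriptable, here is an added example (not part of the original notes) that reads the persistent mode and policy type from an SELinux config file, splits a security context into its user/role/type/level fields, and flags drift between the running mode and the configured one (the usual sign of a forgotten 'setenforce 0'). The config text and the context strings are constructed for the example; getenforce is only called if it exists.

```shell
#!/bin/sh
# Added example: SELinux mode and context helpers. The sample config
# below is constructed; the real file is /etc/selinux/config.

# Persistent mode: value of the SELINUX= line (comments ignored).
# Default path is the real config; $1 overrides it (used for the demo).
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "${1:-/etc/selinux/config}" | tail -n 1
}

# Policy type: value of the SELINUXTYPE= line from the same file.
selinux_config_type() {
    sed -n 's/^[[:space:]]*SELINUXTYPE=\([a-z]*\).*/\1/p' "${1:-/etc/selinux/config}" | tail -n 1
}

# Split "user:role:type:level" and print field N (1=user 2=role 3=type
# 4=level). The level may contain ':' itself (a range such as
# s0-s0:c0.c1023), so everything after the third ':' is the level.
context_field() {
    cf_ctx=$1; cf_n=$2
    case $cf_n in
        1|2|3) printf '%s\n' "$cf_ctx" | cut -d: -f"$cf_n" ;;
        4)     printf '%s\n' "$cf_ctx" | cut -d: -f4- ;;
        *)     return 1 ;;
    esac
}

# Runtime mode from getenforce (Enforcing/Permissive/Disabled) when the
# tool is present, otherwise "unknown" so the script still runs elsewhere.
runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then getenforce; else echo unknown; fi
}

# Report when the running mode and the persistent config disagree.
# Returns 2 on drift so a cron job or monitoring check can alert on it.
check_mode_drift() {
    cmd_cfg=$(selinux_config_mode "$1")
    cmd_run=$(runtime_mode | tr 'A-Z' 'a-z')
    [ "$cmd_run" = unknown ] && { echo "runtime mode unknown (no getenforce)"; return 0; }
    if [ "$cmd_cfg" != "$cmd_run" ]; then
        echo "DRIFT: config=$cmd_cfg runtime=$cmd_run"
        return 2
    fi
    echo "ok: $cmd_cfg"
}

# Constructed sample config written to a temp file for the demo.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# This file controls the state of SELinux on the system (constructed sample).
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

selinux_config_mode "$SAMPLE_CFG"                               # enforcing
selinux_config_type "$SAMPLE_CFG"                               # targeted
context_field unconfined_u:object_r:httpd_sys_content_t:s0 3    # httpd_sys_content_t
check_mode_drift "$SAMPLE_CFG" || echo "(exit status $?)"
```

On a real host drop the path argument so the functions read /etc/selinux/config; the drift check is the one worth scheduling, since a box left in permissive mode keeps logging denials but no longer blocks anything.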
## To make files available (with the right context) under SELinux
1. copying a file (cp) gives the copy the context of the destination directory automatically
2. moving a file (mv) keeps its old context, so to change the context follow the steps below
1. 'restorecon -R /var/www/html' - restore the default contexts of the files after moving
or
2. 'setenforce 0' - set SELinux to permissive mode (denials are only logged; the wrong context stays until relabelled)
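The mv case above is the one that bites in practice: the file still has its home-directory type, so httpd is denied. This added example (not from the original notes) parses an 'ls -Z' style listing, lists the files whose type differs from the one the web root should have, and shows the restorecon dry run before the real relabel. The listing is constructed; the expected type httpd_sys_content_t and the path /var/www/html come from the notes.

```shell
#!/bin/sh
# Added example: find files with the wrong SELinux type after 'mv' and
# relabel them. The 'ls -Z' listing below is constructed.

# $1: lines of "<context> <path>" as modern 'ls -Z' prints them.
# $2: the type every file should have. Prints the paths that differ.
find_mismatched() {
    fm_expected=$2
    printf '%s\n' "$1" | while read -r fm_ctx fm_path; do
        [ -z "$fm_ctx" ] && continue
        fm_type=$(printf '%s\n' "$fm_ctx" | cut -d: -f3)
        [ "$fm_type" = "$fm_expected" ] || printf '%s\n' "$fm_path"
    done
}

# Number of mismatches; handy as an exit status for a periodic check.
count_mismatched() {
    find_mismatched "$1" "$2" | grep -c .
}

# Repair: restorecon -R resets the tree to the policy's default contexts
# (what 'cp' would have given the files). '-n -v' first lists what would
# change without touching anything, then the real run relabels.
relabel_web_root() {
    rw_root=${1:-/var/www/html}
    if ! command -v restorecon >/dev/null 2>&1; then
        echo "restorecon not available here; would run: restorecon -Rv $rw_root"
        return 0
    fi
    restorecon -Rnv "$rw_root"    # dry run
    restorecon -Rv "$rw_root"     # relabel for real
}

# Constructed listing: index.html was created in /var/www/html and has
# the right type; about.html and logo.png were moved in with 'mv' from a
# home directory and kept user_home_t.
SAMPLE_LISTING='unconfined_u:object_r:httpd_sys_content_t:s0 index.html
unconfined_u:object_r:user_home_t:s0 about.html
unconfined_u:object_r:user_home_t:s0 logo.png'

echo "files with the wrong type:"
find_mismatched "$SAMPLE_LISTING" httpd_sys_content_t
echo "count: $(count_mismatched "$SAMPLE_LISTING" httpd_sys_content_t)"
```

On a live system feed it real output, e.g. find_mismatched "$(ls -Z /var/www/html)" httpd_sys_content_t, and call relabel_web_root only when the count is non-zero; fixing the context keeps enforcing mode on, which the 'setenforce 0' alternative does not.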
## if httpd cannot connect to the DB then follow below
getsebool -a | grep http
setsebool httpd_can_network_connect_db on|off
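Booleans widen what the confined httpd_t domain may do, so the check is not just "is it on" but "which one is on". This added example (not from the original notes) parses 'getsebool -a' output, lists the httpd booleans that are enabled, and picks the narrowest boolean for database access (httpd_can_network_connect_db rather than the broad httpd_can_network_connect). The getsebool output is constructed; setsebool is only run if present.

```shell
#!/bin/sh
# Added example: read and reason about httpd SELinux booleans.
# The 'getsebool -a' output below is constructed.

# Value (on/off) of one boolean from "name --> value" lines.
bool_value() {
    printf '%s\n' "$1" | awk -v b="$2" '$1 == b && $2 == "-->" { print $3 }'
}

# Every httpd_* boolean currently on: each one is extra privilege for
# httpd_t, so this list is what a reviewer wants to see.
httpd_enabled() {
    printf '%s\n' "$1" | awk '$1 ~ /^httpd_/ && $3 == "on" { print $1 }'
}

# Which boolean to enable so httpd can reach a database: "none" if the
# broad network boolean or the db-specific one is already on, otherwise
# the narrow db-specific one.
db_boolean_needed() {
    if [ "$(bool_value "$1" httpd_can_network_connect)" = on ]; then
        echo none
    elif [ "$(bool_value "$1" httpd_can_network_connect_db)" = on ]; then
        echo none
    else
        echo httpd_can_network_connect_db
    fi
}

# Apply a boolean persistently (-P writes it to the policy store so it
# survives reboot); without -P the change is lost on reboot.
enable_boolean() {
    if command -v setsebool >/dev/null 2>&1; then
        setsebool -P "$1" on
    else
        echo "setsebool not available here; would run: setsebool -P $1 on"
    fi
}

# Constructed sample of 'getsebool -a | grep http'.
SAMPLE_BOOLS='httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_sendmail --> off
httpd_enable_homedirs --> on
httpd_use_nfs --> off'

echo "enabled httpd booleans:"
httpd_enabled "$SAMPLE_BOOLS"
needed=$(db_boolean_needed "$SAMPLE_BOOLS")
echo "boolean to enable for DB access: $needed"
[ "$needed" = none ] || enable_boolean "$needed"
```

On a real host replace SAMPLE_BOOLS with "$(getsebool -a)". Preferring the _db boolean keeps httpd limited to database port types instead of allowing outbound connections to any port.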
## to relabel the full filesystem
touch /.autorelabel && reboot
## To allow a custom port for a vhost (httpd start error from SELinux)
'service httpd start'
Permission denied: make_sock: could not bind to address [:::]:4443
semanage port -l | grep http
http_port_t tcp 80,443,488,8008,8443
NOTE: 4443 is not in the http_port_t list, which is why httpd cannot bind to it (the denial is also logged as an AVC message in /var/log/audit/audit.log; 'ausearch -m avc -ts recent' shows it)
## to add port 4443
service httpd stop
semanage port -a -t http_port_t -p tcp 4443
-a (to add)
-t (object type, here the port type http_port_t)
-p (protocol)
NOTE: to delete port 4443 again
semanage port -d -t http_port_t -p tcp 4443
-d (to delete)
semanage port -l | grep http
http_port_t tcp 4443,80,443,488,8008,8443
service httpd start
[OK]
NOTE: if you have any issue then common sense is the easy solution...
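The 'semanage port -a' step above only works when the port is not yet labelled; if another type already owns it, semanage refuses and the port record must be modified with -m instead. This added example (not from the original notes) parses 'semanage port -l' output, finds which type owns a tcp port (handling both "80,443" and "80, 443" spacing and ranges such as 10001-10010), and prints the right semanage command. The http_port_t line is the one from the notes; the other two lines are constructed.

```shell
#!/bin/sh
# Added example: decide how to label a port for httpd from the
# 'semanage port -l' listing. SAMPLE_PORTS below is partly constructed.

# Type that owns <proto>/<port>, or "none". Listing lines look like
# "<type> <proto> <ports>", where <ports> is a comma-separated list
# that may contain ranges ("10001-10010") and may have spaces after commas.
port_owner() {
    po_out=$(printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                n = split($i, list, ",")
                for (j = 1; j <= n; j++) {
                    p = list[j]
                    if (p == "") continue
                    if (p ~ /-/) {
                        split(p, r, "-")
                        if (port+0 >= r[1]+0 && port+0 <= r[2]+0) { print $1; exit }
                    } else if (p+0 == port+0) { print $1; exit }
                }
            }
        }')
    echo "${po_out:-none}"
}

# The command that makes <proto>/<port> usable by httpd: -a when the port
# is unlabelled, -m when another type already owns it, nothing when it is
# already http_port_t.
semanage_port_cmd() {
    spc_owner=$(port_owner "$1" "$2" "$3")
    case $spc_owner in
        http_port_t) echo "already http_port_t: nothing to do" ;;
        none)        echo "semanage port -a -t http_port_t -p $2 $3" ;;
        *)           echo "semanage port -m -t http_port_t -p $2 $3   # currently $spc_owner" ;;
    esac
}

# First line is the listing from the notes; the next two are constructed
# to show comma-space formatting and a port range.
SAMPLE_PORTS='http_port_t tcp 80,443,488,8008,8443
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
pgsql_port_t                   tcp      5432'

for p in 4443 443 8080 10005; do
    echo "tcp/$p owned by: $(port_owner "$SAMPLE_PORTS" tcp "$p")"
    echo "  -> $(semanage_port_cmd "$SAMPLE_PORTS" tcp "$p")"
done
```

On a real host use "$(semanage port -l)" as the listing, stop httpd as the notes do, run the printed command, and check with 'semanage port -l | grep http' before starting httpd again. Moving a port with -m takes it away from its previous type, so confirm nothing else relies on that label first.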