SELinux Notes


An SELinux context contains a user, a role and a type.

Default file context rules (path pattern to label) are stored in /etc/selinux/targeted/contexts/files/file_contexts

Assign the context named_log_t to the logs directory (this records the rule; run restorecon on the path to apply it)

$ semanage fcontext -a -t named_log_t '/var/named/chroot/logs(/.*)?'

Assign the dns_port_t context to TCP port 12345.

$ semanage port -a -t dns_port_t -p tcp 12345

Change the context of a file based on another file (not persistent)

$ chcon --reference /var/www/html /var/www/html2

Set the files to their default context

$ restorecon -Rv /var/www/html

List booleans on a system

$ getsebool -a

List boolean values with descriptions

$ semanage boolean -l

Change a boolean value ("-P" makes this persistent)

$ setsebool -P ftpd_anon_write on

Report SELinux violations by analyzing the audit log file

$ sealert -a /var/log/audit/audit.log

You can remedy violations with audit2allow; the output from sealert shows the commands you need to run.
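As an added example (not part of these notes), a small POSIX shell script that pulls the source type, target type, object class and permission out of AVC denial records in audit.log and sorts each denial into a likely remediation: relabel the file (semanage fcontext + restorecon), label the port (semanage port), or a real policy gap to review with sealert/audit2allow. The audit lines are constructed samples and the generic-type list in avc_triage is a heuristic assumption.

```shell
#!/bin/sh
# Constructed sample audit.log records (not output from a real system)
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { write } for  pid=1234 comm="named" name="named.log" dev="dm-0" ino=12345 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13
type=AVC msg=audit(1700000001.000:457): avc:  denied  { name_bind } for  pid=1234 comm="named" src=12345 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# Extract one key=value field from an audit record ($1 = record, $2 = key)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Type part of a context (third colon-separated field: user:role:type:level)
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Permissions listed inside the { ... } of a denial
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ \([^}]*\) }.*/\1/p' | sed 's/ *$//'
}

# One line per denial: source_type target_type class perms
avc_summary() {
    printf '%s\n' "$1" | grep 'avc:  denied' | while IFS= read -r rec; do
        s=$(ctx_type "$(avc_field "$rec" scontext)")
        t=$(ctx_type "$(avc_field "$rec" tcontext)")
        c=$(avc_field "$rec" tclass)
        p=$(avc_perms "$rec")
        printf '%s %s %s %s\n' "$s" "$t" "$c" "$p"
    done
}

# Prefix each denial with the likely fix. A generic target type (assumed list)
# usually means a mislabelled file, which is fixed with semanage fcontext +
# restorecon, not with an audit2allow rule that widens the domain's policy.
avc_triage() {
    avc_summary "$1" | while read -r s t c p; do
        case "$t" in
            var_t|default_t|unlabeled_t) kind=relabel ;;
            *) case "$c:$p" in
                   tcp_socket:name_bind|udp_socket:name_bind) kind=port ;;
                   *) kind=policy ;;
               esac ;;
        esac
        printf '%s %s %s %s %s\n' "$kind" "$s" "$t" "$c" "$p"
    done
}

avc_triage "$SAMPLE_AVC"
```

Run it against a real file with `avc_triage "$(grep 'avc:  denied' /var/log/audit/audit.log)"`; only the denials tagged policy are candidates for audit2allow.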

List system user to SELinux mappings

$ semanage login -l

Change the default user mapping (__default__) to user_u instead of unconfined_u

$ semanage login -m -S targeted -s "user_u" -r s0 __default__

Map the user ollie to the SELinux user staff_u

$ semanage login -a -s staff_u ollie

The SELinux roles sysadm_r and staff_r are the only roles allowed to use sudo

THIS INFORMATION IS PROVIDED UNDER A GPLV2 LICENSE