December 8, 2017

SELinux


------------
What is SELinux Boolean?
------------
"Booleans allow parts of SELinux policy to be changed at runtime, without any knowledge of
SELinux policy writing. This allows changes, such as allowing services access to NFS volumes,
without reloading or recompiling SELinux policy."
[https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html]

------------
Install semanage
------------

# yum install policycoreutils-python

------------
Working with SELinux boolean
------------

Previously you could list all SELinux Booleans with

# getsebool -a

With RHEL 6 there is a better way, which also shows a description of each boolean:

# semanage boolean -l

To permanently change a SELinux boolean (the -P flag writes it to the policy store so it survives a reboot):

# setsebool -P httpd_can_network_connect on

------------
Reference 
------------
http://wiki.centos.org/TipsAndTricks/SelinuxBooleans

Example SELinux .te policy file (the nrpe domain used below):
http://oss.tresys.com/repos/refpolicy/archive/strict/domains/program/unused/nrpe.te

============
SELinux Process
============

Show the security context (user:role:type:level) of a running process; the type field, here nrpe_t, is the domain the policy confines it to:

# ps auxZ | grep nrpe
unconfined_u:system_r:nrpe_t:s0 nrpe 1234 0.0 0.0 41320 1340 ? Ss Jan13 0:14 /usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d

============
SELinux Files
============
Change the type of a file directly (this is not persistent and is lost on a relabel):

# chcon -v --type=httpd_sys_content_t /html/index.html
context of /html/index.html changed to user_u:object_r:httpd_sys_content_t

Test that the service can now access the file.

Make the change persistent by adding a file context rule for the path:

# semanage fcontext -a -t httpd_sys_content_t "/html(/.*)?" 

Then relabel the whole filesystem on the next boot so the new rule is applied:

# touch /.autorelabel
# reboot

============
SELinux Ports
============
Allowing Access to a Port

We may want a service such as Apache to be allowed to bind and listen for incoming
connections on a non-standard port. By default, the SELinux policy only allows
services access to the recognized ports associated with them. To allow Apache to
listen on TCP port 81, add a rule with the 'semanage' command:

# semanage port -a -t http_port_t -p tcp 81 

A full list of the ports that SELinux permits services to use can be obtained with:

# semanage port -l 
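As an added example, not part of the original post: `semanage port -a` fails with "already defined" when the port is already labelled with another type (for example 8080, which is http_cache_port_t), and `semanage port -m` is needed instead. This helper parses `semanage port -l`-style output (a constructed sample is embedded; the function and variable names are my own) and prints the command that applies the wanted label.

```shell
# Added example (not from the original post): pick the right semanage verb for
# a port. `semanage port -a` fails with "already defined" when the port is in
# the policy under another type; in that case `semanage port -m` is needed.

# Constructed sample in the layout printed by `semanage port -l`
# (type, protocol, comma-separated ports and ranges). Real output is longer
# and the ports listed vary by policy version.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22'

# port_type LIST PROTO PORT: print the type that owns PORT/PROTO, or nothing.
port_type() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        NR > 1 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)          # strip the list separator
                if (split(p, r, "-") == 2) { lo = r[1]; hi = r[2] }
                else { lo = p; hi = p }           # single port, not a range
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) { print $1; exit }
            }
        }'
}

# semanage_port_cmd LIST TYPE PROTO PORT: print the command that labels
# PORT/PROTO as TYPE, choosing -a (unlabelled), -m (labelled as another type)
# or a comment when nothing needs to change.
semanage_port_cmd() {
    cur=$(port_type "$1" "$3" "$4")
    if [ -z "$cur" ]; then
        echo "semanage port -a -t $2 -p $3 $4"
    elif [ "$cur" = "$2" ]; then
        echo "# $4/$3 already labelled $2"
    else
        echo "semanage port -m -t $2 -p $3 $4"
    fi
}

semanage_port_cmd "$SAMPLE_PORT_LIST" http_port_t tcp 81     # prints the -a form
semanage_port_cmd "$SAMPLE_PORT_LIST" http_port_t tcp 8080   # prints the -m form
```

On a real host feed it the live output, e.g. `semanage_port_cmd "$(semanage port -l)" http_port_t tcp 81`, and review the printed command before running it as root.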
