------------
What is SELinux Boolean?
------------
"Booleans allow parts of SELinux policy to be changed at runtime, without any knowledge of
SELinux policy writing. This allows changes, such as allowing services access to NFS volumes,
without reloading or recompiling SELinux policy."
[https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html]
------------
Install semanage
------------
# yum install policycoreutils-python
------------
Working with SELinux boolean
------------
Previously you could list all SELinux Booleans with
# getsebool -a
But with RHEL 6 there is a better way, which also returns a description for each boolean:
# semanage boolean -l
To permanently change a SELinux boolean (the -P flag writes the value to the policy store so it survives a reboot):
# setsebool -P httpd_can_network_connect on
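Once booleans are being flipped with setsebool -P, the practical question is whether a host still matches the baseline you intended. The script below is an added example, not part of the original post: it compares getsebool -a output against a desired list and prints the setsebool -P commands needed to bring the host back in line. The getsebool output and the baseline are constructed samples so it runs offline; on a real host you would pass "$(getsebool -a)" instead.

```shell
#!/bin/sh
# Constructed sample of `getsebool -a` output (not captured from a real host).
SAMPLE_GETSEBOOL='httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_enable_cgi --> on
httpd_use_nfs --> off
ftpd_anon_write --> on'

# Desired baseline, one "name state" pair per line (constructed for this example).
BASELINE='httpd_can_network_connect off
httpd_enable_cgi off
httpd_use_nfs off
ftpd_anon_write off
httpd_can_sendmail off'

# Print "name current desired" for every baseline boolean whose live value
# differs from the desired one. Booleans the policy does not define at all
# are reported as "name missing desired" so they are not silently ignored.
# $1 = getsebool -a output, $2 = baseline.
boolean_drift() {
    printf '%s\n' "$2" | while read -r name want; do
        [ -n "$name" ] || continue
        cur=$(printf '%s\n' "$1" | awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }')
        if [ -z "$cur" ]; then
            echo "$name missing $want"
        elif [ "$cur" != "$want" ]; then
            echo "$name $cur $want"
        fi
    done
}

# Turn drift lines into the persistent setsebool commands that would fix them;
# "missing" booleans cannot be set, so they are left out of the command list.
drift_to_commands() {
    boolean_drift "$1" "$2" | awk '$2 != "missing" { print "setsebool -P " $1 " " $3 }'
}

# Stand-alone run against the constructed sample.
# On a real host: drift_to_commands "$(getsebool -a)" "$BASELINE"
drift_to_commands "$SAMPLE_GETSEBOOL" "$BASELINE"
```

Review the printed commands before running them: a boolean that is "on" but not in your baseline (httpd_can_network_connect_db above) is deliberately not touched, so the baseline should list every boolean you care about.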
------------
Reference
------------
http://wiki.centos.org/TipsAndTricks/SelinuxBooleans
Example SELinux .te policy file (nrpe):
http://oss.tresys.com/repos/refpolicy/archive/strict/domains/program/unused/nrpe.te
============
SELinux Process
============
# ps auxZ | grep nrpe
unconfined_u:system_r:nrpe_t:s0 nrpe 1234 0.0 0.0 41320 1340 ? Ss Jan13 0:14 /usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d
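The context column shows which domain a daemon actually runs in; a daemon that should be confined (nrpe_t, httpd_t, sshd_t) but shows up as unconfined_t or initrc_t is the thing to look for. The check below is an added example, not from the original post: it reads lines in the shape of `ps -eo label,pid,args` (label, pid, command line) and reports daemons whose domain differs from an expected list. Both the process lines and the expected-domain table are constructed here so the script runs offline; on a real host you would pass "$(ps -eo label,pid,args --no-headers)".

```shell
#!/bin/sh
# Constructed lines in `ps -eo label,pid,args` shape (not captured from a real host).
SAMPLE_PS='unconfined_u:system_r:nrpe_t:s0 1234 /usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d
system_u:system_r:httpd_t:s0 2001 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2100 /usr/sbin/sshd
system_u:system_r:initrc_t:s0 2200 /usr/local/bin/agent'

# Expected domain per daemon executable name (constructed for this example).
EXPECTED_DOMAINS='nrpe nrpe_t
httpd httpd_t
sshd sshd_t'

# Print "name pid domain expected" for every listed daemon that is not running
# in its expected domain. Executables absent from the table are skipped.
# $1 = process lines, $2 = expected-domain table.
domain_drift() {
    printf '%s\n' "$1" | while read -r ctx pid cmd; do
        [ -n "$cmd" ] || continue
        domain=$(printf '%s' "$ctx" | cut -d: -f3)   # user:role:TYPE:level
        exe=${cmd%% *}                                # strip arguments
        name=${exe##*/}                               # strip directory
        want=$(printf '%s\n' "$2" | awk -v n="$name" '$1 == n { print $2 }')
        [ -z "$want" ] && continue
        [ "$domain" = "$want" ] || echo "$name $pid $domain $want"
    done
}

# Stand-alone run against the constructed sample.
# On a real host: domain_drift "$(ps -eo label,pid,args --no-headers)" "$EXPECTED_DOMAINS"
domain_drift "$SAMPLE_PS" "$EXPECTED_DOMAINS"
```

A daemon reported here was usually started from an unconfined shell instead of its init script; restarting it through the service framework normally puts it back into its confined domain.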
============
SELinux Files
============
# chcon -v --type=httpd_sys_content_t /html/index.html
context of /html/index.html changed to user_u:object_r:httpd_sys_content_t
Test the change, then make it persistent:
# semanage fcontext -a -t httpd_sys_content_t "/html(/.*)?"
# touch /.autorelabel
# reboot
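After adding an fcontext rule, the useful check is whether files on disk already carry the type the rule configures, or whether a relabel is still needed. The script below is an added example, not from the original post: it parses an excerpt of `semanage fcontext -l` and an `ls -Z` listing and reports every file whose on-disk type differs from the rule that applies to it. It assumes file_contexts semantics where the last matching rule wins; the listings are constructed samples so it runs offline.

```shell
#!/bin/sh
# Constructed excerpt of `semanage fcontext -l` (not from a real host).
SAMPLE_FCONTEXT='/html(/.*)?                 all files  system_u:object_r:httpd_sys_content_t:s0
/html/cgi-bin(/.*)?         all files  system_u:object_r:httpd_sys_script_exec_t:s0'

# Constructed `ls -Z` listing: mode, owner, group, context, path.
SAMPLE_LS_Z='-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /html/index.html
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 /html/upload.html
-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /html/cgi-bin/form.cgi
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 /srv/other.txt'

# Type that the fcontext rules ($1) assign to a path ($2): the type of the
# last rule whose regex matches the whole path, or "" when no rule matches.
expected_type() {
    printf '%s\n' "$1" | awk -v path="$2" '
        NF >= 3 {
            split($NF, c, ":")                 # user:role:type:level
            if (path ~ ("^" $1 "$")) want = c[3]
        }
        END { print want }'
}

# Print "path actual expected" for each ls -Z entry ($2) whose on-disk type
# differs from the configured rule ($1). Paths with no rule are skipped.
label_drift() {
    printf '%s\n' "$2" | while read -r mode owner group ctx path; do
        [ -n "$path" ] || continue
        actual=$(printf '%s' "$ctx" | cut -d: -f3)
        want=$(expected_type "$1" "$path")
        [ -z "$want" ] && continue
        [ "$actual" = "$want" ] || echo "$path $actual $want"
    done
}

# Stand-alone run against the constructed samples.
label_drift "$SAMPLE_FCONTEXT" "$SAMPLE_LS_Z"
```

Files reported here are exactly the ones a relabel will change. For a single tree, `restorecon -Rv /html` applies the configured rules immediately without the /.autorelabel reboot, and its -v output should match the lines this check prints.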
============
SELinux Ports
============
5.4. Allowing Access to a Port
We may want a service such as Apache to be allowed to bind and listen for incoming
connections on a non-standard port. By default, the SELinux policy will only allow
services access to recognized ports associated with those services. If we wanted to
allow Apache to listen on tcp port 81, we can add a rule to allow that using the 'semanage' command:
# semanage port -a -t http_port_t -p tcp 81
A full list of ports that services are permitted access by SELinux can be obtained with:
# semanage port -l
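Before adding a port it is worth knowing whether it is already assigned to the wanted type, unassigned, or owned by some other type (in which case `semanage port -a` fails and `-m` is needed). The script below is an added example, not from the original post: it parses an excerpt of `semanage port -l`, including "low-high" ranges, and prints the right next step. The listing is a constructed sample so it runs offline; on a real host you would pass "$(semanage port -l)".

```shell
#!/bin/sh
# Constructed excerpt of `semanage port -l` output (not from a real host).
SAMPLE_PORTS='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
http_cache_port_t              tcp      3128, 8080, 8118, 8123, 10001-10010
ssh_port_t                     tcp      22
unreserved_port_t              tcp      61001-65535
unreserved_port_t              udp      61001-65535'

# Print the port type(s) in listing $1 that cover protocol $2 and port $3.
# Each port field is either "N," / "N" or a range "low-high".
port_types() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (split(p, r, "-") == 2) {
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) print $1
                } else if (p + 0 == port + 0) {
                    print $1
                }
            }
        }'
}

# Decide what to do for listing $1, wanted type $2, protocol $3, port $4:
# already ours, owned by another type (needs -m), or unassigned (use -a).
check_port() {
    owner=$(port_types "$1" "$3" "$4")
    if [ "$owner" = "$2" ]; then
        echo "ok: $4/$3 already belongs to $2"
    elif [ -n "$owner" ]; then
        echo "owned by $owner; use: semanage port -m -t $2 -p $3 $4"
    else
        echo "semanage port -a -t $2 -p $3 $4"
    fi
}

# Stand-alone run against the constructed sample.
check_port "$SAMPLE_PORTS" http_port_t tcp 81
check_port "$SAMPLE_PORTS" http_port_t tcp 8081
check_port "$SAMPLE_PORTS" http_port_t tcp 22
```

Reassigning a port that another type owns (the -m case) widens what the first service may do only if that is really intended, so treat that branch as a prompt to review rather than a command to paste.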
December 8, 2017
SELinux