SELinux Policies

Understanding SELinux policies

  • Check the active policy on the system using sestatus:
# sestatus | grep "Loaded policy name"
  • Get an overview of SELinux booleans using the semanage command with the boolean option:
# semanage boolean -l | grep policyload
secure_mode_policyload   (off, off)
  • Use getsebool for the same purpose:
# getsebool secure_mode_policyload
secure_mode_policyload --> off
  • If the exact name of the boolean is not known, list all booleans and filter the output:
# getsebool -a | grep policy
secure_mode_policyload --> off
  • Use the sepolicy booleans command:
# sepolicy booleans -b secure_mode_policyload

This command does not show the current value of the boolean.

  • Navigate the /sys/fs/selinux file system to fetch the value of a boolean:
# cat /sys/fs/selinux/booleans/secure_mode_policyload
0
  • Change the value of a boolean using the setsebool command:
# setsebool httpd_can_sendmail on
  • To make the change persistent, add the -P option to setsebool:
# setsebool -P httpd_can_sendmail on
  • Another way to change and persist the boolean setting is to use semanage boolean:
# semanage boolean -m --on httpd_can_sendmail
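As an added example that is not part of the original page, the following POSIX shell check compares getsebool -a output against a baseline of expected boolean states and derives the persistent setsebool -P calls that would bring the host back in line. The sample output, the baseline and the function names are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of `getsebool -a` output (not captured from a real host).
SAMPLE_GETSEBOOL='httpd_can_network_connect --> on
httpd_can_sendmail --> off
httpd_read_user_content --> on
secure_mode_policyload --> off'

# Hypothetical baseline of the states we expect, as name=state lines.
BASELINE='httpd_can_network_connect=off
httpd_can_sendmail=off
httpd_read_user_content=off
secure_mode_policyload=off'

# check_booleans BASELINE GETSEBOOL_OUTPUT
# Prints one line per boolean whose live state differs from the baseline
# (or is missing from the output); prints nothing when everything matches.
check_booleans() {
    baseline=$1
    actual=$2
    # Default IFS splits $baseline on newlines; boolean names contain no spaces.
    for entry in $baseline; do
        name=${entry%%=*}
        expected=${entry#*=}
        # getsebool prints "name --> state"; match the whole name, not a substring
        # (grep for httpd_can_network_connect also hits httpd_can_network_connect_db).
        state=$(printf '%s\n' "$actual" | awk -v n="$name" '$1 == n { print $3 }')
        if [ -z "$state" ]; then
            echo "$name: expected $expected, actual <not present>"
        elif [ "$state" != "$expected" ]; then
            echo "$name: expected $expected, actual $state"
        fi
    done
}

# remediation_commands BASELINE GETSEBOOL_OUTPUT
# Turns each deviation into the persistent setsebool -P call that would fix it;
# booleans absent from the output are skipped, since setsebool cannot set them.
remediation_commands() {
    check_booleans "$1" "$2" |
        awk -F'[: ,]+' '!/<not present>/ { print "setsebool -P " $1 " " $3 }'
}

# Stand-alone run on the constructed sample:
check_booleans "$BASELINE" "$SAMPLE_GETSEBOOL"
remediation_commands "$BASELINE" "$SAMPLE_GETSEBOOL"
```

On a real host, replace the constructed sample with "$(getsebool -a)" and keep the baseline under version control so drift is reviewed rather than silently applied.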

Inspecting the impact of a boolean

  • To show detailed information, use the -b option (rules depending on the boolean), the -A option (show allow rules) and the -C option (show conditional rules):
[root@localhost ~]# sesearch -b httpd_can_sendmail -AC
Found 50 semantic av rules:
DT allow httpd_sys_script_t bin_t : lnk_file { read getattr } ; [ httpd_can_sendmail ]
DT allow mta_user_agent httpd_suexec_t : fd use ; [ httpd_can_sendmail ]

The DT prefix shows the state of the boolean in the policy (first character) and whether the SELinux rule is enabled (second character).

  • Check the rules applicable between the web server domain (httpd_t) and the user content type (user_home_t):
[root@localhost ~]# sesearch -s httpd_t -t user_home_t -AC
Found 9 semantic av rules:
allow daemon user_home_t : file { getattr append } ;
allow httpd_t file_type : filesystem getattr ;
DT allow httpd_t user_home_type : dir { getattr search open } ; [ httpd_read_user_content ]

  • List currently loaded SELinux policy modules:
# semodule -l
abrt       1.4.1
accountsd  1.1.0
...
  • Modules can be loaded with a higher priority, overriding previous modules, or with a lower priority; the full module listing shows the priority of each module:
# semodule --list-modules=full
400 also        pp
400 android     pp
...
  • Generate SELinux policy allow rules by piping the denials through the audit2allow application (investigate audit.log to find a policy denial before attempting this command; this is sample output):
# grep setkey /var/log/audit/audit.log | audit2allow

#============= setkey_t ==============
allow setkey_t newrole_t:fd use;
allow setkey_t var_t:dir search;
  • Based on the denials, two allow rules are prepared. We can also ask audit2allow to create an SELinux module:
# grep setkey /var/log/audit/audit.log | audit2allow -M localpolicy

********** IMPORTANT **********
To make this policy package active, execute:
semodule -i localpolicy.pp
September 21, 2019
