SELinux was such a burden for me years ago (and still sometimes is). The first time I worked as a sysadmin, I had to deploy an Apache server with its DocumentRoot mounted as an NFS partition. I spent 2 days wondering and searching why in hell my Apache couldn't access its html directory. Too stupid when you find out that there is something called SELinux that is turned on by default and restricts access to your NFS partition by Apache processes!!!!

SELinux is such a wonderful tool for hardening your system, and one that can throw your system into chaos if you mess with it xD xD xD.

SELinux is a built-in kernel module with a bunch of rules and decisions determining who/what has the right to access what. This is done through labeling of the whole file system; security decisions are then the result of combining these labels with the policy rules in use. It handles access to files/objects much more meticulously than classic permissions, ACLs, etc. do.

SELinux depends on a group of labels to make access decisions. So when your system is installed with SELinux, the whole file system is labeled with a context, and every file/object has a SELinux context described as a 4-tuple:

So every file, directory, stream, port, etc. within your system has its own context, and the SELinux rules say which user may take which role to access which type. When using the targeted policy, you only need to understand the user and type parts of the 4-tuple context. SELinux users are not the same as the users you log in as: many Linux users may map to the same SELinux user within their context.

Let's get our hands on SELinux contexts. The -Z switch displays the SELinux context of your file, port, etc.

To check the SELinux context of a file or directory, use:

To check the SELinux context of a currently running process, for example Apache:

I use the semanage command to view and manage SELinux contexts. As I'm working with CentOS 6, it wasn't already installed.

Check which package provides semanage:
~]# yum provides *bin/semanage
Policycoreutils-python-2.0.83-19.39.el6.i686 : SELinux policy core python

Install it:
~]# yum -y install policycoreutils-python

Discover the mapping between Linux users and SELinux users:

Context of a port, for example the http ports:

To list the context of some files, use semanage as follows and grep for the names of your files:

Commands like chcon and semanage allow you to alter SELinux contexts easily. If you are just testing a new update, use chcon for temporary changes, with -t for type, -u for user, etc. (man chcon will do for the rest):
#chcon -t httpd_user_content_t /home/setuto/www

Updates made with chcon are not persistent: if you relabel your file system or run restorecon, you will lose the new configuration. If you want persistent changes, use the semanage command instead. For example, use semanage fcontext with the appropriate switch, -a to add and -d to delete, in order to change a file's context. This command adds your updates to the SELinux configuration files, saving them for good. Here we change the type context of the directory /home/setuto/www from user_home_t to httpd_user_content_t:
#semanage fcontext -a -t httpd_user_content_t /home/setuto/www

Observe that semanage fcontext doesn't change the context on disk until you run restorecon. The restorecon command is very useful: you can use it to restore contexts modified by chcon, since restorecon resets them to the last state saved in the SELinux configuration files. For further details, the man command will do.

To compare the current context of a file with the default one, use the matchpathcon command with the filename.
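To make the difference between chcon and semanage fcontext plus restorecon concrete, and to show what the 4-tuple context and the matchpathcon comparison look like in code, here is an added example that is not part of the original post: a small in-memory model written in Python, with no real SELinux calls. The file_contexts rules, the paths under /home/setuto and the starting labels are constructed sample data. Two real behaviours are imitated: restorecon resets only the type portion of a label unless forced, and the last matching rule wins, which is why entries added with semanage (stored in file_contexts.local) override the distribution policy.

```python
"""Model of SELinux file labeling: temporary chcon vs persistent semanage fcontext + restorecon.

Added illustration, not code from the original post: an in-memory simulation,
not real SELinux calls. Rule patterns, paths and labels are constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """A SELinux security context, the 4-tuple user:role:type:level."""
    user: str
    role: str
    type: str
    level: str

    @classmethod
    def parse(cls, text: str) -> Context:
        # Split into at most 4 fields: the MLS/MCS level may itself contain ':' (s0-s0:c0.c1023).
        parts = text.split(":", 3)
        if len(parts) != 4:
            raise ValueError(f"not a user:role:type:level context: {text!r}")
        return cls(*parts)

    def __str__(self) -> str:
        return f"{self.user}:{self.role}:{self.type}:{self.level}"


class LabeledFs:
    """Files with their current labels, plus the file_contexts rules restorecon consults."""

    def __init__(self, policy_rules):
        # (regex, context) pairs in the shape of the targeted policy's file_contexts file
        self.rules = [(re.compile(pat), Context.parse(ctx)) for pat, ctx in policy_rules]
        self.labels: dict[str, Context] = {}

    def matchpathcon(self, path: str) -> Context:
        """Default context the policy assigns to a path. The last matching rule wins,
        which is how semanage entries (file_contexts.local) override the distribution policy."""
        for pattern, ctx in reversed(self.rules):
            if pattern.fullmatch(path):
                return ctx
        raise LookupError(f"no file_contexts rule matches {path}")

    def chcon(self, path: str, *, type: str) -> None:
        """Temporary change: relabel the inode only; the rule table is untouched."""
        cur = self.labels[path]
        self.labels[path] = Context(cur.user, cur.role, type, cur.level)

    def semanage_fcontext_add(self, pattern: str, type: str) -> None:
        """Persistent change: append a rule (semanage -t defaults to system_u:object_r:TYPE:s0).
        Nothing on disk is relabeled until restorecon runs."""
        self.rules.append((re.compile(pattern), Context("system_u", "object_r", type, "s0")))

    def _target(self, path: str, force: bool) -> Context:
        # Like restorecon, only the type is reset unless -F (force) is given.
        default, cur = self.matchpathcon(path), self.labels[path]
        return default if force else Context(cur.user, cur.role, default.type, cur.level)

    def mislabeled(self, prefix: str = "/", force: bool = False) -> list[str]:
        """Paths whose current label differs from the policy default
        (what matchpathcon -V or restorecon -nv would report)."""
        return [p for p in sorted(self.labels)
                if p.startswith(prefix) and self.labels[p] != self._target(p, force)]

    def restorecon(self, prefix: str = "/", force: bool = False) -> list[str]:
        """Reset labels under prefix to the policy default; return the paths changed."""
        changed = self.mislabeled(prefix, force)
        for p in changed:
            self.labels[p] = self._target(p, force)
        return changed


def demo() -> dict:
    """Walk through the post's scenario and record the label type at each step."""
    fs = LabeledFs([  # constructed rules, in file_contexts order (most generic first)
        (r"/.*",               "system_u:object_r:default_t:s0"),
        (r"/home/[^/]+(/.*)?", "unconfined_u:object_r:user_home_t:s0"),
        (r"/var/www(/.*)?",    "system_u:object_r:httpd_sys_content_t:s0"),
    ])
    www, index = "/home/setuto/www", "/home/setuto/www/index.html"
    for p in (www, index):  # constructed starting labels, as ls -Z would show them
        fs.labels[p] = Context.parse("unconfined_u:object_r:user_home_t:s0")
    out = {}
    fs.chcon(www, type="httpd_user_content_t")   # chcon -t httpd_user_content_t /home/setuto/www
    out["after_chcon"] = (fs.labels[www].type, fs.mislabeled("/home/setuto"))
    fs.restorecon("/home/setuto")                # a relabel throws the chcon change away
    out["after_restorecon"] = fs.labels[www].type
    fs.semanage_fcontext_add(r"/home/setuto/www(/.*)?", "httpd_user_content_t")
    out["after_semanage"] = (fs.labels[www].type, fs.mislabeled("/home/setuto"))
    changed = fs.restorecon("/home/setuto")      # now the stored rule is applied to the tree
    out["after_final_restorecon"] = (changed, fs.labels[www].type, fs.labels[index].type,
                                     str(fs.labels[index]), fs.mislabeled("/home/setuto"))
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

Running it shows the sequence the post describes: after chcon the directory carries httpd_user_content_t but matchpathcon still disagrees, a restorecon silently puts user_home_t back, and only after the semanage rule exists does restorecon move the whole tree to httpd_user_content_t and leave nothing mislabeled. The user part stays unconfined_u because restorecon without -F only touches the type, which is also why a plain chcon -t on a misconfigured DocumentRoot looks fixed right up until the next relabel.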