centos | selinux

Basics of SELinux.

References:

techrepublic, digitalocean, digitalocean2, digitalocean3


Check what SELinux packages are installed on your CentOS 7 system:

rpm -qa | grep selinux

Determine what mode SELinux is running in:

getenforce

sestatus

See the mode configured for the next boot:

cat /etc/sysconfig/selinux

List the SELinux policy modules currently loaded into memory:

semodule -l | less

List the installed module files on disk (CentOS 7 layout):

ls -l /etc/selinux/targeted/modules/active/modules/

The -Z option on common commands shows security contexts (of processes, the current user, and files):

ps auxZ

id -Z

ls -lZ /var/www/html/index.html


Enabling and disabling SELinux: edit the file

nano /etc/sysconfig/selinux

and change the mode to the one you want, e.g.

SELINUX=permissive

Then reboot for the change to take effect.
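Because the mode in the config file only takes effect at boot, the running mode (getenforce) and the configured mode can disagree until the reboot. The following is an added example, not part of the original notes: it parses a config file in the format of /etc/sysconfig/selinux and compares the result with a runtime mode string. The config content is constructed for the demo; the function names config_mode, mode_drift and demo_config are my own.

```shell
# Added example (not from the original notes): read the boot-time mode from an
# SELinux config file and compare it with the running mode.  The config file
# content below is constructed for the demo; on CentOS 7 the real file is
# /etc/sysconfig/selinux (a symlink to /etc/selinux/config).

# Print the SELINUX= value from a config file, ignoring comment lines.
# Returns 1 if no SELINUX= line is present.
config_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    [ -n "$mode" ] || return 1
    printf '%s\n' "$mode" | tr '[:upper:]' '[:lower:]'
}

# Compare the config-file mode with the running mode (as printed by
# getenforce, e.g. "Enforcing").  Prints "ok" when they agree and
# "drift: config=<x> runtime=<y>" (exit 1) when a reboot is still pending
# or the mode was changed at runtime with setenforce.
mode_drift() {
    cfg=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    run=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    if [ "$cfg" = "$run" ]; then
        echo "ok"
    else
        echo "drift: config=$cfg runtime=$run"
        return 1
    fi
}

# Constructed sample config, written to a temp file so the demo runs anywhere.
demo_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three values:
SELINUXTYPE=targeted
EOF
    printf '%s\n' "$f"
}

# On a real CentOS 7 host the check is:
#   mode_drift "$(config_mode /etc/sysconfig/selinux)" "$(getenforce)"
```

The comparison is case-insensitive because getenforce capitalises its output ("Permissive") while the config file uses lowercase; a naive string compare would report drift on every host.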

Check logs:

grep "SELinux is preventing" /var/log/messages

grep "SELinux" /var/log/messages
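Grepping shows the raw lines; when a service is being blocked repeatedly it helps to collapse them into a count per process, access and target. The following is an added example, not part of the original notes: the log lines are constructed samples in the shape setroubleshoot writes to /var/log/messages on CentOS 7 (the sealert ids are zero/one placeholders), and the function names demo_log and denial_summary are my own.

```shell
# Added example (not from the original notes): summarise "SELinux is
# preventing" messages.  The log lines below are constructed samples in the
# shape setroubleshoot writes to /var/log/messages on CentOS 7; the sealert
# ids are placeholders.
demo_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mar  3 10:02:11 web1 setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /srv/www/foo.com/html/file.html. For complete SELinux messages run: sealert -l 00000000-0000-0000-0000-000000000000
Mar  3 10:02:15 web1 systemd: Started Session 12 of user root.
Mar  3 10:02:40 web1 setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /srv/www/foo.com/html/file.html. For complete SELinux messages run: sealert -l 00000000-0000-0000-0000-000000000000
Mar  3 10:05:02 web1 setroubleshoot: SELinux is preventing /usr/sbin/vsftpd from write access on the directory /var/ftp/pub. For complete SELinux messages run: sealert -l 11111111-1111-1111-1111-111111111111
EOF
    printf '%s\n' "$f"
}

# Print one line per distinct denial as "<count> <process>|<access>|<target>",
# most frequent first.  Only lines with the setroubleshoot phrasing are
# counted; every other log line is ignored.
denial_summary() {
    sed -n 's/.*SELinux is preventing \(.*\) from \(.*\) access on the \(.*\)\. For complete.*/\1|\2|\3/p' "$1" \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# On a real host:  denial_summary /var/log/messages
```

The setroubleshoot lines are a human-readable digest; the authoritative record of each denial (the AVC message with the source and target contexts) is in /var/log/audit/audit.log, which is what sealert and audit2why read.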


Show the file-context rules of the loaded policy that apply under /var/www:

semanage fcontext -l | grep '/var/www'

Add a new file-context rule for a path pattern, then apply it to the files already there:

semanage fcontext -a -t httpd_sys_content_t '/srv/www(/.*)?'

restorecon -Rv /srv/www

Move a file and then give it the security context appropriate to its new directory (mv keeps the file's old label, so restorecon is needed):

mv file.html /srv/www/foo.com/html/

restorecon -v /srv/www/foo.com/html/file.html
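The rule added with semanage fcontext is a regular expression matched against the whole path; restorecon asks libselinux which rule matches and applies that rule's type. The following is an added example, not part of the original notes, that mimics this lookup against a small rule table. The table is constructed (it uses the page's /srv/www rule plus two patterns in the shape of the targeted policy's own /var/www rules), and the names FCONTEXT_RULES and fcontext_lookup are my own; on a real host the equivalent query is matchpathcon or semanage fcontext -l.

```shell
# Added example (not from the original notes): resolve which file-context
# rule applies to a path.  The rule table is a constructed subset in the
# shape of 'semanage fcontext -l' output (regex, type).
#
# libselinux tries the rules as full-path regexes and takes the last one that
# matches; the policy keeps its rules sorted so more specific patterns come
# later, and rules added with 'semanage fcontext -a' are stored after them,
# which is why the local /srv/www rule takes effect.
FCONTEXT_RULES='/var/www(/.*)? httpd_sys_content_t
/var/www/[^/]*/cgi-bin(/.*)? httpd_sys_script_exec_t
/srv/www(/.*)? httpd_sys_content_t'

# Print the SELinux type assigned to PATH by the rule table, or return 1
# when no rule matches (such a file keeps the label it was created with).
fcontext_lookup() {
    path=$1
    result=""
    while read -r regex type; do
        [ -n "$regex" ] || continue
        # Anchor the regex so it must match the whole path, as the policy does.
        if printf '%s\n' "$path" | grep -Eq "^($regex)$"; then
            result=$type
        fi
    done <<EOF
$FCONTEXT_RULES
EOF
    [ -n "$result" ] || return 1
    printf '%s\n' "$result"
}

# Example: fcontext_lookup /srv/www/foo.com/html/file.html
```

This is also why the mv example above needs restorecon: mv preserves the label the file had in its source directory, whereas the lookup here only depends on the destination path.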


Changing SELinux boolean settings. List all booleans with their current values:

semanage boolean -l | less

See a particular boolean setting:

getsebool ftpd_anon_write

Next we change the boolean to enable it (this is a runtime change; add -P to make it persist across reboots):

setsebool ftpd_anon_write on