RHEL SELinux

Introduction

This is a quick and dirty cheatsheet on RHEL Security Enhanced Linux (SELinux)

Directory and SELinux file
/etc/selinux                  # selinux directory
/etc/selinux/config           # selinux configuration file (SELINUX= mode and SELINUXTYPE= policy)
Status
sestatus
selinuxenabled		      # for scripts: check $? afterwards, 0=enabled (enforcing or permissive), 1=disabled
Configuration
semanage [object] -l  	      # list entries; the object can be login, boolean, port, fcontext, module, interface or node

semanage fcontext -l          # List file context mapping definitions used by restorecon

semanage port -l                              # List current port label assignments
semanage port -a -t http_port_t -p tcp 81     # Allow httpd service to listen on port 81/TCP
semanage port -d -t http_port_t -p tcp 81     # Remove a custom port labeling
semanage port -m -t http_port_t -p tcp 81     # Modify a label associated with a port
SELinux modules
semodule -l		      # list all the se modules
Get and Set SELinux
getenforce
setenforce [0|1]   	      # 0=permissive, 1=enforcing

Note: setenforce only lasts until the next reboot; set SELINUX= in /etc/selinux/config for a persistent change
Get and Set Services
setsebool		      # toggle a policy boolean on|off to let a service do something without recompiling the modules
getsebool -a		      # list all booleans and their current state [on|off]

setsebool httpd_enable_cgi on         # temporary, lost at reboot
setsebool -P httpd_enable_cgi on      # permanent, written to the policy store
List all SELinux context reachable for user
selinuxconlist [-l level] <user>
selinuxdefcon  [-l level] <user>
Change/Restore and List
## The order is user:role:type:security level

chcon			            # change selinux security context of a file
restorecon		            # restore selinux security context of a file
ls -Z <file|directory>	            # display the selinux permissions

examples
===============================================================
chcon unconfined_u:object_r:user_home_t hello  ## set the full selinux context (user:role:type) of hello
chcon -u root -t user_home_t hello             ## change only the selinux user and type, leaving the role

$ ls -Z file1
-rw-rw-r--. user1 group1 unconfined_u:object_r:user_home_t:s0 file1
Get Security Information
## use the below to get the security information of files, processes and users
ps -Z
id -Z
ls -Z
Reporting tools
ausearch, aureport and sealert
Troubleshooting
/var/log/audit/audit.log          # Used by default if auditd daemon is running
/var/log/messages                 # Used when auditd is not running or when setroubleshoot-server is installed.

sealert -b                        # Start graphical SELinux Alert Browser
sealert -a LOG_FILE > report      # Analyze a logfile for SELinux alerts and generate report
sealert -l ID                     # Lookup alert by ID ("*" wildcard could be used to return all alerts).
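As an added example (not from the original cheatsheet), a POSIX shell triage of AVC denials from an audit.log excerpt, for hosts where sealert is not installed; the log lines are constructed samples and the helper names (context_type, avc_triage, avc_hint) are hypothetical:

```shell
#!/bin/sh
# Added example, not part of the original cheatsheet: triage AVC denials from an
# audit.log excerpt with plain POSIX shell, no setroubleshoot needed.
# The log lines in SAMPLE_LOG are constructed samples, not a real capture.

# Return the type field of a context string (user:role:type[:level]).
context_type() {
    rest=${1#*:}; rest=${rest#*:}      # drop user and role
    printf '%s\n' "${rest%%:*}"        # type; the MLS level, if any, follows
}

# Read audit lines on stdin; print one summary line per AVC denial.
avc_triage() {
    q='"'
    while IFS= read -r line; do
        case $line in *avc:*denied*) ;; *) continue ;; esac
        perms=${line#*"{ "}; perms=${perms%%" }"*}
        comm=${line#*comm=$q}; comm=${comm%%$q*}
        sctx=${line#*scontext=}; sctx=${sctx%% *}
        tctx=${line#*tcontext=}; tctx=${tctx%% *}
        tclass=${line#*tclass=}; tclass=${tclass%% *}
        printf 'comm=%s perms=%s source=%s target=%s class=%s\n' \
            "$comm" "$perms" "$(context_type "$sctx")" "$(context_type "$tctx")" "$tclass"
    done
}

# Point at the cheatsheet command that usually explains a denial of this class.
avc_hint() {
    case $1 in
        tcp_socket) printf 'compare the port with "semanage port -l"\n' ;;
        file)       printf 'compare the label with "ls -Z", then "restorecon" if it was mislabelled\n' ;;
        *)          printf 'look the alert up with "sealert -l ID"\n' ;;
    esac
}

SAMPLE_LOG='type=AVC msg=audit(1700000000.123:456): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=81 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=49 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000001.456:457): avc:  denied  { read open } for  pid=1235 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Summarise each denial and attach the matching hint.
printf '%s\n' "$SAMPLE_LOG" | avc_triage | while IFS= read -r summary; do
    cls=${summary##*class=}
    printf '%s -> %s\n' "$summary" "$(avc_hint "$cls")"
done
```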