Explore information related to selinux


List SELinux Contexts on Linux Mint 20

This article covers the different ways of listing the SELinux contexts on a Linux Mint 20 system. Using these methods, you can find the SELinux contexts of the processes, files, or users on your system, depending on your requirements.




Disable SELinux on CentOS 7 - How to do it ?

This article covers a method to permanently disable SELinux on CentOS 7. SELinux, also known as Security-Enhanced Linux, is a security feature embedded in the Linux kernel. SELinux uses Mandatory Access Control (MAC) to confine users to certain rules and policies and prevent them from performing unauthorized tasks on the Linux system, as specified by the IT administrator.

To check the SELinux status, simply run the command:

# sestatus




Easy way to Disable SELinux on CentOS 7 / RHEL 7 / Fedora Linux ?

This article will guide you on the steps to disable SELinux running on your CentOS 7, RHEL 7 and Fedora Linux. Security-Enhanced Linux (SELinux) is a security architecture for Linux systems that allows administrators to have more control over who can access the system. It was originally developed by the United States National Security Agency (NSA) as a series of patches to the Linux kernel using Linux Security Modules (LSM).




Files and Processes in SELinux on CentOS 7 - More information

This article covers files and processes in SELinux. Managing file and process contexts is at the heart of a successful SELinux implementation.

With SELinux, a process or application will have only the rights it needs to function and NOTHING more. The SELinux policy for the application will determine what types of files it needs access to and what processes it can transition to. 

SELinux policies are written by app developers and shipped with the Linux distribution that supports it. A policy is basically a set of rules that maps processes and users to their rights.


SELinux enforces something we can term as “context inheritance”. What this means is that unless specified by the policy, processes and files are created with the contexts of their parents.

So if we have a process called “proc_a” spawning another process called “proc_b”, the spawned process will run in the same domain as “proc_a” unless specified otherwise by the SELinux policy.


SELinux in Action: Testing a File Context Error

1. First, let's create a directory named www under the root. We will also create a folder called html under www:

mkdir -p /www/html

 

2. If we run the ls -Z command, we will see these directories have been created with the default_t context:

ls -Z /www/

drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 html


3. Next we copy the contents of the /var/www/html directory to /www/html:

cp /var/www/html/index.html /www/html/

 

The copied file will have a context of default_t. That's the context of the parent directory.


We now edit the httpd.conf file to point to this new directory as the web site's root folder. 

i. We will also have to relax the access rights for this directory.

vi /etc/httpd/conf/httpd.conf

ii. First we comment out the existing location for document root and add a new DocumentRoot directive to /www/html:

# DocumentRoot "/var/www/html"

DocumentRoot "/www/html"

iii. We also comment out the access rights section for the existing document root and add a new section:

#<Directory "/var/www">
#    AllowOverride None
#    # Allow open access:
#    Require all granted
#</Directory>

<Directory "/www">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>


We leave the location of the cgi-bin directory as it is. We are not getting into detailed Apache configuration here; we just want our site to work for SELinux purposes.


iv. Finally, restart the httpd daemon:

service httpd restart

 

Once the server has been restarted, accessing the web page will give us the same “403 Forbidden” error (or default “Testing 123” page) we saw before.

The error is happening because the index.html file's context changed during the copy operation. It needs to be changed back to its original context (httpd_sys_content_t).
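The check and fix for this walkthrough, as an added example that is not part of the original article: it reads `ls -Z` output, reports entries whose type is not httpd_sys_content_t, and prints the relabel commands. The helper names `mislabeled` and `fix_commands` are hypothetical, the sample listing is constructed, and `semanage` is assumed to be installed (policycoreutils-python on CentOS 7).

```shell
#!/bin/sh
# Added example; mislabeled and fix_commands are hypothetical helper names.
EXPECTED_TYPE="httpd_sys_content_t"   # type the article says index.html needs

# Read `ls -Z` output on stdin; print "<name> <type>" for each entry whose
# SELinux type is not the expected one. The context is found as the first
# field shaped like user:role:type:level, so both the CentOS 7 layout
# (mode owner group context name) and the plain "context name" layout work.
# Names containing spaces are not handled.
mislabeled() {
    awk -v want="${1:-$EXPECTED_TYPE}" '
    {
        for (i = 1; i <= NF; i++) {
            n = split($i, part, ":")
            if (n >= 4) {
                if (part[3] != want) print $NF, part[3]
                break
            }
        }
    }'
}

# Print, without running them, the commands that record a persistent label
# rule for a tree and then relabel it.
fix_commands() {
    dir=${1%/}
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "${2:-$EXPECTED_TYPE}" "$dir"
    printf 'restorecon -Rv %s\n' "$dir"
}

# Constructed sample of `ls -Z /www/html` after the copy in step 3.
SAMPLE='-rw-r--r--. root root unconfined_u:object_r:default_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 ok.html'

printf '%s\n' "$SAMPLE" | mislabeled
fix_commands /www
```

On a live system, pipe `ls -Z /www/html` into `mislabeled` instead of the sample. Recording the rule with `semanage fcontext` before running `restorecon` keeps the label across later relabels.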




restorecond Will not restore a file with more than one hard link - How to resolve this issue

This article covers tips to fix the 'restorecond: Will not restore a file with more than one hard link' error.

To fix this problem, type the following commands:

# rm /etc/sysconfig/networking/profiles/default/resolv.conf

# restorecon /etc/resolv.conf

# ln /etc/resolv.conf /etc/sysconfig/networking/profiles/default/resolv.conf




