The Big Damn SELinux Cheatsheet

From Ye Ole Stash

Jump to: navigation, search

Contents

1 Resources for SELinux
2 Commands you need to memorize
3 Ways to create new rules
- 3.1 Example (for clamscan)
4 My Module List for SELinux
- 4.1 How to Insert Custom Modules
- 4.2 How to add ports to services

Resources for SELinux

CentOS SELinux Page

Commands you need to memorize

These all assume setroubleshootd is running

sealert -a /var/log/audit/audit.log
getsebool -a

Ways to create new rules

If your sealert -a returns "You can generate a local policy module to allow this access - see FAQ" then you need to create a new rule. To do this either grep out the offending lines in audit.log or copy and paste them to a new file.

Phase one test

cat $YOURFILE | audit2allow -m $MODULE_NAME > $TMP.OUT
or
grep $PATTERN /var/log/audit/audit.log  | audit2allow -m $MODULE_NAME > $$?TMP.OUT

Phase two build

cat $YOURFILE | audit2allow -M $MODULE_NAME
or
grep $PATTERN /var/log/audit/audit.log  | audit2allow -M $MODULE_NAME

Phase Three insert

semodule -i $MODULE_NAME

Example (for clamscan)

(test) grep clamscan /var/log/audit/audit.log | audit2allow -m clamscanforincron > /tmp/clamscanforincron.te
(verify) cat /tmp/clamscanforincron.te
(create) grep clamscan /var/log/audit/audit.log | audit2allow -M clamscanforincron
(insert) semodule -i clamscanforincron.pp

My Module List for SELinux

clamscan with incron
squid This is for the squid service to run with the default RHEL init script which uses the squid user as default.

How to Insert Custom Modules

checkmodule -M -m -o squid.mod squid.te
semodule_package -o squid.pp -m squid.mod
semodule -i squid.pp

How to add ports to services

semanage port -l -- to list
semanage port -a -t http_port_t -p tcp 8081 - to add

Retrieved from "http://www.misterx.org/wiki/index.php/The_Big_Damn_SELinux_Cheatsheet"

Views

Personal tools

Log in

Search

Toolbox