selinux

I still see selinux as a productivity killer, but some companies want to use it so why not try to make the best of it.

The main gist of this chapter will be finding out why selinux does not let you do something.

status

To see if it's enabled at all, sestatus is the quickest tool.

sestatus
sestatus

SELinux status:                 disabled
# you wish

Of course, if it says anything more than that, it's enabled.

tools

At least on CentOS 7, these tools are not installed, and you really cannot live without them. They are setroubleshoot and setools.

setroubleshoot
yum install setroubleshoot setools

Now to debug an example:

I had an apache installation with a readable .pem file in the /static directory. The server ran as socportal and all files were chowned socportal.

Still, the http error log says: permission denied.

First you can display the file's SELinux context with the ls -Z option:

policies
ls -lZ /opt/portal/app/static/mgmtdwr.pem

It will show some cryptic stuff like:

output
system_u:object_r:shell_exec_t

You get similarly unreadable messages in the main SELinux log file, /var/log/audit/audit.log. So that's not much help; sealert is much more helpful:

sealert
sealert -a /var/log/audit/audit.log

This actually gives you not only readable comments about what the problem is, but also a command to run to fix it. Of course, you decide first whether that is wise.
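If sealert is not available, the AVC records in audit.log can still be boiled down by hand. The script below is an added example, not code from the original page: it assumes the standard field layout of audit AVC records (scontext/tcontext as user:role:type[:level]) and the log lines in it are constructed samples modelled on the httpd case above.

```shell
#!/bin/sh
# Added example (not code from the original page): summarise SELinux AVC denials
# from audit.log into readable one-liners. The log lines below are constructed.

SAMPLE_AUDIT_LOG=$(cat <<'EOF'
type=AVC msg=audit(1700000000.101:901): avc:  denied  { read } for  pid=2310 comm="httpd" name="mgmtdwr.pem" dev="dm-0" ino=5120 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:901): arch=c000003e syscall=2 success=no exit=-13 ppid=1 pid=2310 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1700000000.202:902): avc:  denied  { open } for  pid=2310 comm="httpd" path="/opt/portal/app/static/mgmtdwr.pem" dev="dm-0" ino=5120 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.303:903): avc:  denied  { name_connect } for  pid=2310 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
EOF
)

# avc_summary: read audit records on stdin and print one line per AVC denial:
#   <comm> (<source type>) denied <perms> on <target type>/<class> [<path or name>]
avc_summary() {
    awk '
    /^type=AVC / && / denied / {
        perms = ""; comm = ""; stype = ""; ttype = ""; tclass = ""; obj = ""
        # the requested permissions sit between { and }
        b = index($0, "{"); e = index($0, "}")
        if (b > 0 && e > b) { perms = substr($0, b + 1, e - b - 1); gsub(/^ +| +$/, "", perms) }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
            # the third field of a context (user:role:type[:level]) is the type
            if (kv[1] == "scontext") { split(kv[2], c, ":"); stype = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
            if (kv[1] == "tclass")   { tclass = kv[2] }
            if (kv[1] == "path" || kv[1] == "name") { obj = kv[2]; gsub(/"/, "", obj) }
        }
        if (obj != "") obj = " [" obj "]"
        printf "%s (%s) denied %s on %s/%s%s\n", comm, stype, perms, ttype, tclass, obj
    }'
}

# avc_count: how many AVC denials are in the input (quick "is SELinux the cause?" check)
avc_count() {
    grep -c '^type=AVC .* denied ' || true
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_summary
fi
```

On a real box you would feed it the actual log, e.g. `avc_summary < /var/log/audit/audit.log`; the source type versus target type pair (here httpd_t reading a shell_exec_t file) is exactly what the sealert suggestion is built around.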

More to come ...