Difference between revisions of "Linux/Security/Selinux"

From Iveze

Revision as of 15:36, 12 June 2015

Security-Enhanced Linux comes pre-installed with distros like CentOS. It can be such a large beast to configure all the policies properly that many people choose to disable it. Here are some recipes for "easy selinux", so the protection can stay on.

What is selinux?

Selinux can best be seen as a sandbox that prevents programs from accessing files and other programs they do not need to use. Does a webserver need to access the complete file system and execute any program it likes? A webserver open to the internet is prone to compromise, so it would be undesirable for an attacker to get further into the system from within the webserver.

Another way to look at selinux is to see it as permissions for programs, like there are permissions for users.

Policy tools

Much of the configuration is done with the policy tools. So if a tool used on this page is missing on your system, install the policy tools.

yum install policycoreutils-python

Is selinux the problem?

When a program does not work as expected, there is a chance that selinux prevents access to certain resources. An easy test can be done by temporarily disabling selinux.

setenforce 0

Now run the program again to see if it works as expected. Do not forget to immediately turn selinux on again.

setenforce 1

If selinux turns out to be the problem, there are several ways to solve it.
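The test above is easy to get wrong in practice: if the program you are testing hangs or you get distracted, the machine stays permissive. The script below is an added example, not part of the original wiki page. It wraps the same setenforce 0 / setenforce 1 procedure in a function that records the current mode with getenforce, runs one command, and restores the previous mode afterwards, also on Ctrl-C. It assumes getenforce and setenforce from policycoreutils are installed and that it runs as root; the function and script names are made up for this example.

```sh
#!/bin/sh
# Added example (not from the original page): run one command with SELinux
# temporarily permissive, then restore the mode that was active before.
# Assumes getenforce/setenforce (policycoreutils) and root privileges.

# Map the getenforce output to the setenforce argument that restores it.
# Fails for "Disabled", because setenforce cannot switch that at runtime.
previous_mode_flag() {
  case "$1" in
    Enforcing)  echo 1 ;;
    Permissive) echo 0 ;;
    *)          return 1 ;;
  esac
}

# Run "$@" in permissive mode and return the command's own exit status,
# so the caller can compare it with a run in enforcing mode.
# Returns 2 when the mode could not be read or changed.
try_permissive() {
  mode=$(getenforce) || return 2
  flag=$(previous_mode_flag "$mode") || {
    echo "SELinux is $mode; nothing to test" >&2
    return 2
  }
  # Restore the previous mode even if the command hangs and is interrupted.
  trap 'setenforce "$flag"' EXIT INT TERM
  setenforce 0 || return 2
  "$@"
  status=$?
  setenforce "$flag"
  trap - EXIT INT TERM
  return "$status"
}

# Usage: sh try_permissive.sh /path/to/program args...
if [ "$#" -gt 0 ]; then
  try_permissive "$@"
fi
```

If the command succeeds here but fails in enforcing mode, selinux is the culprit. Before changing policy, confirm it in the audit log rather than relying on behaviour alone: ausearch -m avc -ts recent lists the denials that were logged during the run, which is also the input for the policy-generation recipe further down.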

Booleans

Files

Generate policies from log data

Make a type permissive