Month: April 2015

SELinux commands cheatsheet

A comprehensive list of SELinux commands with descriptions.

avcstat
Display short Selinux AVC statistical numbers (lookups, hits, misses, allocs, reclaims, frees).

avcstat

audit2allow
Automatically create rules to allow actions based on deny logs from SELinux.

cat /var/log/audit/audit.log | audit2allow
cat /var/log/audit/audit.log | grep apache | audit2allow

audit2why
Get more detailed output (human readable) from the SELinux log.

cat /var/log/audit/audit.log | audit2why

chcon
Change the SELinux context of a file or directory temporarily.
Upon reboot or reset (restorecon), the context will be changed back again.

chcon user_home_t /home/user
chcon -R -t user_home_t /home/*

checkpolicy

fixfiles

genhomedircon

getsebool

getenforce

matchpathcon

newrole

restorecon

run_init

selinuxenabled

sestatus

setfiles

setsebool

setenforce

SELinux: Run a command or script in a specific context

In this howto I will show you a quick sample on how to run a command or script in a specific file-, role- and user-context.

This is usefull if you need to test something before applying a permanent rule.

Use the following command:

runcon -t initrc_t -r system_r -u user_u yourcommandhere

-t is the file context.
-r is the role context.
-u is the user context.

SELinux: Permanently change file context of files and folders

This is a quick howto on changing the file context of files and folders in SELinux.

In this example I want to allow my webserver access to the www folder inside every users home:

unconfined_u:object_r:user_home_dir_t:SystemLow /home/user/www

Right now the current context of user_home_dir_t wont allow the webserver to read or write from the www folder.

In order to allow access to the folder, the context must be changed to httpd_user_rw_content_t or httpd_user_content_t, the latter will only allow read access:

semanage fcontext -a -t httpd_user_rw_content_t '/home/[^/]*/www(/.+)?'

Next, run this command to effectuate the new context rule:

restorecon -R /home

That’s it :)

SELinux: Creating a rule to allow a transition

This is a quick howto on creating a custom SELinux rule to allow transition from one file-context to another.

In this example I will allow the init script of php5-fpm to transition from initrc_t to httpd_php_t.

This is the file context of the init script:

system_u:object_r:initrc_exec_t:SystemLow /etc/init.d/php5-fpm

The init script will execute php5-fpm, which has the following file context:

system_u:object_r:httpd_php_exec_t:SystemLow /usr/sbin/php5-fpm

Right now, if I run the init script to launch php5-fpm, the process will end up with the following context:

system_u:system_r:initrc_t:s0 23182 ? Ss 0:00 php-fpm: master process

As you can see, the process is not transitioning properly to the correct context which is httpd_php_t.

In order to allow the transition, we must create a selinux module.
Create a new file (you may use a different name, just end it with .te) /etc/selinux/httpd_php.te, then fill it with the following content:

module httpd_php_t;
require {
    type initrc_t;
    type httpd_php_exec_t;
    type httpd_php_t;
    class file entrypoint;
    class process transition;
}
type_transition initrc_t httpd_php_exec_t :process httpd_php_t;
allow httpd_php_t httpd_php_exec_t :file entrypoint;
allow initrc_t httpd_php_t :process transition;

Now, run the following commands to generate the selinux module (remember to use the correct filename if you changed it):

checkmodule -M -m /etc/selinux/httpd_php.te -o /etc/selinux/httpd_php.mod
semodule_package -o /etc/selinux/httpd_php.pp -m /etc/selinux/httpd_php.mod
semodule -i /etc/selinux/httpd_php.pp

Thats it, now you can restart php5-fpm and the process should transition properly:

system_u:system_r:httpd_php_t:s0 23182 ? Ss 0:00 php-fpm: master process