22 SELinux Booleans semanage fcontext restorecon

[root@localhost ~]# ps auxZ | grep http
system_u:system_r:httpd_t:s0    root       5285  0.0  0.4 221940  4980 ?        Ss   14:46   0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0    apache     5290  0.0  0.3 224024  3096 ?        S    14:46   0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0    apache     5291  0.0  0.3 224024  3096 ?        S    14:46   0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0    apache     5293  0.0  0.3 224024  3096 ?        S    14:46   0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0    apache     5294  0.0  0.3 224024  3096 ?        S    14:46   0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0    apache     5295  0.0  0.3 224024  3096 ?        S    14:46   0:00 /usr/sbin/httpd -DFOREGROUND
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 5966 0.0  0.0 112648 956 pts/0 R+ 15:42   0:00 grep --color=auto http
[root@localhost ~]#

If you don't want an intruder (for example, a compromised httpd_t process like the ones above) to be able to access /tmp, you have to manage the context:

[root@localhost ~]# ls -ldZ /tmp/
drwxrwxrwt. root root system_u:object_r:tmp_t:s0       /tmp/

When you mv a file, its context is preserved (the label travels with the file).
When you cp a file, the new copy inherits the context of the destination directory.
========================
To manage contexts, use the semanage utility:

[root@localhost ~]# semanage --help

  {import,export,login,user,port,interface,module,node,fcontext,boolean,permissive,dontaudit}
   ...
...

    port                Manage network port type definitions
    interface           Manage network interface type definitions
    module              Manage SELinux policy modules
    node                Manage network node type definitions
    fcontext            Manage file context mapping definitions
    boolean             Manage booleans to selectively enable functionality
====================
[root@localhost ~]# man semanage-fcontext

DESCRIPTION
       semanage is used to configure certain  elements  of  SELinux  policy  without
       requiring  modification  to  or  recompilation from policy sources.  semanage
       fcontext is used to  manage the default file system labeling  on  an  SELinux
       system.   This  command  maps file paths using regular expressions to SELinux
       labels.
====================
EXAMPLE
       Remember to run restorecon after you set the file context.
       Add file-context for everything under /web
       # semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
       # restorecon -R -v /web

       Substitute /home1 with /home when setting file context
       # semanage fcontext -a -e /home /home1
       # restorecon -R -v /home1

       For home directories under top level directory, for example /disk6/home,
       execute the following commands.
       # semanage fcontext -a -t home_root_t "/disk6"
       # semanage fcontext -a -e /home /disk6/home
       # restorecon -R -v /disk6
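The "semanage fcontext -a ... ; restorecon -R -v ..." pair above is not idempotent: running "semanage fcontext -a" a second time for a spec that already exists fails with "already defined". The following is an added example (not from the man page or the original post) that checks the local listing first. The listing format it parses is the one "semanage fcontext -l" prints (path regex, file type, context); the -C flag restricts the listing to local customizations. ensure_fcontext assumes semanage and restorecon are installed and must run as root; the two parsing helpers run anywhere.

```shell
#!/usr/bin/env bash
# Added example: make "semanage fcontext -a" + "restorecon" idempotent by
# checking the existing listing before adding a rule.

# Return 0 if SPEC is already present in a "semanage fcontext -l" listing read
# from stdin, 1 otherwise. Only the first column (the path regex) is compared,
# and it is compared literally, not evaluated as a regex.
fcontext_rule_exists() {
    spec=$1
    awk -v spec="$spec" 'BEGIN { found = 1 } $1 == spec { found = 0 } END { exit found }'
}

# Print the SELinux type (third colon-separated field of the context) that a
# listing read from stdin assigns to SPEC, e.g. httpd_sys_content_t.
fcontext_rule_type() {
    spec=$1
    awk -v spec="$spec" '$1 == spec { split($NF, f, ":"); print f[3] }'
}

# Live helper (assumes semanage/restorecon are installed, run as root):
# add the rule only if it is missing, then relabel the tree.
# Arguments: TYPE SPEC TOP_DIR, e.g. httpd_sys_content_t '/web(/.*)?' /web
ensure_fcontext() {
    type_=$1 spec=$2 top=$3
    if semanage fcontext -l -C | fcontext_rule_exists "$spec"; then
        echo "rule for $spec already present, skipping semanage -a"
    else
        semanage fcontext -a -t "$type_" "$spec"
    fi
    restorecon -R -v "$top"
}

# Constructed sample listing in the layout "semanage fcontext -l" prints.
SAMPLE_LISTING='SELinux fcontext                 type        Context
/                                directory   system_u:object_r:root_t:s0
/web(/.*)?                       all files   system_u:object_r:httpd_sys_content_t:s0'
```

Typical use on a real host is `ensure_fcontext httpd_sys_content_t '/web(/.*)?' /web`; the spec must be quoted so the shell does not expand the regex.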

====================
restorecon can be used if anything went wrong: it checks that the context of each file under a directory matches the context defined in the policy, and resets the label where it does not.
====================
How restorecon works (cp, then mv, leaves /etc/hosts with the wrong label; restorecon fixes it):
[root@localhost ~]# cp /etc/hosts .
[root@localhost ~]# ls -Z /etc/hosts
-rw-r--r--. root root system_u:object_r:net_conf_t:s0  /etc/hosts
[root@localhost ~]# ls -Z hosts
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 hosts
[root@localhost ~]# rm /etc/hosts
rm: remove regular file ‘/etc/hosts’? y
[root@localhost ~]# mv hosts /etc/hosts
[root@localhost ~]# ls -Z /etc/hosts
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /etc/hosts
[root@localhost ~]# restorecon -R -v /etc
restorecon reset /etc/hosts context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:net_conf_t:s0
[root@localhost ~]# 

[root@localhost ~]# ls -Z /etc/hosts
-rw-r--r--. root root unconfined_u:object_r:net_conf_t:s0 /etc/hosts
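Notice in the session above that restorecon only changed the type (admin_home_t to net_conf_t) and left the unconfined_u user part alone; that is its default behaviour unless -F is given. Before relabelling a whole tree it is useful to see what would change: restorecon -n is a passive check that changes nothing, and with -v it prints the same "reset ... context OLD->NEW" lines. The following is an added example (not from the original post) that parses those lines into a short drift report. It handles the line format shown above and, as an assumption about newer libselinux releases, the "Relabeled PATH from OLD to NEW" wording they print instead. audit_tree assumes restorecon is installed; the parsing runs anywhere, here on a constructed sample built from the session above.

```shell
#!/usr/bin/env bash
# Added example: summarize which files a restorecon run did (or, with -n,
# would) relabel, reporting only the type field, which is the only part
# restorecon changes unless -F is given.

# Third colon-separated field of a context string, e.g. net_conf_t from
# unconfined_u:object_r:net_conf_t:s0
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Read "restorecon -v" output from stdin; print "PATH OLD_TYPE NEW_TYPE" per
# relabelled file. Unrelated lines are ignored.
summarize_drift() {
    while IFS= read -r line; do
        case $line in
            # Format shown in the post's session (older policycoreutils).
            "restorecon reset "*" context "*"->"*)
                rest=${line#restorecon reset }
                path=${rest% context *}
                ctx=${rest##* context }
                old=${ctx%%->*}
                new=${ctx#*->}
                ;;
            # Format assumed for newer libselinux restorecon (-v output).
            "Relabeled "*" from "*" to "*)
                rest=${line#Relabeled }
                path=${rest% from *}
                ctx=${rest##* from }
                old=${ctx% to *}
                new=${ctx##* to }
                ;;
            *) continue ;;
        esac
        printf '%s %s %s\n' "$path" "$(ctx_type "$old")" "$(ctx_type "$new")"
    done
}

# Number of files that drifted from policy in a captured run (0 = all labels match).
count_drift() { summarize_drift | wc -l | tr -d ' '; }

# Live wrapper (assumes restorecon is installed): dry-run a tree, then summarize.
# Nothing is relabelled because of -n; drop -n to apply the fix afterwards.
audit_tree() { restorecon -R -n -v "$1" | summarize_drift; }

# Constructed sample: the line from the session above plus two extra lines,
# one of them in the newer wording.
SAMPLE_RUN='restorecon reset /etc/hosts context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:net_conf_t:s0
Relabeled /srv/www/index.html from unconfined_u:object_r:admin_home_t:s0 to system_u:object_r:httpd_sys_content_t:s0
some unrelated diagnostic line'
```

On a real host, `audit_tree /etc` lists what a later `restorecon -R -v /etc` would touch, so an unexpected entry (a config file carrying admin_home_t, as /etc/hosts did above) can be investigated before it is silently relabelled.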
[root@localhost ~]# 