22 SELinux file system labels | man -k _selinux | mandb | yum provides */sepolicy | semanage fcontext -l

[root@localhost www]# ls -Zl
total 0
drwxr-xr-x. 2 system_u:object_r:httpd_sys_script_exec_t:s0 root root  6 Apr 12 17:04 cgi-bin
drwxr-xr-x. 2 system_u:object_r:httpd_sys_content_t:s0 root root 24 Sep 20 17:00 html
[root@localhost www]#



List all file context mappings (path pattern, file type, and the SELinux context assigned to matching paths)

[root@localhost www]# semanage fcontext -l | more
SELinux fcontext                                   type               Context

/.*                                                all files          system_u:object_r:default_t:s0 
/[^/]+                                             regular file       system_u:object_r:etc_runtime_t:s0 
/a?quota\.(user|group)                             regular file       system_u:object_r:quota_db_t:s0 
/nsr(/.*)?                                         all files          system_u:object_r:var_t:s0 
/sys(/.*)?                                         all files          system_u:object_r:sysfs_t:s0 
/xen(/.*)?                                         all files          system_u:object_r:xen_image_t:s0 
/mnt(/[^/]*)?                                      directory          system_u:object_r:mnt_t:s0 



[root@localhost www]# semanage fcontext -l | grep httpd | more
/usr/.*\.cgi                                       regular file       system_u:object_r:httpd_sys_script_exec_t:s0 
/opt/.*\.cgi                                       regular file       system_u:object_r:httpd_sys_script_exec_t:s0 
/srv/([^/]*/)?www(/.*)?                            all files          system_u:object_r:httpd_sys_content_t:s0 
/srv/([^/]*/)?www/logs(/.*)?                       all files          system_u:object_r:httpd_log_t:s0 
/var/www(/.*)?                                     all files          system_u:object_r:httpd_sys_content_t:s0 
/var/www(/.*)?/logs(/.*)?                          all files          system_u:object_r:httpd_log_t:s0 
=========================
Generate SELinux manpages

[root@localhost www]# man -k _selinux
pam_selinux (8)      - PAM module to set the default security context
[root@localhost www]# 

There are no SELinux man pages by default; we need to generate them ourselves with the sepolicy utility, which isn't installed by default either.

=========================
[root@localhost www]# yum provides */sepolicy
Loaded plugins: fastestmirror, langpacks
Existing lock /var/run/yum.pid: another copy is running as pid 6987.
Another app is currently holding the yum lock; waiting for it to exit...
  The other application is: PackageKit
    Memory : 108 M RSS (439 MB VSZ)
    Started: Sat Sep 23 09:16:19 2017 - 00:11 ago
    State  : Running, pid: 6987

Loading mirror speeds from cached hostfile
 * base: centos.ip-connect.vn.ua
 * extras: centos.ip-connect.vn.ua
 * updates: centos.ip-connect.vn.ua
policycoreutils-devel-2.5-8.el7.i686 : SELinux policy core policy devel utilities
Repo        : base
Matched from:
Filename    : /usr/share/bash-completion/completions/sepolicy
Filename    : /usr/bin/sepolicy

policycoreutils-devel-2.5-8.el7.x86_64 : SELinux policy core policy devel utilities
Repo        : base
Matched from:
Filename    : /usr/share/bash-completion/completions/sepolicy
Filename    : /usr/bin/sepolicy



policycoreutils-devel-2.5-9.el7.i686 : SELinux policy core policy devel utilities
Repo        : updates
Matched from:
Filename    : /usr/share/bash-completion/completions/sepolicy
Filename    : /usr/bin/sepolicy

=========================
[root@localhost www]# yum install -y policycoreutils-devel

=========================

[root@localhost www]# sepolicy manpage -a

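Update the mandb index. Note that `sepolicy manpage -a` writes the generated pages to /tmp by default, which is why they are moved into /usr/share/man/man8 below and mandb is run a second time. Running `sepolicy manpage -a -p /usr/share/man/man8` writes them there directly and avoids a root `mv *` in /tmp, which would also move any unrelated file that happens to be in that world-writable directory.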
[root@localhost www]# mandb
=========================
[root@localhost tmp]# mv * /usr/share/man/man8

[root@localhost www]# mandb
=========================

[root@localhost tmp]# man -k _selinux | more
_selinux (8)         - Security Enhanced Linux Policy for the processes
abrt_dump_oops_selinux (8) - Security Enhanced Linux Policy for the abrt_dump_oops p...
abrt_handle_event_selinux (8) - Security Enhanced Linux Policy for the abrt_handle_e...
abrt_helper_selinux (8) - Security Enhanced Linux Policy for the abrt_helper processes

=========================
[root@localhost tmp]# man -k httpd | grep selinux
apache_selinux (8)   - Security Enhanced Linux Policy for the httpd processes
httpd_helper_selinux (8) - Security Enhanced Linux Policy for the httpd_helper proce...
httpd_passwd_selinux (8) - Security Enhanced Linux Policy for the httpd_passwd proce...
httpd_php_selinux (8) - Security Enhanced Linux Policy for the httpd_php processes
httpd_rotatelogs_selinux (8) - Security Enhanced Linux Policy for the httpd_rotatelo...
httpd_selinux (8)    - Security Enhanced Linux Policy for the httpd processes
httpd_suexec_selinux (8) - Security Enhanced Linux Policy for the httpd_suexec proce...
httpd_sys_script_selinux (8) - Security Enhanced Linux Policy for the httpd_sys_scri...
httpd_unconfined_script_selinux (8) - Security Enhanced Linux Policy for the httpd_u...
httpd_user_script_selinux (8) - Security Enhanced Linux Policy for the httpd_user_sc...
[root@localhost tmp]# 







