22 SELinux Booleans semanage fcontext restorecon
[root@localhost ~]# ps auxZ | grep http
system_u:system_r:httpd_t:s0 root 5285 0.0 0.4 221940 4980 ? Ss 14:46 0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 5290 0.0 0.3 224024 3096 ? S 14:46 0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 5291 0.0 0.3 224024 3096 ? S 14:46 0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 5293 0.0 0.3 224024 3096 ? S 14:46 0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 5294 0.0 0.3 224024 3096 ? S 14:46 0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 5295 0.0 0.3 224024 3096 ? S 14:46 0:00 /usr/sbin/httpd -DFOREGROUND
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 5966 0.0 0.0 112648 956 pts/0 R+ 15:42 0:00 grep --color=auto http
[root@localhost ~]#
if you don't want an intruder to be able to access /tmp, you have to manage its context
[root@localhost ~]# ls -ldZ /tmp/
drwxrwxrwt. root root system_u:object_r:tmp_t:s0 /tmp/
when you mv a file, its context is preserved;
when you cp a file, the new copy inherits the context of the destination directory
========================
the utility for managing contexts is semanage
[root@localhost ~]# semanage --help
{import,export,login,user,port,interface,module,node,fcontext,boolean,permissive,dontaudit}
...
...
port Manage network port type definitions
interface Manage network interface type definitions
module Manage SELinux policy modules
node Manage network node type definitions
fcontext Manage file context mapping definitions
boolean Manage booleans to selectively enable functionality
====================
[root@localhost ~]# man semanage-fcontext
DESCRIPTION
semanage is used to configure certain elements of SELinux policy without
requiring modification to or recompilation from policy sources. semanage
fcontext is used to manage the default file system labeling on an SELinux
system. This command maps file paths using regular expressions to SELinux
labels.
====================
EXAMPLE
remember to run restorecon after you set the file context
Add file-context for everything under /web
# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
# restorecon -R -v /web
Substitute /home1 with /home when setting file context
# semanage fcontext -a -e /home /home1
# restorecon -R -v /home1
For home directories under top level directory, for example /disk6/home,
execute the following commands.
# semanage fcontext -a -t home_root_t "/disk6"
# semanage fcontext -a -e /home /disk6/home
# restorecon -R -v /disk6
====================
restorecon can be used if anything went wrong: it checks that the context of each file in the directory matches the context the policy specifies, and resets it if it does not
====================
how restorecon works
[root@localhost ~]# cp /etc/hosts .
[root@localhost ~]# ls -Z /etc/hosts
-rw-r--r--. root root system_u:object_r:net_conf_t:s0 /etc/hosts
[root@localhost ~]# ls -Z hosts
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 hosts
[root@localhost ~]# rm /etc/hosts
rm: remove regular file ‘/etc/hosts’? y
[root@localhost ~]# mv hosts /etc/hosts
[root@localhost ~]# ls -Z /etc/hosts
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /etc/hosts
[root@localhost ~]# restorecon -R -v /etc
restorecon reset /etc/hosts context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:net_conf_t:s0
[root@localhost ~]#
[root@localhost ~]# ls -Z /etc/hosts
-rw-r--r--. root root unconfined_u:object_r:net_conf_t:s0 /etc/hosts
[root@localhost ~]#
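As an added example (not part of the original notes), a POSIX shell dry run of the check restorecon performs: it matches paths against file_contexts-style specifications like the one "semanage fcontext -a" writes, and reports which on-disk types differ from the policy. The spec list and the ls -Z listing are constructed sample data; real policy regexes are PCRE and the real file_contexts is far longer.

```shell
#!/bin/sh
# Constructed stand-in for a file_contexts file (path regex, optional file-type
# field such as "--", then the label). The /web line is what the
# "semanage fcontext -a -t httpd_sys_content_t '/web(/.*)?'" command above
# appends to file_contexts.local.
FCONTEXT_SPECS='/etc(/.*)? system_u:object_r:etc_t:s0
/etc/hosts -- system_u:object_r:net_conf_t:s0
/tmp(/.*)? system_u:object_r:tmp_t:s0
/web(/.*)? system_u:object_r:httpd_sys_content_t:s0'

# Constructed stand-in for "ls -Z" output ("<label> <path>") taken right after
# the mv in the transcript above, plus a file dropped into /web without restorecon.
ACTUAL_LABELS='unconfined_u:object_r:admin_home_t:s0 /etc/hosts
system_u:object_r:etc_t:s0 /etc/passwd
system_u:object_r:tmp_t:s0 /tmp/sess_1
unconfined_u:object_r:admin_home_t:s0 /web/index.html'

# Label the policy specs assign to a path. Assumes the file_contexts(5) rule
# that the last matching specification wins, which is why a local addition
# appended by semanage overrides the earlier, more general /etc(/.*)? entry.
# The regexes are anchored here because the policy matches whole paths.
expected_label() {
    printf '%s\n' "$FCONTEXT_SPECS" | while read -r regex f2 f3; do
        label=${f3:-$f2}          # skip the optional file-type field
        if printf '%s\n' "$1" | grep -Eq "^(${regex})\$"; then
            printf '%s\n' "$label"
        fi
    done | tail -n 1
}

# Type component (third field) of user:role:type:level.
label_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Dry-run counterpart of "restorecon -n -v": report paths whose on-disk type
# differs from the policy. Only the type is compared because plain restorecon
# resets only that component, exactly as the transcript shows (unconfined_u
# stayed while admin_home_t became net_conf_t).
report_drift() {
    printf '%s\n' "$ACTUAL_LABELS" | while read -r actual path; do
        want=$(expected_label "$path")
        [ -n "$want" ] || continue   # no spec at all: restorecon leaves it alone
        have=$(label_type "$actual")
        if [ "$have" != "$(label_type "$want")" ]; then
            printf '%s %s->%s\n' "$path" "$have" "$(label_type "$want")"
        fi
    done
}

report_drift
```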