22 SELinux file system labels | man -k _selinux | mandb | yum provides */sepolicy | semanage fcontext -l
[root@localhost www]# ls -Zl
total 0
drwxr-xr-x. 2 system_u:object_r:httpd_sys_script_exec_t:s0 root root 6 Apr 12 17:04 cgi-bin
drwxr-xr-x. 2 system_u:object_r:httpd_sys_content_t:s0 root root 24 Sep 20 17:00 html
[root@localhost www]#
total 0
drwxr-xr-x. 2 system_u:object_r:httpd_sys_script_exec_t:s0 root root 6 Apr 12 17:04 cgi-bin
drwxr-xr-x. 2 system_u:object_r:httpd_sys_content_t:s0 root root 24 Sep 20 17:00 html
[root@localhost www]#
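List all file-context rules defined in the policy (path regex, file type, label). These are the defaults that restorecon applies; `ls -Z` above shows the labels actually set on disk.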
[root@localhost www]# semanage fcontext -l | more
SELinux fcontext type Context
/.* all files system_u:object_r:default_t:s0
/[^/]+ regular file system_u:object_r:etc_runtime_t:s0
/a?quota\.(user|group) regular file system_u:object_r:quota_db_t:s0
/nsr(/.*)? all files system_u:object_r:var_t:s0
/sys(/.*)? all files system_u:object_r:sysfs_t:s0
/xen(/.*)? all files system_u:object_r:xen_image_t:s0
/mnt(/[^/]*)? directory system_u:object_r:mnt_t:s0
[root@localhost www]# semanage fcontext -l | grep httpd | more
/usr/.*\.cgi regular file system_u:object_r:httpd_sys_script_exec_t:s0
/opt/.*\.cgi regular file system_u:object_r:httpd_sys_script_exec_t:s0
/srv/([^/]*/)?www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
/srv/([^/]*/)?www/logs(/.*)? all files system_u:object_r:httpd_log_t:s0
/var/www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
/var/www(/.*)?/logs(/.*)? all files system_u:object_r:httpd_log_t:s0
=========================
Generate SELinux manpages
[root@localhost www]# man -k _selinux
pam_selinux (8) - PAM module to set the default security context
[root@localhost www]#
There are no SELinux man pages by default (only pam_selinux is listed above). We need to generate them ourselves with the sepolicy utility, which isn't installed by default.
=========================
[root@localhost www]# yum provides */sepolicy
Loaded plugins: fastestmirror, langpacks
Existing lock /var/run/yum.pid: another copy is running as pid 6987.
Another app is currently holding the yum lock; waiting for it to exit...
The other application is: PackageKit
Memory : 108 M RSS (439 MB VSZ)
Started: Sat Sep 23 09:16:19 2017 - 00:11 ago
State : Running, pid: 6987
Loading mirror speeds from cached hostfile
* base: centos.ip-connect.vn.ua
* extras: centos.ip-connect.vn.ua
* updates: centos.ip-connect.vn.ua
policycoreutils-devel-2.5-8.el7.i686 : SELinux policy core policy devel utilities
Repo : base
Matched from:
Filename : /usr/share/bash-completion/completions/sepolicy
Filename : /usr/bin/sepolicy
policycoreutils-devel-2.5-8.el7.x86_64 : SELinux policy core policy devel utilities
Repo : base
Matched from:
Filename : /usr/share/bash-completion/completions/sepolicy
Filename : /usr/bin/sepolicy
policycoreutils-devel-2.5-9.el7.i686 : SELinux policy core policy devel utilities
Repo : updates
Matched from:
Filename : /usr/share/bash-completion/completions/sepolicy
Filename : /usr/bin/sepolicy
=========================
[root@localhost www]# yum install -y policycoreutils-devel
=========================
[root@localhost www]# sepolicy manpage -a
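Update the mandb index. Note: sepolicy manpage writes its pages to /tmp unless -p PATH is given, so they are not yet in a man directory when mandb first runs; they are moved into /usr/share/man/man8 below and mandb is run again. `mv *` as root moves everything in /tmp, not just the generated pages, and mv keeps the SELinux label the files received in /tmp. Generating directly with `sepolicy manpage -a -p /usr/share/man/man8`, or running `restorecon -R /usr/share/man/man8` after the move, avoids both problems.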
[root@localhost www]# mandb
=========================
[root@localhost tmp]# mv * /usr/share/man/man8
[root@localhost www]# mandb
=========================
[root@localhost tmp]# man -k _selinux | more
_selinux (8) - Security Enhanced Linux Policy for the processes
abrt_dump_oops_selinux (8) - Security Enhanced Linux Policy for the abrt_dump_oops p...
abrt_handle_event_selinux (8) - Security Enhanced Linux Policy for the abrt_handle_e...
abrt_helper_selinux (8) - Security Enhanced Linux Policy for the abrt_helper processes
=========================
[root@localhost tmp]# man -k httpd | grep selinux
apache_selinux (8) - Security Enhanced Linux Policy for the httpd processes
httpd_helper_selinux (8) - Security Enhanced Linux Policy for the httpd_helper proce...
httpd_passwd_selinux (8) - Security Enhanced Linux Policy for the httpd_passwd proce...
httpd_php_selinux (8) - Security Enhanced Linux Policy for the httpd_php processes
httpd_rotatelogs_selinux (8) - Security Enhanced Linux Policy for the httpd_rotatelo...
httpd_selinux (8) - Security Enhanced Linux Policy for the httpd processes
httpd_suexec_selinux (8) - Security Enhanced Linux Policy for the httpd_suexec proce...
httpd_sys_script_selinux (8) - Security Enhanced Linux Policy for the httpd_sys_scri...
httpd_unconfined_script_selinux (8) - Security Enhanced Linux Policy for the httpd_u...
httpd_user_script_selinux (8) - Security Enhanced Linux Policy for the httpd_user_sc...
[root@localhost tmp]#