#175 Linux 10.03.2009
Examples of common SELinux commands

This page is a summary of examples for common SELinux commands. Many of the existing Linux commands have been adapted to work with SELinux; usually you get the SELinux functionality with the -Z option. Some examples:

    id -Z

I use the opportunity to stress that 'su -' does not change the security context!

    $ id
    uid=888(xyz) gid=888(xyz) groups=888(xyz) context=user_u:system_r:unconfined_t:s0
    $ su -
    Password:
    # id
    uid=0(root) gid=0(root) groups=0(root) context=user_u:system_r:unconfined_t:s0

    ls -Z
    ps auxZ
    find /etc -context "system_u:object_r:etc_t:s0"

Now it's time for the actual userland commands of SELinux.

Change the SELinux role (available only in the strict policy). The -r option takes a role, so the argument is sysadm_r, not a type:

    newrole -r sysadm_r

Display an overview of the SELinux status:

    # sestatus -v
    SELinux status:                 enabled
    SELinuxfs mount:                /selinux
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy version:                 23
    Policy from config file:        targeted

    Process contexts:
    Current context:                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    Init context:                   system_u:system_r:init_t:s0
    /sbin/mingetty                  system_u:system_r:getty_t:s0
    /usr/sbin/sshd                  system_u:system_r:sshd_t:s0-s0:c0.c1023

    File contexts:
    Controlling term:               unconfined_u:object_r:unconfined_devpts_t:s0
    /etc/passwd                     system_u:object_r:etc_t:s0
    /etc/shadow                     system_u:object_r:shadow_t:s0
    /bin/bash                       system_u:object_r:shell_exec_t:s0
    /bin/login                      system_u:object_r:login_exec_t:s0
    /bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
    /sbin/agetty                    system_u:object_r:getty_exec_t:s0
    /sbin/init                      system_u:object_r:init_exec_t:s0
    /sbin/mingetty                  system_u:object_r:getty_exec_t:s0
    /usr/sbin/sshd                  system_u:object_r:sshd_exec_t:s0
    /lib/libc.so.6                  system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0
    /lib/ld-linux.so.2              system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0

Is SELinux running in permissive or enforcing mode?

    # getenforce
    Enforcing

Switch enforcing mode off and on again:

    # setenforce 0
    # setenforce 1

Print all booleans:

    # getsebool -a
    allow_console_login --> off
    allow_cvs_read_shadow --> off
    allow_daemons_dump_core --> on
    ...

Print only a single boolean:

    # getsebool allow_console_login
    allow_console_login --> off

Change the value of a single boolean:

    # setsebool allow_console_login on

Change the security context of single files or file systems. As an example we change the SELinux user of the file xyz.txt from unconfined_u to system_u:

    # ls -Z ./xyz.txt
    -rw-r--r-- root root unconfined_u:object_r:admin_home_t:s0 xyz.txt
    # chcon 'system_u:object_r:admin_home_t:s0' ./xyz.txt
    # ls -Z ./xyz.txt
    -rw-r--r-- root root system_u:object_r:admin_home_t:s0 ./xyz.txt

Relabel files with the standard security context. With -vn you can simulate the operation and see what would be done:

    # ls -lZ /etc/zshrc
    -rw-r--r-- root root unconfined_u:object_r:admin_home_t:s0 zshrc
    # restorecon -vn /etc/zshrc
    restorecon reset /etc/zshrc context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:etc_t:s0
    # restorecon /etc/zshrc
    # ls -lZ /etc/zshrc
    -rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/zshrc

Start a process in a certain security context (the example below is only possible in permissive mode, because the policy would not allow the transition to that context when enforcing):

    # setenforce 0
    # vim&
    [1] 5686
    # runcon 'system_u:object_r:admin_home_t:s0' vim&
    [2] 5701
    # ps Z
    ...
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5686 pts/1 T 0:00 vim
    system_u:object_r:admin_home_t:s0 5701 pts/1 T 0:00 vim
    ...

Start init scripts, and thus daemons, in the correct security context:

    # run_init /etc/init.d/apache2 start

Some more commands follow without examples.

audit2allow: analyses logged rule violations (AVC denials) and generates the corresponding policy rules, so you do not have to edit the policy source directly.

audit2why: explains why an access was denied, i.e. which rule or constraint produced the denial message.

setfiles, fixfiles: label file systems with a security context or fix the security context.

avcstat: shows statistics of the access vector cache.
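As an added example (not code from the original page), the following POSIX shell helpers apply two of the checks above offline: one splits a context string into user, role, type and level and compares ls -Z style output against an expected-type table, reporting mismatches the way restorecon -vn does; the other scans getsebool -a style output for a watch-list of booleans that are switched on. The sample ls -Z and getsebool lines, the EXPECTED table, the WATCH list and the extra booleans allow_execstack and httpd_enable_cgi are all constructed for the demo; nothing here queries a live SELinux system.

```shell
#!/bin/sh
# Added example, not from the original page: offline helpers for checking
# SELinux labels and booleans against expectations. All sample output below is
# constructed by hand in the column layout shown on the page; nothing here
# queries a live SELinux system.

# Print one field of a context "user:role:type[:level]".
# Usage: ctx_field <context> user|role|type|level
ctx_field() {
    ctx=$1
    case $2 in
        user)  printf '%s\n' "${ctx%%:*}" ;;
        role)  r=${ctx#*:};   printf '%s\n' "${r%%:*}" ;;
        type)  t=${ctx#*:*:}; printf '%s\n' "${t%%:*}" ;;
        level)
            # Strip the shortest prefix containing three colons; an MLS range
            # such as s0-s0:c0.c1023 keeps its own colon. No fourth field: empty.
            lvl=${ctx#*:*:*:}
            if [ "$lvl" = "$ctx" ]; then lvl=; fi
            printf '%s\n' "$lvl" ;;
        *)     return 1 ;;
    esac
}

# Expected type per path, in the spirit of the policy's file_contexts
# (constructed for the demo, not the real database).
EXPECTED='/etc/passwd etc_t
/etc/shadow shadow_t
/etc/zshrc etc_t
/bin/bash shell_exec_t'

expected_type() {
    printf '%s\n' "$EXPECTED" | while read -r p t; do
        if [ "$p" = "$1" ]; then printf '%s\n' "$t"; break; fi
    done
}

# Read "perms owner group context path" lines (the ls -Z layout on the page)
# from stdin; print "path actual_type expected_type" for every mismatch,
# as restorecon -vn would report it. Returns 1 if anything mismatched.
audit_labels() {
    n=0
    while read -r perms owner group ctx path; do
        if [ -z "$path" ]; then continue; fi
        actual=$(ctx_field "$ctx" type)
        want=$(expected_type "$path")
        if [ -z "$want" ]; then continue; fi   # no rule for this path
        if [ "$actual" != "$want" ]; then
            printf '%s %s %s\n' "$path" "$actual" "$want"
            n=$((n+1))
        fi
    done
    if [ "$n" -eq 0 ]; then return 0; else return 1; fi
}

# Booleans worth reporting when enabled (constructed watch-list).
WATCH='allow_console_login allow_cvs_read_shadow allow_daemons_dump_core allow_execstack'

# Read "name --> value" lines (getsebool -a layout) from stdin and print the
# names from WATCH that are switched on.
enabled_watched_booleans() {
    while read -r name arrow value; do
        if [ "$arrow" != "-->" ] || [ "$value" != "on" ]; then continue; fi
        for w in $WATCH; do
            if [ "$w" = "$name" ]; then printf '%s\n' "$name"; fi
        done
    done
}

# Constructed sample output; /etc/zshrc carries the stray label from the page.
LS_Z='-rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/passwd
-r-------- root root system_u:object_r:shadow_t:s0 /etc/shadow
-rw-r--r-- root root unconfined_u:object_r:admin_home_t:s0 /etc/zshrc
-rwxr-xr-x root root system_u:object_r:shell_exec_t:s0 /bin/bash'

SEBOOL='allow_console_login --> off
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on
allow_execstack --> on
httpd_enable_cgi --> on'

if printf '%s\n' "$LS_Z" | audit_labels; then
    echo "all labels match"
else
    echo "label mismatches found (run restorecon on the paths above)"
fi
printf '%s\n' "$SEBOOL" | enabled_watched_booleans
```

On a real system you would feed the functions the output of ls -Z and getsebool -a instead of the embedded samples; the column layout of ls -Z differs between coreutils versions, so check the field positions before relying on the parser.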