SELinux Modes and Policy

SELinux mode is configured in /etc/sysconfig/selinux (a symlink to /etc/selinux/config).
# Three modes are available: disabled, permissive, enforcing. Switching to or from disabled requires a reboot.
Without a reboot, enforcing can only be switched to permissive (and back).
# getenforce
# setenforce Enforcing
# setenforce Permissive
By default it should be Enforcing all the time.
Show the context:
# ls -Z – shows the context of files.
A context has 3 parts:
User part comes first; it is for advanced configuration.
Role part – also for advanced configuration.
Type part – controls access to files or directories.
All processes have a context.
Ports also have a context:
# netstat -Ztulpen
The context of a process is matched against the context of a file or port to decide whether the access is allowed.
Booleans are switches that enable/disable parts of the policy.
# getsebool -a
# getsebool -a | grep ftp

SELinux Labels and Booleans: managing context
Show the current context of the httpd processes:
# ps auxZ | grep httpd
For httpd the type is httpd_t.
The default document root for httpd is /var/www/.
Here I can see that the context is set up correctly.
In the policy there is a rule saying that the httpd_t SOURCE context is allowed to access the TARGET context httpd_sys_content_t.
If something is wrong, e.g. a script on the server tries to serve files from the /tmp directory, SELinux will not allow it because those files have the wrong context: tmp_t.
Set context:
# semanage --help
Subcommands: fcontext, boolean, port
For file context:
# man semanage
This page lists subpages for the other subfunctions:
# man semanage-fcontext
At the end of this man page there is an example. Just copy/paste the example and modify it as needed.
semanage writes to the policy and not to the file system. To apply it to the file system, run:
# restorecon -R -v /web
This utility is also good to run as a check when something is not working.
# restorecon -R -v /etc – restores the context of the whole directory.

# semanage fcontext -l – display all file contexts from the system.
# yum provides '*/sepolicy' – check which package provides the documentation tool, because it is not installed by default.
Install the policy tools:
# yum -y install policycoreutils-devel
Now I have to run:
# sepolicy manpage -a
This generates the man pages for all services that have SELinux policy.
Update the man database:
# mandb
Check all pages with _selinux in the description:
# man -k _selinux
And now for httpd:
# man -k _selinux | grep httpd
and there is httpd_selinux.
The man pages are written by default into the /tmp directory. They must be moved:
# cd /tmp
# mv *_selinux.8 /usr/share/man/man8
Update the man page index:
# mandb
The -p option writes the man pages straight into the man directory, skipping the move:
# sepolicy manpage -a -p /usr/share/man/man8
Now read the man page with man httpd_selinux.

Using booleans
# getsebool -a – show all booleans from the system.
# getsebool -a | grep ftp
Allow ftp users access to their home directory:
# setsebool ftp_home_dir on
This does not survive a reboot.
Check it:
# semanage boolean -l | grep ftp
Make it persistent:
# setsebool -P ftp_home_dir on

Analyzing SELinux Log Files
Check the troubleshooting packages:
# yum list installed | grep setrouble
The setroubleshoot packages must be installed.
Check that auditd is running:
# systemctl status auditd
Analyze the audit log:
# grep AVC /var/log/audit/audit.log
All SELinux messages have the type AVC.
denied { getattr } is the permission that was denied for the vsftpd server.
Check the SOURCE context (scontext) and TARGET context (tcontext), which are not the same.
Conclusion: vsftpd does not have the SELinux permission to access files with the audion_home_t target type.
Either relabel the files or allow ftpd to access them (boolean):
Check /var/log/messages for additional information.
"sealert" is the word to search for. Copy the sealert -l command shown there and run it to get the full explanation.
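To show how the AVC fields above (the denied permission, the SOURCE and the TARGET context) are pulled out of the audit log, here is an added shell example that is not part of the original notes. The audit lines it reads are constructed samples embedded in the script, so it runs on any machine; on a real host pipe in /var/log/audit/audit.log instead.

```shell
#!/bin/bash
# Added example: summarize AVC denials the way the notes read them by hand.
# The lines below are CONSTRUCTED samples in audit.log format, not a real capture.
# On a real host run:  summarize_avc < /var/log/audit/audit.log
AVC_SAMPLE='type=AVC msg=audit(1700000000.123:456): avc:  denied  { getattr } for  pid=1234 comm="vsftpd" path="/home/alice" dev="dm-0" ino=123 scontext=system_u:system_r:ftpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.125:457): avc:  denied  { read } for  pid=1234 comm="vsftpd" name="notes.txt" dev="dm-0" ino=124 scontext=system_u:system_r:ftpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.200:458): avc:  denied  { name_connect } for  pid=2222 comm="httpd" dest=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.200:458): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"'

# summarize_avc: reads audit lines on stdin and prints one line per denial:
#   <comm> <permission> <SOURCE type> -> <TARGET type> (<class>)
# Only the type part of scontext/tcontext is kept (user and role are "for advanced").
summarize_avc() {
  grep 'type=AVC' | grep ' denied ' | sed -E \
    's/.*denied +[{] ([^}]+) [}].*comm="([^"]*)".*scontext=[^:]*:[^:]*:([^:]*):.*tcontext=[^:]*:[^:]*:([^:]*):.*tclass=([a-z_]*).*/\2 \1 \3 -> \4 (\5)/'
}

# count_pairs: counts denials per SOURCE -> TARGET type pair, most frequent first.
# A pair that repeats points to a missing boolean or a mislabelled directory
# (fix with setsebool -P or semanage fcontext + restorecon), not to a one-off event.
count_pairs() {
  summarize_avc | awk '{ c[$3 " " $4 " " $5]++ } END { for (k in c) print c[k], k }' | sort -rn
}

printf '%s\n' "$AVC_SAMPLE" | summarize_avc
echo "---"
printf '%s\n' "$AVC_SAMPLE" | count_pairs
```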