SELinux Handling
Status
- sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
- getenforce
Permissive
Change the mode
Warn on policy violations but do not restrict (permissive)
- setenforce 0
- setenforce permissive
Confine applications (enforcing)
- setenforce 1
- setenforce enforcing
In the configuration file (setenforce only changes the running kernel; after a reboot the mode is taken from SELINUX= in /etc/selinux/config. Switching to or from disabled cannot be done at runtime and takes effect at the next boot; files created while SELinux was disabled carry no labels, so the filesystem has to be relabeled (touch /.autorelabel before rebooting) when it is re-enabled)
- cat /etc/selinux/config
#SELINUX=enforcing    #SELinux security policy is enforced.
SELINUX=permissive    #SELinux prints warnings instead of enforcing.
#SELINUX=disabled     #No SELinux policy is loaded.
SELINUXTYPE=targeted  #Targeted processes are protected,
#SELINUXTYPE=minimum  #Modification of targeted policy. Only selected processes are protected.
#SELINUXTYPE=mls      #Multi Level Security protection.
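The two steps above (setenforce for the running kernel, SELINUX= in the config file for the next boot) are easy to get out of sync. The following shell functions are an added example, not code from the original page: they change the mode at runtime and persist it, while keeping the commented-out #SELINUX= variants untouched. The config file path is a parameter, so the functions can be dry-run on a copy; the sample config content is constructed from the fragment shown above, and the /.autorelabel advice is the standard relabel trigger, not something the page itself documents.

```shell
#!/bin/sh
# Added example (not from the original page): set the SELinux mode at runtime
# with setenforce AND persist it in the config file, because setenforce alone
# is lost at reboot.  The config path is a parameter so the functions can be
# exercised on a copy of the file without touching the system.

# Print the active (uncommented) SELINUX= value of a config file.
config_mode() {   # config_mode <file>
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Rewrite the active SELINUX= line; commented-out variants (#SELINUX=...) are
# left alone.  The file is overwritten in place with cat so that its inode,
# mode and security context (selinux_config_t) are preserved.
set_config_mode() {   # set_config_mode <file> enforcing|permissive|disabled
    case "$2" in
        enforcing|permissive|disabled) ;;
        *) echo "set_config_mode: invalid mode '$2'" >&2; return 2 ;;
    esac
    tmp=$(mktemp) || return 1
    if grep -q '^[[:space:]]*SELINUX=' "$1"; then
        sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$2/" "$1" > "$tmp"
    else
        { cat "$1"; printf 'SELINUX=%s\n' "$2"; } > "$tmp"
    fi
    cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Apply a mode now and persist it.  "disabled" cannot be applied at runtime:
# it needs a reboot, and files created while SELinux is disabled carry no
# labels, so a relabel (touch /.autorelabel) is required before re-enabling.
switch_mode() {   # switch_mode enforcing|permissive|disabled [config-file]
    cfg=${2:-/etc/selinux/config}
    set_config_mode "$cfg" "$1" || return 1
    case "$1" in
        enforcing)  setenforce 1 ;;
        permissive) setenforce 0 ;;
        disabled)   echo "SELINUX=disabled written; takes effect at next boot" >&2 ;;
    esac
}

# Constructed copy of the config fragment shown above, used for a dry run.
SAMPLE_CONFIG='#SELINUX=enforcing #SELinux security policy is enforced.
SELINUX=permissive #SELinux prints warnings instead of enforcing.
#SELINUX=disabled #No SELinux policy is loaded.
SELINUXTYPE=targeted'

# Dry run on a temporary copy (no root and no SELinux needed):
demo=$(mktemp); printf '%s\n' "$SAMPLE_CONFIG" > "$demo"
set_config_mode "$demo" enforcing && config_mode "$demo"   # prints: enforcing
rm -f "$demo"
```

On a real host you would call switch_mode enforcing as root and then confirm with sestatus that "Current mode" and "Mode from config file" agree.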
Context
- Under SELinux, files, ports and processes (like sockets and other kernel objects) carry a security context
- A context consists of an SELinux user, an SELinux role and a type; with MLS/MCS enabled a fourth field holds the sensitivity level and optional categories, e.g. system_u:object_r:etc_t:s0 or system_u:system_r:sshd_t:s0-s0:c0.c1023 for a level range (note that this last field can itself contain a colon)
- The type (the field ending in _t) is what the targeted policy's rules are written against: a process in the domain httpd_t may only access files whose type the policy allows for httpd_t
- By convention the -Z option of ls, ps, ss and similar tools displays the context
Files
- ls -lZ /etc | head
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0          2981 11. Nov 10:22 adduser.conf
-rw-r--r--. 1 root root system_u:object_r:adjtime_t:s0        44 11. Nov 10:29 adjtime
drwxr-xr-x. 2 root root system_u:object_r:etc_t:s0          4096  6. Jan 11:14 alternatives
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0          4185 29. Jul  2019 analog.cfg
drwxr-xr-x. 8 root root system_u:object_r:httpd_config_t:s0 4096 11. Nov 10:28 apache2
drwxr-xr-x. 3 root root system_u:object_r:etc_t:s0          4096 21. Nov 09:54 apparmor.d
drwxr-xr-x. 8 root root system_u:object_r:etc_t:s0          4096 11. Nov 10:29 apt
drwxr-x---. 4 root root system_u:object_r:auditd_etc_t:s0   4096 21. Nov 10:15 audit
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0          1994 27. Mar  2022 bash.bashrc
- The trailing . in the permission column means the file carries a security context (ls prints + instead when other extended attributes such as ACLs are present)
- semanage fcontext -l | head
SELinux fcontext                  type          Context
/                                 directory     system_u:object_r:root_t:s0
/.*                               all files     system_u:object_r:default_t:s0
/\.ismount-test-file              regular file  system_u:object_r:sosreport_tmp_t:s0
/\.journal                        all files     <<None>>
/a?quota\.(user|group)            regular file  system_u:object_r:quota_db_t:s0
/afs                              directory     system_u:object_r:mnt_t:s0
/bacula(/.*)?                     all files     system_u:object_r:bacula_store_t:s0
/boot                             directory     system_u:object_r:boot_t:s0
- This table is the persistent labeling policy: a label set directly on a file (with chcon) is lost at the next relabel, whereas a rule added with semanage fcontext -a and applied with restorecon survives it
Ports
- ss -lntpZ
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=442,proc_ctx=system_u:system_r:sshd_t:s0-s0:c0.c1023,fd=3))
LISTEN 0 511 *:80 *:* users:(("apache2",pid=45973,proc_ctx=system_u:system_r:httpd_t:s0,fd=4),("apache2",pid=45972,proc_ctx=system_u:system_r:httpd_t:s0,fd=4),("apache2",pid=443,proc_ctx=system_u:system_r:httpd_t:s0,fd=4))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=442,proc_ctx=system_u:system_r:sshd_t:s0-s0:c0.c1023,fd=4))
- semanage port -l
SELinux Port Type              Proto    Port Number
afs3_callback_port_t           tcp      7001
afs3_callback_port_t           udp      7001
afs_bos_port_t                 udp      7007
afs_fs_port_t                  tcp      2040
afs_fs_port_t                  udp      7000, 7005
afs_ka_port_t                  udp      7004
afs_pt_port_t                  udp      7002
afs_vl_port_t                  udp      7003
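The context format from the Context section and the proc_ctx values in the ss -lntpZ output above are what you check when auditing which listening daemons are actually confined. The following shell functions are an added example, not code from the original page: they split a context string correctly (the level field may contain a colon), extract port, PID and domain type from ss -lntpZ lines, and flag listeners whose domain means "no policy applies". The sample input is constructed from the ss output above plus one invented unconfined daemon, and the list of unconfined domains (unconfined_t, unconfined_service_t, initrc_t) is an assumption that holds for the targeted policy.

```shell
#!/bin/sh
# Added example (not from the original page): audit the SELinux domains of
# listening sockets from `ss -lntpZ` output and flag daemons that no policy
# confines.  Assumption: targeted policy, where the "not confined" domains are
# unconfined_t, unconfined_service_t and initrc_t.

# Split one context string into its parts.  The fourth field (MLS/MCS level)
# may itself contain ':' (e.g. s0-s0:c0.c1023), so it takes the rest of the
# string rather than a single ':'-delimited field.
ctx_field() {   # ctx_field <context> user|role|type|level
    case "$2" in
        user)  printf '%s\n' "$1" | cut -d: -f1 ;;
        role)  printf '%s\n' "$1" | cut -d: -f2 ;;
        type)  printf '%s\n' "$1" | cut -d: -f3 ;;
        level) printf '%s\n' "$1" | cut -d: -f4- ;;
        *)     return 1 ;;
    esac
}

# Assumption: under the targeted policy these domains mean that no policy
# module confines the process.
UNCONFINED_DOMAINS="unconfined_t unconfined_service_t initrc_t"

is_unconfined() {   # is_unconfined <type>
    for d in $UNCONFINED_DOMAINS; do
        [ "$1" = "$d" ] && return 0
    done
    return 1
}

# Read `ss -lntpZ` lines on stdin; print "<port> <pid> <type>" for every
# process holding a listening socket.  One socket line may list several
# processes (e.g. the apache2 workers), each as a pid=...,proc_ctx=... pair.
listener_domains() {
    while read -r state recvq sendq laddr peer procs; do
        [ "$state" = "LISTEN" ] || continue
        port=${laddr##*:}
        printf '%s\n' "$procs" | grep -o 'pid=[0-9]*,proc_ctx=[^,]*' |
        while IFS=, read -r pidkv ctxkv; do
            pid=${pidkv#pid=}
            ctx=${ctxkv#proc_ctx=}
            printf '%s %s %s\n' "$port" "$pid" "$(ctx_field "$ctx" type)"
        done
    done
}

# Keep only listeners running in an unconfined domain.
unconfined_listeners() {
    listener_domains | while read -r port pid type; do
        if is_unconfined "$type"; then
            printf '%s %s %s\n' "$port" "$pid" "$type"
        fi
    done
}

# Constructed sample: the sshd/apache2 lines from the page plus an invented
# daemon on port 8080 that systemd started without a policy module.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=442,proc_ctx=system_u:system_r:sshd_t:s0-s0:c0.c1023,fd=3))
LISTEN 0 511 *:80 *:* users:(("apache2",pid=45973,proc_ctx=system_u:system_r:httpd_t:s0,fd=4),("apache2",pid=443,proc_ctx=system_u:system_r:httpd_t:s0,fd=4))
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:* users:(("custom-daemon",pid=5100,proc_ctx=system_u:system_r:unconfined_service_t:s0,fd=5))'

# Dry run on the sample; on a live host use:  ss -lntpZ | unconfined_listeners
printf '%s\n' "$SAMPLE_SS" | unconfined_listeners   # prints: 8080 5100 unconfined_service_t
```

A non-empty result from unconfined_listeners on a host in enforcing mode is the list of network-facing services for which SELinux currently provides no containment at all, which is usually the first thing to fix (write or install a policy module) before trusting the enforcing mode.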
Processes
- ps -Z
LABEL                                                   PID TTY          TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 46270 pts/0    00:00:00 sudo
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 46271 pts/0    00:00:00 su
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 46272 pts/0    00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 46864 pts/0    00:00:00 ps
- The interactive shell and everything started from it run in unconfined_t; the targeted policy confines specific daemons in their own domains (sshd_t, httpd_t, ...) and leaves unconfined_t processes essentially unrestricted even in enforcing mode
- ps -eZ
LABEL                           PID TTY          TIME CMD
system_u:system_r:init_t:s0       1 ?        00:00:55 systemd
system_u:system_r:kernel_t:s0     2 ?        00:00:02 kthreadd
system_u:system_r:kernel_t:s0     3 ?        00:00:00 rcu_gp
system_u:system_r:kernel_t:s0     4 ?        00:00:00 rcu_par_gp
system_u:system_r:kernel_t:s0     6 ?        00:00:00 kworker/0:0H-events_highpri
system_u:system_r:kernel_t:s0     8 ?        00:00:00 mm_percpu_wq
system_u:system_r:kernel_t:s0     9 ?        00:00:00 rcu_tasks_rude_
system_u:system_r:kernel_t:s0    10 ?        00:00:00 rcu_tasks_trace
system_u:system_r:kernel_t:s0    11 ?        00:00:00 ksoftirqd/0