SELinux Handling: Difference between revisions

From Xinux Wiki

Revision as of 24 November 2022, 11:06

status

  • sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

SELinux config file for permanent settings

  • /etc/selinux/config
#SELINUX=enforcing #SELinux security policy is enforced.
SELINUX=permissive #SELinux prints warnings instead of enforcing.
#SELINUX=disabled #No SELinux policy is loaded.
SELINUXTYPE=targeted #Targeted processes are protected,
#SELINUXTYPE=minimum #Modification of targeted policy. Only selected processes are protected.
#SELINUXTYPE=mls #Multi Level Security protection.

change mode at runtime (not persistent across reboots)

  • setenforce enforcing
  • setenforce permissive

check mode

  • getenforce
Enforcing

files

SELinux File Contexts

  • ls -lZ /var/log/charon_debug.log
-rw-r--r--. root root system_u:object_r:var_log_t:s0   /var/log/charon_debug.log

SELinux Process Contexts

  • ps -efZ | grep charon
system_u:system_r:ipsec_t:s0    root       797     1  0 10:09 ?        00:00:00 /usr/libexec/strongswan/starter --daemon charon --nofork
system_u:system_r:ipsec_t:s0    root       874   797  0 10:09 ?        00:00:00 /usr/libexec/strongswan/charon
ports

show which ports are labelled with a type

  • semanage port -l | grep "^http_port"
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000

add port

http

  • semanage port -a -t http_port_t -p tcp 82

ssh

  • semanage port -a -t ssh_port_t -p tcp 8472

custom

  • add
semanage port -a -t my_port_t -p tcp 9999
  • delete
semanage port -d -t my_port_t -p tcp 9999

remove port

  • semanage port -d -t http_port_t -p tcp 8472
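A helper added here (not part of the wiki page) that parses the output of `semanage port -l` to decide whether a port must be added with `-a` (unlabelled) or modified with `-m` (already owned by another type, where a plain `-a` fails with "already defined"). It goes slightly beyond the page by also handling port ranges such as 5900-5999; the listing embedded below is constructed in the format of `semanage port -l`, so the script runs without SELinux tools.

```shell
#!/bin/sh
# Added example, not from the Xinux wiki: choose between `semanage port -a`
# (port unlabelled) and `semanage port -m` (port already owned by another
# type; -a would fail with "already defined") by parsing `semanage port -l`.
# Port ranges such as 5900-5999 are handled as well.

# Constructed sample in the format of `semanage port -l`; when no listing is
# passed, the functions run the real `semanage port -l` instead.
SAMPLE_PORT_LIST='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
syslogd_port_t                 udp      514
vnc_port_t                     tcp      5900-5999'

# port_type <proto> <port> [listing]: print the SELinux port type that owns
# <port>/<proto>, or nothing when the port is unlabelled.
port_type() {
    proto="$1"; port="$2"; listing="${3:-$(semanage port -l)}"
    printf '%s\n' "$listing" | awk -v proto="$proto" -v port="$port" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)          # strip the list separator
                n = split(p, r, "-")               # single port or lo-hi range
                lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) { print $1; exit }
            }
        }'
}

# semanage_port_cmd <type> <proto> <port> [listing]: print the semanage
# command that labels <port>/<proto> as <type>, or a comment if nothing to do.
semanage_port_cmd() {
    type="$1"; proto="$2"; port="$3"; listing="${4:-$(semanage port -l)}"
    owner=$(port_type "$proto" "$port" "$listing")
    if [ -z "$owner" ]; then
        echo "semanage port -a -t $type -p $proto $port"
    elif [ "$owner" = "$type" ]; then
        echo "# $proto/$port is already labelled $type"
    else                                            # owned by $owner: modify it
        echo "semanage port -m -t $type -p $proto $port"
    fi
}

# Walk through the wiki's http/ssh cases against the constructed listing:
semanage_port_cmd http_port_t tcp 82   "$SAMPLE_PORT_LIST"   # -> -a
semanage_port_cmd ssh_port_t  tcp 8472 "$SAMPLE_PORT_LIST"   # -> -a
semanage_port_cmd http_port_t tcp 443  "$SAMPLE_PORT_LIST"   # already labelled
semanage_port_cmd ssh_port_t  tcp 8443 "$SAMPLE_PORT_LIST"   # http_port_t owns it -> -m
```

Note that `-t` must name a port type that already exists in the loaded policy; `semanage` rejects an unknown type such as the `my_port_t` placeholder used above unless a module defining it has been installed first.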

Extracting a module from the policy module store

  • semodule -E ssh
  • semodule_unpackage ssh.pp ssh.mod
  • sedismod ssh.mod