SELinux Handling
status
- sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
selinux configfile for permanent settings
- /etc/selinux/config
#SELINUX=enforcing      # SELinux security policy is enforced.
SELINUX=permissive      # SELinux prints warnings instead of enforcing.
#SELINUX=disabled       # No SELinux policy is loaded.
SELINUXTYPE=targeted    # Targeted processes are protected.
#SELINUXTYPE=minimum    # Modification of targeted policy. Only selected processes are protected.
#SELINUXTYPE=mls        # Multi Level Security protection.
change mode at runtime (not persistent: lasts only until reboot unless SELINUX= in /etc/selinux/config is changed too; switching to or from disabled is not possible this way and needs the config file plus a reboot)
- setenforce enforcing
- setenforce permissive
check mode
- getenforce
Enforcing
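A runtime change with setenforce is easy to forget; the mode that counts after the next reboot is the one in the config file. The following is an added example, not part of the original cheat sheet: a small sh/awk check that reads sestatus output on stdin and exits non-zero when the running mode differs from the configured one. The sample sestatus text at the bottom is constructed for the demo, not captured from a host.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: detect when the running
# SELinux mode (changed with setenforce) no longer matches /etc/selinux/config,
# i.e. the setting that comes back at the next boot.
# Usage on a real host:   sestatus | sestatus_drift
# Exit 0: modes agree, 1: drift, 2: output not parseable (e.g. SELinux disabled,
# where sestatus prints only "SELinux status: disabled").

sestatus_drift() {
  awk -F': *' '
    $1 == "Current mode"          { cur = $2 }
    $1 == "Mode from config file" { cfg = $2 }
    END {
      if (cur == "" || cfg == "") { print "could not parse sestatus output"; exit 2 }
      printf "running=%s config=%s\n", cur, cfg
      if (cur != cfg) exit 1
    }'
}

# Constructed sample (not captured from a host): the sestatus output above,
# after a "setenforce enforcing" that was never written back to the config.
SAMPLE='SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          permissive'

if printf '%s\n' "$SAMPLE" | sestatus_drift; then
  echo "mode is persistent"
else
  echo "mode drift: edit SELINUX= in /etc/selinux/config or the change is lost at reboot"
fi
```

The parser keys on the exact sestatus labels, so it also handles a disabled system (no mode lines at all) by returning 2 instead of silently reporting "no drift".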
files
SELinux File Contexts
- ls -lZ /var/log/charon_debug.log
-rw-r--r--. root root system_u:object_r:var_log_t:s0 /var/log/charon_debug.log
SELinux Process Contexts
- ps -efZ | grep charon
system_u:system_r:ipsec_t:s0    root       797     1  0 10:09 ?        00:00:00 /usr/libexec/strongswan/starter --daemon charon --nofork
system_u:system_r:ipsec_t:s0    root       874   797  0 10:09 ?        00:00:00 /usr/libexec/strongswan/charon
ports
show allowed port access
- semanage port -l | grep "^http_port"
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
add port
http
- semanage port -a -t http_port_t -p tcp 82
ssh
- semanage port -a -t ssh_port_t -p tcp 8472
remove port (only mappings added locally can be removed; ports defined by the base policy cannot be deleted. `semanage port -l -C` lists the local additions)
- semanage port -d -t ssh_port_t -p tcp 8472
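`semanage port -a` fails with "already defined" when the port is already mapped, either by the policy itself (like 443 for http_port_t above) or by an earlier -a, possibly to a different type. The following is an added example, not part of the original cheat sheet: a sh/awk function that parses `semanage port -l` output from stdin and reports whether a port/proto is already covered by a type, expanding ranges such as 5900-5999, plus an `ensure_port` wrapper that only calls semanage when needed. The listing at the bottom is constructed in the format of `semanage port -l`, not captured from a host.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: check whether a port is
# already covered by a port type before calling "semanage port -a", which fails
# with "already defined" for a port the policy (or a previous -a) has mapped.
# The listing format is "type proto port[, port, lo-hi ...]"; ranges like
# 5900-5999 are expanded so a port inside a range is recognised.
# Usage on a real host:   semanage port -l | port_allowed http_port_t tcp 8443

# port_allowed TYPE PROTO PORT   (reads `semanage port -l` output on stdin;
# exit 0 when PORT/PROTO is labelled TYPE, 1 otherwise)
port_allowed() {
  awk -v t="$1" -v pr="$2" -v p="$3" '
    $1 == t && $2 == pr {
      for (i = 3; i <= NF; i++) {            # fields 3..NF are the port list
        tok = $i; sub(/,$/, "", tok)         # strip the ", " list separator
        if (tok ~ /^[0-9]+-[0-9]+$/) {       # a range lo-hi
          split(tok, r, "-")
          if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) found = 1
        } else if (tok + 0 == p + 0) {
          found = 1
        }
      }
    }
    END { if (found) exit 0; exit 1 }'
}

# ensure_port TYPE PROTO PORT: add the mapping only when it is missing.
# "-a" refuses a port that is already defined (for this or another type);
# "-m" reassigns such a port to TYPE instead.
ensure_port() {
  if semanage port -l | port_allowed "$1" "$2" "$3"; then
    echo "$2/$3 is already labelled $1"
  else
    semanage port -a -t "$1" -p "$2" "$3" 2>/dev/null ||
      semanage port -m -t "$1" -p "$2" "$3"
  fi
}

# Constructed listing in the format of `semanage port -l` (not from a host).
LISTING='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
vnc_port_t                     tcp      5900-5999'

for spec in 'http_port_t tcp 443' 'http_port_t tcp 82' 'vnc_port_t tcp 5950' 'ssh_port_t tcp 8472'; do
  if printf '%s\n' "$LISTING" | port_allowed $spec; then
    echo "$spec: allowed"
  else
    echo "$spec: not allowed (candidate for semanage port -a)"
  fi
done
```

The header line of the listing is ignored because the first field never equals a real type name; a port that the policy maps to a different type is reported as "not allowed" for the requested type, which is exactly the case where `-m` rather than `-a` is the right call.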
unpacking a module from the module store
- semodule -E ssh
- semodule_unpackage ssh.pp ssh.mod
`semodule -E` extracts the installed ssh module from the store into ssh.pp in the current directory; `semodule_unpackage` splits the package into the binary policy module (ssh.mod). Give a third argument (e.g. ssh.fc) to also write out the file contexts.