SELinux Notes

Michael Stone, October 18, 2015 (src)

Introduction

I use SELinux on a personal server but to do so, I need to remember some (otherwise fairly obscure) commands. They include:

Changing Roles

newrole -r sysadm_r

Creating a Policy Module

grep ... | audit2allow -M $MODULE

Compiling a Policy Module

# edit $MODULE.te; bump module version
make -f /usr/share/selinux/default/include/Makefile $MODULE.pp

Installing a Policy Module

semodule -i $MODULE.pp

Updating a Module

semodule -u $MODULE.pp

Restart a Service

run_init service $SERVICE restart

Inhibit Automatic Service Restarts

(c/o Major Hayden):

cat > /usr/sbin/policy-rc.d <<EOF
#!/bin/sh
echo "All runlevel operations denied by policy" >&2
exit 101
EOF

Status, Logs

grep $KEY /var/log/audit/audit.log | audit2allow -w
grep $KEY /var/log/audit/audit.log | audit2allow
audit2why -al | less -RSn
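As an added example (not part of the original notes), this reproduces the core translation `audit2allow` performs on the grepped audit.log lines from the "Creating a Policy Module" and "Status, Logs" sections: AVC denials are grouped by source type, target type and object class into `allow` rules, which lets you review what a generated module would grant before `semodule -i`. The audit.log excerpt is constructed; the real tool additionally emits the module header and `require` block and resolves booleans, which this does not.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not from the original page): AVC records
# for httpd (two against the same file, one against a TCP port) and for postfix.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1445184000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="site.conf" dev="sda1" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1445184000.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1445184000.102:202): avc:  denied  { open } for  pid=1201 comm="httpd" name="site.conf" dev="sda1" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1445184000.103:203): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1445184000.104:204): avc:  denied  { getattr } for  pid=900 comm="postfix" path="/var/spool/mail" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """user:role:type[:level] -> type, the component that allow rules refer to."""
    return context.split(":")[2]

def parse_denials(log_text, key=None):
    """Return {(stype, ttype, tclass): set(perms)} for every AVC denial,
    optionally restricted to lines containing `key` (the `grep $KEY` step)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        if key is not None and key not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, CWD records carry no AVC decision
        k = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
        rules[k].update(m["perms"].split())
    return rules

def to_allow_rules(rules):
    """Render the grouped denials as the allow rules audit2allow would print."""
    out = []
    for (s, t, c), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return out

if __name__ == "__main__":
    for rule in to_allow_rules(parse_denials(SAMPLE_AUDIT_LOG, key="httpd")):
        print(rule)
```

Denials logged with `permissive=1` are collapsed in exactly the same way, so a domain left in permissive mode shows up here as rules it would need rather than as a separate category.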

Debugging, Management

sestatus

sesearch -T -s $SRC -t $TARGET
sesearch -R -A -t 'mail.*' | grep -e postfix -e mail

semanage fcontext -l
semanage login -l
semanage user -l

semanage login -m -s 'staff_u' root
semanage login -m -s 'user_u' -r s0 __default__

semanage dontaudit off

touch /.autorelabel; reboot
restorecon -Rv /path/to/dir/...