% SELinux Notes
% Michael Stone
% October 18, 2015

### Introduction

I use SELinux on a personal server but to do so, I need to remember some (otherwise fairly obscure) commands. They include:

### Changing Roles

~~~~
newrole -r sysadm_r
~~~~

### Creating a Policy Module

~~~~
grep ... | audit2allow -M $MODULE
~~~~

### Compiling a Policy Module

~~~~
# edit $MODULE.te; bump module version
make -f /usr/share/selinux/default/include/Makefile $MODULE.pp
~~~~

### Installing a Policy Module

~~~~
semodule -i $MODULE.pp
~~~~

### Updating a Module

~~~~
semodule -u $MODULE.pp
~~~~

### Restart a Service

~~~~
run_init service $SERVICE restart
~~~~

### Inhibit Automatic Service Restarts

(c/o [Major Hayden](https://major.io/2014/06/26/install-debian-packages-without-starting-daemons/)):

~~~~
# policy-rc.d exit status 101 tells invoke-rc.d the action is forbidden by policy
cat > /usr/sbin/policy-rc.d << EOF
#!/bin/sh
echo "All runlevel operations denied by policy" >&2
exit 101
EOF
~~~~

### Status, Logs

~~~~
cat /var/log/audit/audit.log | grep $KEY | audit2allow -w
cat /var/log/audit/audit.log | grep $KEY | audit2allow
audit2why -al | less -RSn
~~~~

### Debugging, Management

~~~~
sestatus
sesearch -T -s $SRC -t $target
sesearch -R -A -t 'mail.*' | grep -e postfix -e mail
semanage fcontext -l
semanage login -l
semanage user -l
semanage login -m -s 'staff_u' root
semanage login -m -s 'user_u' -r s0 __default__
semanage dontaudit off
touch /.autorelabel; reboot
restorecon -Rv /path/to/dir/...
~~~~
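
Before piping denials into `audit2allow` as in the Status, Logs commands, it helps to see which source/target type pairs are actually being denied, so the `grep $KEY` filter (and the resulting module) covers only what is intended. The following is an added example, not part of the original notes; the function names `avc_summary` and `sample_log` and the sample log records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes): summarize AVC denials so the
# grep pattern fed to audit2allow can be chosen deliberately.

# Constructed sample records in audit.log format; not taken from a real host.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1445180000.101:41): avc:  denied  { read } for  pid=811 comm="master" name="main.cf" dev="sda1" ino=131 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1445180000.101:41): arch=c000003e syscall=2 success=no exit=-13 comm="master"
type=AVC msg=audit(1445180007.220:57): avc:  denied  { read } for  pid=902 comm="master" name="main.cf" dev="sda1" ino=131 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1445180012.004:63): avc:  denied  { getattr search } for  pid=640 comm="apache2" path="/home/user" dev="sda1" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1445180020.500:70): avc:  granted  { load_policy } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
EOF
}

# Reads audit records on stdin; prints "COUNT SOURCE_TYPE TARGET_TYPE CLASS {PERMS}"
# for each distinct denial, most frequent first. Non-AVC and granted records are skipped.
avc_summary() {
    awk '
    /type=AVC/ && / denied / {
        perms = ""; src = ""; tgt = ""; cls = ""
        # The permission set is the first brace-delimited group on the line.
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            # A context is user:role:type:level, so the type is always field 3.
            if ($i ~ /^scontext=/)      { split(substr($i, 10), c, ":"); src = c[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tgt = c[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src != "" && tgt != "" && cls != "")
            count[src " " tgt " " cls " {" perms "}"]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Stand-alone run on the constructed sample.
# Real use: avc_summary < /var/log/audit/audit.log
sample_log | avc_summary
```

A source type from the summary (for example `postfix_master_t`) can then serve as `$KEY` in the `grep $KEY | audit2allow` pipeline.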