SELinux

Security Enhanced Linux

Check


Is SELinux "enforcing"...

getenforce

More info...

sestatus

What will mode be after reboot...

grep ^SELINUX= /etc/selinux/config

To see SELinux attributes of a file...

ls -hlZa myfile

SELinux policy core python utilities

Install

The semanage utility is often not installed by default. To install use...

yum install policycoreutils-python-utils

This package includes:
  • semanage
  • audit2allow
  • audit2why
  • chcat
  • sandbox

Mode

SELinux is enabled by default in Red Hat Enterprise Linux, CentOS and Oracle Enterprise Linux (among others). It can be in one of three modes...

Enforcing

To change mode to "enforcing"...

setenforce 1

To make the change permanent (i.e. survive a reboot) use one of these (dependent on current mode)...

sed -i 's/SELINUX=permissive/SELINUX=enforcing/' /etc/selinux/config

sed -i 's/SELINUX=disabled/SELINUX=enforcing/' /etc/selinux/config

Changing from disabled to any other mode will need a reboot

Permissive

To change mode to "permissive"...

setenforce 0

To make the change permanent (i.e. survive a reboot) use one of these (dependent on current mode)...

sed -i 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config

sed -i 's/SELINUX=disabled/SELINUX=permissive/' /etc/selinux/config

Changing from disabled to any other mode will need a reboot

Disable

To permanently disable (i.e. survive a reboot) SELinux, use one of these (dependent on current mode)...

sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

sed -i 's/SELINUX=permissive/SELINUX=disabled/' /etc/selinux/config

Changing from any mode to "disabled" will need a reboot
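The three sections above pair each sed substitution with the mode the config file currently holds. The script below is an added example (not from the original page) that handles any starting value: it validates the mode name, rewrites whichever SELINUX= value is present, and reports when the change needs a reboot. CONFIG_FILE is an assumed environment override so the functions can be tried on a scratch copy rather than the live /etc/selinux/config.

```shell
#!/bin/sh
# Added example, not from the original page.
# CONFIG_FILE is an assumed override so the functions can be exercised on a
# scratch copy of the config; it defaults to the real file.
CONFIG_FILE="${CONFIG_FILE:-/etc/selinux/config}"

# Print the mode that will apply after the next boot (enforcing|permissive|disabled),
# read from the first SELINUX= line. SELINUXTYPE= is a different key and is skipped.
configured_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$CONFIG_FILE" | head -n 1
}

# Return 0 if switching from mode $1 to mode $2 requires a reboot:
# any transition into or out of "disabled" does; enforcing<->permissive does not.
needs_reboot() {
    [ "$1" = disabled ] || [ "$2" = disabled ]
}

# Set the persistent mode to $1 regardless of the current value.
# Exit status: 0 on success, 1 if no SELINUX= line was found, 2 on a bad mode name.
set_selinux_mode() {
    mode="$1"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "usage: set_selinux_mode enforcing|permissive|disabled" >&2; return 2 ;;
    esac
    old=$(configured_mode)
    if [ -z "$old" ]; then
        echo "no SELINUX= line in $CONFIG_FILE" >&2
        return 1
    fi
    # Rewrite through a temp file rather than sed -i so this also works on non-GNU sed.
    tmp="$CONFIG_FILE.tmp.$$"
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$CONFIG_FILE" > "$tmp" && mv "$tmp" "$CONFIG_FILE" || return 1
    if needs_reboot "$old" "$mode"; then
        echo "$old -> $mode (reboot required)"
    else
        echo "$old -> $mode (use setenforce for the running kernel)"
    fi
}

# Usage when run as a script: ./selinux-mode.sh enforcing
if [ $# -gt 0 ]; then
    set_selinux_mode "$1"
fi
```

Run it against a copy first (CONFIG_FILE=/tmp/config ./selinux-mode.sh permissive) and confirm with grep ^SELINUX= before touching the real file; the live kernel mode is still changed separately with setenforce for the enforcing/permissive case.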

Troubleshooting

The command below can be useful for diagnosing permission errors related to SELinux. The -a flag makes audit2allow read the audit log itself, so there is no need to pipe it in with cat...

audit2allow -w -a

  -a  --all  Read from the audit and message log
  -w  --why  Translates SELinux audit messages into a description of why access was denied
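audit2allow explains individual denials; when a log holds hundreds of them it helps to first collapse them into distinct (source type, target type, class, permission) signatures so the real policy gaps stand out. The script below is an added example, not from the original page, using only awk. SAMPLE_AVC holds constructed records in audit.log format, not captured output; on a real system feed it with ausearch -m avc or the raw log file.

```shell
#!/bin/sh
# Added example, not from the original page: summarize AVC denials from an audit
# log, grouping by source type, target type, object class and permission.
# The records below are constructed samples in audit.log format, not real output.

SAMPLE_AVC='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1234 comm="mysqld" name=".aaa.ini" dev="dm-1" ino=17 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read } for  pid=1234 comm="mysqld" name=".aaa.log" dev="dm-1" ino=18 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_bind } for  pid=1234 comm="mysqld" src=6446 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=49 success=no exit=-13'

# Read audit records on stdin; print one line per distinct denial signature:
#   count source_type target_type class permission(s)
summarize_avc() {
    awk '
        $1 == "type=AVC" && /avc: +denied/ {
            perm = ""; sctx = ""; tctx = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                # Permissions sit between "{" and "}" and may be more than one word.
                if ($i == "{")
                    for (j = i + 1; j <= NF && $j != "}"; j++)
                        perm = (perm == "" ? $j : perm "," $j)
                if (index($i, "scontext=") == 1) sctx = substr($i, 10)
                if (index($i, "tcontext=") == 1) tctx = substr($i, 10)
                if (index($i, "tclass=") == 1) cls = substr($i, 8)
            }
            # Keep only the type component (user:role:type:level -> type) of each context.
            split(sctx, s, ":"); split(tctx, t, ":")
            key = s[3] " " t[3] " " cls " " perm
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' | sort
}

# Number of distinct denial signatures in the constructed sample.
sample_denial_count() {
    printf '%s\n' "$SAMPLE_AVC" | summarize_avc | wc -l | tr -d ' '
}

# Usage: printf '%s\n' "$SAMPLE_AVC" | summarize_avc
# or:    summarize_avc < /var/log/audit/audit.log
```

For the sample this yields two signatures: two reads of unlabeled_t files by mysqld_t (the mislabeled-file case the Fcontext section fixes with semanage fcontext and restorecon) and one name_bind on an unreserved_port_t port (the case the Port section fixes with semanage port). Each signature can then be handed to audit2allow -w for the explanation.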

Login

Login mappings between Linux users and SELinux confined users

User

SELinux confined users (Roles and levels for an SELinux user)

Port

Network port type definitions

Check

semanage port -l

semanage port -l | grep mysql

mysqld_port_t                  tcp      1186, 3306, 63132-63164
mysqlmanagerd_port_t           tcp      2273

Add

semanage port -a -t mysqld_port_t -p tcp 6446

Delete

semanage port -d -t mysqld_port_t -p tcp 6446

Fcontext

File context mapping definitions

Check

semanage fcontext -l

semanage fcontext -l | grep mysql

Add

The example below adds a file context mapping for some hidden files under /var/lib/mysql and then applies it with restorecon...

semanage fcontext -a -t mysqld_db_t '/var/lib/mysql(/.aaa.*)?'

restorecon -v /var/lib/mysql/.aaa.*

restorecon restores the default SELinux security contexts for a file. The -v flag shows the changes.
I ran into this specific issue when /var/lib/mysql was a distinct mount point and the server was protected by Sentinel1 (i.e. Sentinel1 creates 4 files in every mount point: .aaa.html, .aaa.ini, .aaa.log, aaa.pdf). For some reason MySQL then tries to process these files at startup and fails if SELinux is enforcing and this context mapping is not in place.
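A file context pattern is matched against the whole path, and an unescaped dot matches any character, so the pattern above (/var/lib/mysql(/.aaa.*)?) also claims a file such as /var/lib/mysql/xaaa.conf, whereas /var/lib/mysql(/\.aaa.*)? is limited to names starting with ".aaa". Previewing the match set before the semanage fcontext -a step keeps mysqld_db_t from being handed to files that were never meant to carry it. The script below is an added example, not from the original page: CANDIDATES is a constructed path list standing in for the output of find /var/lib/mysql -maxdepth 1, and grep -E -x stands in for the policy matcher.

```shell
#!/bin/sh
# Added example, not from the original page: preview which paths a file context
# pattern would claim before adding it with semanage fcontext -a.
# file_contexts patterns are anchored to the full path, which grep -E -x imitates.

# Constructed candidate list: the four hidden files (taken as dot-prefixed), a
# look-alike, a normal data file and a hidden file one level deeper.
CANDIDATES='/var/lib/mysql
/var/lib/mysql/.aaa.html
/var/lib/mysql/.aaa.ini
/var/lib/mysql/.aaa.log
/var/lib/mysql/.aaa.pdf
/var/lib/mysql/xaaa.conf
/var/lib/mysql/ibdata1
/var/lib/mysql/db1/.aaa.ini'

# Print the candidate paths matched by pattern $1 (full-path match).
fcontext_matches() {
    printf '%s\n' "$CANDIDATES" | grep -E -x -e "$1"
}

# Number of candidates matched by pattern $1, for comparing two patterns.
fcontext_match_count() {
    fcontext_matches "$1" | wc -l | tr -d ' '
}

# Usage: compare the page's pattern with the escaped one.
#   fcontext_matches '/var/lib/mysql(/.aaa.*)?'    # 6 paths, including xaaa.conf
#   fcontext_matches '/var/lib/mysql(/\.aaa.*)?'   # 5 paths, only the .aaa files
```

Once the pattern is right, semanage fcontext -a records it and restorecon -v applies it; restorecon -n -v on the directory is the dry-run equivalent against the real policy.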

Boolean

Booleans to selectively enable functionality