Embedded Files
Security Enhanced Linux
Check
Check
Is SELinux "enforcing"...
getenforce
More info...
sestatus
What will mode be after reboot...
grep ^SELINUX= /etc/selinux/config
To see SELinux attributes of a file...
ls -hlZa myfile
SELinux policy core python utilities
SELinux policy core python utilities
Install
Install
The semanage utility is often not installed by default. To install use...
yum install policycoreutils-python-utils
This package includes:
- semanage
- audit2allow
- audit2why
- chcat
- sandbox
Mode
Mode
SELinux is enabled by default in Red Hat Enterprise Linux, CentOS and Oracle Enterprise Linux (among others). It can be in one of three modes...
Enforcing
Permissive
Disabled
Enforcing
Enforcing
To change mode to "enforcing"...
setenforce 1
To make the change permanent (i.e. survive a reboot) use one of these (dependant on current mode)...
sed -i 's/SELINUX=permissive/SELINUX=enforcing/' /etc/selinux/config
sed -i 's/SELINUX=disabled/SELINUX=enforcing/' /etc/selinux/config
Changing from disabled to any other mode will need a rebootPermissive
Permissive
To change mode to "permissive"...
setenforce 0
To make the change permanent (i.e. survive a reboot) use one of these (dependant on current mode)...
sed -i 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config
sed -i 's/SELINUX=disabled/SELINUX=permissive/' /etc/selinux/config
Changing from disabled to any other mode will need a rebootDisable
Disable
To permanently disable (i.e. survive a reboot) SELinux, use one of these (dependant on current mode)...
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
sed -i 's/SELINUX=permissive/SELINUX=disabled/' /etc/selinux/config
Changing from any mode to "disabled" will need a rebootTroubleshooting
Troubleshooting
The command below can be useful for diagnosing permission errors related to SELinux...
cat /var/log/audit/audit.log | audit2allow -w -a
-a-w
--all--why
Read from audit and message logTranslates SELInux audit messages into a description of why access was denied
Login
Login
Login mappings between linux users and SELinux confined users
User
User
SELinux confined users (Roles and levels for an SELinux user)
Port
Port
Network port type definitions
Check
Check
semanage port -l
semanage port -l | grep mysql
mysqld_port_t tcp 1186, 3306, 63132-63164mysqlmanagerd_port_t tcp 2273
Add
Add
semanage port -a -t mysqld_port_t -p tcp 6446
Delete
Delete
semanage port -d -t mysqld_port_t -p tcp 6446
Fcontext
Fcontext
File context mapping definitions
Check
Check
semanage fcontext -l
semanage fcontext -l | grep mysql
Add
Add
The example below adds some hidden files to the file context mapping definitions. ...
semanage fcontext -a -t mysqld_db_t '/var/lib/mysql(/.aaa.*)?'
restorecon -v /var/lib/mysql/.aaa.*
restorecon restores the default SELinux security contexts for a file. The -v flag shows the changes.I ran into this specific issue when /var/lib/mysql was a distinct mount point and the server was protected by Sentinel1 (i.e. Sentinel1 creates 4 files in every mount point .aaa.html, .aaa.ini, .aaa.log, aaa.pdf.. for some reason MySQL then tries to process these files at startup and fails if SELinux is enforcing and this context mapping is not in place.
Boolean
Boolean
Booleans to selectively enable functionality
Bibliography
Bibliography
https://github.com/SELinuxProjecthttps://selinuxproject.org/page/Main_Pagehttps://en.wikipedia.org/wiki/Security-Enhanced_Linuxhttps://www.techrepublic.com/article/how-to-use-semanage-and-avoid-disabling-selinux/https://blogs.oracle.com/mysql/selinux-and-mysql-v2https://www.tecmint.com/selinux-essentials-and-control-filesystem-access/https://www.tecmint.com/disable-selinux-in-centos-rhel-fedora/https://www.redhat.com/en/topics/linux/what-is-selinuxhttps://www.percona.com/resources/videos/selinux-fun-mysql-and-friends-matthias-crauwels-percona-live-online-2020
Page updated
Google Sites
Report abuse