Checking SELinux Mode

$ getenforce
Enforcing

Changing SELinux Mode

$ setenforce 0

Listing SELinux Contexts

$ semanage fcontext -l
SELinux fcontext                                   type               Context
/                                                  directory          system_u:object_r:root_t:s0
/.*                                                all files          system_u:object_r:default_t:s0
...
/etc/pki/instance(/.*)?                            all files          system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/instance/alias(/.*)?                      all files          system_u:object_r:pki_tomcat_cert_t:s0
/usr/lib/systemd/system/pki-tomcat.*               all files          system_u:object_r:pki_tomcat_unit_file_t:s0
/var/lib/pki/instance(/.*)?                        all files          system_u:object_r:pki_tomcat_var_lib_t:s0
/var/log/pki/instance(/.*)?                        all files          system_u:object_r:pki_tomcat_log_t:s0

Creating SELinux Contexts

Removing SELinux Contexts

Displaying SELinux Contexts

$ ls -lZ /var/lib/pki/instance
lrwxrwxrwx. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0   25 Jul 26 14:28 alias -> /etc/pki/instance/alias
lrwxrwxrwx. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0   21 Jul 26 14:28 bin -> /usr/share/tomcat/bin
drwxrwx---. 5 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0  104 Jul 26 14:28 ca
lrwxrwxrwx. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0   28 Jul 26 14:28 common -> /usr/share/pki/server/common
lrwxrwxrwx. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0   19 Jul 26 14:28 conf -> /etc/pki/instance
drwxrwx---. 2 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0 4096 Jul 26 14:28 lib
lrwxrwxrwx. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0   23 Jul 26 14:28 logs -> /var/log/pki/instance
lrwxrwxrwx. 1 root    root    system_u:object_r:pki_tomcat_var_lib_t:s0   16 Jul 26 14:28 instance -> /usr/sbin/tomcat
drwxrwx---. 2 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0    6 Jul 26 14:28 temp
drwxr-xr-x. 2 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0    6 Jul 26 14:28 webapps
drwxrwx---. 3 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0   22 Jul 26 14:28 work

Restoring SELinux Contexts

$ restorecon -FR /var/lib/pki/pki-tomcat

Listing SELinux Ports

$ semanage port -l

Verification

Reset the audit log:

$ cat /dev/null > /var/log/audit/audit.log

Switch to permissive mode:

$ setenforce 0

Run the tests, then check the AVCs in the audit log:

$ audit2allow -i /var/log/audit/audit.log

Switch to enforcing mode:

$ setenforce 1

Run the tests again in enforcing mode to make sure they still pass.

Listing AVC Messages

$ ausearch -m AVC

Issues

Running Java under HTTPD

AVC denial:

type=AVC msg=audit(1571779838.122:1337): avc:  denied  { execmem } for  pid=108666 comm="java" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0

Possible solution:

$ setsebool -P httpd_execmem 1
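As an added example (not part of this page or of the Dogtag project), a small Python parser for the type=AVC records that the verification procedure above collects and that the httpd/java issue shows: it groups denials by source type, target type and object class, records whether they were logged in permissive mode, and renders each group as the allow rule audit2allow would print, so a denial can be checked against an existing boolean such as httpd_execmem before any custom policy is written. The sample log is constructed; the pki_tomcat_t/default_t record in it is assumed, not captured from a real system.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt, not captured from a real system: the httpd/java
# denial quoted on this page, a SYSCALL record that must be skipped, and an assumed
# denial logged in permissive mode (permissive=1) for a file left labelled default_t.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1571779838.122:1337): avc:  denied  { execmem } for  pid=108666 comm="java" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1571779838.122:1337): arch=c000003e syscall=10 success=no exit=-13 comm="java"
type=AVC msg=audit(1571779901.005:1402): avc:  denied  { read open } for  pid=108670 comm="java" name="ca.cfg" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one type=AVC denial into a dict; return None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    rec["permissive"] = rec.get("permissive") == "1"  # True after setenforce 0
    return rec

def type_of(context):
    """system_u:system_r:httpd_t:s0 -> httpd_t (the type is the third field)."""
    return context.split(":")[2]

def allow_rule(rec):
    """Render a denial as the TE rule audit2allow prints (self when src == tgt)."""
    src, tgt = type_of(rec["scontext"]), type_of(rec["tcontext"])
    perms = rec["perms"][0] if len(rec["perms"]) == 1 else "{ %s }" % " ".join(rec["perms"])
    return "allow %s %s:%s %s;" % (src, "self" if src == tgt else tgt, rec["tclass"], perms)

def summarize(log_text):
    """Group denials by (source type, target type, class) and merge permissions."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "permissive": False})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["count"] += 1
        g["permissive"] = g["permissive"] or rec["permissive"]
    return dict(groups)
```

A group whose source and target types are both httpd_t with class process and permission execmem is the case the boolean above covers; a group whose target type is default_t under a PKI directory usually points at a labelling problem that restorecon fixes rather than at missing policy.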

References