Checking SELinux mode#
$ getenforce
Enforcing
Changing SELinux mode#
$ setenforce 0
setenforce only changes the running mode (0 = permissive, 1 = enforcing); the mode used at boot comes from /etc/selinux/config.
Listing SELinux Contexts#
$ semanage fcontext -l
SELinux fcontext                          type         Context
/                                         directory    system_u:object_r:root_t:s0
/.*                                       all files    system_u:object_r:default_t:s0
...
/etc/pki/<instance>(/.*)?                 all files    system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/<instance>/alias(/.*)?           all files    system_u:object_r:pki_tomcat_cert_t:s0
/usr/lib/systemd/system/pki-tomcat.*      all files    system_u:object_r:pki_tomcat_unit_file_t:s0
/var/lib/pki/<instance>(/.*)?             all files    system_u:object_r:pki_tomcat_var_lib_t:s0
/var/log/pki/<instance>(/.*)?             all files    system_u:object_r:pki_tomcat_log_t:s0
Creating SELinux Contexts#
Removing SELinux Contexts#
Displaying SELinux Contexts#
$ ls -lZ /var/lib/pki/<instance>
lrwxrwxrwx. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0 25 Jul 26 14:28 alias -> /etc/pki/<instance>/alias
lrwxrwxrwx. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0 21 Jul 26 14:28 bin -> /usr/share/tomcat/bin
drwxrwx---. 5 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0 104 Jul 26 14:28 ca
lrwxrwxrwx. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0 28 Jul 26 14:28 common -> /usr/share/pki/server/common
lrwxrwxrwx. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0 19 Jul 26 14:28 conf -> /etc/pki/<instance>
drwxrwx---. 2 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0 4096 Jul 26 14:28 lib
lrwxrwxrwx. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0 23 Jul 26 14:28 logs -> /var/log/pki/<instance>
lrwxrwxrwx. 1 root root system_u:object_r:pki_tomcat_var_lib_t:s0 16 Jul 26 14:28 <instance> -> /usr/sbin/tomcat
drwxrwx---. 2 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0 6 Jul 26 14:28 temp
drwxr-xr-x. 2 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0 6 Jul 26 14:28 webapps
drwxrwx---. 3 pkiuser pkiuser system_u:object_r:pki_tomcat_var_lib_t:s0 22 Jul 26 14:28 work
Restoring SELinux Contexts#
$ restorecon -FR /var/lib/pki/pki-tomcat
Add -n -v to preview which files would be relabeled without changing anything.
Listing SELinux Ports#
$ semanage port -l
Verification#
Reset the audit log:
$ cat /dev/null > /var/log/audit/audit.log
Switch to permissive mode:
$ setenforce 0
Run the tests, then check the AVCs in the audit log. In permissive mode every denial is logged but nothing is blocked, so a single run shows all the missing rules instead of stopping at the first one:
$ audit2allow -i /var/log/audit/audit.log
Switch to enforcing mode:
$ setenforce 1
Run the tests again to make sure it works.
Listing AVC Messages#
$ ausearch -m AVC
Issues#
Running Java under HTTPD#
AVC denial:
type=AVC msg=audit(1571779838.122:1337): avc: denied { execmem } for pid=108666 comm="java" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
Possible solution:
$ setsebool -P httpd_execmem 1
-P makes the boolean persistent across reboots. Note that httpd_execmem lets every process in httpd_t map memory that is both writable and executable (which the JVM's JIT needs), so it weakens the W^X protection the policy otherwise enforces; enable it only if Java really has to run inside httpd_t.
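The Verification procedure above says to check the AVCs after a permissive-mode run, and the Issues section shows what a single denial looks like. The following is an added example, not part of the PKI project, that parses audit records in that format and groups the denials by (source type, target type, class, permission), counting how many were actually enforced (permissive=0) versus only logged (permissive=1). The log lines in SAMPLE_AUDIT_LOG are constructed for the example and modelled on the denial shown above; nothing here depends on the page's tooling beyond the audit.log format.

```python
"""Triage SELinux AVC denials from an audit log (added example, not project code)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample records (not from a real system): the same execmem denial
# once enforced and once only logged, one file denial with two permissions,
# and a SYSCALL record that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1571779838.122:1337): avc:  denied  { execmem } for  pid=108666 comm="java" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1571779838.122:1337): arch=c000003e syscall=10 success=no exit=-13 comm="java"
type=AVC msg=audit(1571779840.501:1340): avc:  denied  { execmem } for  pid=108670 comm="java" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1571779841.003:1342): avc:  denied  { read open } for  pid=108670 comm="java" path="/etc/pki/pki-tomcat/server.xml" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=1
"""

# Kernel AVC record: type=AVC msg=audit(<secs>.<ms>:<serial>): avc: denied { perms } for key=value ...
AVC_RE = re.compile(
    r'^type=AVC\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+'
    r'avc:\s+(?P<action>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either quoted strings or runs of non-space characters
KV_RE = re.compile(r'(?P<key>\w+)=(?P<val>"[^"]*"|\S+)')


@dataclass
class Avc:
    serial: int
    timestamp: float
    action: str            # "denied" or "granted"
    perms: tuple           # sorted permissions, e.g. ("open", "read")
    fields: dict = field(default_factory=dict)

    @property
    def enforced(self):
        # permissive=0: the kernel refused the access; permissive=1: logged only
        return self.fields.get("permissive") == "0"


def selinux_type(context):
    """Return the type (third field) of a user:role:type:level context string."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one audit line; return an Avc or None if it is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return Avc(int(m.group("serial")), float(m.group("ts")), m.group("action"),
               tuple(sorted(m.group("perms").split())), fields)


def summarize_denials(log_text):
    """Group denied AVCs by (source type, target type, tclass, permission)."""
    groups = defaultdict(lambda: {"total": 0, "enforced": 0, "comms": set(), "serials": []})
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None or avc.action != "denied":
            continue
        src = selinux_type(avc.fields.get("scontext", ""))
        tgt = selinux_type(avc.fields.get("tcontext", ""))
        for perm in avc.perms:            # one "{ read open }" record counts once per permission
            g = groups[(src, tgt, avc.fields.get("tclass", ""), perm)]
            g["total"] += 1
            g["enforced"] += 1 if avc.enforced else 0
            g["comms"].add(avc.fields.get("comm", "?"))
            g["serials"].append(avc.serial)   # serials to feed into ausearch -a later
    return dict(groups)


def format_summary(groups):
    """One line per group, sorted, e.g. 'httpd_t -> httpd_t process { execmem }: 2 (enforced 1) comm=java'."""
    return [
        f"{src} -> {tgt} {cls} {{ {perm} }}: {g['total']} (enforced {g['enforced']}) "
        f"comm={','.join(sorted(g['comms']))}"
        for (src, tgt, cls, perm), g in sorted(groups.items())
    ]


if __name__ == "__main__":
    import sys
    # Usage: python avc_triage.py /var/log/audit/audit.log (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    for row in format_summary(summarize_denials(text)):
        print(row)
```

Run it against the audit log after the permissive test run; a group with enforced 0 is a denial that would only surface once enforcing mode is switched back on, and the serials can be passed to ausearch -a to pull the full event before deciding whether a boolean, a label fix or a policy change is the right answer.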