| Purpose | File/Command | Remarks |
|---|---|---|
| SELinux configuration | `/etc/selinux/config` (also reachable through the symlink `/etc/sysconfig/selinux`) | `SELINUX=` sets the boot-time mode (enforcing, permissive, disabled); `SELINUXTYPE=` selects the policy (usually `targeted`). |
| Get SELinux state/mode | `getenforce` | `Enforcing`: the loaded policy is enforced. `Permissive`: violations are logged (AVC denials) but allowed. `Disabled`: no policy is loaded and files are not labelled. |
| View labels (security context) of files | `ls -Z path` | Context format is `user:role:type:level`, e.g. `system_u:object_r:httpd_sys_content_t:s0`. |
| View labels (security context) of processes | `ps -Z` (processes of the current terminal) or `ps -axZ` (all processes) | The type field of a process context is its domain, e.g. `httpd_t`. |
| View labels (security context) of sockets/ports | `netstat -Z` | Shows the context of the process owning each socket (net-tools). The port-number-to-type mapping itself is shown by `semanage port -l`. |
| Set SELinux to permissive mode | `setenforce 0` | Not persistent; lost at reboot. To make it permanent edit `SELINUX=` in `/etc/selinux/config`. `setenforce` cannot switch to or from `disabled`. |
| Set SELinux to enforcing mode | `setenforce 1` | Not persistent; lost at reboot. Same config-file note as above. |
| Show full SELinux status | `sestatus -v` | Includes current and configured modes, policy type, and the contexts of key processes and files. |
| Set a specific domain to permissive, e.g. `httpd_t` | `semanage permissive -a httpd_t` | `-a` adds, `-d` removes, `-l` lists permissive domains. Only that domain is permissive; the rest of the system stays enforcing. The change is persistent. |
| Get all SELinux boolean values | `getsebool -a` | Shows the `on`/`off` state of every boolean. `getsebool name` queries a single one. |
| Set a SELinux boolean, e.g. `ftpd_anon_write` | `setsebool -P ftpd_anon_write on` | `-P` makes the change persistent across reboots; without it the boolean reverts at reboot. |
| Trace which booleans were changed locally | `semanage boolean -l -C` | `-C` lists only local customizations. The backing file is `/etc/selinux/targeted/modules/active/booleans.local` on older releases and `/var/lib/selinux/targeted/active/booleans.local` on releases that keep the policy store under `/var/lib/selinux`. |
| Show mapping of Linux users to SELinux users | `semanage login -l` | The `__default__` entry applies to any Linux user without an explicit mapping (normally `unconfined_u`). |
| Show list of SELinux users | `seinfo -u` or `semanage user -l` | `semanage user -l` also shows the roles each SELinux user may take. |
| Map a Linux user to a SELinux user | `semanage login -a -s staff_u jdoe` | Maps Linux user `jdoe` to SELinux user `staff_u`. `-a` adds, `-s` names the SELinux user. Takes effect at the user's next login. |
| Change the user field of a file's security context | `chcon -u selinux_user filename` | Confirm with `ls -Z filename`. `-r` and `-t` change the role and type fields. `chcon` changes are not recorded in policy and are undone by a relabel or `restorecon`; use `semanage fcontext` for a persistent rule. |
| Restore file(s) to their default SELinux security context | `restorecon filepath(s)` | `-R` recurses into directories, `-v` prints each changed file. The defaults come from the file-context rules shown by `semanage fcontext -l`. |
| Show which ports are allowed for a process domain, e.g. httpd | `semanage port -l \| grep http` | Port types, not domains, are listed; `http_port_t` is the type `httpd_t` may bind. |
| List roles / list domain types | `seinfo -r` lists all roles; `seinfo -adomain -x` lists the types carrying the `domain` attribute | Requires the setools package. |
| List all types associated with a role | `seinfo -rrole -x`, e.g. `seinfo -rstaff_r -x` | setools 4 also accepts `seinfo -r staff_r -x`. |
| Allow a service to bind a new port, e.g. httpd on 2222 | `semanage port -a -t http_port_t -p tcp 2222` | `-a` fails with "Port tcp/2222 already defined" when the port already has a definition; use `-m` in that case. Persistent. |
| Override the type of an existing port definition | `semanage port -m -t unreserved_port_t -p tcp 2222` | `-m` modifies the existing entry (here labelling 2222 back to `unreserved_port_t`). Stored as a local customization. |
| List all ports | `semanage port -l` | `semanage port -l -C` shows only local customizations. |
| List port numbers of a specific port type, e.g. http | `semanage port -l \| grep -w http_port_t` | `-w` avoids matching `http_cache_port_t` and similar names. |
| Find port types for a specific port number | `semanage port -l \| grep -w 53` | Plain `grep 53` also matches 5353, 853, 1053. Even `-w` cannot match a port that falls inside a listed range such as `32768-60999`. |
| Delete a port definition | `semanage port -d -t unreserved_port_t -p tcp 2222` | Only local customizations can be deleted; ports defined in the base policy give an error. |
| Delete a range of ports | `semanage port -d -t http_port_t -p tcp 2223-2225` | The exact range must previously have been added with `-a`. |
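The `grep 53` lookup above is imprecise (it matches 5353 and 853 too) and `semanage port -a` fails when the port is already defined. The following script, added here as an example and not part of the original cheat sheet, parses `semanage port -l` output for an exact port (including membership in ranges) and picks `-a` or `-m` accordingly. `PORT_TABLE` is a constructed sample in the output format of `semanage port -l`; on a real host set it with `PORT_TABLE=$(semanage port -l)`. Function names `port_types` and `semanage_port_cmd` are this example's own. It prints the command rather than running it, so it needs no root.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. PORT_TABLE is a constructed sample
# shaped like `semanage port -l` output; replace with PORT_TABLE=$(semanage port -l).
PORT_TABLE='SELinux Port Type              Proto    Port Number

dns_port_t                     tcp      53, 853
dns_port_t                     udp      53, 853
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
mdns_port_t                    tcp      5353
mdns_port_t                    udp      5353
ssh_port_t                     tcp      22
ephemeral_port_t               tcp      32768-60999
ephemeral_port_t               udp      32768-60999'

# port_types PROTO PORT
# Prints "TYPE exact" for every type that lists PORT explicitly and
# "TYPE range" for every type whose listed range contains PORT.
# Unlike `grep 53`, this compares numbers, so 53 never matches 5353 or 853.
port_types() {
  local proto="$1" port="$2"
  printf '%s\n' "$PORT_TABLE" | awk -v proto="$proto" -v port="$port" '
    NF >= 3 && $2 == proto {
      # fields 3..NF are the comma-separated port list; an entry may be lo-hi
      for (i = 3; i <= NF; i++) {
        p = $i
        gsub(/,/, "", p)
        if (split(p, r, "-") == 2) {
          if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) { print $1, "range"; next }
        } else if (p + 0 == port + 0) {
          print $1, "exact"; next
        }
      }
    }'
}

# semanage_port_cmd TYPE PROTO PORT
# Prints the semanage command that gives PROTO/PORT the type TYPE:
#   -a when the port has no explicit definition yet (a range match does not
#      count; semanage only rejects -a for an exactly defined port),
#   -m when it is explicitly defined with another type,
#   nothing to do when it already carries TYPE.
semanage_port_cmd() {
  local type="$1" proto="$2" port="$3" current
  current=$(port_types "$proto" "$port" | awk '$2 == "exact" { print $1 }')
  if [ -z "$current" ]; then
    echo "semanage port -a -t $type -p $proto $port"
  elif printf '%s\n' "$current" | grep -qx "$type"; then
    echo "# $proto/$port is already labelled $type; nothing to do"
  else
    echo "semanage port -m -t $type -p $proto $port"
  fi
}

# Usage against the constructed table:
port_types tcp 53
port_types tcp 40000
semanage_port_cmd http_port_t tcp 2222
semanage_port_cmd http_port_t tcp 5353
semanage_port_cmd http_port_t tcp 443
```

Pipe the printed command into a shell once you are satisfied with it; with a real `PORT_TABLE` this avoids the trial-and-error of running `-a`, reading the "already defined" error, and rerunning with `-m`.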