
Software >> OS >> Unix >> Linux >> RHEL >> 7 >> Security >> SELINUX >> quick reference

 

Purpose: SELinux configuration
File/Command: /etc/selinux/config
              or the softlink /etc/sysconfig/selinux

Purpose: get SELinux state/mode
File/Command: getenforce
Remarks:
    enforcing - SELinux security policy is enforced.
    permissive - SELinux prints warnings instead of enforcing.
    disabled - No SELinux policy is loaded.

Purpose: view labels (security context) of files
File/Command: ls -Z path

Purpose: view labels (security context) of processes
File/Command: ps -Z

Purpose: view labels (security context) of ports
File/Command: netstat -Z

Purpose: set SELinux to permissive mode
File/Command: setenforce 0
Remarks: change is not persistent (it is lost after reboot)

Purpose: set SELinux to enforcing mode
File/Command: setenforce 1
Remarks: change is not persistent (it is lost after reboot)

Purpose: show full SELinux status
File/Command: sestatus -v

Purpose: set SELinux to a specific mode for a specific label, e.g. set SELinux to permissive for label httpd_t
File/Command: semanage permissive -a httpd_t
Remarks: -a => add

Purpose: get all SELinux boolean values
File/Command: getsebool -a
Remarks: shows the off or on state of the SELinux settings

Purpose: set SELinux boolean value for a setting, e.g. ftpd_anon_write
File/Command: setsebool -P ftpd_anon_write on
Remarks: -P => persistent

Purpose: trace what boolean changes were made
File/Command: /etc/selinux/targeted/modules/active/booleans.local

Purpose: show mapping of Linux user to SELinux user
File/Command: semanage login -l

Purpose: show list of SELinux users
File/Command: seinfo -u
              or
              semanage user -l

Purpose: map a Linux user to an SELinux user
File/Command: semanage login -a -s staff_u jdoe
Remarks: maps Linux user jdoe to SELinux user staff_u
    -a => add
    -s => SELinux user

Purpose: change user security context for a file
File/Command: chcon -u selinux_user filename
Remarks: ls -Z filename to confirm after the change

Purpose: show process security context
File/Command: ps -axZ

Purpose: restore file(s) to their default SELinux security context
File/Command: restorecon filepath(s)

Purpose: show what ports are allowed for a process context label, e.g. for httpd
File/Command: semanage port -l | grep http

Purpose: show roles in the domain
File/Command: seinfo -adomain -r

Purpose: list all types associated with a role
File/Command: seinfo -rrole -x
              e.g. seinfo -rstaff_r -x

 
Purpose: allow binding to a new port for a particular service, e.g. httpd
File/Command: semanage port -a -t http_port_t -p tcp 2222

Purpose: override the policy for an existing port
File/Command: semanage port -m -t unreserved_port_t -p tcp 2222

Purpose: list all ports
File/Command: semanage port -l

Purpose: list port numbers of a specific port type, e.g. http
File/Command: semanage port -l | grep -w http_port_t

Purpose: find port names for a specific port number
File/Command: semanage port -l | grep 53

Purpose: delete a port
File/Command: semanage port -d -t unreserved_port_t -p tcp 2222

Purpose: delete a range of ports
File/Command: semanage port -d -t http_port_t -p tcp 2223-2225

Q. What are the components of an SELinux security context?

A.

  1. SELinux user
  2. SELinux role
  3. Type
  4. Sensitivity / category

e.g.

SELinux user : unconfined_u
SELinux role : object_r
Type : default_t
Sensitivity : s0
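
The four fields can be split mechanically when many labels need checking at once. The script below is an added example, not part of the original reference: it splits a context string (the sensitivity/category field may itself contain colons) and lists files whose type is default_t, the targeted policy's catch-all file type shown in the example above. The function names, the sample lines and the "context path" input layout (as printed by stat -c '%C %n') are assumptions.

```shell
#!/bin/bash
# Added example (not from the original page): split SELinux contexts into fields.

# split_context CONTEXT -> prints "user role type level".
# Only the first three colons separate fields; the level keeps its own colons
# (e.g. s0-s0:c0.c1023). A missing level (non-MLS/MCS policy) prints as "-".
split_context() {
    local ctx="$1" user role type level
    IFS=: read -r user role type level <<EOF
$ctx
EOF
    if [ -z "$user" ] || [ -z "$role" ] || [ -z "$type" ]; then
        echo "malformed context: $ctx" >&2
        return 1
    fi
    printf '%s %s %s %s\n' "$user" "$role" "$type" "${level:--}"
}

# paths_with_type TYPE: read "context path" lines on stdin (assumed layout, as
# printed by: stat -c '%C %n' FILE...) and print the paths whose type is TYPE.
paths_with_type() {
    local want="$1" ctx path fields type
    while read -r ctx path; do
        fields=$(split_context "$ctx" 2>/dev/null) || continue
        type=${fields#* * }   # drop "user role "
        type=${type%% *}      # drop " level"
        if [ "$type" = "$want" ]; then
            printf '%s\n' "$path"
        fi
    done
    return 0
}

# Constructed sample input, not taken from a real host.
sample_contexts() {
    cat <<'EOF'
unconfined_u:object_r:default_t:s0 /data/report.txt
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
system_u:object_r:default_t:s0:c1,c5 /srv/app/run.sh
EOF
}

split_context 'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
sample_contexts | paths_with_type default_t
```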

 

 

[ © 2008-2021 myfaqbase.com - A property of WPDC Consulting ]