One minute SELinux
SELinux
Basics
Switch SELinux enforcing mode on (1) or off (0):
setenforce 1/0
List all available booleans:
getsebool -a
Turn on a boolean:
setsebool -P use_nfs_home_dirs on
-P is for persistent, so the setting stays after a reboot.
Advanced
You can create your own rules when something is not allowed and no boolean covers it.
This is what the audit logs are for. For example, say HAProxy can't read a socket to write its logs; we can search the audit log to see what was denied:
grep haproxy /var/log/audit/audit.log
Yep, it is not readable at all, but you can ask the system to generate a rule from those denials with this command:
grep haproxy /var/log/audit/audit.log | audit2allow
It will return something like this:
module rsyslog 1.0;
require {
type syslogd_t;
type haproxy_var_lib_t;
class sock_file { create setattr };
class dir { add_name search write };
}
#============= syslogd_t ==============
allow syslogd_t haproxy_var_lib_t:dir { add_name search write };
allow syslogd_t haproxy_var_lib_t:sock_file { create setattr };
This output can be used to build a rule:
grep haproxy /var/log/audit/audit.log | audit2allow -m haproxy > haproxy.te
checkmodule -M -m -o haproxy.mod haproxy.te
semodule_package -o haproxy.pp -m haproxy.mod
semodule -i haproxy.pp
These commands build the policy module and install it.
You can easily remove it later with:
semodule -r haproxy