Overview

SELinux has two major components on your system. First, there is the kernel mechanism, which enforces a set of access rules (the policy) on every process and file. Second, there are labels: every process and every file on your system carries a security context that those rules refer to. Run ls -Z (for files) or ps -Z (for processes) and you'll see what I mean.

Type Enforcement

Type enforcement is the primary mechanism of access control in the targeted policy: a rule allows a process running in one type (its domain, e.g. httpd_t) a specific set of permissions on objects of another type (e.g. httpd_sys_content_t). A security context has the form user:role:type:sensitivity[:category], for example system_u:object_r:httpd_sys_content_t:s0. In the targeted policy the decisions are made almost entirely on the type field; the sensitivity and category fields belong to MLS/MCS and are s0 for most files.

Commands

  • setsebool and getsebool (set and read policy booleans; setsebool -P makes the change persistent across reboots)
  • chcon (change the context of a file; the change is lost on the next restorecon or full relabel)
  • /usr/sbin/setenforce (turns enforcing mode on with 1 and off with 0, i.e. permissive mode; getenforce shows the current mode)
  • /usr/sbin/setsebool -P httpd_disable_trans 1 (turns SELinux off for the web server by keeping httpd unconfined; old policies only, current policies dropped this boolean and use semanage permissive -a httpd_t instead)
  • seinfo (lists elements of the policy: types, booleans, classes, roles)
  • /usr/sbin/matchpathcon /some/path (displays the context the policy says the path should have; matchpathcon -V reports files whose on-disk label differs from that default)
  • semanage (persistently updates policy configuration: file contexts, ports, booleans, logins, permissive domains)
  • /usr/bin/audit2allow -i /var/log/audit/audit.log (turns logged denials into allow rules; read /var/log/messages instead when auditd is not running; review the output before loading it, because it allows exactly what was denied, whether or not that access was legitimate)
  • sealert (from setroubleshoot; explains a denial and suggests fixes)
  • restorecon -R -v /path (resets the labels under /path to the policy defaults)
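The commands above all revolve around two things: reading a context apart into its user:role:type:level fields (the Type Enforcement section) and turning the denials that audit2allow and sealert consume into something actionable. The script below is an added example, not part of the original notes or of any SELinux tool; the audit records in SAMPLE_AVC are constructed for the example (not captured from a real host), and fix_hint is a heuristic written for the example only.

```shell
# Added example (not part of the original notes): offline triage of AVC
# denials of the kind audit2allow/sealert consume.  The records in
# SAMPLE_AVC are constructed for this example, not captured from a real host.

SAMPLE_AVC='type=AVC msg=audit(1700000000.101:201): avc:  denied  { write } for  pid=2241 comm="httpd" name="images" dev="dm-0" ino=1313 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { add_name } for  pid=2241 comm="httpd" name="Foo.png" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { write } for  pid=2241 comm="httpd" name="images" dev="dm-0" ino=1313 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { name_connect } for  pid=2241 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'

# A context is user:role:type:level.  The level (sensitivity[:category]) may
# itself contain ':' (e.g. s0:c0.c1023), so it is "field 4 to the end".
ctx_type()  { printf '%s\n' "$1" | cut -d: -f3; }
ctx_level() { printf '%s\n' "$1" | cut -d: -f4-; }

# Read audit records on stdin; print "count source_type target_type class perms"
# for each distinct denial, sorted.  Only the type field of each context is
# kept: in the targeted policy that is what the allow rules are written against.
avc_summary() {
    awk '/^type=AVC / && / denied /{
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        # the denied permissions sit between the braces: "{ write }"
        match($0, /[{][^}]*[}]/)
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
        n[src " " tgt " " cls " " perms]++
    }
    END { for (k in n) print n[k], k }' | LC_ALL=C sort -k2
}

# Rough pointer to the right kind of fix (heuristic, for the example only):
# a file or directory target is usually a labelling problem, a socket or port
# target is usually a boolean or a port label.
fix_hint() {
    case "$1" in
        dir|file|lnk_file|sock_file) echo "relabel the target (chcon / semanage fcontext + restorecon)" ;;
        tcp_socket|udp_socket)       echo "check booleans (getsebool -a | grep <domain>) or port labels (semanage port -l)" ;;
        *)                           echo "look the class up with sealert/audit2allow before writing a rule" ;;
    esac
}

printf '%s\n' "$SAMPLE_AVC" | avc_summary | while read -r count src tgt cls perms; do
    printf '%s x %s -> %s (%s: %s): %s\n' "$count" "$src" "$tgt" "$cls" "$perms" "$(fix_hint "$cls")"
done
```

On a live system feed it the real log, e.g. `avc_summary < /var/log/audit/audit.log` (or `ausearch -m avc -ts today | avc_summary`). The point of collapsing the contexts to their type fields is that the summary line reads the same way the audit2allow output will (source type, target type, class, permissions), so you can judge each proposed allow rule before loading it. The two "write"/"add_name" denials on httpd_sys_content_t are exactly the case the cheat sheet addresses with a read-write type; the name_connect denial to mysqld_port_t is a boolean (httpd_can_network_connect_db), not a relabel.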

Cheat Sheet

from http://www.mediawiki.org/wiki/SELinux

  • chcon -R -t httpd_user_content_t /path/to/mediawiki_install (httpd_user_content_t is meant for content in home directories; for a site under /var/www the usual type is httpd_sys_content_t)
  • chcon -t httpd_sys_script_exec_t /usr/lib/php/modules/fileinfo.so (a PHP extension loaded by httpd; open question whether a shared-library type such as lib_t would be more appropriate than a script type)
  • chcon -t httpd_sys_script_exec_t includes/GlobalFunctions.php
  • chcon -R -t httpd_sys_script_rw_t images (changes the directory's type so that scripts can read and write to it; the default content type is read-only for httpd)

All of these chcon changes are lost the next time the files are relabelled (restorecon, or a full relabel via /.autorelabel), because chcon only writes the label, not the rule that produces it. To make them stick, record the rule with semanage fcontext -a -t TYPE 'REGEX' and then run restorecon -R -v on the path.