
selinux

Show SELinux contexts

ls -lZ index.html 

Get SELinux status

sestatus
getenforce

Show SELinux denials in the audit log

cat /var/log/audit/audit.log | grep nginx | grep denied
  • scontext = Source Context
  • tcontext = Target Context
  • _u:_r:_t:s# = user:role:type:security level

Check suggested SELinux rules (audit2why explains the denials, audit2allow proposes rules)

apt-get install policycoreutils-python-utils
audit2why -i /var/log/audit/audit.log
audit2allow -i /var/log/audit/audit.log

Search denied logs

ausearch -ts recent -m avc -i

Allow nginx to act as a proxy under SELinux (if used)

setsebool -P httpd_can_network_connect 1
setsebool -P httpd_can_network_relay 1
semanage port -a -t http_port_t -p tcp <proxy-port>

Allow Nginx to run on port 442 with SELinux

  1. Install the required SELinux management tools, if not already installed:
sudo yum install policycoreutils-python-utils

or

sudo dnf install policycoreutils-python-utils

or on Debian/Ubuntu based:

sudo apt install policycoreutils-python-utils
  2. Check the current label for port 442:
sudo semanage port -l | grep 442

If no label is found, continue to step 3. If port 442 is already labelled with another type, semanage port -a will refuse with "port already defined"; use semanage port -m instead of -a in step 3 to change the type.

  3. Add a new SELinux port label (via semanage) that assigns TCP port 442 to the http_port_t type:
sudo semanage port -a -t http_port_t -p tcp 442
  4. Verify the new port label:
sudo semanage port -l | grep http_port_t

You should now see port 442 included in the list of ports allowed for the http_port_t type.

  5. Update your Nginx configuration to listen on port 442. In your virtual host configuration (usually found in /etc/nginx/sites-available or /etc/nginx/conf.d), add the line shown below:
listen 442 ssl;

Make sure you also have your SSL certificates and other SSL directives configured properly.

  6. Restart Nginx:
sudo systemctl restart nginx
  7. Check the status of Nginx:
sudo systemctl status nginx

Now Nginx should be running on port 442 with SELinux in enforcing mode.

Collect all denied requests and build a policy module

cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M mynginx
semodule -i mynginx.pp

Review the generated mynginx.te before installing the module: audit2allow writes an allow rule for every denial it sees, including ones that should stay blocked.

List the ports labelled http_port_t (ports httpd may use)

semanage port -l | grep -w http_port_t

Assign an SELinux file context to a folder (and its contents)

semanage fcontext -a -t httpd_sys_content_t "/home/wwwuser(/.*)?"

Restore the security context

restorecon -rv /home/wwwuser

Allow a script to be executed (label it bin_t)

semanage fcontext -a -t bin_t '/opt/librenms/librenms-service.py'
restorecon -Fv /opt/librenms/librenms-service.py

Disable SELinux

nano /etc/sysconfig/selinux

SELINUX=disabled

On RHEL-based systems /etc/sysconfig/selinux is a symlink to /etc/selinux/config, and the change takes effect after a reboot. For troubleshooting, SELINUX=permissive (or setenforce 0 for the running system) keeps logging denials without blocking them.

Default SELinux file context policies

written in /etc/selinux/targeted/files/

Change the SELinux file context for a directory and its contents

semanage fcontext -a -t cifs_t "/opt/log/releases(/.*)?"
restorecon -v /opt/log/releases -R

How to read SELinux audit logs

  • Get the ID of the event (the value inside audit(...) in the msg field):
root@app1.dev.server [20150527 08:56:31]:/opt$ tail -2 /var/log/audit/audit.log
type=USER_END msg=audit(1432731157.222:13303): pid=20577 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_xauth acct="username" exe="/usr/bin/su" hostname=? addr=? terminal=pts/0 res=success'

id = 1432731157.222:13303

  • Find that ID in the audit log and let audit2why explain the denial:
grep "1432731157.222:13303" /var/log/audit/audit.log | audit2why
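As an added example (not part of these notes): a small Python parser that pulls the event id, the denied permissions and the scontext/tcontext fields (split into user:role:type:level, as described in the denied-log section above) out of AVC records, using constructed sample lines in the audit.log format, so the grep + audit2why step can be scripted over many denials at once.

```python
import re
from dataclasses import dataclass
# Constructed sample records in the format of /var/log/audit/audit.log
# (hypothetical values, not taken from a real system).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1432731200.123:13310): avc:  denied  { name_connect } for  pid=2101 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=USER_END msg=audit(1432731157.222:13303): pid=20577 uid=0 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="username" exe="/usr/bin/su" res=success'
type=AVC msg=audit(1432731201.456:13311): avc:  denied  { read open } for  pid=2101 comm="nginx" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")   # -> "<epoch>:<serial>"
DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')           # key=value / key="value"

@dataclass
class AvcDenial:
    event_id: str          # the id to grep for in audit.log and feed to audit2why
    permissions: list      # what was denied, e.g. ["name_connect"]
    comm: str              # process name
    tclass: str            # object class (file, tcp_socket, ...)
    scontext: dict         # source context split into user/role/type/level
    tcontext: dict         # target context split the same way
    fields: dict           # all raw key=value fields of the record

def parse_context(ctx: str) -> dict:
    """Split user:role:type:level; the level may itself contain ':' (MLS/MCS ranges)."""
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}

def parse_avc_denials(log_text: str) -> list:
    """Extract AVC denial records; other record types (USER_END, ...) are skipped."""
    denials = []
    for line in log_text.splitlines():
        denied, ev = DENIED_RE.search(line), EVENT_RE.search(line)
        if not line.startswith("type=AVC") or not denied or not ev:
            continue  # not an AVC record, or an AVC "granted" record
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        denials.append(AvcDenial(f"{ev.group(1)}:{ev.group(2)}", denied.group(1).split(),
                                 f.get("comm", "?"), f.get("tclass", "?"),
                                 parse_context(f["scontext"]), parse_context(f["tcontext"]), f))
    return denials

def summarize(denials: list) -> list:
    """One line per denial: event id, process, source type -> target type, class, permissions."""
    return [f"{d.event_id} {d.comm} {d.scontext['type']} -> {d.tcontext['type']} "
            f"{d.tclass} {{{' '.join(d.permissions)}}}" for d in denials]

if __name__ == "__main__":
    for line in summarize(parse_avc_denials(SAMPLE_AUDIT_LOG)):
        print(line)
```

Each printed event id can be fed straight into the grep | audit2why command above to get the explanation for that single denial.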

Allow nginx to send mail under SELinux

# Either add allow rule for each denied message
ausearch -m avc -ts boot
audit2allow -a
audit2allow -a -M myhttpd
semodule -i myhttpd.pp

# Or this one works better
setsebool -P httpd_can_sendmail=on