Wednesday, January 30, 2013

SE Linux Cure (mini mini post)

I think it's only natural for admins to avoid SELinux. With SELinux enabled, the simplest change can end in a system failure. Or even no change at all (none that you remember, anyway..).

The Cure

In the past, I depended on a few commands that might shed some light on SELinux troubles.
The commands are:
  1. ls -Z : this option shows an additional column, the security context, carried by each file
  2. chcon : this command changes a file's context to the given context argument. For example, chcon -t mysqld_db_t mysql sets the type of the mysql directory's security context to mysqld_db_t
  3. restorecon : this command restores a file's context to its default
But a recent bit of trouble opened my mind to the fact that more tools are needed. For example, on Ubuntu systems we might need to poke around the directory /etc/apparmor.d and edit the rule files there.
In a recent CentOS trouble, these commands were handy:
  • yum install setroubleshoot - this installs the sealert and semanage tools
  • sealert -a /var/log/audit/audit.log - this turns the raw audit log into readable messages
  • semanage fcontext - this changes the context of many files at once, according to a path pattern; the rule is recorded in the policy, so it survives a relabel (unlike chcon)
  • setenforce - it might help to temporarily allow the SELinux violation during troubleshooting: setenforce 0 switches to permissive mode (denials are logged but allowed) and setenforce 1 returns to enforcing mode
  • semodule -DB - disable dontaudit rules, so that denials normally hidden from the audit log show up
  • semodule -B - re-enable dontaudit rules
  • restorecon -vF filename_or_directory - reset the SELinux context of the file or directory to its default, which normally restores access to a file or directory that SELinux otherwise denied
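
As an added example (not part of the original post), here is a small shell script that does by hand the triage sealert automates: it parses the AVC denials out of an audit.log into one line per source type, target type and class, and then prints the permanent fix with semanage fcontext plus restorecon. The audit records, the /srv/mysql datadir and the mysqld_db_t target are constructed for the example.

```shell
#!/bin/bash
# Summarise SELinux AVC denials from an audit log and print the permanent fix.
# Added example, not from the original post. Assumes the record format written
# by the Linux audit daemon: type=AVC ... scontext=... tcontext=... tclass=...

# Constructed sample: mysqld is denied on a datadir moved to /srv/mysql that
# still carries the generic var_t label (one non-AVC record mixed in).
SAMPLE_AUDIT='type=AVC msg=audit(1359532800.101:201): avc:  denied  { read } for  pid=2201 comm="mysqld" name="ibdata1" dev=dm-0 ino=4471 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1359532800.102:202): avc:  denied  { write } for  pid=2201 comm="mysqld" name="ib_logfile0" dev=dm-0 ino=4472 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1359532800.102:202): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1359532800.103:203): avc:  denied  { search } for  pid=2201 comm="mysqld" name="mysql" dev=dm-0 ino=4470 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir'

# avc_summary: read audit records on stdin, print one line per distinct
# (source type, target type, class) with the union of the denied permissions.
avc_summary() {
  awk '
    /^type=AVC / && /avc: +denied/ {
      perms = $0; sub(/.*denied +\{ /, "", perms); sub(/ \}.*/, "", perms)
      src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }   # type field
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      key = src " " tgt " " cls
      if (!(key in seen)) { order[++n] = key; seen[key] = 1 }
      if (index(" " plist[key] " ", " " perms " ") == 0)
        plist[key] = plist[key] (plist[key] ? " " : "") perms
    }
    END { for (i = 1; i <= n; i++) print order[i] " {" plist[order[i]] "}" }'
}

# persistent_fix DIR TYPE: print the commands that make the label permanent.
# chcon alone is lost on the next relabel; semanage records the rule and
# restorecon applies it (-R recursive, -F force, -v verbose).
persistent_fix() {
  printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$2" "$1"
  printf 'restorecon -vRF %s\n' "$1"
}

printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
persistent_fix /srv/mysql mysqld_db_t
```

Run it against the real log with `avc_summary < /var/log/audit/audit.log`; the summary tells you which target type is wrong before you touch any label.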
