Официален блог на WebEKM EKM очаквайте сайта онлайн скоро.

Download Free Templates http://bigtheme.net/ free full Wordpress, Joomla, Mgento - premium themes.

SELinux – the highest level of security, implementing and troubleshooting


Linux provides 3 levels regarding filesystem security: standard permissions, ACL and SELinux. SELinux handles not only with files permissions but with applications, resources and network ports as well. SELinux may put a ban on an application access to the spicified system files or may not allowed a user changing file permission. What is, how work and how to troubleshoot SELinux, let’s get to know!

What the power of SELinux consists in ?

As I mentioned in the introduction the power of SElinux consists in, that can assign different  access of a single daemon to different parts of the system. The process may have or not have an access to network ports, files, sockets, directories according to the policies. From the security point of view it has a huge meaning, the attacker after succesfull attack will gain only access to the part of the system restricted to single daemon not entire system. 

/etc/sysconfig/selinux – SELinux configuration file


There are 3 posibilities regarding action that SELinux may undertake : 

enforcing – exacts rules / setenforce 1
permissive – logs violations, but doesn’t stop them / setenforce 0
disabled – turned off

sestauts – the command for checking state of SELinux enable/disable

Enforcing will be used in order to block, permissive in order to check what would happen if we used enforcing mode. By defalult SElinux type is “targeted”. Files, folders, processes and ports are labeled according to the access required to them

Commands that shows labels context:
ls -Z  – files and folders

selinux labels examples

As we see there are a couple of labels attached to the files. I just listed /etc folder. We have not only etc_t labels but bin_t,  locale_t as well, “etc_t” means “etc type” and so on. Based on these labels SELinux makes decisions. Contexts are inherited like permissions and ACLs, from folder to included files in its.

We may aslo check labels for processes and sockets
ps -z  – processes
netstat -Z  – ports

If we want to change the label of the file or folder we do this with command chcon:

chcon -t  -R type file/folder   (R stands for recursive)

If we want to restore original labels :

restorcon -vR file/folder


I’ve installed httpd daemon (or Apache if you wish) and started its. Let’s go over /var/www folder. As we see html folder is labeled with httpd_sys_content. Inside the folder there is an index.html that has exactly the same type of label. Index.html just inherited rights. Everything is ok

2. var.html content

Let’s check what is the label of apache daemon with command “ps -Zaux” . As we see the label of httpd service is httpd_t. Just this. That’s fine, Apache will get an access to the www folder with label httpd_sys_content due to the SELinux rules. So far, so good. If we type localhost in the browser we gonna see index.html content!

3 apache label

Now, let’s make things more complicated. I logged off  and logged on as user ‘marcin’In folder /home/marcin I created index.html file and copy its to the correct folder of Apache /var/www/ namely. I even grant full permissions to everyone to read, write and execute index.html file because originaly this file didn’t have full permissions.

33 lab chmod

Let’s check if the site will be working out. Unfortunately not!

5html forbiddeen access

So we have 777 permissions, we are logged as root and we can’t run a file ?
Let’s check what say SELinux labels.

888 userhome

It has turned out index.html file has SELinux label user_home_t because has been created in home folder of user marcin not in folder /var/www/, if was then would inherit label from www folder httpd_sys_content.

Ok, so let’s try change the label of index.html from user_home_t to httpd_sys_content

changing selinux index

Let’s check what we got

999 pop jpg

And finally, we have to try to open index.html file …. SUCCESS !

10 http pop


SELinux Troubleshooting

In order to show how to troubleshoot SELinux I took the lab back to the place, where I created index.html file as user marcin in /home/marcin folder and copy its to the /var/www/html folder. As you see ls -Z show that index.html has label home_user_t. Now you won’t be able to run index.html in the browser for lack of permissions.

11 index user_home

Ok, let’s see how to find out what is wrong, firstly we have to install appropriate
program and restart the auditd service

yum install setroubleshoot-server

service auditd restart


Let’ try to run index.html one more time in the browser (with no luck of course)

From var/log/messages file we will find out everything what we have to know

12 var log messages

The interesting for us line is marked on yellow colour, we get to know where is the problem and what we have to do next – we have to run “sealert -l c03093c4-9bef-4be7-a692-2a53d2bea36d” command
So let’s run “sealert -l c03093c4-9bef-4be7-a692-2a53d2bea36d


So, from above alert we get to know that  in order to allow the Apache reading files with label user_content we have to run command:

setsebool -P httpd_read_user_content 1

Let’s run setsebool -P httpd_read_user_content 1 and check what happens with index.html in the browser

SUCCESS! We didn’t change the label to httpd_sys_content and we didn’t grant 777 permissions to index.html file but it works ! What we just did ?

What is SELinux Booleans ?

SELinux Booleans enables us setting up what SELinux does or doesn’t do in given situation. When we’ve run “setsebool -P httpd_read_user_content 1” we didn’t do nothing more than set up permamently that Apache (httpd) is enable reading files with user_content SELinux labels.

getsebool -a shows all possible boolans, good to use grep

14 getsebool httpdread

As we see httpd_read_user_content is turned off let’s change it

setsebool [-P] booloption on/off – setting up bool and state

15sebool changed on

/etc/selinux/targeted/active/booleans.local – file contains a list with booleans and settings that we have changed.

Let’s check if our new entry regarding httpd_read_user_content ie being placed
in booleans.local file.

17selinux targett active

Yes, it is !


Onlain bookmaker bet365.com - the best bokie