Difference between revisions of "SE Linux Troubleshooting"

From Michael's Information Zone
Jump to navigation Jump to search
 
(3 intermediate revisions by the same user not shown)
Line 1: Line 1:
 +
==Setroubleshoot==
 
<ref>http://www.serverlab.ca/tutorials/linux/administration-linux/troubleshooting-selinux-centos-red-hat/</ref>
 
<ref>http://www.serverlab.ca/tutorials/linux/administration-linux/troubleshooting-selinux-centos-red-hat/</ref>
 
<pre>
 
<pre>
 
yum install setroubleshoot setools
 
yum install setroubleshoot setools
 
sealert -a /var/log/audit/audit.log
 
sealert -a /var/log/audit/audit.log
 +
</pre>
 +
==Audit2allow (without setroubleshoot)==
 +
<ref>https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-fixing_problems-allowing_access_audit2allow</ref>
 +
<pre>
 +
sudo grep fail2ban /var/log/audit/audit.log | audit2allow -M fail2ban2
 +
******************** IMPORTANT ***********************
 +
To make this policy package active, execute:
 +
 +
semodule -i fail2ban2.pp
 +
 +
[ec2-user@ip-172-26-5-161 ~]$ nano fail2ban2.
 +
[ec2-user@ip-172-26-5-161 ~]$ nano fail2ban2.pp
 +
[ec2-user@ip-172-26-5-161 ~]$ sudo semodule -i fail2ban2.pp
 
</pre>
 
</pre>
 
==Configure SELinux on Amazon Linux AMI==
 
==Configure SELinux on Amazon Linux AMI==
Line 13: Line 27:
 
<pre>
 
<pre>
 
Edit /etc/grub.conf and change selinux=0 to selinux=1, then add security=selinux enforcing=1
 
Edit /etc/grub.conf and change selinux=0 to selinux=1, then add security=selinux enforcing=1
 +
</pre>
 +
*<ref>https://www.centos.org/docs/5/html/5.2/Deployment_Guide/sec-sel-fsrelabel.html</ref>Then tell selinux you want to relable the filesystem
 +
<pre>
 +
touch /.autorelabel
 +
</pre>
 +
*Reboot and check selinux status
 +
<pre>
 +
sestatus
  
 +
SELinux status:                enabled
 +
SELinuxfs mount:                /selinux
 +
SELinux root directory:        /etc/selinux/
 +
Loaded policy name:            targeted
 +
Current mode:                  enforcing
 +
Mode from config file:          enforcing
 +
Policy MLS status:              enabled
 +
Policy deny_unknown status:    allowed
 +
Max kernel policy version:      30
 +
</pre>
 +
==Application Specific==
 +
===Apache Settings===
 +
Needed to allow apache to write to the web directory for a NextCloud update.
 +
<pre>
 +
chcon -R -t httpd_sys_rw_content_t /var/www/html
 
</pre>
 
</pre>
*
+
===NFS===
 +
Ran into a problem with a MySQL container using an NFS bind mount. Ends up there is a conflict<ref>https://serverfault.com/questions/591129/enable-selinux-to-allow-mysql-files-to-be-read-and-written-on-a-nfs-share</ref>. MySQL requires different context for both the sock file and data files. It was recommended to mount the data with
 +
context="system_u:object_r:mysqld_db_t:s0"
 +
and update my.cnf to use the new data directory. I just ended up running the database in the container then run regular backups to the NFS storage. The reason being that the NFS storage gets backed up offsite.
 +
<br>
 +
<br>

Latest revision as of 06:45, 13 April 2020

Setroubleshoot

[1]

yum install setroubleshoot setools
sealert -a /var/log/audit/audit.log

Audit2allow (without setroubleshoot)

[2]

sudo grep fail2ban /var/log/audit/audit.log | audit2allow -M fail2ban2
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i fail2ban2.pp

[ec2-user@ip-172-26-5-161 ~]$ nano fail2ban2.
[ec2-user@ip-172-26-5-161 ~]$ nano fail2ban2.pp 
[ec2-user@ip-172-26-5-161 ~]$ sudo semodule -i fail2ban2.pp 

Configure SELinux on Amazon Linux AMI

[3]

  • Install packages
yum install libselinux libselinux-utils selinux-policy-minimum selinux-policy-mls selinux-policy-targeted policycoreutils 
  • Edit grub boot options
Edit /etc/grub.conf and change selinux=0 to selinux=1, then add security=selinux enforcing=1
  • [4]Then tell selinux you want to relable the filesystem
touch /.autorelabel
  • Reboot and check selinux status
sestatus 

SELinux status:                 enabled
SELinuxfs mount:                /selinux
SELinux root directory:         /etc/selinux/
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      30

Application Specific

Apache Settings

Needed to allow apache to write to the web directory for a NextCloud update.

chcon -R -t httpd_sys_rw_content_t /var/www/html

NFS

Ran into a problem with a MySQL container using an NFS bind mount. Ends up there is a conflict[5]. MySQL requires different context for both the sock file and data files. It was recommended to mount the data with

context="system_u:object_r:mysqld_db_t:s0"

and update my.cnf to use the new data directory. I just ended up running the database in the container then run regular backups to the NFS storage. The reason being that the NFS storage gets backed up offsite.