Difference between revisions of "SE Linux Troubleshooting"
Jump to navigation
Jump to search
Michael.mast (talk | contribs) |
Michael.mast (talk | contribs) |
||
| Line 1: | Line 1: | ||
| + | ==Setroubleshoot== | ||
<ref>http://www.serverlab.ca/tutorials/linux/administration-linux/troubleshooting-selinux-centos-red-hat/</ref> | <ref>http://www.serverlab.ca/tutorials/linux/administration-linux/troubleshooting-selinux-centos-red-hat/</ref> | ||
<pre> | <pre> | ||
yum install setroubleshoot setools | yum install setroubleshoot setools | ||
sealert -a /var/log/audit/audit.log | sealert -a /var/log/audit/audit.log | ||
| + | </pre> | ||
| + | ==Audit2allow (without setroubleshoot)== | ||
| + | <ref>https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-fixing_problems-allowing_access_audit2allow</ref> | ||
| + | <pre> | ||
| + | sudo grep fail2ban /var/log/audit/audit.log | audit2allow -M fail2ban2 | ||
| + | ******************** IMPORTANT *********************** | ||
| + | To make this policy package active, execute: | ||
| + | |||
| + | semodule -i fail2ban2.pp | ||
| + | |||
| + | [ec2-user@ip-172-26-5-161 ~]$ nano fail2ban2. | ||
| + | [ec2-user@ip-172-26-5-161 ~]$ nano fail2ban2.pp | ||
| + | [ec2-user@ip-172-26-5-161 ~]$ sudo semodule -i fail2ban2.pp | ||
</pre> | </pre> | ||
==Configure SELinux on Amazon Linux AMI== | ==Configure SELinux on Amazon Linux AMI== | ||
Revision as of 12:02, 11 December 2017
Setroubleshoot
yum install setroubleshoot setools sealert -a /var/log/audit/audit.log
Audit2allow (without setroubleshoot)
sudo grep fail2ban /var/log/audit/audit.log | audit2allow -M fail2ban2 ******************** IMPORTANT *********************** To make this policy package active, execute: semodule -i fail2ban2.pp [ec2-user@ip-172-26-5-161 ~]$ nano fail2ban2. [ec2-user@ip-172-26-5-161 ~]$ nano fail2ban2.pp [ec2-user@ip-172-26-5-161 ~]$ sudo semodule -i fail2ban2.pp
Configure SELinux on Amazon Linux AMI
- Install packages
yum install libselinux libselinux-utils selinux-policy-minimum selinux-policy-mls selinux-policy-targeted policycoreutils
- Edit grub boot options
Edit /etc/grub.conf and change selinux=0 to selinux=1, then add security=selinux enforcing=1
- [4]Then tell selinux you want to relable the filesystem
touch /.autorelabel
- Reboot and check selinux status
sestatus SELinux status: enabled SELinuxfs mount: /selinux SELinux root directory: /etc/selinux/ Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 30
- ↑ http://www.serverlab.ca/tutorials/linux/administration-linux/troubleshooting-selinux-centos-red-hat/
- ↑ https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-fixing_problems-allowing_access_audit2allow
- ↑ http://www.chrisumbel.com/article/selinux_amazon_aws_ec2_ami_linux
- ↑ https://www.centos.org/docs/5/html/5.2/Deployment_Guide/sec-sel-fsrelabel.html
