Difference between revisions of "SE Linux Troubleshooting"
Michael.mast (talk | contribs)
Latest revision as of 06:45, 13 April 2020
Setroubleshoot
yum install setroubleshoot setools
sealert -a /var/log/audit/audit.log
Audit2allow (without setroubleshoot)
sudo grep fail2ban /var/log/audit/audit.log | audit2allow -M fail2ban2
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i fail2ban2.pp

[ec2-user@ip-172-26-5-161 ~]$ nano fail2ban2.
[ec2-user@ip-172-26-5-161 ~]$ nano fail2ban2.pp
[ec2-user@ip-172-26-5-161 ~]$ sudo semodule -i fail2ban2.pp
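Both sealert and audit2allow work from the AVC denial records in audit.log. The following added example (not from the original page or either tool) parses a constructed audit.log excerpt, narrows it to one process the way the grep above does, and renders the resulting allow rules in the form a generated .te file would contain, so each grant can be reviewed before semodule loads it. Log lines, PIDs and inode numbers are constructed.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not from the original page): two denials for
# fail2ban on its log file, one unrelated SYSCALL record, one denial for httpd.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1586752001.123:4001): avc:  denied  { write } for  pid=1234 comm="fail2ban-server" name="fail2ban.log" dev="xvda1" ino=5678 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1586752002.456:4002): avc:  denied  { open } for  pid=1234 comm="fail2ban-server" path="/var/log/fail2ban.log" dev="xvda1" ino=5678 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1586752002.456:4002): arch=c000003e syscall=2 success=no exit=-13 comm="fail2ban-server"
type=AVC msg=audit(1586752010.789:4010): avc:  denied  { write } for  pid=2222 comm="httpd" name="config.php" dev="xvda1" ino=9999 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
"""

# Fields of an AVC denial record that audit2allow turns into an allow rule.
AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def parse_avc_denials(log_text):
    """Return one dict per AVC denial; non-AVC records are ignored."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = set(d["perms"].split())
            denials.append(d)
    return denials

def summarize_allow_rules(denials, comm=None):
    """Group denials by (source type, target type, object class) and union the
    permissions, optionally keeping only records whose comm contains `comm`
    (the same narrowing the page's `grep fail2ban` does before audit2allow)."""
    rules = defaultdict(set)
    for d in denials:
        if comm and comm not in d["comm"]:
            continue
        stype = d["scontext"].split(":")[2]   # the type field of user:role:type:level
        ttype = d["tcontext"].split(":")[2]
        rules[(stype, ttype, d["tclass"])] |= d["perms"]
    return {k: " ".join(sorted(v)) for k, v in rules.items()}

def to_te_rules(summary):
    """Render the summary as the allow lines a generated .te file would contain,
    so each grant can be reviewed before `semodule -i` loads it."""
    return [f"allow {s} {t}:{c} {{ {p} }};" for (s, t, c), p in sorted(summary.items())]
```

A rule the review does not expect (here, httpd writing to httpd_sys_content_t) is a sign the denial should be fixed by relabelling or configuration rather than by widening policy.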
Configure SELinux on Amazon Linux AMI
- Install packages
yum install libselinux libselinux-utils selinux-policy-minimum selinux-policy-mls selinux-policy-targeted policycoreutils
- Edit grub boot options
Edit /etc/grub.conf and change selinux=0 to selinux=1, then add security=selinux enforcing=1
- Then tell SELinux you want to relabel the filesystem[4]
touch /.autorelabel
- Reboot and check selinux status
sestatus

SELinux status: enabled
SELinuxfs mount: /selinux
SELinux root directory: /etc/selinux/
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 30
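The grub edit and the sestatus check in the steps above can be done by hand, but on a fleet of instances it helps to script them. This added example (not from the original page or the referenced article) rewrites the kernel line of a constructed grub.conf idempotently and verifies the sestatus output shown above reports enforcing both now and in the config file. The grub.conf contents and kernel file names are constructed placeholders.

```python
# Constructed grub.conf excerpt (not from the page): a boot entry with selinux=0 on the kernel line.
SAMPLE_GRUB_CONF = """\
default=0
title Amazon Linux (example kernel)
root (hd0,0)
kernel /boot/vmlinuz-example root=LABEL=/ console=tty1 console=ttyS0 selinux=0
initrd /boot/initramfs-example.img
"""

# The sestatus output shown on this page, used as sample input.
SAMPLE_SESTATUS = """\
SELinux status: enabled
SELinuxfs mount: /selinux
SELinux root directory: /etc/selinux/
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 30
"""

def enable_selinux_in_grub(conf_text):
    """Rewrite each kernel line: selinux=0 -> selinux=1, add security=selinux enforcing=1 if absent (idempotent)."""
    out = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("kernel "):
            args = ["selinux=1" if a == "selinux=0" else a for a in line.split()]
            for needed in ("selinux=1", "security=selinux", "enforcing=1"):
                if needed not in args:
                    args.append(needed)
            line = " ".join(args)
        out.append(line)
    return "\n".join(out) + "\n"

def parse_sestatus(output):
    """Turn sestatus output into a dict of field -> value."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def selinux_enforcing(fields):
    """True only if SELinux is enabled and enforcing now and in the config file."""
    return (fields.get("SELinux status") == "enabled"
            and fields.get("Current mode") == "enforcing"
            and fields.get("Mode from config file") == "enforcing")
```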
Application Specific
Apache Settings
Needed to allow Apache to write to the web directory for a NextCloud update. Note that chcon sets the label on the files directly, so the change does not survive a filesystem relabel (the /.autorelabel step above, or restorecon), which resets labels to whatever the file-context policy specifies.
chcon -R -t httpd_sys_rw_content_t /var/www/html
NFS
Ran into a problem with a MySQL container using an NFS bind mount. Ends up there is a conflict[5]. MySQL requires different contexts for the sock file and the data files. It was recommended to mount the data with
context="system_u:object_r:mysqld_db_t:s0"
and update my.cnf to use the new data directory. I just ended up running the database in the container and running regular backups to the NFS storage, the reason being that the NFS storage gets backed up offsite.
- ↑ http://www.serverlab.ca/tutorials/linux/administration-linux/troubleshooting-selinux-centos-red-hat/
- ↑ https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-fixing_problems-allowing_access_audit2allow
- ↑ http://www.chrisumbel.com/article/selinux_amazon_aws_ec2_ami_linux
- ↑ https://www.centos.org/docs/5/html/5.2/Deployment_Guide/sec-sel-fsrelabel.html
- ↑ https://serverfault.com/questions/591129/enable-selinux-to-allow-mysql-files-to-be-read-and-written-on-a-nfs-share