SE Linux Troubleshooting

From Michael's Information Zone
Revision as of 06:45, 13 April 2020 by Michael.mast (talk | contribs)

Setroubleshoot

[1]

yum install setroubleshoot setools
sealert -a /var/log/audit/audit.log

Audit2allow (without setroubleshoot)

[2]

sudo grep fail2ban /var/log/audit/audit.log | audit2allow -M fail2ban2
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i fail2ban2.pp

[ec2-user@ip-172-26-5-161 ~]$ nano fail2ban2.
[ec2-user@ip-172-26-5-161 ~]$ nano fail2ban2.pp 
[ec2-user@ip-172-26-5-161 ~]$ sudo semodule -i fail2ban2.pp 
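What audit2allow does with those grep'd lines is worth seeing spelled out, because semodule -i installs whatever it generated. The following is an added example, not part of the original page and not audit2allow's own code: a POSIX sh/awk function that reads AVC denial records and prints the allow rule each one would become, merging permissions per (source type, target type, class). The audit records are constructed for the example (PIDs, inodes, timestamps and paths are made up); the only assumption is the standard audit.log AVC record layout.

```shell
#!/bin/sh
# Constructed AVC records in /var/log/audit/audit.log format (made-up PIDs,
# inodes and timestamps). The SYSCALL record is included to show it is skipped.
SAMPLE_AVC='type=AVC msg=audit(1586760000.123:4567): avc:  denied  { read } for  pid=1234 comm="fail2ban-server" name="secure" dev="xvda1" ino=12345 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1586760001.456:4568): avc:  denied  { open } for  pid=1234 comm="fail2ban-server" path="/var/log/secure" dev="xvda1" ino=12345 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1586760001.456:4568): arch=c000003e syscall=2 success=no exit=-13 comm="fail2ban-server"
type=AVC msg=audit(1586760002.789:4569): avc:  denied  { name_connect } for  pid=2222 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'

# avc_to_rules: read audit records on stdin and print one
#   allow <source_type> <target_type>:<class> { perms };
# line per distinct (source, target, class), in first-seen order.
avc_to_rules() {
  grep 'avc:  denied' | awk '
    {
      perms = ""; st = ""; tt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "{") {                 # permissions are listed as { read open }
          for (j = i + 1; j <= NF && $j != "}"; j++) perms = perms " " $j
        }
        if ($i ~ /^scontext=/) { split($i, s, ":"); st = s[3] }   # user:role:TYPE:level
        if ($i ~ /^tcontext=/) { split($i, t, ":"); tt = t[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }            # strip "tclass="
      }
      if (st == "" || tt == "" || cls == "") next
      key = st " " tt ":" cls
      if (!(key in seen)) { seen[key] = 1; order[++n] = key }
      np = split(perms, p, " ")
      for (k = 1; k <= np; k++)
        if (!((key, p[k]) in have)) { have[key, p[k]] = 1; plist[key] = plist[key] " " p[k] }
    }
    END {
      for (k = 1; k <= n; k++) {
        split(order[k], a, " ")
        printf "allow %s %s { %s };\n", a[1], a[2], substr(plist[order[k]], 2)
      }
    }'
}

# Example run; on a real host:  grep fail2ban /var/log/audit/audit.log | avc_to_rules
printf '%s\n' "$SAMPLE_AVC" | avc_to_rules
```

Seeing the rules in the open is the point: the third record above would become a blanket allow for httpd to connect to the MySQL port, where the intended fix is usually the existing boolean (setsebool -P httpd_can_network_connect_db on) rather than a custom module. audit2allow -M writes a readable .te source next to the binary .pp, so review the .te before running semodule -i.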

Configure SELinux on Amazon Linux AMI

[3]

  • Install packages
yum install libselinux libselinux-utils selinux-policy-minimum selinux-policy-mls selinux-policy-targeted policycoreutils 
  • Edit grub boot options
Edit /etc/grub.conf and change selinux=0 to selinux=1, then add security=selinux enforcing=1
  • [4] Then tell SELinux you want to relabel the filesystem
touch /.autorelabel
  • Reboot and check selinux status
sestatus 

SELinux status:                 enabled
SELinuxfs mount:                /selinux
SELinux root directory:         /etc/selinux/
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      30
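The grub edit in the second step is the one that is easy to get half right, since all three parameters (selinux=1, security=selinux, enforcing=1) have to end up on every kernel line. The following is an added example, not from the page or from Amazon's tooling: a POSIX sh/awk function that applies the edit to a legacy grub.conf, is safe to re-run, keeps a .bak copy, and a second function that counts kernel lines still missing a parameter so the result can be checked before rebooting. The sample grub.conf is constructed; its kernel versions and root label are made up.

```shell
#!/bin/sh
# Constructed legacy-GRUB /etc/grub.conf (as on the Amazon Linux AMI); the
# kernel versions and root label are made up for the example.
SAMPLE_GRUB='default=0
timeout=1
title Amazon Linux 2018.03 (4.14.000-a)
root (hd0,0)
kernel /boot/vmlinuz-4.14.000-a root=LABEL=/ console=ttyS0 selinux=0
initrd /boot/initramfs-4.14.000-a.img
title Amazon Linux 2018.03 (4.14.000-b)
root (hd0,0)
kernel /boot/vmlinuz-4.14.000-b root=LABEL=/ console=ttyS0
initrd /boot/initramfs-4.14.000-b.img'

# enable_selinux_kernel_args FILE
# On every "kernel ..." line: turn selinux=0 into selinux=1, add selinux=1 if
# absent, then add security=selinux and enforcing=1 if absent. Re-running it
# changes nothing. The file is rewritten in place (cat >, not mv) so that the
# /etc/grub.conf symlink and the file's mode survive; a .bak copy is kept.
enable_selinux_kernel_args() {
  file=$1
  tmp=$(mktemp) || return 1
  cp "$file" "$file.bak" || return 1
  awk '
    /^[ \t]*kernel[ \t]/ {
      gsub(/[ \t]selinux=0/, " selinux=1")
      if ($0 !~ /[ \t]selinux=1/)        $0 = $0 " selinux=1"
      if ($0 !~ /[ \t]security=selinux/) $0 = $0 " security=selinux"
      if ($0 !~ /[ \t]enforcing=[01]/)   $0 = $0 " enforcing=1"
    }
    { print }
  ' "$file" > "$tmp" && cat "$tmp" > "$file"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# kernel_lines_missing_selinux FILE: print how many kernel lines still lack
# any of the three parameters (0 means the edit is complete).
kernel_lines_missing_selinux() {
  awk '
    /^[ \t]*kernel[ \t]/ &&
      ($0 !~ /[ \t]selinux=1/ || $0 !~ /[ \t]security=selinux/ || $0 !~ /[ \t]enforcing=1/) { n++ }
    END { print n + 0 }
  ' "$1"
}

# Demo on a temp copy; on a real host: enable_selinux_kernel_args /etc/grub.conf
demo=$(mktemp)
printf '%s\n' "$SAMPLE_GRUB" > "$demo"
enable_selinux_kernel_args "$demo"
echo "kernel lines still missing SELinux parameters: $(kernel_lines_missing_selinux "$demo")"
rm -f "$demo" "$demo.bak"
```

After the edit, touch /.autorelabel and reboot as the page describes; the sestatus output above is what a successful relabel and enforcing boot looks like.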

Application Specific

Apache Settings

Needed to allow Apache to write to the web directory for a Nextcloud update.

chcon -R -t httpd_sys_rw_content_t /var/www/html

NFS

Ran into a problem with a MySQL container using an NFS bind mount. It turns out there is a conflict[5]. MySQL requires different contexts for the sock file and the data files. It was recommended to mount the data with

context="system_u:object_r:mysqld_db_t:s0"

and update my.cnf to use the new data directory. I just ended up running the database in the container and running regular backups to the NFS storage, the reason being that the NFS storage gets backed up offsite.