SE Linux Troubleshooting

From Michael's Information Zone
Revision as of 08:14, 9 October 2019 by Michael.mast (talk | contribs)
Jump to navigation Jump to search

Setroubleshoot

[1]

yum install setroubleshoot setools
sealert -a /var/log/audit/audit.log

Audit2allow (without setroubleshoot)

[2]

sudo grep fail2ban /var/log/audit/audit.log | audit2allow -M fail2ban2
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i fail2ban2.pp

[ec2-user@ip-172-26-5-161 ~]$ nano fail2ban2.
[ec2-user@ip-172-26-5-161 ~]$ nano fail2ban2.pp 
[ec2-user@ip-172-26-5-161 ~]$ sudo semodule -i fail2ban2.pp 

Configure SELinux on Amazon Linux AMI

[3]

  • Install packages
yum install libselinux libselinux-utils selinux-policy-minimum selinux-policy-mls selinux-policy-targeted policycoreutils 
  • Edit grub boot options
Edit /etc/grub.conf and change selinux=0 to selinux=1, then add security=selinux enforcing=1
  • [4]Then tell selinux you want to relable the filesystem
touch /.autorelabel
  • Reboot and check selinux status
sestatus 

SELinux status:                 enabled
SELinuxfs mount:                /selinux
SELinux root directory:         /etc/selinux/
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      30

Apache Settings

Needed to allow apache to write to the web directory for a NextCloud update.

chcon -R -t httpd_sys_rw_content_t /var/www/html