[Solved] Selinux - my arch enemy - contexts

lightman47
Posts: 1161
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

[Solved] Selinux - my arch enemy - contexts

Post by lightman47 » 2020/07/15 17:06:10

Selinux absolutely eludes me. I know what it does and why. Any grip on the management of it is lost on me, with the exception of setenforce that I have to use for a couple of my apps ... regularly.

I have a shared directory on a data drive on my server upstairs that contains a couple databases - to which I cannot save LibreOffice edits unless I turn off enforcement for the save duration. Poking around a few minutes ago, I now know why:

$ ls -laZ
drwsrwsr-x. egor family unconfined_u:object_r:httpd_sys_content_t:s0 .
drwxrwxr-x. egor family unconfined_u:object_r:httpd_sys_content_t:s0 ..
-rw-rw-r--. egor family system_u:object_r:httpd_sys_content_t:s0 16portswitch_crawlspace.odb
-rwxrwxr--. egor family system_u:object_r:httpd_sys_content_t:s0 Access_CLA.odb
-rwxrwxr--. egor family unconfined_u:object_r:httpd_sys_content_t:s0 Access.odb
I suspect the http context was the result of an embarrassing "incident" a number of years ago that I caught about 10 seconds after I issued the command that seemed to be taking a long time. :oops: Can someone tell me to what context I should set this folder so that family users may edit and that will survive 'restorecon'?

A "sub-question": Is there any EASY way to find out contexts and what they actually DO so that next time I might figure it out myself?


Grateful for the help, thank you.
Last edited by lightman47 on 2020/07/17 15:54:06, edited 3 times in total.
Remember - importing/building packages will likely "byte you in the butt" come update time, long after you'd forgotten you did that! Use repos whenever possible.

Thraex
Posts: 42
Joined: 2019/05/14 19:50:28

Re: Selinux - my arch enemy - contexts

Post by Thraex » 2020/07/15 17:32:42

I would try to set the shared directory's type to public_content_t with

semanage fcontext -at public_content_t "/directory(/.*)?"
That regex applies that type to the directory and everything in it. Then run

restorecon -vR /directory
to apply the new type. That context will work for exports using nfs, samba, etc.

For your sub-question, I'm sure there is but I haven't looked around too much for it to tell you. Mostly I use "semanage fcontext -l" to list them and grep for samba or httpd or whatever I'm using. You also may want to look at booleans that could be causing issues. They're somewhat self-explanatory and you can list them all with "getsebool -a" and see if they're on or off.


Also, a good video to learn a lot about selinux would be "SELinux for Mere Mortals" that was filmed at the Red Hat Summit. About 45 minutes long but incredibly informative.
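Added example (not Thraex's or anyone else's code from this thread): a Python dry run of what restorecon would change once that fcontext rule is in place, using the listing from the first post. The directory path /data/family is assumed because the post does not give it, and the matching model (whole-path regex, last matching rule wins) is a simplification of how file_contexts entries are resolved.

```python
import re
from os.path import join, normpath

# Constructed sample: the `ls -laZ` listing from the first post, assumed to live
# under /data/family (the real directory name is not given in the thread).
BASE_DIR = "/data/family"
LISTING = """\
drwsrwsr-x. egor family unconfined_u:object_r:httpd_sys_content_t:s0 .
drwxrwxr-x. egor family unconfined_u:object_r:httpd_sys_content_t:s0 ..
-rw-rw-r--. egor family system_u:object_r:httpd_sys_content_t:s0 16portswitch_crawlspace.odb
-rwxrwxr--. egor family system_u:object_r:httpd_sys_content_t:s0 Access_CLA.odb
-rwxrwxr--. egor family unconfined_u:object_r:httpd_sys_content_t:s0 Access.odb
"""

# The rule from the post, with the assumed path filled in:
#   semanage fcontext -at public_content_t "/data/family(/.*)?"
RULES = [(r"/data/family(/.*)?", "public_content_t")]

def parse_ls_z(listing, base_dir):
    """Return (absolute path, SELinux type) pairs from `ls -laZ` output.
    The context column is user:role:type:level, so the type is field index 2."""
    entries = []
    for line in listing.splitlines():
        fields = line.split(None, 4)          # mode, user, group, context, name
        if len(fields) < 5:
            continue
        context, name = fields[3], fields[4]
        setype = context.split(":")[2]
        path = normpath(join(base_dir, name))  # "." -> base_dir, ".." -> its parent
        entries.append((path, setype))
    return entries

def plan_relabel(entries, rules):
    """Dry run of `restorecon -R`: list (path, current type, new type) for every
    entry whose type would change. An fcontext regex has to match the whole
    path (it is anchored like ^...$), which is why ".." escapes the rule.
    Simplification: when several rules match, the last one listed wins."""
    changes = []
    for path, current in entries:
        target = None
        for pattern, setype in rules:
            if re.fullmatch(pattern, path):
                target = setype
        if target is not None and target != current:
            changes.append((path, current, target))
    return changes

if __name__ == "__main__":
    for path, old, new in plan_relabel(parse_ls_z(LISTING, BASE_DIR), RULES):
        print(f"{path}: {old} -> {new}")
```

The real equivalent of this dry run is `restorecon -nvR /data/family`, which reports what it would relabel without touching anything.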

TrevorH
Forum Moderator
Posts: 29117
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Selinux - my arch enemy - contexts

Post by TrevorH » 2020/07/15 18:00:19

To correctly diagnose selinux problems you need to look at the log entries for it. Ideally you run something like this in this order

service auditd rotate
rm /var/log/audit/audit.log.*
setenforce 0
<recreate the problem>
grep -i avc /var/log/audit/audit.log

You can also use aureport -a to get a list of the avcs and ausearch -a nnnn (where nnnn is the number from the right hand end of the aureport -a lines you're interested in) to explain them.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke
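Added example (not TrevorH's or anyone else's code from this thread) of what to do with the lines that `grep -i avc` returns: this Python script parses AVC records in the format auditd writes on CentOS 7, groups the denials by source type, target type and object class (the same view audit2allow works from), and collects the event ids to hand to `ausearch -a`. The log lines, the smbd process and the /data/family path are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample audit.log content (not from the thread): one non-AVC record
# that must be ignored, then AVC records in the format auditd writes on CentOS 7.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1594835000.123:4321): arch=c000003e syscall=2 success=yes exit=5
type=AVC msg=audit(1594835000.123:4321): avc:  denied  { write } for  pid=2840 comm="smbd" name="Access.odb" dev="sdb1" ino=131074 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1594835000.123:4321): avc:  denied  { open } for  pid=2840 comm="smbd" path="/data/family/Access.odb" dev="sdb1" ino=131074 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1594835000.987:4330): avc:  denied  { add_name } for  pid=2840 comm="smbd" name=".~lock.Access.odb#" scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+.*?"
                    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")
EVENT_RE = re.compile(r"msg=audit\([\d.]+:(?P<id>\d+)\)")

def parse_avc(line):
    """Return the useful fields of one type=AVC record, or None for any other record."""
    if not line.startswith("type=AVC"):
        return None
    m, e = AVC_RE.search(line), EVENT_RE.search(line)
    if not (m and e):
        return None
    comm = re.search(r'comm="([^"]*)"', line)
    return {
        "event": int(e.group("id")),                 # the number `ausearch -a` wants
        "result": m.group("result"),
        "perms": m.group("perms").split(),           # "{ open write }" -> ["open", "write"]
        "comm": comm.group(1) if comm else "?",
        "stype": m.group("scontext").split(":")[2],  # user:role:TYPE:level
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "permissive": "permissive=1" in line,        # logged but not blocked
    }

def summarize(log):
    """Group denials by (source type, target type, class); this is what audit2allow
    would turn into allow rules, so read it before generating any policy."""
    groups = defaultdict(lambda: {"perms": set(), "events": set(), "comm": set()})
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
            g["perms"].update(rec["perms"])
            g["events"].add(rec["event"])
            g["comm"].add(rec["comm"])
    return {k: {f: sorted(v[f]) for f in v} for k, v in groups.items()}

if __name__ == "__main__":
    for (s, t, c), info in summarize(AUDIT_LOG).items():
        print(f"{s} -> {t} ({c}): {' '.join(info['perms'])}; events {info['events']}")
```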

lightman47
Posts: 1161
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: [Solved] Selinux - my arch enemy - contexts

Post by lightman47 » 2020/07/17 16:27:28

Thank you. I'm going to have to watch that video a number more times.

TrevorH
Forum Moderator
Posts: 29117
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: [Solved] Selinux - my arch enemy - contexts

Post by TrevorH » 2020/07/17 18:00:10

BTW, the reason for going permissive before you start is so that you catch everything in one go. If you are enforcing and try this process, when it hits the first denial it will stop and give an error so it never goes onto whatever step in the code comes next. So you get a list of exactly one problem and if you use the wiki instructions on how to generate your own policy file with audit2allow, you will load that new policy and it'll fix the problem that was listed and then go on and find the next one. Repeat. In permissive you get a list of all denials in one go and it never errors so it goes through the entire thing from end to end.

And the reason for clearing the logs is so that you don't accidentally include something in this new policy that doesn't belong to the thing you're trying to make work. Without that, you might accidentally allow something that really should be denied.
