SELinux es una capa adicional de seguridad que permite realizar el etiquetado de los Archivos y Directorios en el sistema operativo..
SELinux es un grupo de reglas de seguridad que permiten a un proceso acceder a directorios o archivos.
Cada uno de los archivos o directorios tiene un formato especifico y al cual llamaremos el contexto. Los contextos pueden ser de varios tipos y cada uno depende deacuerdo al servicio que se lo vaya a configurar.
El SELinux tiene varios modos de configuración
SELinux en Modo Activo
Niega el acceso a los archivos o directorios que no tienen el contexto adecuado para el servicio requerido
SELinux en Modo Pasivo
Es frecuentemente usado para hacer pruebas de configuración nuevas. Cuando esta en modo permisivo el SELinux permite interactuar al servicio y los archivos sin el contexto correcto pero esta actividad queda registrada en los logs
Para determinar el modo del SELinux configurado en el servidor ejecutar:
[root@dark ~]# getenforce
Enforcing
[root@dark ~]#
Para configurar el SELinux en algunos de los modos descritos.
Con la opcion de -Z se puede visualizar el contexto del SELiunx. definido a un archivo o directorio.
Ejemplo:
[dark@dark home]$ ls -aZl
total 28
drwxr-xr-x. 5 root root system_u:object_r:home_root_t:s0 4096 jul 14 19:36 .
dr-xr-xr-x. 20 root root system_u:object_r:root_t:s0 4096 jul 22 11:40 ..
-rwxr-xr-x 1 root root ? 502 jul 9 12:34 centos_mirror6.conf
drwxr-xr-x. 33 dark dark unconfined_u:object_r:user_home_dir_t:s0 4096 ago 3 15:51 dark
-rw-r--r-- 1 named named ? 739 abr 21 15:27 forward.dark.zone
drwxr-xr-x 7 root root ? 4096 jul 15 19:04 pepe
drwx------ 4 pruebassh pruebassh ? 4096 jul 15 14:03 pruebassh
[dark@dark home]$
SELinux es un grupo de reglas de seguridad que permiten a un proceso acceder a directorios o archivos.
Cada uno de los archivos o directorios tiene un formato especifico y al cual llamaremos el contexto. Los contextos pueden ser de varios tipos y cada uno depende deacuerdo al servicio que se lo vaya a configurar.
El SELinux tiene varios modos de configuración
- Activo
- Pasivo
- Desactivado
SELinux en Modo Activo
Niega el acceso a los archivos o directorios que no tienen el contexto adecuado para el servicio requerido
SELinux en Modo Pasivo
Es frecuentemente usado para hacer pruebas de configuración nuevas. Cuando esta en modo permisivo el SELinux permite interactuar al servicio y los archivos sin el contexto correcto pero esta actividad queda registrada en los logs
SELinux en Modo Desactivado
Al igual que el modo Pasivo el SELInux permite pruebas de configuración nuevas pero no mantiene registro de los errores provocados por tener el servicio del SELinux desactivado.
Para determinar el modo del SELinux configurado en el servidor ejecutar:
[root@dark ~]# getenforce
Enforcing
[root@dark ~]#
Para cambiar momentaneamente de Enforcing a permissive
[root@dark ~]# setenforce 0
Disabled
[root@dark ~]#
Disabled
[root@dark ~]#
Para que los cambios sean permanentes tras un reinicio del Sistema Operativo se debe editar el archivo
/etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#
enforcing - SELinux security policy is enforced.
#
permissive - SELinux prints warnings instead of enforcing.
#
disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#
targeted - Targeted processes are protected,
#
minimum - Modification of targeted policy. Only selected processes
#
are protected.
#
mls - Multi Level Security protection.
SELINUXTYPE=targeted
Para configurar el SELinux en algunos de los modos descritos.
Con la opcion de -Z se puede visualizar el contexto del SELiunx. definido a un archivo o directorio.
Ejemplo:
[dark@dark home]$ ls -aZl
total 28
drwxr-xr-x. 5 root root system_u:object_r:home_root_t:s0 4096 jul 14 19:36 .
dr-xr-xr-x. 20 root root system_u:object_r:root_t:s0 4096 jul 22 11:40 ..
-rwxr-xr-x 1 root root ? 502 jul 9 12:34 centos_mirror6.conf
drwxr-xr-x. 33 dark dark unconfined_u:object_r:user_home_dir_t:s0 4096 ago 3 15:51 dark
-rw-r--r-- 1 named named ? 739 abr 21 15:27 forward.dark.zone
drwxr-xr-x 7 root root ? 4096 jul 15 19:04 pepe
drwx------ 4 pruebassh pruebassh ? 4096 jul 15 14:03 pruebassh
[dark@dark home]$
[root@dark ~]# ps -ZC httpd
LABEL PID TTY TIME CMD
system_u:system_r:httpd_t:s0 1553 ? 00:00:18 httpd
system_u:system_r:httpd_t:s0 10726 ? 00:00:02 httpd
system_u:system_r:httpd_t:s0 22495 ? 00:00:11 httpd
system_u:system_r:httpd_t:s0 25776 ? 00:00:09 httpd
[root@dark ~]# ls -Z /var/www/html/
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_content_t:s0 kicstart
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_content_t:s0 centos6repo
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_content_t:s0 centos7repo
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_content_t:s0 epel6repo
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_content_t:s0 epel7repo
Configurar los booleanos del SELinux
Los booleanos son reglas que se deben de configurar dependiendo de los servicios los cuales deben de ser activados o desactivados.
Para identificar cuales son los booleanos que estan activos en el Sistema Operativo
[root@dark ~]# getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
antivirus_can_scan_system --> off
antivirus_use_jit --> off
auditadm_exec_content --> on
authlogin_nsswitch_use_ldap --> off
authlogin_radius --> off
authlogin_yubikey --> off
awstats_purge_apache_log_files --> off
boinc_execmem --> on
cdrecord_read_content --> off
cluster_can_network_connect --> off
cluster_manage_all_files --> off
cluster_use_execmem --> off
cobbler_anon_write --> off
cobbler_can_network_connect --> off
cobbler_use_cifs --> off
cobbler_use_nfs --> off
collectd_tcp_network_connect --> off
condor_tcp_network_connect --> off
conman_can_network --> off
cron_can_relabel --> off
cron_userdomain_transition --> on
cups_execmem --> off
cvs_read_shadow --> off
daemons_dump_core --> off
daemons_enable_cluster_mode --> off
daemons_use_tcp_wrapper --> off
daemons_use_tty --> off
dbadm_exec_content --> on
dbadm_manage_user_files --> off
dbadm_read_user_files --> off
deny_execmem --> off
deny_ptrace --> off
dhcpc_exec_iptables --> off
dhcpd_use_ldap --> off
docker_connect_any --> off
docker_transition_unconfined --> on
domain_fd_use --> on
domain_kernel_load_modules --> off
entropyd_use_audio --> on
exim_can_connect_db --> off
exim_manage_user_files --> off
exim_read_user_files --> off
fcron_crond --> off
fenced_can_network_connect --> off
fenced_can_ssh --> off
fips_mode --> on
ftp_home_dir --> off
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
git_cgi_enable_homedirs --> off
git_cgi_use_cifs --> off
git_cgi_use_nfs --> off
git_session_bind_all_unreserved_ports --> off
git_session_users --> off
git_system_enable_homedirs --> off
git_system_use_cifs --> off
git_system_use_nfs --> off
gitosis_can_sendmail --> off
glance_api_can_network --> off
glance_use_execmem --> off
glance_use_fusefs --> off
global_ssp --> off
gluster_anon_write --> off
gluster_export_all_ro --> off
gluster_export_all_rw --> on
gpg_agent_env_file --> off
gpg_web_anon_write --> off
gssd_read_tmp --> on
guest_exec_content --> on
haproxy_connect_any --> off
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_foreman --> on
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> on
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> on
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
icecast_use_any_tcp_ports --> off
irc_use_any_tcp_ports --> off
irssi_use_full_network --> off
kdumpgui_run_bootloader --> off
kerberos_enabled --> on
ksmtuned_use_cifs --> off
ksmtuned_use_nfs --> off
logadm_exec_content --> on
logging_syslogd_can_sendmail --> off
logging_syslogd_use_tty --> on
login_console_enabled --> on
logrotate_use_nfs --> off
logwatch_can_network_connect_mail --> off
lsmd_plugin_connect_any --> off
mailman_use_fusefs --> off
mcelog_client --> off
mcelog_exec_scripts --> on
mcelog_foreground --> off
mcelog_server --> off
minidlna_read_generic_user_content --> off
mmap_low_allowed --> off
mock_enable_homedirs --> off
mount_anyfile --> on
mozilla_plugin_bind_unreserved_ports --> off
mozilla_plugin_can_network_connect --> off
mozilla_plugin_use_bluejeans --> off
mozilla_plugin_use_gps --> off
mozilla_plugin_use_spice --> off
mozilla_read_content --> off
mpd_enable_homedirs --> off
mpd_use_cifs --> off
mpd_use_nfs --> off
mplayer_execstack --> off
mysql_connect_any --> off
nagios_run_pnp4nagios --> off
nagios_run_sudo --> off
named_tcp_bind_http_port --> off
named_write_master_zones --> off
neutron_can_network --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> on
nfsd_anon_write --> off
nis_enabled --> off
nscd_use_shm --> on
openshift_use_nfs --> off
openvpn_can_network_connect --> on
openvpn_enable_homedirs --> on
openvpn_run_unconfined --> off
passenger_can_connect_all --> off
passenger_run_foreman --> on
passenger_run_puppetmaster --> on
pcp_bind_all_unreserved_ports --> off
piranha_lvs_can_network_connect --> off
polipo_connect_all_unreserved --> off
polipo_session_bind_all_unreserved_ports --> off
polipo_session_users --> off
polipo_use_cifs --> off
polipo_use_nfs --> off
polyinstantiation_enabled --> off
postfix_local_write_mail_spool --> on
postgresql_can_rsync --> off
postgresql_selinux_transmit_client_label --> off
postgresql_selinux_unconfined_dbadm --> on
postgresql_selinux_users_ddl --> on
pppd_can_insmod --> off
pppd_for_user --> off
privoxy_connect_any --> on
prosody_bind_http_port --> off
pulp_manage_puppet --> on
puppetagent_manage_all_files --> off
puppetmaster_use_db --> off
racoon_read_shadow --> off
rsync_anon_write --> off
rsync_client --> off
rsync_export_all_ro --> off
rsync_full_access --> off
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_load_libgfapi --> off
samba_portmapper --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_fusefs --> off
sanlock_use_nfs --> off
sanlock_use_samba --> off
saslauthd_read_shadow --> off
secadm_exec_content --> on
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
selinuxuser_direct_dri_enabled --> on
selinuxuser_execheap --> off
selinuxuser_execmod --> on
selinuxuser_execstack --> on
selinuxuser_mysql_connect_enabled --> off
selinuxuser_ping --> on
selinuxuser_postgresql_connect_enabled --> off
selinuxuser_rw_noexattrfile --> on
selinuxuser_share_music --> off
selinuxuser_tcp_server --> off
selinuxuser_udp_server --> off
selinuxuser_use_ssh_chroot --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
sge_domain_can_network_connect --> off
sge_use_nfs --> off
smartmon_3ware --> off
smbd_anon_write --> off
spamassassin_can_network --> off
spamd_enable_home_dirs --> on
squid_connect_any --> on
squid_use_tproxy --> off
ssh_chroot_rw_homedirs --> off
ssh_keysign --> off
ssh_sysadm_login --> off
staff_exec_content --> on
staff_use_svirt --> off
swift_can_network --> off
sysadm_exec_content --> on
telepathy_connect_all_ports --> off
telepathy_tcp_connect_generic_network_ports --> on
tftp_anon_write --> off
tftp_home_dir --> off
tor_bind_all_unreserved_ports --> off
tor_can_network_relay --> off
unconfined_chrome_sandbox_transition --> on
unconfined_login --> on
unconfined_mozilla_plugin_transition --> on
unprivuser_use_svirt --> off
use_ecryptfs_home_dirs --> off
use_fusefs_home_dirs --> off
use_lpd_server --> off
use_nfs_home_dirs --> off
use_samba_home_dirs --> off
user_exec_content --> on
varnishd_connect_any --> off
virt_read_qemu_ga_data --> off
virt_rw_qemu_ga_data --> off
virt_sandbox_use_all_caps --> off
virt_sandbox_use_audit --> on
virt_sandbox_use_mknod --> off
virt_sandbox_use_netlink --> off
virt_sandbox_use_nfs --> off
virt_sandbox_use_samba --> off
virt_sandbox_use_sys_admin --> off
virt_transition_userdomain --> off
virt_use_comm --> off
virt_use_execmem --> off
virt_use_fusefs --> off
virt_use_nfs --> off
virt_use_rawip --> off
virt_use_samba --> off
virt_use_sanlock --> off
virt_use_usb --> on
virt_use_xserver --> off
webadm_manage_user_files --> off
webadm_read_user_files --> off
wine_mmap_zero_ignore --> off
xdm_exec_bootloader --> off
xdm_sysadm_login --> off
xdm_write_home --> off
xen_use_nfs --> off
xend_run_blktap --> on
xend_run_qemu --> on
xguest_connect_network --> on
xguest_exec_content --> on
xguest_mount_media --> on
xguest_use_bluetooth --> on
xserver_clients_write_xshm --> off
xserver_execmem --> off
xserver_object_manager --> off
zabbix_can_network --> off
zarafa_setrlimit --> off
zebra_write_config --> off
zoneminder_anon_write --> off
zoneminder_run_sudo --> off
[root@dark ~]#
Para cambiar el estado del Booleano a activo se debe ejecutar
[root@dark ~]# setsebool -P samba_share_nfs 1
Para desactivar el booleano
[root@dark ~]# setsebool -P samba_share_nfs 0
Para agregar un tipo de contexto a un directorio
Validar si tiene instalado el rpm semanage, en caso de no tenerlo instalar lo siguiente:
[root@dark ~]# yum install policycoreutils-python
Vamos agregar un contexto al directorio /home/dark/html
El tipo del contexto httpd_sys_content_t
[root@dark ~]# semanage fcontext -a -t httpd_sys_content_t '/home/dark/html(/.*)?'
Con esto los archivos nuevos que se creen en ese directorio ya tendrán el contexto correcto.
Para listar los contextos de SELinux y los directorios que están aplicados ejecutar:
[root@dark ~]# semanage fcontext --list | grep nfs
/etc/rc\.d/init\.d/mountnfs-bootclean\.sh regular file system_u:object_r:tmpreaper_exec_t:s0
/etc/rc\.d/init\.d/nfs regular file system_u:object_r:nfsd_initrc_exec_t:s0
/etc/rc\.d/init\.d/nfslock regular file system_u:object_r:rpcd_initrc_exec_t:s0
/usr/lib/nfs-utils/scripts(/.*)? all files system_u:object_r:bin_t:s0
/usr/lib/systemd/system/nfs.* regular file system_u:object_r:nfsd_unit_file_t:s0
/usr/sbin/rpc\.mountd regular file system_u:object_r:nfsd_exec_t:s0
/usr/sbin/rpc\.nfsd regular file system_u:object_r:nfsd_exec_t:s0
/usr/share/cluster/svclib_nfslock regular file system_u:object_r:bin_t:s0
/usr/share/munin/plugins/nfs.* regular file system_u:object_r:system_munin_plugin_exec_t:s0
/usr/share/system-config-nfs/nfs-export\.py regular file system_u:object_r:bin_t:s0
/usr/share/system-config-nfs/system-config-nfs\.py regular file system_u:object_r:bin_t:s0
/var/lib/nfs(/.*)? all files system_u:object_r:var_lib_nfs_t:s0
/var/lib/nfs/rpc_pipefs(/.*)? all files <<None>>
/var/tmp/nfs_0 regular file system_u:object_r:krb5_host_rcache_t:s0
Configurar los booleanos del SELinux
Los booleanos son reglas que se deben de configurar dependiendo de los servicios los cuales deben de ser activados o desactivados.
Para identificar cuales son los booleanos que estan activos en el Sistema Operativo
[root@dark ~]# getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
antivirus_can_scan_system --> off
antivirus_use_jit --> off
auditadm_exec_content --> on
authlogin_nsswitch_use_ldap --> off
authlogin_radius --> off
authlogin_yubikey --> off
awstats_purge_apache_log_files --> off
boinc_execmem --> on
cdrecord_read_content --> off
cluster_can_network_connect --> off
cluster_manage_all_files --> off
cluster_use_execmem --> off
cobbler_anon_write --> off
cobbler_can_network_connect --> off
cobbler_use_cifs --> off
cobbler_use_nfs --> off
collectd_tcp_network_connect --> off
condor_tcp_network_connect --> off
conman_can_network --> off
cron_can_relabel --> off
cron_userdomain_transition --> on
cups_execmem --> off
cvs_read_shadow --> off
daemons_dump_core --> off
daemons_enable_cluster_mode --> off
daemons_use_tcp_wrapper --> off
daemons_use_tty --> off
dbadm_exec_content --> on
dbadm_manage_user_files --> off
dbadm_read_user_files --> off
deny_execmem --> off
deny_ptrace --> off
dhcpc_exec_iptables --> off
dhcpd_use_ldap --> off
docker_connect_any --> off
docker_transition_unconfined --> on
domain_fd_use --> on
domain_kernel_load_modules --> off
entropyd_use_audio --> on
exim_can_connect_db --> off
exim_manage_user_files --> off
exim_read_user_files --> off
fcron_crond --> off
fenced_can_network_connect --> off
fenced_can_ssh --> off
fips_mode --> on
ftp_home_dir --> off
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
git_cgi_enable_homedirs --> off
git_cgi_use_cifs --> off
git_cgi_use_nfs --> off
git_session_bind_all_unreserved_ports --> off
git_session_users --> off
git_system_enable_homedirs --> off
git_system_use_cifs --> off
git_system_use_nfs --> off
gitosis_can_sendmail --> off
glance_api_can_network --> off
glance_use_execmem --> off
glance_use_fusefs --> off
global_ssp --> off
gluster_anon_write --> off
gluster_export_all_ro --> off
gluster_export_all_rw --> on
gpg_agent_env_file --> off
gpg_web_anon_write --> off
gssd_read_tmp --> on
guest_exec_content --> on
haproxy_connect_any --> off
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_foreman --> on
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> on
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> on
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
icecast_use_any_tcp_ports --> off
irc_use_any_tcp_ports --> off
irssi_use_full_network --> off
kdumpgui_run_bootloader --> off
kerberos_enabled --> on
ksmtuned_use_cifs --> off
ksmtuned_use_nfs --> off
logadm_exec_content --> on
logging_syslogd_can_sendmail --> off
logging_syslogd_use_tty --> on
login_console_enabled --> on
logrotate_use_nfs --> off
logwatch_can_network_connect_mail --> off
lsmd_plugin_connect_any --> off
mailman_use_fusefs --> off
mcelog_client --> off
mcelog_exec_scripts --> on
mcelog_foreground --> off
mcelog_server --> off
minidlna_read_generic_user_content --> off
mmap_low_allowed --> off
mock_enable_homedirs --> off
mount_anyfile --> on
mozilla_plugin_bind_unreserved_ports --> off
mozilla_plugin_can_network_connect --> off
mozilla_plugin_use_bluejeans --> off
mozilla_plugin_use_gps --> off
mozilla_plugin_use_spice --> off
mozilla_read_content --> off
mpd_enable_homedirs --> off
mpd_use_cifs --> off
mpd_use_nfs --> off
mplayer_execstack --> off
mysql_connect_any --> off
nagios_run_pnp4nagios --> off
nagios_run_sudo --> off
named_tcp_bind_http_port --> off
named_write_master_zones --> off
neutron_can_network --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> on
nfsd_anon_write --> off
nis_enabled --> off
nscd_use_shm --> on
openshift_use_nfs --> off
openvpn_can_network_connect --> on
openvpn_enable_homedirs --> on
openvpn_run_unconfined --> off
passenger_can_connect_all --> off
passenger_run_foreman --> on
passenger_run_puppetmaster --> on
pcp_bind_all_unreserved_ports --> off
piranha_lvs_can_network_connect --> off
polipo_connect_all_unreserved --> off
polipo_session_bind_all_unreserved_ports --> off
polipo_session_users --> off
polipo_use_cifs --> off
polipo_use_nfs --> off
polyinstantiation_enabled --> off
postfix_local_write_mail_spool --> on
postgresql_can_rsync --> off
postgresql_selinux_transmit_client_label --> off
postgresql_selinux_unconfined_dbadm --> on
postgresql_selinux_users_ddl --> on
pppd_can_insmod --> off
pppd_for_user --> off
privoxy_connect_any --> on
prosody_bind_http_port --> off
pulp_manage_puppet --> on
puppetagent_manage_all_files --> off
puppetmaster_use_db --> off
racoon_read_shadow --> off
rsync_anon_write --> off
rsync_client --> off
rsync_export_all_ro --> off
rsync_full_access --> off
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_load_libgfapi --> off
samba_portmapper --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_fusefs --> off
sanlock_use_nfs --> off
sanlock_use_samba --> off
saslauthd_read_shadow --> off
secadm_exec_content --> on
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
selinuxuser_direct_dri_enabled --> on
selinuxuser_execheap --> off
selinuxuser_execmod --> on
selinuxuser_execstack --> on
selinuxuser_mysql_connect_enabled --> off
selinuxuser_ping --> on
selinuxuser_postgresql_connect_enabled --> off
selinuxuser_rw_noexattrfile --> on
selinuxuser_share_music --> off
selinuxuser_tcp_server --> off
selinuxuser_udp_server --> off
selinuxuser_use_ssh_chroot --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
sge_domain_can_network_connect --> off
sge_use_nfs --> off
smartmon_3ware --> off
smbd_anon_write --> off
spamassassin_can_network --> off
spamd_enable_home_dirs --> on
squid_connect_any --> on
squid_use_tproxy --> off
ssh_chroot_rw_homedirs --> off
ssh_keysign --> off
ssh_sysadm_login --> off
staff_exec_content --> on
staff_use_svirt --> off
swift_can_network --> off
sysadm_exec_content --> on
telepathy_connect_all_ports --> off
telepathy_tcp_connect_generic_network_ports --> on
tftp_anon_write --> off
tftp_home_dir --> off
tor_bind_all_unreserved_ports --> off
tor_can_network_relay --> off
unconfined_chrome_sandbox_transition --> on
unconfined_login --> on
unconfined_mozilla_plugin_transition --> on
unprivuser_use_svirt --> off
use_ecryptfs_home_dirs --> off
use_fusefs_home_dirs --> off
use_lpd_server --> off
use_nfs_home_dirs --> off
use_samba_home_dirs --> off
user_exec_content --> on
varnishd_connect_any --> off
virt_read_qemu_ga_data --> off
virt_rw_qemu_ga_data --> off
virt_sandbox_use_all_caps --> off
virt_sandbox_use_audit --> on
virt_sandbox_use_mknod --> off
virt_sandbox_use_netlink --> off
virt_sandbox_use_nfs --> off
virt_sandbox_use_samba --> off
virt_sandbox_use_sys_admin --> off
virt_transition_userdomain --> off
virt_use_comm --> off
virt_use_execmem --> off
virt_use_fusefs --> off
virt_use_nfs --> off
virt_use_rawip --> off
virt_use_samba --> off
virt_use_sanlock --> off
virt_use_usb --> on
virt_use_xserver --> off
webadm_manage_user_files --> off
webadm_read_user_files --> off
wine_mmap_zero_ignore --> off
xdm_exec_bootloader --> off
xdm_sysadm_login --> off
xdm_write_home --> off
xen_use_nfs --> off
xend_run_blktap --> on
xend_run_qemu --> on
xguest_connect_network --> on
xguest_exec_content --> on
xguest_mount_media --> on
xguest_use_bluetooth --> on
xserver_clients_write_xshm --> off
xserver_execmem --> off
xserver_object_manager --> off
zabbix_can_network --> off
zarafa_setrlimit --> off
zebra_write_config --> off
zoneminder_anon_write --> off
zoneminder_run_sudo --> off
[root@dark ~]#
[root@dark ~]# setsebool -P samba_share_nfs 1
[root@dark ~]# setsebool -P samba_share_nfs 0
Para agregar un tipo de contexto a un directorio
Validar si tiene instalado el rpm semanage, en caso de no tenerlo instalar lo siguiente:
[root@dark ~]# yum install policycoreutils-python
Vamos agregar un contexto al directorio /home/dark/html
El tipo del contexto httpd_sys_content_t
[root@dark ~]# semanage fcontext -a -t httpd_sys_content_t '/home/dark/html(/.*)?'
Con esto los archivos nuevos que se creen en ese directorio ya tendrán el contexto correcto.
Para listar los contextos de SELinux y los directorios que están aplicados ejecutar:
[root@dark ~]# semanage fcontext --list | grep nfs
/etc/rc\.d/init\.d/mountnfs-bootclean\.sh regular file system_u:object_r:tmpreaper_exec_t:s0
/etc/rc\.d/init\.d/nfs regular file system_u:object_r:nfsd_initrc_exec_t:s0
/etc/rc\.d/init\.d/nfslock regular file system_u:object_r:rpcd_initrc_exec_t:s0
/usr/lib/nfs-utils/scripts(/.*)? all files system_u:object_r:bin_t:s0
/usr/lib/systemd/system/nfs.* regular file system_u:object_r:nfsd_unit_file_t:s0
/usr/sbin/rpc\.mountd regular file system_u:object_r:nfsd_exec_t:s0
/usr/sbin/rpc\.nfsd regular file system_u:object_r:nfsd_exec_t:s0
/usr/share/cluster/svclib_nfslock regular file system_u:object_r:bin_t:s0
/usr/share/munin/plugins/nfs.* regular file system_u:object_r:system_munin_plugin_exec_t:s0
/usr/share/system-config-nfs/nfs-export\.py regular file system_u:object_r:bin_t:s0
/usr/share/system-config-nfs/system-config-nfs\.py regular file system_u:object_r:bin_t:s0
/var/lib/nfs(/.*)? all files system_u:object_r:var_lib_nfs_t:s0
/var/lib/nfs/rpc_pipefs(/.*)? all files <<None>>
/var/tmp/nfs_0 regular file system_u:object_r:krb5_host_rcache_t:s0
No hay comentarios:
Publicar un comentario