SELinux User's and Administrator's Guide

SELinux

getenforce
~]# getenforce
Enforcing
setenforce 0
getenforce
~]# setenforce 0
~]# getenforce
Permissive
setenforce 1
getenforce
~]# setenforce 1
~]# getenforce
Enforcing
semanage permissive -a httpd_t
~]# semanage permissive -a httpd_t
ls -Z file1
~]$ ls -Z file1
-rwxrw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0      file1

semanage login -l
~]# semanage login -l
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

ls -Z /usr/bin/passwd
~]$ ls -Z /usr/bin/passwd
-rwsr-xr-x  root root system_u:object_r:passwd_exec_t:s0 /usr/bin/passwd

ls -Z /etc/shadow
~]$ ls -Z /etc/shadow
-r--------. root root system_u:object_r:shadow_t:s0    /etc/shadow

passwd
~]$ passwd
Changing password for user user_name.
Changing password for user_name.
(current) UNIX password:

ps -eZ | grep passwd
~]$ ps -eZ | grep passwd
unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 13212 pts/1 00:00:00 passwd

ps -eZ
]$ ps -eZ 
system_u:system_r:dhcpc_t:s0             1869 ?  00:00:00 dhclient
system_u:system_r:sshd_t:s0-s0:c0.c1023  1882 ?  00:00:00 sshd
system_u:system_r:gpm_t:s0               1964 ?  00:00:00 gpm
system_u:system_r:crond_t:s0-s0:c0.c1023 1973 ?  00:00:00 crond
system_u:system_r:kerneloops_t:s0        1983 ?  00:00:05 kerneloops
system_u:system_r:crond_t:s0-s0:c0.c1023 1991 ?  00:00:00 atd

id -Z
~]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

sestatus
~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      30
touch /var/www/html/testfile
~]# touch /var/www/html/testfile
ls -Z /var/www/html/testfile
~]$ ls -Z /var/www/html/testfile
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/testfile

systemctl start httpd.service
~]# systemctl start httpd.service
systemctl status httpd.service
~]$ systemctl status httpd.service
httpd.service - The Apache HTTP Server
	  Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
	  Active: active (running) since Mon 2013-08-05 14:00:55 CEST; 8s ago

wget http://localhost/testfile
~]$ wget http://localhost/testfile
--2009-11-06 17:43:01--  http://localhost/testfile
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/plain]
Saving to: `testfile'

[ <=>                              ] 0     --.-K/s   in 0s

2009-11-06 17:43:01 (0.00 B/s) - `testfile' saved [0/0]

chcon -t samba_share_t /var/www/html/testfile
~]# chcon -t samba_share_t /var/www/html/testfile
ls -Z /var/www/html/testfile
~]$ ls -Z /var/www/html/testfile
-rw-r--r--  root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/testfile

wget http://localhost/testfile
~]$ wget http://localhost/testfile
--2009-11-06 14:11:23--  http://localhost/testfile
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2009-11-06 14:11:23 ERROR 403: Forbidden.

rm -i /var/www/html/testfile
~]# rm -i /var/www/html/testfile
systemctl stop httpd.service
~]# systemctl stop httpd.service
type=AVC msg=audit(1220706212.937:70): avc:  denied  { getattr } for  pid=1904 comm="httpd" path="/var/www/html/testfile" dev=sda5 ino=247576 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0  tclass=file

type=SYSCALL msg=audit(1220706212.937:70): arch=40000003 syscall=196 success=no exit=-13 a0=b9e21da0 a1=bf9581dc a2=555ff4 a3=2008171 items=0 ppid=1902 pid=1904 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1220706212.937:70): avc:  denied  { getattr } for  pid=1904 comm="httpd" path="/var/www/html/testfile" dev=sda5 ino=247576 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0  tclass=file

type=SYSCALL msg=audit(1220706212.937:70): arch=40000003 syscall=196 success=no exit=-13 a0=b9e21da0 a1=bf9581dc a2=555ff4 a3=2008171 items=0 ppid=1902 pid=1904 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

[Wed May 06 23:00:54 2009] [error] [client 127.0.0.1] (13)Permission denied: access to /testfile denied

[Wed May 06 23:00:54 2009] [error] [client 127.0.0.1] (13)Permission denied: access to /testfile denied

chcon -t samba_share_t /var/www/html/testfile
~]# chcon -t samba_share_t /var/www/html/testfile
ls -Z /var/www/html/testfile
~]$ ls -Z /var/www/html/testfile
-rw-r--r--  root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/testfile
systemctl status httpd.service
~]$ systemctl status httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: inactive (dead)
systemctl stop httpd.service
~]# systemctl stop httpd.service
chcon -t bin_t /usr/sbin/httpd
~]# chcon -t bin_t /usr/sbin/httpd
ls -Z /usr/sbin/httpd
~]$ ls -Z /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/sbin/httpd

systemctl start httpd.service
~]# systemctl start httpd.service
systemctl status httpd.service
~]# systemctl status httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: active (running) since Thu 2013-08-15 11:17:01 CEST; 5s ago

ps -eZ | grep httpd
~]$ ps -eZ | grep httpd
system_u:system_r:unconfined_service_t:s0 11884 ? 00:00:00 httpd
system_u:system_r:unconfined_service_t:s0 11885 ? 00:00:00 httpd
system_u:system_r:unconfined_service_t:s0 11886 ? 00:00:00 httpd
system_u:system_r:unconfined_service_t:s0 11887 ? 00:00:00 httpd
system_u:system_r:unconfined_service_t:s0 11888 ? 00:00:00 httpd
system_u:system_r:unconfined_service_t:s0 11889 ? 00:00:00 httpd

wget http://localhost/testfile
~]$ wget http://localhost/testfile
--2009-05-07 01:41:10--  http://localhost/testfile
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/plain]
Saving to: `testfile'

[ <=>                            ]--.-K/s   in 0s

2009-05-07 01:41:10 (0.00 B/s) - `testfile' saved [0/0]
restorecon -v /usr/sbin/httpd
~]# restorecon -v /usr/sbin/httpd
restorecon reset /usr/sbin/httpd context system_u:object_r:unconfined_exec_t:s0->system_u:object_r:httpd_exec_t:s0

ls -Z /usr/sbin/httpd
~]$ ls -Z /usr/sbin/httpd
-rwxr-xr-x  root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
systemctl restart httpd.service
~]# systemctl restart httpd.service
ps -eZ | grep httpd
~]$ ps -eZ | grep httpd
system_u:system_r:httpd_t:s0    8883 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0    8884 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0    8885 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0    8886 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0    8887 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0    8888 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0    8889 ?        00:00:00 httpd

rm -i /var/www/html/testfile
~]# rm -i /var/www/html/testfile
rm: remove regular empty file `/var/www/html/testfile'? y

systemctl stop httpd.service
~]# systemctl stop httpd.service
semanage login -l
~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

__default__               unconfined_u              s0-s0:c0.c1023

__default__               unconfined_u              s0-s0:c0.c1023

useradd newuser
~]# useradd newuser
passwd newuser
~]# passwd newuser
Changing password for user newuser.
New UNIX password: Enter a password
Retype new UNIX password: Enter the same password again
passwd: all authentication tokens updated successfully.

id -Z
[newuser@localhost ~]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

~]$seinfo -u
Users: 8
   sysadm_u
   system_u
   xguest_u
   root
   guest_u
   staff_u
   user_u
   unconfined_u
~]$seinfo -u
Users: 8
   sysadm_u
   system_u
   xguest_u
   root
   guest_u
   staff_u
   user_u
   unconfined_u

seinfo -r
~]$ seinfo -r
semanage user -a -r s0-s0:c0.c1023 -R "default_role_r administrator_r" SELinux_user_u
~]# semanage user -a -r s0-s0:c0.c1023 -R "default_role_r administrator_r" SELinux_user_u
cp /etc/selinux/targeted/contexts/users/staff_u /etc/selinux/targeted/contexts/users/SELinux_user_u
~]# cp /etc/selinux/targeted/contexts/users/staff_u /etc/selinux/targeted/contexts/users/SELinux_user_u
semanage login -a -s SELinux_user_u -rs0:c0.c1023 linux_user
semanage login -a -s SELinux_user_u -rs0:c0.c1023 linux_user
echo "linux_user ALL=(ALL) TYPE=administrator_t ROLE=administrator_r /bin/bash " > /etc/sudoers.d/linux_user
~]# echo "linux_user ALL=(ALL) TYPE=administrator_t ROLE=administrator_r /bin/bash " > /etc/sudoers.d/linux_user
restorecon -FR -v /home/linux_user
~]# restorecon -FR -v /home/linux_user
id -Z
~]$ id -Z
SELinux_user_u:default_role_r:SELinux_user_t:s0:c0.c1023
sudo -i
id -Z
~]$ sudo -i
~]# id -Z
SELinux_user_u:administrator_r:administrator_t:s0:c0.c1023
semanage user -a -r s0-s0:c0.c1023 -R "staff_r webadm_r" confined_u
cp /etc/selinux/targeted/contexts/users/staff_u /etc/selinux/targeted/contexts/users/confined_u
semanage login -a -s confined_u -rs0:c0.c1023 linux_user
restorecon -FR -v /home/linux_user
echo "linux_user ALL=(ALL) ROLE=webadm_r TYPE=webadm_t /bin/bash " > /etc/sudoers.d/linux_user
~]# semanage user -a -r s0-s0:c0.c1023 -R "staff_r webadm_r" confined_u
~]# cp /etc/selinux/targeted/contexts/users/staff_u /etc/selinux/targeted/contexts/users/confined_u
~]# semanage login -a -s confined_u -rs0:c0.c1023 linux_user
~]# restorecon -FR -v /home/linux_user
~]# echo "linux_user ALL=(ALL) ROLE=webadm_r TYPE=webadm_t /bin/bash " > /etc/sudoers.d/linux_user
id -Z
sudo -i
id -Z
~]$ id -Z
confined_u:staff_r:staff_t:s0:c0.c1023
~]$ sudo -i
~]# id -Z
confined_u:webadm_r:webadm_t:s0:c0.c1023

type=AVC msg=audit(1223024155.684:49): avc:  denied  { getattr } for  pid=2000 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=399185 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file

type=AVC msg=audit(1223024155.684:49): avc:  denied  { getattr } for  pid=2000 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=399185 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file

May 7 18:55:56 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l de7e30d6-5488-466d-a606-92c9f40d316d

systemctl enable auditd.service
~]# systemctl enable auditd.service
systemctl enable rsyslog.service
~]# systemctl enable rsyslog.service
systemctl is-enabled auditd
~]$ systemctl is-enabled auditd
enabled

systemctl is-enabled rsyslog
~]$ systemctl is-enabled rsyslog
enabled

systemctl status auditd.service | grep enabled
~]$ systemctl status auditd.service | grep enabled
auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled)

This file controls the state of SELinux on the system.
SELINUX= can take one of these three values:
      enforcing - SELinux security policy is enforced.
      permissive - SELinux prints warnings instead of enforcing.
      disabled - No SELinux policy is loaded.
SELINUXTYPE= can take one of these two values:
      targeted - Targeted processes are protected,
      mls - Multi Level Security protection.
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted

sestatus
~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      30

This file controls the state of SELinux on the system.
SELINUX= can take one of these three values:
      enforcing - SELinux security policy is enforced.
      permissive - SELinux prints warnings instead of enforcing.
      disabled - No SELinux policy is loaded.
SELINUXTYPE= can take one of these two values:
      targeted - Targeted processes are protected,
      mls - Multi Level Security protection.
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted
reboot
~]# reboot
rpm -q package_name
rpm -q package_name
This file controls the state of SELinux on the system.
SELINUX= can take one of these three values:
      enforcing - SELinux security policy is enforced.
      permissive - SELinux prints warnings instead of enforcing.
      disabled - No SELinux policy is loaded.
SELINUXTYPE= can take one of these two values:
      targeted - Targeted processes are protected,
      mls - Multi Level Security protection.
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted
reboot
~]# reboot
ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today
~]# ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today
grep "SELinux is preventing" /var/log/messages
~]# grep "SELinux is preventing" /var/log/messages
This file controls the state of SELinux on the system.
SELINUX= can take one of these three values:
      enforcing - SELinux security policy is enforced.
      permissive - SELinux prints warnings instead of enforcing.
      disabled - No SELinux policy is loaded.
SELINUXTYPE= can take one of these two values:
      targeted - Targeted processes are protected,
      mls - Multi Level Security protection.
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted
getenforce
~]$ getenforce
Disabled
touch /.autorelabel
reboot
~]# touch /.autorelabel
~]# reboot
yum install kernel-doc
less /usr/share/doc/kernel-doc-3.10.0/Documentation/kernel-parameters.txt
~]# yum install kernel-doc
~]$ less /usr/share/doc/kernel-doc-3.10.0/Documentation/kernel-parameters.txt
semanage boolean -l
~]# semanage boolean -l
SELinux boolean                State  Default Description

smartmon_3ware                 (off  ,  off)  Determine whether smartmon can...
mpd_enable_homedirs            (off  ,  off)  Determine whether mpd can traverse...
getsebool -a
~]$ getsebool -a
cvs_read_shadow --> off
daemons_dump_core --> on

getsebool cvs_read_shadow
~]$ getsebool cvs_read_shadow
cvs_read_shadow --> off

getsebool cvs_read_shadow daemons_dump_core
~]$ getsebool cvs_read_shadow daemons_dump_core
cvs_read_shadow --> off
daemons_dump_core --> on

getsebool httpd_can_network_connect_db
~]$ getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> off

setsebool httpd_can_network_connect_db on
~]# setsebool httpd_can_network_connect_db on
getsebool httpd_can_network_connect_db
~]$ getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> on

setsebool -P httpd_can_network_connect_db on
~]# setsebool -P httpd_can_network_connect_db on
setsebool -[Tab]
~]# setsebool -[Tab]
-P

getsebool samba_[Tab]
~]$ getsebool samba_[Tab]
samba_create_home_dirs   samba_export_all_ro      samba_run_unconfined
samba_domain_controller  samba_export_all_rw      samba_share_fusefs
samba_enable_home_dirs   samba_portmapper         samba_share_nfs

setsebool -P virt_use_[Tab]
~]# setsebool -P virt_use_[Tab]
virt_use_comm     virt_use_nfs      virt_use_sanlock
virt_use_execmem  virt_use_rawip    virt_use_usb
virt_use_fusefs   virt_use_samba    virt_use_xserver

semanage [Tab]
~]# semanage [Tab]
boolean     export      import      login       node        port
dontaudit   fcontext    interface   module      permissive  user

semanage fcontext -[Tab]
~]# semanage fcontext -[Tab]
-a           -D           --equal      --help       -m           -o
--add        --delete     -f           -l           --modify     -S
-C           --deleteall  --ftype      --list       -n           -t
-d           -e           -h           --locallist  --noheading  --type

Emptysemanage fcontext -a -t samba<tab>
~]# Emptysemanage fcontext -a -t samba<tab>
samba_etc_t                     samba_secrets_t
sambagui_exec_t                 samba_share_t
samba_initrc_exec_t             samba_unconfined_script_exec_t
samba_log_t                     samba_unit_file_t
samba_net_exec_t

semanage port -a -t http_port_t -p tcp 81
~]# semanage port -a -t http_port_t -p tcp 81
ls -Z file1
~]$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1

ls -dZ - /etc
~]$ ls -dZ - /etc
drwxr-xr-x. root root system_u:object_r:etc_t:s0       /etc

touch /etc/file1
~]# touch /etc/file1
ls -lZ /etc/file1
~]# ls -lZ /etc/file1
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0   /etc/file1

chcon -t httpd_sys_content_t file-name
~]$ chcon -t httpd_sys_content_t file-name
chcon -R -t httpd_sys_content_t directory-name
~]$ chcon -R -t httpd_sys_content_t directory-name
touch file1
~]$ touch file1
ls -Z file1
~]$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1

chcon -t samba_share_t file1
~]$ chcon -t samba_share_t file1
ls -Z file1
~]$ ls -Z file1 
-rw-rw-r--  user1 group1 unconfined_u:object_r:samba_share_t:s0 file1

restorecon -v file1
~]$ restorecon -v file1
restorecon reset file1 context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:user_home_t:s0

mkdir /web
~]# mkdir /web
touch /web/file{1,2,3}
~]# touch /web/file{1,2,3}
ls -dZ /web
~]# ls -dZ /web
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web

ls -lZ /web
~]# ls -lZ /web
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3

chcon -R -t httpd_sys_content_t /web/
~]# chcon -R -t httpd_sys_content_t /web/
ls -dZ /web/
~]# ls -dZ /web/
drwxr-xr-x  root root unconfined_u:object_r:httpd_sys_content_t:s0 /web/

ls -lZ /web/
~]# ls -lZ /web/
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3

restorecon -R -v /web/
~]# restorecon -R -v /web/
restorecon reset /web context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /web/file2 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /web/file3 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /web/file1 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0

semanage fcontext -C -l
~]# semanage fcontext -C -l
semanage fcontext -a options file-name|directory-name
~]# semanage fcontext -a options file-name|directory-name
restorecon -v file-name|directory-name
~]# restorecon -v file-name|directory-name
touch /etc/file1
~]# touch /etc/file1
ls -Z /etc/file1
~]$ ls -Z /etc/file1
-rw-r--r--  root root unconfined_u:object_r:etc_t:s0       /etc/file1

ls -dZ directory_name
~]$ ls -dZ directory_name
semanage fcontext -a -t samba_share_t /etc/file1
~]# semanage fcontext -a -t samba_share_t /etc/file1
ls -Z /etc/file1
~]# ls -Z /etc/file1
-rw-r--r--  root root unconfined_u:object_r:etc_t:s0       /etc/file1

semanage fcontext -C -l
~]$ semanage fcontext -C -l
/etc/file1    unconfined_u:object_r:samba_share_t:s0

restorecon -v /etc/file1
~]# restorecon -v /etc/file1
restorecon reset /etc/file1 context unconfined_u:object_r:etc_t:s0->system_u:object_r:samba_share_t:s0

mkdir /web
~]# mkdir /web
touch /web/file{1,2,3}
~]# touch /web/file{1,2,3}
ls -dZ /web
~]# ls -dZ /web
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web

ls -lZ /web
~]# ls -lZ /web
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3

semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
~]# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
ls -dZ /web
~]$ ls -dZ /web
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web

ls -lZ /web
~]$ ls -lZ /web
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3

/web(/.*)?    system_u:object_r:httpd_sys_content_t:s0

/web(/.*)?    system_u:object_r:httpd_sys_content_t:s0

restorecon -R -v /web
~]# restorecon -R -v /web
restorecon reset /web context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file2 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file3 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file1 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0

semanage fcontext -d "/web(/.*)?"
~]# semanage fcontext -d "/web(/.*)?"
semanage fcontext -d file-name|directory-name
~]# semanage fcontext -d file-name|directory-name
/test    system_u:object_r:httpd_sys_content_t:s0

/test    system_u:object_r:httpd_sys_content_t:s0

semanage fcontext -d /test
~]# semanage fcontext -d /test
mount server:/export /local/mount/point -o \ context="system_u:object_r:httpd_sys_content_t:s0"
~]# mount server:/export /local/mount/point -o \ context="system_u:object_r:httpd_sys_content_t:s0"
mount /dev/sda2 /test/ -o defcontext="system_u:object_r:samba_share_t:s0"
~]# mount /dev/sda2 /test/ -o defcontext="system_u:object_r:samba_share_t:s0"
mount server:/export /local/mount/point -o context="system_u:object_r:httpd_sys_content_t:s0"
~]# mount server:/export /local/mount/point -o context="system_u:object_r:httpd_sys_content_t:s0"
mount server:/export/web /local/web -o context="system_u:object_r:httpd_sys_content_t:s0"
~]# mount server:/export/web /local/web -o context="system_u:object_r:httpd_sys_content_t:s0"
mount server:/export/database /local/database -o context="system_u:object_r:mysqld_db_t:s0"
~]# mount server:/export/database /local/database -o context="system_u:object_r:mysqld_db_t:s0"
kernel: SELinux: mount invalid.  Same superblock, different security settings for (dev 0:15, type nfs)

kernel: SELinux: mount invalid.  Same superblock, different security settings for (dev 0:15, type nfs)

mount server:/export/web /local/web -o nosharecache,context="system_u:object_r:httpd_sys_content_t:s0"
~]# mount server:/export/web /local/web -o nosharecache,context="system_u:object_r:httpd_sys_content_t:s0"
mount server:/export/database /local/database -o \ nosharecache,context="system_u:object_r:mysqld_db_t:s0"
~]# mount server:/export/database /local/database -o \ nosharecache,context="system_u:object_r:mysqld_db_t:s0"
server:/export /local/mount/ nfs context="system_u:object_r:httpd_sys_content_t:s0" 0 0

server:/export /local/mount/ nfs context="system_u:object_r:httpd_sys_content_t:s0" 0 0

touch file1
~]$ touch file1
ls -Z file1
~]$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1

ls -Z file1
~]$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1

cp file1 /etc/
~]# cp file1 /etc/
ls -Z /etc/file1
~]$ ls -Z /etc/file1
-rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1

touch file1
~]$ touch file1
ls -Z file1
~]$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1

ls -dZ /var/www/html/
~]$ ls -dZ /var/www/html/
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/

cp file1 /var/www/html/
~]# cp file1 /var/www/html/
ls -Z /var/www/html/file1
~]$ ls -Z /var/www/html/file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1

touch file1
~]$ touch file1
ls -Z file1
~]$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1

ls -dZ /var/www/html/
~]$ ls -dZ /var/www/html/
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/

cp --preserve=context file1 /var/www/html/
~]# cp --preserve=context file1 /var/www/html/
ls -Z /var/www/html/file1
~]$ ls -Z /var/www/html/file1
-rw-r--r--  root root unconfined_u:object_r:user_home_t:s0 /var/www/html/file1

touch file1
~]$ touch file1
ls -Z file1
~]$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1

cp --context=system_u:object_r:samba_share_t:s0 file1 file2
~]$ cp --context=system_u:object_r:samba_share_t:s0 file1 file2
ls -Z file1 file2
~]$ ls -Z file1 file2
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
-rw-rw-r--  user1 group1 system_u:object_r:samba_share_t:s0 file2

touch /etc/file1
~]# touch /etc/file1
ls -Z /etc/file1
~]$ ls -Z /etc/file1
-rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1

touch /tmp/file2
~]$ touch /tmp/file2
~$ ls -Z /tmp/file2
-rw-r--r--  root root unconfined_u:object_r:user_tmp_t:s0 /tmp/file2

~$ ls -Z /tmp/file2
-rw-r--r--  root root unconfined_u:object_r:user_tmp_t:s0 /tmp/file2

cp /tmp/file2 /etc/file1
~]# cp /tmp/file2 /etc/file1
ls -Z /etc/file1
~]$ ls -Z /etc/file1
-rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1

touch file1
~]$ touch file1
ls -Z file1
~]$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1

ls -dZ /var/www/html/
~]$ ls -dZ /var/www/html/
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/

mv file1 /var/www/html/
~]# mv file1 /var/www/html/
ls -Z /var/www/html/file1
~]# ls -Z /var/www/html/file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 /var/www/html/file1

touch /var/www/html/file{1,2,3}
~]# touch /var/www/html/file{1,2,3}
ls -Z /var/www/html/
~]# ls -Z /var/www/html/
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3

chcon -t samba_share_t /var/www/html/file1
~]# chcon -t samba_share_t /var/www/html/file1
matchpathcon -V /var/www/html/*
~]$ matchpathcon -V /var/www/html/*
/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/file2 verified.
/var/www/html/file3 verified.

/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
restorecon -v /var/www/html/file1
~]# restorecon -v /var/www/html/file1
restorecon reset /var/www/html/file1 context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0

tar -xvf archive.tar | restorecon -f -
~]$ tar -xvf archive.tar | restorecon -f -
cd /var/www/html/
~]$ cd /var/www/html/
html]$ ls -dZ /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 .
html]$ ls -dZ /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 .
html]# touch file{1,2,3}
html]# touch file{1,2,3}
html]$ ls -Z /var/www/html/
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3

html]$ ls -Z /var/www/html/
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3

html]# tar --selinux -cf test.tar file{1,2,3}
html]# tar --selinux -cf test.tar file{1,2,3}
mkdir /test
~]# mkdir /test
chmod 777 /test/
~]# chmod 777 /test/
cp /var/www/html/test.tar /test/
~]$ cp /var/www/html/test.tar /test/
cd /test/
~]$ cd /test/
test]$ tar --selinux -xvf test.tar
test]$ tar --selinux -xvf test.tar
test]$ ls -lZ /test/
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file3
-rw-r--r--  user1 group1 unconfined_u:object_r:default_t:s0 test.tar

test]$ ls -lZ /test/
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file3
-rw-r--r--  user1 group1 unconfined_u:object_r:default_t:s0 test.tar

rm -ri /test/
~]# rm -ri /test/
touch /var/www/html/file{1,2,3}
~]# touch /var/www/html/file{1,2,3}
ls -Z /var/www/html/
~]# ls -Z /var/www/html/
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3

cd /var/www/html
~]$ cd /var/www/html
html]# star -xattr -H=exustar -c -f=test.star file{1,2,3}
star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).

html]# star -xattr -H=exustar -c -f=test.star file{1,2,3}
star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).

mkdir /test
~]# mkdir /test
chmod 777 /test/
~]# chmod 777 /test/
cp /var/www/html/test.star /test/
~]$ cp /var/www/html/test.star /test/
cd /test/
~]$ cd /test/
test]$ star -x -f=test.star 
star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).

test]$ star -x -f=test.star 
star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).

ls -lZ /test/
~]$ ls -lZ /test/
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file3
-rw-r--r--  user1 group1 unconfined_u:object_r:default_t:s0 test.star

rm -ri /test/
~]# rm -ri /test/
yum remove star
~]# yum remove star
avcstat
~]# avcstat 
   lookups       hits     misses     allocs   reclaims      frees
  47517410   47504630      12780      12780      12176      12275

seinfo
~]# seinfo

Statistics for policy file: /sys/fs/selinux/policy
Policy Version & Type: v.28 (binary, mls)

   Classes:            77    Permissions:       229
   Sensitivities:       1    Categories:       1024
   Types:            3001    Attributes:        244
   Users:               9    Roles:              13
   Booleans:          158    Cond. Expr.:       193
   Allow:          262796    Neverallow:          0
   Auditallow:         44    Dontaudit:      156710
   Type_trans:      10760    Type_change:        38
   Type_member:        44    Role allow:         20
   Role_trans:        237    Range_trans:      2546
   Constraints:        62    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             22
   Genfscon:           82    Portcon:           373
   Netifcon:            0    Nodecon:             0
   Permissives:        22    Polcap:              2

seinfo -adomain -x | wc -l
~]# seinfo -adomain -x | wc -l
550
seinfo -aunconfined_domain_type -x | wc -l
~]# seinfo -aunconfined_domain_type -x | wc -l
52

seinfo --permissive -x | wc -l
~]# seinfo --permissive -x | wc -l
31

sesearch --role_allow -t httpd_sys_content_t
~]$ sesearch --role_allow -t httpd_sys_content_t
Found 20 role allow rules:
   allow system_r sysadm_r;
   allow sysadm_r system_r;
   allow sysadm_r staff_r;
   allow sysadm_r user_r;
   allow system_r git_shell_r;
   allow system_r guest_r;
   allow logadm_r system_r;
   allow system_r logadm_r;
   allow system_r nx_server_r;
   allow system_r staff_r;
   allow staff_r logadm_r;
   allow staff_r sysadm_r;
   allow staff_r unconfined_r;
   allow staff_r webadm_r;
   allow unconfined_r system_r;
   allow system_r unconfined_r;
   allow system_r user_r;
   allow webadm_r system_r;
   allow system_r webadm_r;
   allow system_r xguest_r;

sesearch --allow | wc -l
~]# sesearch --allow | wc -l
262798

sesearch --dontaudit | wc -l
~]# sesearch --dontaudit | wc -l
156712

ls /etc/selinux/targeted/active/modules
~]# ls /etc/selinux/targeted/active/modules
100  400  disabled
semodule -X 400 -i sandbox.pp
semodule --list-modules=full | grep sandbox
~]# semodule -X 400 -i sandbox.pp
~]# semodule --list-modules=full | grep sandbox
400 sandbox           pp
100 sandbox           pp
semodule -X 400 -r sandbox
~]# semodule -X 400 -r sandbox
libsemanage.semanage_direct_remove_key: sandbox module at priority 100 is now active.
semodule -d MODULE_NAME
semodule -d MODULE_NAME
yum install selinux-policy-mls
~]# yum install selinux-policy-mls
This file controls the state of SELinux on the system.
SELINUX= can take one of these three values:
      enforcing - SELinux security policy is enforced.
      permissive - SELinux prints warnings instead of enforcing.
      disabled - No SELinux policy is loaded.
SELINUXTYPE= can take one of these two values:
      targeted - Targeted processes are protected,
      mls - Multi Level Security protection.
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=mls

setenforce 0
~]# setenforce 0
getenforce
~]$ getenforce
Permissive

fixfiles -F onboot
~]# fixfiles -F onboot
*** Warning -- SELinux mls policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
***********

*** Warning -- SELinux mls policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
***********

grep "SELinux is preventing" /var/log/messages
~]# grep "SELinux is preventing" /var/log/messages
This file controls the state of SELinux on the system.
SELINUX= can take one of these three values:
      enforcing - SELinux security policy is enforced.
      permissive - SELinux prints warnings instead of enforcing.
      disabled - No SELinux policy is loaded.
SELINUXTYPE= can take one of these two values:
      targeted - Targeted processes are protected,
      mls - Multi Level Security protection.
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=mls

getenforce
~]$ getenforce
Enforcing

sestatus |grep mls
~]# sestatus |grep mls
Policy from config file:        mls

useradd -Z staff_u john
~]# useradd -Z staff_u john
prompt~]# passwd john
prompt~]# passwd john
semanage login -l
~]# semanage login -l
Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0-s0                *
john                 staff_u              s0-s15:c0.c1023      *
root                 root                 s0-s15:c0.c1023      *
staff                staff_u              s0-s15:c0.c1023      *
sysadm               staff_u              s0-s15:c0.c1023      *
system_u             system_u             s0-s15:c0.c1023      *
semanage login --modify --range s2:c100 john
~]# semanage login --modify --range s2:c100 john
semanage login -l
~]# semanage login -l
Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0-s0                *
john                 staff_u              s2:c100              *
root                 root                 s0-s15:c0.c1023      *
staff                staff_u              s0-s15:c0.c1023      *
sysadm               staff_u              s0-s15:c0.c1023      *
system_u             system_u             s0-s15:c0.c1023      *
chcon -R -l s2:c100 /home/john
~]# chcon -R -l s2:c100 /home/john
tail -n 3 /etc/security/namespace.conf
~]$ tail -n 3 /etc/security/namespace.conf
/tmp     /tmp-inst/            level      root,adm
/var/tmp /var/tmp/tmp-inst/    level      root,adm
$HOME    $HOME/$USER.inst/     level

grep namespace /etc/pam.d/login
~]$ grep namespace /etc/pam.d/login
session    required     pam_namespace.so

filetrans_pattern(unconfined_t, admin_home_t, ssh_home_t, dir, ".ssh")
filetrans_pattern(unconfined_t, admin_home_t, ssh_home_t, dir, ".ssh")
filetrans_pattern(staff_t, user_home_dir_t, httpd_user_content_t, dir, "public_html")
filetrans_pattern(thumb_t, user_home_dir_t, thumb_home_t, file, "missfont.log")
filetrans_pattern(kernel_t, device_t, xserver_misc_device_t, chr_file, "nvidia0")
filetrans_pattern(puppet_t, etc_t, krb5_conf_t, file, "krb5.conf")

filetrans_pattern(staff_t, user_home_dir_t, httpd_user_content_t, dir, "public_html")
filetrans_pattern(thumb_t, user_home_dir_t, thumb_home_t, file, "missfont.log")
filetrans_pattern(kernel_t, device_t, xserver_misc_device_t, chr_file, "nvidia0")
filetrans_pattern(puppet_t, etc_t, krb5_conf_t, file, "krb5.conf")

setsebool -P deny_ptrace on
~]# setsebool -P deny_ptrace on
getsebool deny_ptrace
~]$ getsebool deny_ptrace
deny_ptrace --> on

setsebool -P deny_ptrace off
~]# setsebool -P deny_ptrace off
sesearch -A -p ptrace,sys_ptrace -C | grep -v deny_ptrace | cut -d ' ' -f 5
~]# sesearch -A -p ptrace,sys_ptrace -C | grep -v deny_ptrace | cut -d ' ' -f 5
yum install policycoreutils-devel
~]# yum install policycoreutils-devel
> python
>>> import sepolicy
>>> sepolicy.info(sepolicy.ATTRIBUTE)
Returns a dictionary of all information about SELinux Attributes
>>>sepolicy.search([sepolicy.ALLOW])
Returns a dictionary of all allow rules in the policy.

> python
>>> import sepolicy
>>> sepolicy.info(sepolicy.ATTRIBUTE)
Returns a dictionary of all information about SELinux Attributes
>>>sepolicy.search([sepolicy.ALLOW])
Returns a dictionary of all allow rules in the policy.

sepolicy transition -s httpd_t
~]$ sepolicy transition -s httpd_t
httpd_t @ httpd_suexec_exec_t --> httpd_suexec_t
httpd_t @ mailman_cgi_exec_t --> mailman_cgi_t
httpd_t @ abrt_retrace_worker_exec_t --> abrt_retrace_worker_t
httpd_t @ dirsrvadmin_unconfined_script_exec_t --> dirsrvadmin_unconfined_script_t
httpd_t @ httpd_unconfined_script_exec_t --> httpd_unconfined_script_t
sepolicy transition -s httpd_t -t system_mail_t
~]$ sepolicy transition -s httpd_t -t system_mail_t
httpd_t @ exim_exec_t --> system_mail_t
httpd_t @ courier_exec_t --> system_mail_t
httpd_t @ sendmail_exec_t --> system_mail_t
httpd_t ... httpd_suexec_t @ sendmail_exec_t --> system_mail_t
httpd_t ... httpd_suexec_t @ exim_exec_t --> system_mail_t
httpd_t ... httpd_suexec_t @ courier_exec_t --> system_mail_t
httpd_t ... httpd_suexec_t ... httpd_mojomojo_script_t @ sendmail_exec_t --> system_mail_t
semanage login -l
~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

__default__          unconfined_u         s0-s0:c0.c1023       *

__default__          unconfined_u         s0-s0:c0.c1023       *

id -Z
~]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

useradd -Z user_u useruuser
~]# useradd -Z user_u useruuser
semanage login -l
~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
useruuser            user_u               s0                   *

passwd useruuser
~]# passwd useruuser
Changing password for user useruuser.
New password: Enter a password
Retype new password: Enter the same password again
passwd: all authentication tokens updated successfully.

id -Z
~]$ id -Z
user_u:user_r:user_t:s0

userdel -Z -r useruuser
~]# userdel -Z -r useruuser
useradd newuser
~]# useradd newuser
semanage login -l
~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

semanage login -a -s user_u newuser
~]# semanage login -a -s user_u newuser
semanage login -l
~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
newuser              user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

passwd newuser
~]# passwd newuser
Changing password for user newuser.
New password: Enter a password
Retype new password: Enter the same password again
passwd: all authentication tokens updated successfully.

id -Z
~]$ id -Z
user_u:user_r:user_t:s0
userdel -r newuser
~]# userdel -r newuser
semanage login -d newuser
~]# semanage login -d newuser
semanage login -l
~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

semanage login -m -S targeted -s "user_u" -r s0 __default__
~]# semanage login -m -S targeted -s "user_u" -r s0 __default__
semanage login -l
~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__
~]# semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__
yum install xguest
~]# yum install xguest
getenforce
~]$ getenforce
Enforcing

setsebool -P guest_exec_content off
~]# setsebool -P guest_exec_content off
setsebool -P xguest_exec_content off
~]# setsebool -P xguest_exec_content off
setsebool -P user_exec_content off
~]# setsebool -P user_exec_content off
setsebool -P staff_exec_content off
~]# setsebool -P staff_exec_content off
setsebool -P staff_exec_content on
~]# setsebool -P staff_exec_content on
yum install policycoreutils-sandbox
~]# yum install policycoreutils-sandbox
sandbox [options] application_under_test
~]$ sandbox [options] application_under_test
sandbox -X evince
~]$ sandbox -X evince
sandbox -H sandbox/home -T sandbox/tmp -X firefox
~]$ sandbox -H sandbox/home -T sandbox/tmp -X firefox
sandbox ‑X ‑t sandbox_web_t firefox
~]$ sandbox ‑X ‑t sandbox_web_t firefox
ps -eZ | grep qemu
~]# ps -eZ | grep qemu

system_u:system_r:svirt_t:s0:c87,c520 27950 ?  00:00:17 qemu-kvm
system_u:system_r:svirt_t:s0:c639,c757 27989 ? 00:00:06 qemu-system-x86

ls -lZ /var/lib/libvirtimages/*
~]# ls -lZ /var/lib/libvirtimages/*

system_u:object_r:svirt_image_t:s0:c87,c520   image1

system_u:system_r:httpd_t:s0
system_u:system_r:httpd_t:s0
unconfined_u:system_r:httpd_t:s0
unconfined_u:system_r:httpd_t:s0
class service
{
       start
       stop
       status
       reload
       kill
       load
       enable
       disable
}

class service
{
       start
       stop
       status
       reload
       kill
       load
       enable
       disable
}

allow NetworkManager_t dnsmasq_unit_file_t : service { start stop status reload kill load } ; 
allow NetworkManager_t nscd_unit_file_t : service { start stop status reload kill load } ; 
allow NetworkManager_t ntpd_unit_file_t : service { start stop status reload kill load } ; 
allow NetworkManager_t pppd_unit_file_t : service { start stop status reload kill load } ; 
allow NetworkManager_t polipo_unit_file_t : service { start stop status reload kill load } ;

allow NetworkManager_t dnsmasq_unit_file_t : service { start stop status reload kill load } ; 
allow NetworkManager_t nscd_unit_file_t : service { start stop status reload kill load } ; 
allow NetworkManager_t ntpd_unit_file_t : service { start stop status reload kill load } ; 
allow NetworkManager_t pppd_unit_file_t : service { start stop status reload kill load } ; 
allow NetworkManager_t polipo_unit_file_t : service { start stop status reload kill load } ;

journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0
~]# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0
Oct 21 10:22:42 localhost.localdomain polkitd[647]: Started polkitd version 0.112
Oct 21 10:22:44 localhost.localdomain polkitd[647]: Loading rules from directory /etc/polkit-1/rules.d
Oct 21 10:22:44 localhost.localdomain polkitd[647]: Loading rules from directory /usr/share/polkit-1/rules.d
Oct 21 10:22:44 localhost.localdomain polkitd[647]: Finished loading, compiling and executing 5 rules
Oct 21 10:22:44 localhost.localdomain polkitd[647]: Acquired the name org.freedesktop.PolicyKit1 on the system bus Oct 21 10:23:10 localhost polkitd[647]: Registered Authentication Agent for unix-session:c1 (system bus name :1.49, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Oct 21 10:23:35 localhost polkitd[647]: Unregistered Authentication Agent for unix-session:c1 (system bus name :1.80 [/usr/bin/gnome-shell --mode=classic], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.utf8)

Forbidden

You don't have permission to access file name on this server

Forbidden

You don't have permission to access file name on this server

grep "SELinux is preventing" /var/log/messages
~]# grep "SELinux is preventing" /var/log/messages
grep "denied" /var/log/audit/audit.log
~]# grep "denied" /var/log/audit/audit.log
semanage fcontext -a -t httpd_sys_content_t "/srv/myweb(/.*)?"
~]# semanage fcontext -a -t httpd_sys_content_t "/srv/myweb(/.*)?"
restorecon -R -v /srv/myweb
~]# restorecon -R -v /srv/myweb
matchpathcon -V /var/www/html/*
~]$ matchpathcon -V /var/www/html/*
/var/www/html/index.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/page1.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0

restorecon -v /var/www/html/index.html
~]# restorecon -v /var/www/html/index.html 
restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0

restorecon -R -v /var/www/html/
~]# restorecon -R -v /var/www/html/
restorecon reset /var/www/html/page1.html context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/index.html context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0

setsebool -P httpd_can_network_connect_db on
~]# setsebool -P httpd_can_network_connect_db on
getsebool -a | grep ftp
~]$ getsebool -a | grep ftp
ftpd_anon_write --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_nfs --> off

ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off

semanage port -l | grep http
~]# semanage port -l | grep http
http_cache_port_t              tcp      3128, 8080, 8118
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989

systemctl start httpd.service
~]# systemctl start httpd.service
Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.

systemctl status httpd.service
~]# systemctl status httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: failed (Result: exit-code) since Thu 2013-08-15 09:57:05 CEST; 59s ago
  Process: 16874 ExecStop=/usr/sbin/httpd $OPTIONS -k graceful-stop (code=exited, status=0/SUCCESS)
  Process: 16870 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)

type=AVC msg=audit(1225948455.061:294): avc:  denied  { name_bind } for  pid=4997 comm="httpd" src=9876 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

type=AVC msg=audit(1225948455.061:294): avc:  denied  { name_bind } for  pid=4997 comm="httpd" src=9876 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

semanage port -a -t http_port_t -p tcp 9876
~]# semanage port -a -t http_port_t -p tcp 9876
ls -l /var/www/html/index.html
~]$ ls -l /var/www/html/index.html
-rw-r----- 1 root root 0 2009-05-07 11:06 index.html

chown apache:apache /var/www/html/index.html
~]# chown apache:apache /var/www/html/index.html
semodule -DB
~]# semodule -DB
semodule -B
~]# semodule -B
sesearch --dontaudit -s smbd_t | grep squid
~]$ sesearch --dontaudit -s smbd_t | grep squid
dontaudit smbd_t squid_port_t : tcp_socket name_bind ;
dontaudit smbd_t squid_port_t : udp_socket name_bind ;
semanage permissive -a httpd_t
~]# semanage permissive -a httpd_t
semodule -l | grep permissive
~]# semodule -l | grep permissive
permissive_httpd_t    (null)
permissivedomains     (null)

semanage permissive -d httpd_t
~]# semanage permissive -d httpd_t
semodule -d permissivedomains
~]# semodule -d permissivedomains
semodule --list-modules=full
~]# semodule --list-modules=full
type=AVC msg=audit(1226882736.442:86): avc:  denied  { getattr } for  pid=2427 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file

type=SYSCALL msg=audit(1226882736.442:86): arch=40000003 syscall=196 success=no exit=-13 a0=b9a1e198 a1=bfc2921c a2=54dff4 a3=2008171 items=0 ppid=2425 pid=2427 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1226882736.442:86): avc:  denied  { getattr } for  pid=2427 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file

type=SYSCALL msg=audit(1226882736.442:86): arch=40000003 syscall=196 success=no exit=-13 a0=b9a1e198 a1=bfc2921c a2=54dff4 a3=2008171 items=0 ppid=2425 pid=2427 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1226882925.714:136): avc:  denied  { read } for  pid=2512 comm="httpd" name="file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file

type=SYSCALL msg=audit(1226882925.714:136): arch=40000003 syscall=5 success=yes exit=11 a0=b962a1e8 a1=8000 a2=0 a3=8000 items=0 ppid=2511 pid=2512 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1226882925.714:136): avc:  denied  { read } for  pid=2512 comm="httpd" name="file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file

type=SYSCALL msg=audit(1226882925.714:136): arch=40000003 syscall=5 success=yes exit=11 a0=b962a1e8 a1=8000 a2=0 a3=8000 items=0 ppid=2511 pid=2512 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

ausearch -m avc -c httpd
~]# ausearch -m avc -c httpd
ausearch -m avc -c smbd
~]# ausearch -m avc -c smbd
aureport -a
~]# aureport -a

AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
1. 05/01/2009 21:41:39 httpd unconfined_u:system_r:httpd_t:s0 195 file getattr system_u:object_r:samba_share_t:s0 denied 2
2. 05/03/2009 22:00:25 vsftpd unconfined_u:system_r:ftpd_t:s0 5 file read unconfined_u:object_r:cifs_t:s0 denied 4

setroubleshoot: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket. For complete SELinux messages. run sealert -l 8c123656-5dda-4e5d-8791-9e3bd03786b7

type=AVC msg=audit(1226874073.147:96): avc:  denied  { getattr } for  pid=2465 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file

type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13 a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1226874073.147:96): avc:  denied  { getattr } for  pid=2465 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file

type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13 a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

hostname setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l 32eee32b-21ca-4846-a22f-0ba050206786

sealert -l 32eee32b-21ca-4846-a22f-0ba050206786
~]$ sealert -l 32eee32b-21ca-4846-a22f-0ba050206786
SELinux is preventing httpd from getattr access on the file /var/www/html/file1.

*****  Plugin restorecon (92.2 confidence) suggests   ************************

If you want to fix the label. 
/var/www/html/file1 default label should be httpd_sys_content_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/www/html/file1

*****  Plugin public_content (7.83 confidence) suggests   ********************

If you want to treat file1 as public content
Then you need to change the label on file1 to public_content_t or public_content_rw_t.
Do
# semanage fcontext -a -t public_content_t '/var/www/html/file1'
# restorecon -v '/var/www/html/file1'

*****  Plugin catchall (1.41 confidence) suggests   **************************

If you believe that httpd should be allowed getattr access on the file1 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -i my-httpd.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:samba_share_t:s0
Target Objects                /var/www/html/file1 [ file ]
Source                        httpd
Source Path                   httpd
Port                          <Unknown>
Host                          hostname.redhat.com
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-166.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     hostname.redhat.com
Platform                      Linux hostname.redhat.com
                              3.10.0-693.el7.x86_64 #1 SMP Thu Jul 6 19:56:57
                              EDT 2017 x86_64 x86_64
Alert Count                   2
First Seen                    2017-07-20 02:52:11 EDT
Last Seen                     2017-07-20 02:52:11 EDT
Local ID                      32eee32b-21ca-4846-a22f-0ba050206786

Raw Audit Messages
type=AVC msg=audit(1500533531.140:295): avc:  denied  { getattr } for  pid=24934 comm="httpd" path="/var/www/html/file1" dev="vda1" ino=31457414 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file

Hash: httpd,httpd_t,samba_share_t,file,getattr
type=AVC msg=audit(1226270358.848:238): avc:  denied  { write } for  pid=13349 comm="certwatch" name="cache" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir

type=SYSCALL msg=audit(1226270358.848:238): arch=40000003 syscall=39 success=no exit=-13 a0=39a2bf a1=3ff a2=3a0354 a3=94703c8 items=0 ppid=13344 pid=13349 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="certwatch" exe="/usr/bin/certwatch" subj=system_u:system_r:certwatch_t:s0 key=(null)

type=AVC msg=audit(1226270358.848:238): avc:  denied  { write } for  pid=13349 comm="certwatch" name="cache" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir

type=SYSCALL msg=audit(1226270358.848:238): arch=40000003 syscall=39 success=no exit=-13 a0=39a2bf a1=3ff a2=3a0354 a3=94703c8 items=0 ppid=13344 pid=13349 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="certwatch" exe="/usr/bin/certwatch" subj=system_u:system_r:certwatch_t:s0 key=(null)

audit2allow -w -a
~]# audit2allow -w -a
type=AVC msg=audit(1226270358.848:238): avc:  denied  { write } for  pid=13349 comm="certwatch" name="cache" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
	Was caused by:
		Missing type enforcement (TE) allow rule.

	You can use audit2allow to generate a loadable module to allow this access.

audit2allow -a
~]# audit2allow -a

#============= certwatch_t ==============
allow certwatch_t var_t:dir write;

audit2allow -a -M mycertwatch
~]# audit2allow -a -M mycertwatch
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mycertwatch.pp

ls
~]# ls
mycertwatch.pp  mycertwatch.te

semodule -i mycertwatch.pp
~]# semodule -i mycertwatch.pp
grep certwatch /var/log/audit/audit.log | audit2allow -R -M mycertwatch2
~]# grep certwatch /var/log/audit/audit.log | audit2allow -R -M mycertwatch2
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mycertwatch2.pp

rpm -q httpd
~]$ rpm -q httpd
package httpd is not installed

yum install httpd
~]# yum install httpd
getenforce
~]$ getenforce
Enforcing

systemctl start httpd.service
~]# systemctl start httpd.service
systemctl status httpd.service
~]# systemctl status httpd.service       
httpd.service - The Apache HTTP Server
	  Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
	  Active: active (running) since Mon 2013-08-05 14:00:55 CEST; 8s ago

ps -eZ | grep httpd
~]$ ps -eZ | grep httpd
system_u:system_r:httpd_t:s0    19780 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0    19781 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0    19782 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0    19783 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0    19784 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0    19785 ?        00:00:00 httpd

systemctl status httpd.service
~]# systemctl status httpd.service
httpd.service - The Apache HTTP Server
	  Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
          Active: inactive (dead)

systemctl stop httpd.service
~]# systemctl stop httpd.service
semanage port -l | grep -w http_port_t
~]# semanage port -l | grep -w http_port_t
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443

Change this to Listen on specific IP addresses as shown below to
prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
# Change this to Listen on specific IP addresses as shown below to 
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
#Listen 12.34.56.78:80
Listen 127.0.0.1:12345

systemctl start httpd.service
~]# systemctl start httpd.service
Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.

setroubleshoot: SELinux is preventing the httpd (httpd_t) from binding to port 12345. For complete SELinux messages. run sealert -l f18bca99-db64-4c16-9719-1db89f0d8c77

semanage port -a -t http_port_t -p tcp 12345
~]# semanage port -a -t http_port_t -p tcp 12345
systemctl start httpd.service
~]# systemctl start httpd.service
telnet localhost 12345
~]# telnet localhost 12345
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 02 Dec 2009 14:36:34 GMT
Server: Apache/2.2.13 (Red Hat)
Accept-Ranges: bytes
Content-Length: 3985
Content-Type: text/html; charset=UTF-8
[...continues...]

ls -dZ /var/www/html
~]$ ls -dZ /var/www/html
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html

touch /var/www/html/file1
~]# touch /var/www/html/file1
ls -Z /var/www/html/file1
~]$ ls -Z /var/www/html/file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1

grep httpd /etc/selinux/targeted/contexts/files/file_contexts
~]$ grep httpd /etc/selinux/targeted/contexts/files/file_contexts
mkdir -p /my/website
~]# mkdir -p /my/website
ls -dZ /my
~]$ ls -dZ /my
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /my

chcon -R -t httpd_sys_content_t /my/
touch /my/website/index.html
ls -Z /my/website/index.html
~]# chcon -R -t httpd_sys_content_t /my/
~]# touch /my/website/index.html
~]# ls -Z /my/website/index.html
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /my/website/index.html

mkdir -p /my/website
~]# mkdir -p /my/website
semanage fcontext -a -t httpd_sys_content_t "/my(/.*)?"
~]# semanage fcontext -a -t httpd_sys_content_t "/my(/.*)?"
touch /my/website/index.html
~]# touch /my/website/index.html
restorecon -R -v /my/
~]# restorecon -R -v /my/
restorecon reset /my context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /my/website context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /my/website/index.html context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0

setsebool -P httpd_anon_write on
~]# setsebool -P httpd_anon_write on
setsebool -P httpd_anon_write off
~]# setsebool -P httpd_anon_write off
getsebool -a | grep service_name
~]$ getsebool -a | grep service_name
sepolicy booleans -b boolean_name
~]$ sepolicy booleans -b boolean_name
mkdir /mywebsite
~]# mkdir /mywebsite
<html>
<h2>index.html from /mywebsite/</h2>
</html>

<html>
<h2>index.html from /mywebsite/</h2>
</html>

semanage fcontext -a -t httpd_sys_content_t "/mywebsite(/.*)?"
~]# semanage fcontext -a -t httpd_sys_content_t "/mywebsite(/.*)?"
restorecon -R -v /mywebsite
~]# restorecon -R -v /mywebsite
restorecon reset /mywebsite context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /mywebsite/index.html context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0

#DocumentRoot "/var/www/html"
DocumentRoot "/mywebsite"
#DocumentRoot "/var/www/html"
DocumentRoot "/mywebsite"

systemctl status httpd.service
~]# systemctl status httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: inactive (dead)

systemctl start httpd.service
~]# systemctl start httpd.service
systemctl status httpd.service
~]# systemctl status httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: active (running) since Wed 2014-02-05 13:16:46 CET; 2s ago

systemctl restart httpd.service
~]# systemctl restart httpd.service
index.html from /mywebsite/

index.html from /mywebsite/

setsebool -P httpd_use_nfs on
~]# setsebool -P httpd_use_nfs on
setsebool -P httpd_use_cifs on
~]# setsebool -P httpd_use_cifs on
mkdir /shares
~]# mkdir /shares
ls -dZ /shares
~]$ ls -dZ /shares
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /shares

<html>
<body>
<p>Hello</p>
</body>
</html>

<html>
<body>
<p>Hello</p>
</body>
</html>

semanage fcontext -a -t public_content_t "/shares(/.*)?"
~]# semanage fcontext -a -t public_content_t "/shares(/.*)?"
restorecon -R -v /shares/
~]# restorecon -R -v /shares/
restorecon reset /shares context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /shares/index.html context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0

rpm -q samba samba-common samba-client
~]$ rpm -q samba samba-common samba-client
samba-3.4.0-0.41.el6.3.i686
samba-common-3.4.0-0.41.el6.3.i686
samba-client-3.4.0-0.41.el6.3.i686

yum install package-name
~]# yum install package-name
[shares]
comment = Documents for Apache HTTP Server, FTP, rsync, and Samba
path = /shares
public = yes
writable = no

[shares]
comment = Documents for Apache HTTP Server, FTP, rsync, and Samba
path = /shares
public = yes
writable = no

smbpasswd -a testuser
~]# smbpasswd -a testuser
New SMB password: Enter a password
Retype new SMB password: Enter the same password again
Added user testuser.

systemctl start smb.service
~]# systemctl start smb.service
smbclient -U username -L localhost
~]$ smbclient -U username -L localhost
Enter username's password:
Domain=[HOSTNAME] OS=[Unix] Server=[Samba 3.4.0-0.41.el6]

Sharename       Type      Comment
---------       ----      -------
shares          Disk      Documents for Apache HTTP Server, FTP, rsync, and Samba
IPC$            IPC       IPC Service (Samba Server Version 3.4.0-0.41.el6)
username        Disk      Home Directories
Domain=[HOSTNAME] OS=[Unix] Server=[Samba 3.4.0-0.41.el6]

Server               Comment
---------            -------

Workgroup            Master
---------            -------

mkdir /test/
~]# mkdir /test/
mount //localhost/shares /test/ -o user=username
~]# mount //localhost/shares /test/ -o user=username
~]$ cat /test/index.html
<html>
<body>
<p>Hello</p>
</body>
</html>
~]$ cat /test/index.html
<html>
<body>
<p>Hello</p>
</body>
</html>

rpm -q httpd
~]$ rpm -q httpd
httpd-2.2.11-6.i386

yum install httpd
~]# yum install httpd
html]# ln -s /shares/ shares
html]# ln -s /shares/ shares
systemctl start httpd.service
~]# systemctl start httpd.service
rm -i /shares/index.html
~]# rm -i /shares/index.html
touch /shares/file{1,2,3}
ls -Z /shares/
~]# touch /shares/file{1,2,3}
~]# ls -Z /shares/
-rw-r--r--  root root system_u:object_r:public_content_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:public_content_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:public_content_t:s0 file3

systemctl status httpd.service
~]# systemctl status httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: inactive (dead)

systemctl start httpd.service
~]# systemctl start httpd.service
semanage port -l | grep -w http_port_t
~]# semanage port -l | grep -w http_port_t
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443

Change this to Listen on specific IP addresses as shown below to
prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
# Change this to Listen on specific IP addresses as shown below to 
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
#Listen 12.34.56.78:80
Listen 10.0.0.1:12345

semanage port -a -t http_port_t -p tcp 12345
~]# semanage port -a -t http_port_t -p tcp 12345
semanage port -l | grep -w http_port_t
~]# semanage port -l | grep -w http_port_t
http_port_t                    tcp      12345, 80, 443, 488, 8008, 8009, 8443

semanage port -d -t http_port_t -p tcp 12345
~]# semanage port -d -t http_port_t -p tcp 12345
rpm -q samba
~]$ rpm -q samba
package samba is not installed

yum install samba
~]# yum install samba
getenforce
~]$ getenforce
Enforcing

systemctl start smb.service
~]# systemctl start smb.service
systemctl status smb.service
~]# systemctl status smb.service
smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled)
   Active: active (running) since Mon 2013-08-05 12:17:26 CEST; 2h 22min ago

ps -eZ | grep smb
~]$ ps -eZ | grep smb
system_u:system_r:smbd_t:s0      9653 ?        00:00:00 smbd
system_u:system_r:smbd_t:s0      9654?        00:00:00 smbd

setroubleshoot: SELinux is preventing smbd (smbd_t) "read" to ./smb.conf (httpd_sys_content_t). For complete SELinux messages. run sealert -l deb33473-1069-482b-bb50-e4cd05ab18af

getsebool -a | grep service_name
~]$ getsebool -a | grep service_name
sepolicy booleans -b boolean_name
~]$ sepolicy booleans -b boolean_name
rpm -q samba samba-common samba-client
~]$ rpm -q samba samba-common samba-client
package samba is not installed
package samba-common is not installed
package samba-client is not installed

yum install package-name
~]# yum install package-name
mkdir /myshare
~]# mkdir /myshare
touch /myshare/file1
~]# touch /myshare/file1
semanage fcontext -a -t samba_share_t "/myshare(/.*)?"
~]# semanage fcontext -a -t samba_share_t "/myshare(/.*)?"
restorecon -R -v /myshare
~]# restorecon -R -v /myshare
restorecon reset /myshare context unconfined_u:object_r:default_t:s0->system_u:object_r:samba_share_t:s0
restorecon reset /myshare/file1 context unconfined_u:object_r:default_t:s0->system_u:object_r:samba_share_t:s0

[myshare]
comment = My share
path = /myshare
public = yes
writable = no

[myshare]
comment = My share
path = /myshare
public = yes
writable = no

smbpasswd -a testuser
~]# smbpasswd -a testuser
New SMB password: Enter a password
Retype new SMB password: Enter the same password again
Added user testuser.

systemctl start smb.service
~]# systemctl start smb.service
smbclient -U username -L localhost
~]$ smbclient -U username -L localhost
Enter username's password:
Domain=[HOSTNAME] OS=[Unix] Server=[Samba 3.4.0-0.41.el6]

Sharename       Type      Comment
---------       ----      -------
myshare         Disk      My share
IPC$            IPC       IPC Service (Samba Server Version 3.4.0-0.41.el6)
username        Disk      Home Directories
Domain=[HOSTNAME] OS=[Unix] Server=[Samba 3.4.0-0.41.el6]

Server               Comment
---------            -------

Workgroup            Master
---------            -------

mkdir /test/
~]# mkdir /test/
mount //localhost/myshare /test/ -o user=username
~]# mount //localhost/myshare /test/ -o user=username
ls /test/
~]$ ls /test/
file1

<html>
<h2>File being shared through the Apache HTTP Server and Samba.</h2>
</html>

<html>
<h2>File being shared through the Apache HTTP Server and Samba.</h2>
</html>

ls -Z /var/www/html/file1.html
~]$ ls -Z /var/www/html/file1.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1.html

systemctl start httpd.service
~]# systemctl start httpd.service
wget http://localhost/file1.html
~]$ wget http://localhost/file1.html
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 84 [text/html]
Saving to: `file1.html.1'

100%[=======================>] 84          --.-K/s   in 0s      

`file1.html.1' saved [84/84]

[website]
comment = Sharing a website
path = /var/www/html/
public = no
writable = no

[website]
comment = Sharing a website
path = /var/www/html/
public = no
writable = no

setsebool -P samba_export_all_ro on
~]# setsebool -P samba_export_all_ro on
systemctl start smb.service
~]# systemctl start smb.service
rpm -q vsftpd
~]$ rpm -q vsftpd
package vsftpd is not installed

yum install vsftpd
~]# yum install vsftpd
getsebool -a | grep service_name
~]$ getsebool -a | grep service_name
sepolicy booleans -b boolean_name
~]$ sepolicy booleans -b boolean_name
rpm -q nfs-utils
~]$ rpm -q nfs-utils
package nfs-utils is not installed

yum install nfs-utils
~]# yum install nfs-utils
getsebool -a | grep service_name
~]$ getsebool -a | grep service_name
sepolicy booleans -b boolean_name
~]$ sepolicy booleans -b boolean_name
systemctl stop nfs
[nfs-srv]# systemctl stop nfs
systemctl status nfs
[nfs-srv]# systemctl status nfs
nfs-server.service - NFS Server
   Loaded: loaded (/usr/lib/systemd/system/nfs-server.service; disabled)
   Active: inactive (dead)

Optional arguments passed to rpc.nfsd. See rpc.nfsd(8)
# Optional arguments passed to rpc.nfsd. See rpc.nfsd(8)
RPCNFSDARGS="-V 4.2"
systemctl start nfs
[nfs-srv]# systemctl start nfs
systemctl status nfs
[nfs-srv]# systemctl status nfs
nfs-server.service - NFS Server
   Loaded: loaded (/usr/lib/systemd/system/nfs-server.service; disabled)
   Active: active (exited) since Wed 2013-08-28 14:07:11 CEST; 4s ago

mount -o v4.2 server:mntpoint localmountpoint
[nfs-client]# mount -o v4.2 server:mntpoint localmountpoint
ls -Z file
ls -Z file
[nfs-srv]$ ls -Z file
-rw-rw-r--. user user unconfined_u:object_r:svirt_image_t:s0 file
[nfs-client]$ ls -Z file
-rw-rw-r--. user user unconfined_u:object_r:svirt_image_t:s0 file
rpm -q bind
~]$ rpm -q bind
package bind is not installed

yum install bind
~]# yum install bind
zone "testdomain.com" {
			type slave;
			masters { IP-address; };
			file "/var/named/slaves/db.testdomain.com";
		       };

zone "testdomain.com" {
			type slave;
			masters { IP-address; };
			file "/var/named/slaves/db.testdomain.com";
		       };

getsebool -a | grep service_name
~]$ getsebool -a | grep service_name
sepolicy booleans -b boolean_name
~]$ sepolicy booleans -b boolean_name
named[PID]: dumping master file: rename: /var/named/dynamic/zone-name: permission denied

named[PID]: dumping master file: rename: /var/named/dynamic/zone-name: permission denied

setroubleshoot: SELinux is preventing named (named_t) "unlink" to zone-name (named_zone_t)

setroubleshoot: SELinux is preventing named (named_t) "unlink" to zone-name (named_zone_t)

restorecon -R -v /var/named/dynamic
~]# restorecon -R -v /var/named/dynamic
rpm -q cvs
~]$ rpm -q cvs
package cvs is not installed

yum install cvs
~]# yum install cvs
getsebool -a | grep service_name
~]$ getsebool -a | grep service_name
sepolicy booleans -b boolean_name
~]$ sepolicy booleans -b boolean_name
rpm -q cvs xinetd
[cvs-srv]$ rpm -q cvs xinetd
package cvs is not installed
package xinetd is not installed

yum install cvs xinetd
[cvs-srv]# yum install cvs xinetd
groupadd CVS
[cvs-srv]# groupadd CVS
cvspserver	2401/tcp			# CVS client/server operations
cvspserver	2401/udp			# CVS client/server operations

cvspserver	2401/tcp			# CVS client/server operations
cvspserver	2401/udp			# CVS client/server operations

mkdir /cvs
[root@cvs-srv]# mkdir /cvs
chmod -R 777 /cvs
[root@cvs-srv]# chmod -R 777 /cvs
service cvspserver
{
	disable	= no
	port			= 2401
	socket_type		= stream
	protocol		= tcp
	wait			= no
	user			= root
	passenv			= PATH
	server			= /usr/bin/cvs
	env			= HOME=/cvs
	server_args		= -f --allow-root=/cvs pserver
#	bind			= 127.0.0.1

service cvspserver
{
	disable	= no
	port			= 2401
	socket_type		= stream
	protocol		= tcp
	wait			= no
	user			= root
	passenv			= PATH
	server			= /usr/bin/cvs
	env			= HOME=/cvs
	server_args		= -f --allow-root=/cvs pserver
#	bind			= 127.0.0.1

systemctl start xinetd.service
[cvs-srv]# systemctl start xinetd.service
cvs -d /cvs init
[cvsuser@cvs-client]$ cvs -d /cvs init
export CVSROOT=:pserver:cvsuser@192.168.1.1:/cvs

cvs login
[cvsuser@cvs-client]$ export CVSROOT=:pserver:cvsuser@192.168.1.1:/cvs
[cvsuser@cvs-client]$
[cvsuser@cvs-client]$ cvs login
Logging in to :pserver:cvsuser@192.168.1.1:2401/cvs
CVS password: ********
cvs [login aborted]: unrecognized auth response from 192.168.100.1: cvs pserver: cannot open /cvs/CVSROOT/config: Permission denied

semanage fcontext -a -t cvs_data_t '/cvs(/.*)?'
restorecon -R -v /cvs
[root@cvs-srv]# semanage fcontext -a -t cvs_data_t '/cvs(/.*)?'
[root@cvs-srv]# restorecon -R -v /cvs
export CVSROOT=:pserver:cvsuser@192.168.1.1:/cvs

cvs login

[cvsuser@cvs-client]$ export CVSROOT=:pserver:cvsuser@192.168.1.1:/cvs
[cvsuser@cvs-client]$
[cvsuser@cvs-client]$ cvs login
Logging in to :pserver:cvsuser@192.168.1.1:2401/cvs
CVS password: ********
[cvsuser@cvs-client]$

rpm -q squid
~]$ rpm -q squid
package squid is not installed

yum install squid
~]# yum install squid
getenforce
~]$ getenforce
Enforcing

systemctl start squid.service
~]# systemctl start squid.service
systemctl status squid.service
~]# systemctl status squid.service
squid.service - Squid caching proxy
   Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled)
   Active: active (running) since Mon 2013-08-05 14:45:53 CEST; 2s ago
ps -eZ | grep squid
~]$ ps -eZ | grep squid
system_u:system_r:squid_t:s0    27018 ?        00:00:00 squid
system_u:system_r:squid_t:s0    27020 ?        00:00:00 log_file_daemon

systemctl status squid.service
~]# systemctl status squid.service
squid.service - Squid caching proxy
   Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled)
   Active: inactive (dead)

systemctl stop squid.service
~]# systemctl stop squid.service
semanage port -l | grep -w -i squid_port_t
~]# semanage port -l | grep -w -i squid_port_t
squid_port_t                   tcp      3401, 4827
squid_port_t                   udp      3401, 4827

Squid normally listens to port 3128
# Squid normally listens to port 3128
http_port 10000

setsebool -P squid_connect_any 0
~]# setsebool -P squid_connect_any 0
systemctl start squid.service
~]# systemctl start squid.service
Job for squid.service failed. See 'systemctl status squid.service' and 'journalctl -xn' for details.

localhost setroubleshoot: SELinux is preventing the squid (squid_t) from binding to port 10000. For complete SELinux messages. run sealert -l 97136444-4497-4fff-a7a7-c4d8442db982

semanage port -a -t squid_port_t -p tcp 10000
~]# semanage port -a -t squid_port_t -p tcp 10000
systemctl start squid.service
~]# systemctl start squid.service
getsebool -a | grep service_name
~]$ getsebool -a | grep service_name
sepolicy booleans -b boolean_name
~]$ sepolicy booleans -b boolean_name
rpm -q squid
~]$ rpm -q squid
package squid is not installed

yum install squid
~]# yum install squid
cache_dir ufs /var/spool/squid 100 16 256

cache_dir ufs /var/spool/squid 100 16 256

visible_hostname squid.example.com

visible_hostname squid.example.com

systemctl start squid.service
~]# systemctl start squid.service
systemctl status squid.service
~]# systemctl status squid.service
squid.service - Squid caching proxy
   Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled)
   Active: active (running) since Thu 2014-02-06 15:00:24 CET; 6s ago

ls -lZ /var/run/squid.pid
~]# ls -lZ /var/run/squid.pid 
-rw-r--r--. root squid unconfined_u:object_r:squid_var_run_t:s0 /var/run/squid.pid

SELinux is preventing the squid daemon from connecting to network port 10000

SELinux is preventing the squid daemon from connecting to network port 10000

setsebool -P squid_connect_any on
~]# setsebool -P squid_connect_any on
rpm -q mariadb-server
~]$ rpm -q mariadb-server
package mariadb-server is not installed
yum install mariadb-server
~]# yum install mariadb-server
getenforce
~]$ getenforce
Enforcing

systemctl start mariadb.service
~]# systemctl start mariadb.service
systemctl status mariadb.service
~]# systemctl status mariadb.service
mariadb.service - MariaDB database server
   Loaded: loaded (/usr/lib/systemd/system/mariadb.service; disabled)
   Active: active (running) since Mon 2013-08-05 11:20:11 CEST; 3h 28min ago

ps -eZ | grep mysqld
~]$ ps -eZ | grep mysqld
system_u:system_r:mysqld_safe_t:s0 12831 ?     00:00:00 mysqld_safe
system_u:system_r:mysqld_t:s0   13014 ?        00:00:00 mysqld

getsebool -a | grep service_name
~]$ getsebool -a | grep service_name
sepolicy booleans -b boolean_name
~]$ sepolicy booleans -b boolean_name
ls -lZ /var/lib/mysql
~]# ls -lZ /var/lib/mysql
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql

mysqlshow -u root -p
~]# mysqlshow -u root -p
Enter password: *******
+--------------------+
|     Databases      |
+--------------------+
| information_schema |
| mysql              |
| test               |
| wikidb             |
+--------------------+

systemctl stop mariadb.service
~]# systemctl stop mariadb.service
mkdir -p /mysql
~]# mkdir -p /mysql
cp -R /var/lib/mysql/* /mysql/
~]# cp -R /var/lib/mysql/* /mysql/
chown -R mysql:mysql /mysql
~]# chown -R mysql:mysql /mysql
ls -lZ /mysql
~]# ls -lZ /mysql
drwxr-xr-x. mysql mysql unconfined_u:object_r:usr_t:s0   mysql

[mysqld]
datadir=/mysql

[mysqld]
datadir=/mysql

systemctl start mariadb.service
~]# systemctl start mariadb.service
Job for mariadb.service failed. See 'systemctl status mariadb.service' and 'journalctl -xn' for details.

SELinux is preventing /usr/libexec/mysqld "write" access on /mysql. For complete SELinux messages. run sealert -l b3f01aff-7fa6-4ebe-ad46-abaef6f8ad71

semanage fcontext -a -t mysqld_db_t "/mysql(/.*)?"
~]# semanage fcontext -a -t mysqld_db_t "/mysql(/.*)?"
grep -i mysql /etc/selinux/targeted/contexts/files/file_contexts.local
~]# grep -i mysql /etc/selinux/targeted/contexts/files/file_contexts.local

/mysql(/.*)?    system_u:object_r:mysqld_db_t:s0

restorecon -R -v /mysql
~]# restorecon -R -v /mysql
systemctl start mariadb.service
~]# systemctl start mariadb.service
ls -lZ /mysql
~]$ ls -lZ /mysql
drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql

rpm -q postgresql-server
~]# rpm -q postgresql-server
yum install postgresql-server
~]# yum install postgresql-server
getenforce
~]$ getenforce
Enforcing

systemctl start postgresql.service
~]# systemctl start postgresql.service
systemctl start postgresql.service
~]# systemctl start postgresql.service
postgresql.service - PostgreSQL database server
   Loaded: loaded (/usr/lib/systemd/system/postgresql.service; disabled)
   Active: active (running) since Mon 2013-08-05 14:57:49 CEST; 12s

ps -eZ | grep postgres
~]$ ps -eZ | grep postgres
system_u:system_r:postgresql_t:s0 395 ?    00:00:00 postmaster
system_u:system_r:postgresql_t:s0 397 ?    00:00:00 postmaster
system_u:system_r:postgresql_t:s0 399 ?    00:00:00 postmaster
system_u:system_r:postgresql_t:s0 400 ?    00:00:00 postmaster
system_u:system_r:postgresql_t:s0 401 ?    00:00:00 postmaster
system_u:system_r:postgresql_t:s0 402 ?    00:00:00 postmaster

getsebool -a | grep service_name
~]$ getsebool -a | grep service_name
sepolicy booleans -b boolean_name
~]$ sepolicy booleans -b boolean_name
ls -lZ /var/lib/pgsql
~]# ls -lZ /var/lib/pgsql
drwx------. postgres postgres system_u:object_r:postgresql_db_t:s0 data

mkdir -p /opt/postgresql/data
~]# mkdir -p /opt/postgresql/data
ls -lZ /opt/postgresql/
~]# ls -lZ /opt/postgresql/
drwxr-xr-x. root root unconfined_u:object_r:usr_t:s0   data

chown -R postgres:postgres /opt/postgresql
~]# chown -R postgres:postgres /opt/postgresql
vi /etc/systemd/system/postgresql.service
~]# vi /etc/systemd/system/postgresql.service
PGDATA=/opt/postgresql/data
PGLOG=/opt/postgresql/data/pgstartup.log

.include /lib/systemd/system/postgresql.service
[Service]

# Location of database directory
Environment=PGDATA=/opt/postgresql/data
Environment=PGLOG=/opt/postgresql/data/pgstartup.log
.include /lib/systemd/system/postgresql.service
[Service]

# Location of database directory
Environment=PGDATA=/opt/postgresql/data
Environment=PGLOG=/opt/postgresql/data/pgstartup.log
su - postgres -c "initdb -D /opt/postgresql/data"
~]$ su - postgres -c "initdb -D /opt/postgresql/data"
systemctl start postgresql.service
~]# systemctl start postgresql.service
Job for postgresql.service failed. See 'systemctl status postgresql.service' and 'journalctl -xn' for details.

semanage fcontext -a -t postgresql_db_t "/opt/postgresql(/.*)?"
~]# semanage fcontext -a -t postgresql_db_t "/opt/postgresql(/.*)?"
grep -i postgresql /etc/selinux/targeted/contexts/files/file_contexts.local
~]# grep -i postgresql /etc/selinux/targeted/contexts/files/file_contexts.local

/opt/postgresql(/.*)?    system_u:object_r:postgresql_db_t:s0

restorecon -R -v /opt/postgresql
~]# restorecon -R -v /opt/postgresql
systemctl start postgresql.service
~]# systemctl start postgresql.service
ls -lZ /opt
~]$ ls -lZ /opt
drwxr-xr-x. root root system_u:object_r:postgresql_db_t:s0 postgresql

ps aux | grep -i postmaster
~]# ps aux | grep -i postmaster

postgres 21564  0.3  0.3  42308  4032 ?        S    10:13   0:00 /usr/bin/postmaster -p 5432 -D /opt/postgresql/data/
rpm -q rsync
~]$ rpm -q rsync
package rsync is not installed

yum install rsync
~]# yum install rsync
getsebool -a | grep service_name
~]$ getsebool -a | grep service_name
sepolicy booleans -b boolean_name
~]$ sepolicy booleans -b boolean_name
getenforce
~]$ getenforce
Enforcing

which rsync
~]$ which rsync
/usr/bin/rsync

log file = /var/log/rsync.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
[files]
	path = /srv/rsync
        comment = file area
        read only = false
        timeout = 300

log file = /var/log/rsync.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
[files]
	path = /srv/rsync
        comment = file area
        read only = false
        timeout = 300

systemctl start rsyncd.service
~]# systemctl start rsyncd.service
systemctl status rsyncd.service
~]# systemctl status rsyncd.service
rsyncd.service - fast remote file copy program daemon
   Loaded: loaded (/usr/lib/systemd/system/rsyncd.service; disabled)
   Active: active (running) since Thu 2014-02-27 09:46:24 CET; 2s ago
 Main PID: 3220 (rsync)
   CGroup: /system.slice/rsyncd.service
           └─3220 /usr/bin/rsync --daemon --no-detach

ps -eZ | grep rsync
~]$ ps -eZ | grep rsync
system_u:system_r:rsync_t:s0     3220 ?        00:00:00 rsync

systemctl start rsyncd.socket
~]# systemctl start rsyncd.socket
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
port = 10000
[files]
        path = /srv/rsync
        comment = file area
        read only = false
	timeout = 300

log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
port = 10000
[files]
        path = /srv/rsync
        comment = file area
        read only = false
	timeout = 300

Jul 22 10:46:59 localhost setroubleshoot: SELinux is preventing the rsync (rsync_t) from binding to port 10000. For complete SELinux messages, run sealert -l c371ab34-639e-45ae-9e42-18855b5c2de8

semanage port -a -t rsync_port_t -p tcp 10000
~]# semanage port -a -t rsync_port_t -p tcp 10000
systemctl start rsyncd.service
~]# systemctl start rsyncd.service
netstat -lnp | grep 10000
~]# netstat -lnp | grep 10000
tcp        0      0 0.0.0.0:10000   0.0.0.0:*      LISTEN      9910/rsync

rpm -q postfix
~]$ rpm -q postfix
package postfix is not installed

yum install postfix
~]# yum install postfix
getenforce
~]$ getenforce
Enforcing

systemctl start postfix.service
~]# systemctl start postfix.service
systemctl status postfix.service
~]# systemctl status postfix.service
postfix.service - Postfix Mail Transport Agent
   Loaded: loaded (/usr/lib/systemd/system/postfix.service; disabled)
   Active: active (running) since Mon 2013-08-05 11:38:48 CEST; 3h 25min ago

ps -eZ | grep postfix
~]$ ps -eZ | grep postfix
system_u:system_r:postfix_master_t:s0 1651 ?   00:00:00 master
system_u:system_r:postfix_pickup_t:s0 1662 ?   00:00:00 pickup
system_u:system_r:postfix_qmgr_t:s0 1663 ?     00:00:00 qmgr

grep postfix /etc/selinux/targeted/contexts/files/file_contexts
~]$ grep postfix /etc/selinux/targeted/contexts/files/file_contexts
getsebool -a | grep service_name
~]$ getsebool -a | grep service_name
sepolicy booleans -b boolean_name
~]$ sepolicy booleans -b boolean_name
rpm -q spamassassin
~]$ rpm -q spamassassin
package spamassassin is not installed

yum install spamassassin
~]# yum install spamassassin
semanage port -l | grep spamd
~]# semanage port -l | grep spamd
spamd_port_t		tcp	783

Options to spamd
# Options to spamd
SPAMDOPTIONS="-d -p 10000 -c m5 -H"

systemctl start spamassassin.service
~]# systemctl start spamassassin.service
Job for spamassassin.service failed. See 'systemctl status spamassassin.service' and 'journalctl -xn' for details.

SELinux is preventing the spamd (spamd_t) from binding to port 10000.

semanage port -a -t spamd_port_t -p tcp 10000
~]# semanage port -a -t spamd_port_t -p tcp 10000
systemctl start spamassassin.service
netstat -lnp | grep 10000
~]# systemctl start spamassassin.service

~]# netstat -lnp | grep 10000
tcp	0	0 127.0.0.1:10000	0.0.0.0:*	LISTEN	2224/spamd.pid

rpm -q dhcp
~]# rpm -q dhcp
package dhcp is not installed

yum install dhcp
~]# yum install dhcp
getenforce
~]$ getenforce
Enforcing

systemctl start dhcpd.service
~]# systemctl start dhcpd.service
systemctl status dhcpd.service
~]# systemctl status dhcpd.service
dhcpd.service - DHCPv4 Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; disabled)
   Active: active (running) since Mon 2013-08-05 11:49:07 CEST; 3h 20min ago
ps -eZ | grep dhcpd
~]$ ps -eZ | grep dhcpd
system_u:system_r:dhcpd_t:s0 5483 ?        00:00:00 dhcpd

grep dhcp /etc/selinux/targeted/contexts/files/file_contexts
~]$ grep dhcp /etc/selinux/targeted/contexts/files/file_contexts
rpm -q openshift-clients
~]$ rpm -q openshift-clients
package openshift-clients is not installed

getsebool -a | grep service_name
~]$ getsebool -a | grep service_name
sepolicy booleans -b boolean_name
~]$ sepolicy booleans -b boolean_name
mkdir /srv/openshift
~]# mkdir /srv/openshift
ls -Zd /srv/openshift
~]$ ls -Zd /srv/openshift
drwxr-xr-x. root root unconfined_u:object_r:var_t:s0   openshift/

semanage fcontext -a -e /var/lib/openshift /srv/openshift
~]# semanage fcontext -a -e /var/lib/openshift /srv/openshift
restorecon -R -v /srv/openshift
~]# restorecon -R -v /srv/openshift
ls -Zd /srv/openshift
~]$ ls -Zd /srv/openshift
drwxr-xr-x. root root unconfined_u:object_r:openshift_var_lib_t:s0   openshift/

rpm -q ipa-server
~]$ rpm -q ipa-server
package ipa-server is not installed
yum install ipa-server
~]# yum install ipa-server
ipa selinuxusermap-add SELinux_mapping --selinuxuser=staff_u:s0-s0:c0.c1023
~]$ ipa selinuxusermap-add SELinux_mapping --selinuxuser=staff_u:s0-s0:c0.c1023
ipa selinuxusermap-add-user --users=tuser SELinux_mapping
~]$ ipa selinuxusermap-add-user --users=tuser SELinux_mapping
ipa selinuxusermap-add-host --hosts=ipaclient.example.com SELinux_mapping
~]$ ipa selinuxusermap-add-host --hosts=ipaclient.example.com SELinux_mapping
id -Z
[tuser@ipa-client]$ id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023

getsebool -a | grep service_name
~]$ getsebool -a | grep service_name
sepolicy booleans -b boolean_name
~]$ sepolicy booleans -b boolean_name
mkdir /mnt/brick1
~]# mkdir /mnt/brick1
mount /dev/vg-group/gluster /mnt/brick1/
~]# mount /dev/vg-group/gluster /mnt/brick1/
/dev/vg-group/gluster    /mnt/brick1  xfs rw,inode64,noatime,nouuid      1 2
/dev/vg-group/gluster    /mnt/brick1  xfs rw,inode64,noatime,nouuid      1 2
ls -lZd /mnt/brick1/
~]$ ls -lZd /mnt/brick1/
drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 /mnt/brick1/
semanage fcontext -a -t glusterd_brick_t "/mnt/brick1(/.*)?"
~]# semanage fcontext -a -t glusterd_brick_t "/mnt/brick1(/.*)?"
restorecon -Rv /mnt/brick1
~]# restorecon -Rv /mnt/brick1
ls -lZd /mnt/brick1
~]$ ls -lZd /mnt/brick1
drwxr-xr-x. root root system_u:object_r:glusterd_brick_t:s0 /mnt/brick1/

Feature	Description
booleans	Query the SELinux Policy to see description of Booleans
communicate	Query the SELinux policy to see if domains can communicate with each other
generate	Generate an SELinux policy module template
gui	Graphical User Interface for SELinux Policy
interface	List SELinux Policy interfaces
manpage	Generate SELinux man pages
network	Query SELinux policy network information
transition	Query SELinux policy and generate a process transition report

Type	SELinux Context	Description
Virtual Machine Processes	system_u:system_r:svirt_t:MCS1	MCS1 is a randomly selected MCS field. Currently approximately 500,000 labels are supported.
Virtual Machine Image	system_u:object_r:svirt_image_t:MCS1	Only processes labeled svirt_t with the same MCS fields are able to read/write these image files and devices.
Virtual Machine Shared Read/Write Content	system_u:object_r:svirt_image_t:s0	All processes labeled svirt_t are allowed to write to the svirt_image_t:s0 files and devices.
Virtual Machine Image	system_u:object_r:virt_content_t:s0	System default label used when an image exits. No svirt_t virtual processes are allowed to read files/devices with this label.

`systemd` general system call	SELinux access check
ClearJobs	reboot
FlushDevices	halt
Get	status
GetAll	status
GetJob	status
GetSeat	status
GetSession	status
GetSessionByPID	status
GetUser	status
Halt	halt
Introspect	status
KExec	reboot
KillSession	halt
KillUser	halt
ListJobs	status
ListSeats	status
ListSessions	status
ListUsers	status
LockSession	halt
PowerOff	halt
Reboot	reboot
SetUserLinger	halt
TerminateSeat	halt
TerminateSession	halt
TerminateUser	halt

Daemon	Log Location
auditd on	`/var/log/audit/audit.log`
auditd off; rsyslogd on	`/var/log/messages`
setroubleshootd, rsyslogd, and auditd on	`/var/log/audit/audit.log`. Easier-to-read denial messages also sent to `/var/log/messages`

Searching For	Command
all denials	`ausearch -m avc,user_avc,selinux_err,user_selinux_err`
denials for that today	`ausearch -m avc -ts today`
denials from the last 10 minutes	`ausearch -m avc -ts recent`

User	Role	Domain	X Window System	su or sudo	Execute in home directory and /tmp (default)	Networking
sysadm_u	sysadm_r	sysadm_t	yes	su and sudo	yes	yes
staff_u	staff_r	staff_t	yes	only sudo	yes	yes
user_u	user_r	user_t	yes	no	yes	yes
guest_u	guest_r	guest_t	no	no	yes	no
xguest_u	xguest_r	xguest_t	yes	no	yes	Firefox only

`systemd` unit file method	SELinux access check
DisableUnitFiles	disable
EnableUnitFiles	enable
GetUnit	status
GetUnitByPID	status
GetUnitFileState	status
Kill	stop
KillUnit	stop
LinkUnitFiles	enable
ListUnits	status
LoadUnit	status
MaskUnitFiles	disable
PresetUnitFiles	enable
ReenableUnitFiles	enable
Reexecute	start
Reload	reload
ReloadOrRestart	start
ReloadOrRestartUnit	start
ReloadOrTryRestart	start
ReloadOrTryRestartUnit	start
ReloadUnit	reload
ResetFailed	stop
ResetFailedUnit	stop
Restart	start
RestartUnit	start
Start	start
StartUnit	start
StartUnitReplace	start
Stop	stop
StopUnit	stop
TryRestart	start
TryRestartUnit	start
UnmaskUnitFiles	enable

Este conteúdo não está disponível no idioma selecionado.

SELinux User's and Administrator's Guide

Basic and advanced configuration of Security-Enhanced Linux (SELinux)

Mirek Jahoda

Barbora Ančincová

Ioanna Gkioka

Tomáš Čapek

Part I. SELinuxCopiar o linkLink copiado para a área de transferência!

Chapter 1. IntroductionCopiar o linkLink copiado para a área de transferência!

Additional Resources

1.1. Benefits of running SELinuxCopiar o linkLink copiado para a área de transferência!

1.2. ExamplesCopiar o linkLink copiado para a área de transferência!

1.3. SELinux ArchitectureCopiar o linkLink copiado para a área de transferência!

1.4. SELinux States and ModesCopiar o linkLink copiado para a área de transferência!

1.5. Additional ResourcesCopiar o linkLink copiado para a área de transferência!

Chapter 2. SELinux ContextsCopiar o linkLink copiado para a área de transferência!

2.1. Domain TransitionsCopiar o linkLink copiado para a área de transferência!

2.2. SELinux Contexts for ProcessesCopiar o linkLink copiado para a área de transferência!

2.3. SELinux Contexts for UsersCopiar o linkLink copiado para a área de transferência!

Chapter 3. Targeted PolicyCopiar o linkLink copiado para a área de transferência!

3.1. Confined ProcessesCopiar o linkLink copiado para a área de transferência!

3.2. Unconfined ProcessesCopiar o linkLink copiado para a área de transferência!

3.3. Confined and Unconfined UsersCopiar o linkLink copiado para a área de transferência!

3.3.1. The sudo Transition and SELinux RolesCopiar o linkLink copiado para a área de transferência!

Chapter 4. Working with SELinuxCopiar o linkLink copiado para a área de transferência!

4.1. SELinux PackagesCopiar o linkLink copiado para a área de transferência!

4.2. Which Log File is UsedCopiar o linkLink copiado para a área de transferência!

4.3. Main Configuration FileCopiar o linkLink copiado para a área de transferência!

4.4. Permanent Changes in SELinux States and ModesCopiar o linkLink copiado para a área de transferência!

4.4.1. Enabling SELinuxCopiar o linkLink copiado para a área de transferência!

4.4.1.1. Permissive ModeCopiar o linkLink copiado para a área de transferência!

4.4.1.2. Enforcing ModeCopiar o linkLink copiado para a área de transferência!

4.4.2. Disabling SELinuxCopiar o linkLink copiado para a área de transferência!

4.5. Changing SELinux Modes at Boot TimeCopiar o linkLink copiado para a área de transferência!

4.6. BooleansCopiar o linkLink copiado para a área de transferência!

4.6.1. Listing BooleansCopiar o linkLink copiado para a área de transferência!

4.6.2. Configuring BooleansCopiar o linkLink copiado para a área de transferência!

4.6.3. Shell Auto-CompletionCopiar o linkLink copiado para a área de transferência!

4.7. SELinux Contexts – Labeling FilesCopiar o linkLink copiado para a área de transferência!

4.7.1. Temporary Changes: chconCopiar o linkLink copiado para a área de transferência!

Quick Reference

4.7.2. Persistent Changes: semanage fcontextCopiar o linkLink copiado para a área de transferência!

Quick Reference

Use of regular expressions with semanage fcontext

4.7.3. How File Context is DeterminedCopiar o linkLink copiado para a área de transferência!

4.8. The file_t and default_t TypesCopiar o linkLink copiado para a área de transferência!

4.9. Mounting File SystemsCopiar o linkLink copiado para a área de transferência!

4.9.1. Context MountsCopiar o linkLink copiado para a área de transferência!

4.9.2. Changing the Default ContextCopiar o linkLink copiado para a área de transferência!

4.9.3. Mounting an NFS VolumeCopiar o linkLink copiado para a área de transferência!

4.9.4. Multiple NFS MountsCopiar o linkLink copiado para a área de transferência!

4.9.5. Making Context Mounts PersistentCopiar o linkLink copiado para a área de transferência!

4.10. Maintaining SELinux LabelsCopiar o linkLink copiado para a área de transferência!

4.10.1. Copying Files and DirectoriesCopiar o linkLink copiado para a área de transferência!

4.10.2. Moving Files and DirectoriesCopiar o linkLink copiado para a área de transferência!

4.10.3. Checking the Default SELinux ContextCopiar o linkLink copiado para a área de transferência!

4.10.4. Archiving Files with tarCopiar o linkLink copiado para a área de transferência!

4.10.5. Archiving Files with starCopiar o linkLink copiado para a área de transferência!

4.11. Information Gathering ToolsCopiar o linkLink copiado para a área de transferência!

avcstat

seinfo

sesearch

4.12. Prioritizing and Disabling SELinux Policy ModulesCopiar o linkLink copiado para a área de transferência!

Disabling a System Policy Module

4.13. Multi-Level Security (MLS)Copiar o linkLink copiado para a área de transferência!

4.13.1. MLS and System PrivilegesCopiar o linkLink copiado para a área de transferência!

4.13.2. Enabling MLS in SELinuxCopiar o linkLink copiado para a área de transferência!

4.13.3. Creating a User With a Specific MLS RangeCopiar o linkLink copiado para a área de transferência!

4.13.4. Setting Up Polyinstantiated DirectoriesCopiar o linkLink copiado para a área de transferência!

4.14. File Name TransitionCopiar o linkLink copiado para a área de transferência!

4.15. Disabling ptrace()Copiar o linkLink copiado para a área de transferência!

4.16. Thumbnail ProtectionCopiar o linkLink copiado para a área de transferência!

Chapter 5. The sepolicy SuiteCopiar o linkLink copiado para a área de transferência!

5.1. The sepolicy Python BindingsCopiar o linkLink copiado para a área de transferência!

5.2. Generating SELinux Policy Modules: sepolicy generateCopiar o linkLink copiado para a área de transferência!

5.3. Understanding Domain Transitions: sepolicy transitionCopiar o linkLink copiado para a área de transferência!

5.4. Generating Manual Pages: sepolicy manpageCopiar o linkLink copiado para a área de transferência!

Chapter 6. Confining UsersCopiar o linkLink copiado para a área de transferência!

6.1. Linux and SELinux User MappingsCopiar o linkLink copiado para a área de transferência!

6.2. Confining New Linux Users: useraddCopiar o linkLink copiado para a área de transferência!

Part I. SELinux
Copiar o link

Chapter 1. Introduction
Copiar o link

1.1. Benefits of running SELinux
Copiar o link

1.2. Examples
Copiar o link

1.3. SELinux Architecture
Copiar o link

1.4. SELinux States and Modes
Copiar o link

1.5. Additional Resources
Copiar o link

Chapter 2. SELinux Contexts
Copiar o link

2.1. Domain Transitions
Copiar o link

2.2. SELinux Contexts for Processes
Copiar o link

2.3. SELinux Contexts for Users
Copiar o link

Chapter 3. Targeted Policy
Copiar o link

3.1. Confined Processes
Copiar o link

3.2. Unconfined Processes
Copiar o link

3.3. Confined and Unconfined Users
Copiar o link

3.3.1. The sudo Transition and SELinux Roles
Copiar o link

Chapter 4. Working with SELinux
Copiar o link

4.1. SELinux Packages
Copiar o link

4.2. Which Log File is Used
Copiar o link

4.3. Main Configuration File
Copiar o link

4.4. Permanent Changes in SELinux States and Modes
Copiar o link

4.4.1. Enabling SELinux
Copiar o link

4.4.1.1. Permissive Mode
Copiar o link

4.4.1.2. Enforcing Mode
Copiar o link

4.4.2. Disabling SELinux
Copiar o link

4.5. Changing SELinux Modes at Boot Time
Copiar o link

4.6. Booleans
Copiar o link

4.6.1. Listing Booleans
Copiar o link

4.6.2. Configuring Booleans
Copiar o link

4.6.3. Shell Auto-Completion
Copiar o link

4.7. SELinux Contexts – Labeling Files
Copiar o link

4.7.1. Temporary Changes: chcon
Copiar o link

4.7.2. Persistent Changes: semanage fcontext
Copiar o link

4.7.3. How File Context is Determined
Copiar o link

4.8. The file_t and default_t Types
Copiar o link

4.9. Mounting File Systems
Copiar o link

4.9.1. Context Mounts
Copiar o link

4.9.2. Changing the Default Context
Copiar o link

4.9.3. Mounting an NFS Volume
Copiar o link

4.9.4. Multiple NFS Mounts
Copiar o link

4.9.5. Making Context Mounts Persistent
Copiar o link

4.10. Maintaining SELinux Labels
Copiar o link

4.10.1. Copying Files and Directories
Copiar o link

4.10.2. Moving Files and Directories
Copiar o link

4.10.3. Checking the Default SELinux Context
Copiar o link

4.10.4. Archiving Files with tar
Copiar o link

4.10.5. Archiving Files with star
Copiar o link

4.11. Information Gathering Tools
Copiar o link

4.12. Prioritizing and Disabling SELinux Policy Modules
Copiar o link

4.13. Multi-Level Security (MLS)
Copiar o link

4.13.1. MLS and System Privileges
Copiar o link

4.13.2. Enabling MLS in SELinux
Copiar o link

4.13.3. Creating a User With a Specific MLS Range
Copiar o link

4.13.4. Setting Up Polyinstantiated Directories
Copiar o link

4.14. File Name Transition
Copiar o link

4.15. Disabling ptrace()
Copiar o link

4.16. Thumbnail Protection
Copiar o link

Chapter 5. The sepolicy Suite
Copiar o link

5.1. The sepolicy Python Bindings
Copiar o link

5.2. Generating SELinux Policy Modules: sepolicy generate
Copiar o link

5.3. Understanding Domain Transitions: sepolicy transition
Copiar o link

5.4. Generating Manual Pages: sepolicy manpage
Copiar o link

Chapter 6. Confining Users
Copiar o link

6.1. Linux and SELinux User Mappings
Copiar o link

6.2. Confining New Linux Users: useradd
Copiar o link

6.3. Confining Existing Linux Users: semanage login
Copiar o link

6.4. Changing the Default Mapping
Copiar o link

6.5. xguest: Kiosk Mode
Copiar o link

6.6. Booleans for Users Executing Applications
Copiar o link

Chapter 7. Securing Programs Using Sandbox
Copiar o link

7.1. Running an Application Using Sandbox
Copiar o link

Chapter 8. sVirt
Copiar o link

8.1. Security and Virtualization
Copiar o link

8.2. sVirt Labeling
Copiar o link

Chapter 9. Secure Linux Containers
Copiar o link

Chapter 10. SELinux systemd Access Control
Copiar o link

10.1. SELinux Access Permissions for Services
Copiar o link

10.2. SELinux and journald
Copiar o link

Chapter 11. Troubleshooting
Copiar o link

11.1. What Happens when Access is Denied
Copiar o link