04Selinux - amagerard/TemplateVM GitHub Wiki
Note (2024/04/31).
I do not turn SELinux off or set it to disabled.
Permissive mode can be regarded as a debugging mode: the SELinux rules are still evaluated and access errors are recorded in the logs, but access is not blocked.
When SELinux is disabled, access is not restricted at all and nothing is written to the logs.
Switching SELinux to "permissive".
Immediately (until the next reboot):
setenforce 0
Or permanently, with a cron job:
vi /etc/crontab
# enable selinux "permissive"
@reboot root setenforce 0
Then reboot.
Verify that setroubleshoot and setools-console are installed.
rpm -qa | grep setroubleshoot
rpm -qa | grep setools-console
If they are not installed, install them.
dnf install setroubleshoot setools-console
Check the current mode:
getenforce
Permissive
SELinux may deny read or write access to a service when it starts.
To surface these denials, stop the services and start them again: SELinux will log the restrictions that apply to each service.
The SELinux messages are written to:
auditd on: /var/log/audit/audit.log
auditd off, rsyslogd on: /var/log/messages
To stop the auditd service:
auditctl --signal stop
To start the auditd service again:
systemctl start auditd
The command that displays the SELinux messages is:
journalctl -t setroubleshoot
or
journalctl | grep ausearch
or, if auditd is off:
journalctl -f
To start again with a clean journal:
journalctl --user --flush --rotate --vacuum-time=1s
journalctl --flush --rotate --vacuum-time=1s
To temporarily disable the dontaudit rules so that all denials are logged:
semodule -DB
After re-running the denied scenario and finding the denial messages with the previous steps, the following command enables the dontaudit rules in the policy again:
semodule -B
You will need two terminal consoles:
one to read the SELinux messages,
one to authorize the SELinux rules.
Open a console as root and follow the log:
journalctl -f
or
journalctl -t setroubleshoot
or
journalctl | grep ausearch
Open another console as root.
The log shows the SELinux errors and proposes solution(s).
systemctl stop <service>
systemctl start <service>
systemctl status <service>
Restart the service as many times as needed until there are no more SELinux alert messages.
Each time, read the log: it shows the SELinux errors and proposes a solution.
Example of a message found in the log:
When you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
# semodule -X 300 -i my-phpfpm.pp
Run the first command:
ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
Its output ends with:
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i my-phpfpm.pp
Run the command it gives:
semodule -i my-phpfpm.pp
After fixing all the SELinux alerts, check the services:
systemctl start <service>
systemctl status <service>
But this is not enough.
SELinux also blocks access from within web applications.
You must repeat exactly every operation on the web interface and check the log for SELinux errors after each one.
If you have managed to eliminate all the SELinux messages, congratulations.
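Before piping every denial into audit2allow, it is worth reading what is actually being denied: an allow rule generated from a mislabeled file or from a network access that an existing boolean already covers grants more than necessary. The script below is an added example, not part of this wiki; it parses AVC lines in the audit.log format (the sample lines are constructed, not captured from a host), lists the commands involved, and prints a triage hint per denial before suggesting the ausearch/audit2allow command used above. The field names (comm, scontext, tcontext, tclass) are the real audit fields; the hint wording is this example's own.

```shell
#!/bin/sh
# Constructed sample of AVC denials (permissive mode), in /var/log/audit/audit.log format.
SAMPLE_AVC='type=AVC msg=audit(1712345678.101:301): avc:  denied  { write } for  pid=1201 comm="php-fpm" name="sess_a1" dev="dm-0" ino=4471 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1712345678.102:302): avc:  denied  { read } for  pid=1201 comm="php-fpm" name="config.php" dev="dm-0" ino=4480 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1712345678.103:303): avc:  denied  { name_connect } for  pid=1201 comm="php-fpm" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1712345678.104:304): avc:  denied  { setattr } for  pid=880 comm="nginx" name="error.log" dev="dm-0" ino=9912 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1712345678.104:304): arch=c000003e syscall=90 success=yes exit=0'

# One tab-separated line per denial: comm, scontext, tclass, permission(s), tcontext.
# Reads audit lines on stdin; SYSCALL and "granted" records are ignored.
avc_summary() {
    awk '/^type=AVC / && /avc: +denied/ {
        comm=""; perm=""; scon=""; tcon=""; tclass="";
        if (match($0, /comm="[^"]*"/)) comm=substr($0, RSTART+6, RLENGTH-7);
        if (match($0, /[{] [^}]* [}]/)) perm=substr($0, RSTART+2, RLENGTH-4);
        for (i=1; i<=NF; i++) {
            if ($i ~ /^scontext=/) scon=substr($i, 10);
            if ($i ~ /^tcontext=/) tcon=substr($i, 10);
            if ($i ~ /^tclass=/)   tclass=substr($i, 8);
        }
        print comm "\t" scon "\t" tclass "\t" perm "\t" tcon
    }'
}

# Distinct process names, i.e. the values to pass to ausearch -c.
avc_comms() { avc_summary | cut -f1 | sort -u; }

# Triage: decide per denial whether a custom module is really the right fix.
triage() {
    avc_summary | while IFS="$(printf '\t')" read -r comm scon tclass perm tcon; do
        ttype=$(printf '%s' "$tcon" | awk -F: '{print $3}')   # type part of the target context
        hint="custom module (audit2allow) is appropriate"
        case "$tclass:$perm" in
            tcp_socket:name_connect|tcp_socket:name_bind|udp_socket:name_bind)
                hint="network access: check for an SELinux boolean first (getsebool -a, sesearch)";;
        esac
        case "$ttype" in
            var_t|default_t|unlabeled_t|usr_t)
                hint="target is probably mislabeled: fix with semanage fcontext + restorecon, not an allow rule";;
        esac
        printf '%s\t%s\t%s\t%s\t%s\n' "$comm" "$tclass" "$perm" "$ttype" "$hint"
    done
}

# The commands the wiki runs, one per process name, for the denials that do need a module.
suggest_audit2allow() {
    avc_comms | while IFS= read -r c; do
        printf "ausearch -c '%s' --raw | audit2allow -M my-%s && semodule -i my-%s.pp\n" "$c" "$c" "$c"
    done
}

# Demo on the constructed sample; on a real host use: triage < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AVC" | triage
printf '%s\n' "$SAMPLE_AVC" | suggest_audit2allow
```

On the sample, only the nginx setattr denial on a correctly labelled log file is a candidate for a local module; the two php-fpm file denials point at files still labelled var_t (a relabeling problem) and the MySQL port access is the kind of thing a boolean normally covers. sesearch comes from the setools-console package installed earlier on this page.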
Switching SELinux back to "enforcing".
vi /etc/crontab
# enable selinux enforcing
#@reboot root setenforce 0
Restart your server:
reboot
or init 6
If this happens to you, boot from an AlmaLinux live CD and edit the file:
vi /etc/selinux/config
SELINUX=disable
(deliberately without the "d" at the end).
touch /.autorelabel
The error at startup forces SELinux to repair itself,
and you regain access to the administration of your machine.
Then go back to /etc/selinux/config and set:
SELINUX=enforcing
SELinux leaves files named my-<...>.pp behind.
I have not found the reason why, or which component is responsible.
I delete all of these files:
cd /
find . -name 'my-*.pp' -exec rm {} \;
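The my-<name>.pp files are the build artifacts of the audit2allow -M command run earlier on this page (it writes a my-<name>.te source and the compiled my-<name>.pp next to it, in the current directory). Deleting the files does not uninstall the policy module that semodule -i loaded into the policy store; that takes semodule -r <name>, and semodule -l lists what is installed. The script below is an added example, not part of the wiki: it finds those files, and in dry-run mode (the default, assumed here) prints the semodule -r and rm commands instead of running them, so the list can be reviewed first.

```shell
#!/bin/sh
# Added example: remove audit2allow local modules and their build artifacts properly.
# Assumes audit2allow -M was run with names of the form my-<name>, as on this page.

# /root/my-phpfpm.pp -> my-phpfpm (the module name semodule knows it by)
module_name_from_pp() {
    basename "$1" .pp
}

# For every my-*.pp under the given directory: uninstall the module, then delete the
# .pp and the matching .te source. DRY_RUN=1 (default) only prints the commands.
cleanup_local_modules() {
    find "$1" -type f -name 'my-*.pp' | sort | while IFS= read -r pp; do
        m=$(module_name_from_pp "$pp")
        te=${pp%.pp}.te
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf 'semodule -r %s\n' "$m"
            printf 'rm -f %s %s\n' "$pp" "$te"
        else
            semodule -r "$m" && rm -f "$pp" "$te"
        fi
    done
}

# Demo on a constructed directory (no SELinux needed for the dry run).
demo_dir=$(mktemp -d)
touch "$demo_dir/my-phpfpm.pp" "$demo_dir/my-phpfpm.te" "$demo_dir/my-nginx.pp"
DRY_RUN=1 cleanup_local_modules "$demo_dir"
rm -rf "$demo_dir"
```

To actually run the removal on the server, as root: DRY_RUN=0 cleanup_local_modules /root (or wherever audit2allow was run), after checking the printed list against semodule -l.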