SELinux in RHEL7

SELinux

SELinux has three modes. In enforcing mode, the default on RHEL7, SELinux denies any access the loaded policy does not explicitly allow and logs the denial. Permissive mode is often used to troubleshoot issues: SELinux allows all interactions, even if there is no explicit rule, and logs the interactions it would have denied in enforcing mode. This mode can be used to temporarily allow access to content that SELinux is restricting. No reboot is required to go from enforcing to permissive or back again.

A third mode, disabled, turns SELinux off completely. A reboot is required to disable SELinux entirely, or to go from disabled mode to enforcing or permissive mode. Files created while SELinux is disabled carry no labels, so after re-enabling it the file systems must be relabeled (for example by creating /.autorelabel before the reboot).

Important

Setting the default SELinux mode


The configuration file that determines the SELinux mode at boot time is /etc/selinux/config.

[screenshot: contents of /etc/selinux/config]

In older releases of Red Hat Enterprise Linux, the default SELinux mode was set in /etc/sysconfig/selinux. In RHEL7 that file is a symbolic link to /etc/selinux/config, so editing either path changes the same file.

Changing the current SELinux mode

The setenforce command changes the current SELinux mode immediately, without a reboot: setenforce 0 (or setenforce Permissive) switches to permissive mode, and setenforce 1 (or setenforce Enforcing) switches back to enforcing. getenforce prints the current mode. setenforce cannot disable SELinux; that requires the configuration file and a reboot.

[screenshot: changing the current mode with setenforce]
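As an added example (not code from the original post), the shell helpers below read the boot-time mode out of /etc/selinux/config-style text, refuse to write any value other than the three the file documents, map a mode name to the argument setenforce takes, and record which transitions need a reboot. The config text is a constructed copy of the stock file; on a real host pipe /etc/selinux/config itself into the functions.

```shell
#!/bin/bash
# Added example, not part of the original post. The sample below is a
# constructed copy of the stock RHEL7 /etc/selinux/config; on a real host
# feed the actual file to the functions on stdin.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
'

# Print the mode SELinux starts in at boot: the value of the uncommented
# SELINUX= line. Commented-out lines (# SELINUX=...) are ignored.
boot_mode() {
  sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' | tail -n 1
}

# Rewrite the SELINUX= line (config on stdin, result on stdout). Only the
# three documented values are accepted; a typo such as "enforced" is
# rejected instead of being written, since a bad value here is only
# discovered at the next boot.
set_boot_mode() {  # usage: set_boot_mode <enforcing|permissive|disabled>
  case "$1" in
    enforcing|permissive|disabled) ;;
    *) printf 'invalid SELinux mode: %s\n' "$1" >&2; return 1 ;;
  esac
  sed "s/^SELINUX=.*/SELINUX=$1/"
}

# Map a mode name to the argument setenforce takes for a live change.
# "disabled" cannot be entered at run time (config file plus reboot only),
# so it is an error here.
setenforce_arg() {
  case "$1" in
    enforcing)  echo 1 ;;
    permissive) echo 0 ;;
    *) return 1 ;;
  esac
}

# True when moving from mode $1 to mode $2 requires a reboot: any
# transition into or out of disabled.
needs_reboot() {
  [ "$1" = disabled ] || [ "$2" = disabled ]
}

# Typical use on a RHEL7 host (needs root):
#   setenforce "$(setenforce_arg permissive)"          # change now
#   set_boot_mode permissive < /etc/selinux/config \
#       > /etc/selinux/config.new                      # change the default
#   needs_reboot "$(boot_mode < /etc/selinux/config)" disabled && echo reboot
```

The write is deliberately not done in place with sed -i: write to a new file, check it with boot_mode, then move it over the original, so a rejected value never leaves the file half-edited.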

Changing the SELinux context of a file

Two commands change the SELinux context of files: chcon and restorecon. chcon sets the context of a file to the one given on the command line; the -t option is often used to change only the type component of the context. restorecon resets the context to the default defined by the policy's file context rules.

chcon should not be relied on for permanent changes. It is easy to specify the wrong context by hand, and the change is not recorded anywhere, so the file reverts to its default context whenever the file systems are relabeled at boot time or someone runs restorecon on it.

Note: a context applied with chcon lasts only until the next relabel. If the server is relabeled at boot, or anyone runs restorecon on the file, the context is reset.

Here is an example. I created a directory and performed the following actions:

  • Checked its context with ls -lZ
  • Changed the context with the chcon command
  • Then ran the restorecon command on it

[screenshot: ls -lZ, chcon and restorecon on the test directory]

  • Here we can see that restorecon reset the context to its default.

Defining SELinux default file context rules

The semanage fcontext command displays or modifies the rules that restorecon uses to set default file contexts. restorecon is part of the policycoreutils package, and semanage is part of the policycoreutils-python package.

In this example we can see that when a file is copied with cp, the copy gets the default context of the destination directory; the source file's context is not carried over.

[screenshot: context of a file after cp]

When a file is moved with mv it keeps its original context, which is not replaced by the destination directory's default. This is the usual cause of a web server being unable to read a file that was moved into its document root.

[screenshot: context of a file after mv]

In this example we change the context of a whole directory hierarchy (including its files) permanently, and afterwards run restorecon to check whether the change survives.

First, check the context of the directory: its type is default_t.

[screenshot: ls -dZ on the directory showing default_t]

Next, change the context with the semanage fcontext command, which records the rule in the policy, and apply it to the existing files with restorecon -R.

[screenshot: semanage fcontext rule added and restorecon -R applied]

Running restorecon again does not revert the change, because the new context is now the directory's default.

[screenshot: restorecon leaves the new context in place]
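As an added example that serves both the cp/mv comparison and the semanage fcontext procedure above (it is not the post's own code), the shell script below parses ls -Z output to spot a file that mv brought in with the wrong type, builds the pattern semanage fcontext expects for a directory tree, and wraps the permanent (semanage plus restorecon) and temporary (chcon) ways of relabeling side by side. The ls -Z lines, the /srv/web path and the SELINUX_DRY_RUN switch are constructed for the example; the privileged commands only run as root on a host where selinuxenabled succeeds, and are printed otherwise.

```shell
#!/bin/bash
# Added example, not part of the original post. Helpers around chcon,
# restorecon and semanage fcontext. The privileged commands run only as
# root on an SELinux-enabled host with SELINUX_DRY_RUN unset; otherwise
# they are printed so the script can be read and exercised anywhere.

# Type component (3rd field) of a context such as
# "unconfined_u:object_r:default_t:s0".
ctx_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# Parse "ls -Z" output (stdin) into "name type" lines. The context is the
# field with at least three colons, so this works for the RHEL7 "ls -Z"
# layout (mode user group context name) and for "ls -lZ" alike.
ls_z_types() {
  awk '{
    for (i = 1; i <= NF; i++) {
      n = split($i, c, ":")
      if (n >= 4) { print $NF, c[3]; break }
    }
  }'
}

# Constructed sample of "ls -Z /var/www/html" after one file was copied
# there from /root with cp and another moved with mv: the copy picked up
# the directory default, the moved file kept its admin_home_t label.
SAMPLE_LS_Z='-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 copied.html
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 moved.html'

# Names in ls -Z output whose type differs from $1, the type the directory
# is supposed to carry; this is how a file mislabeled by mv is found.
mislabeled() {  # usage: ls -Z DIR | mislabeled httpd_sys_content_t
  ls_z_types | awk -v want="$1" '$2 != want { print $1 }'
}

# Regular expression semanage fcontext expects for a directory tree: the
# directory itself plus everything below it. A path containing regex
# metacharacters (., +, ?) would need them escaped.
fcontext_pattern() {
  printf '%s(/.*)?\n' "${1%/}"
}

# Real run only as root, with SELinux enabled and SELINUX_DRY_RUN unset.
can_relabel() {
  [ -z "$SELINUX_DRY_RUN" ] && [ "$(id -u)" -eq 0 ] &&
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled
}

# Permanent change: record a rule with semanage fcontext (-a adds; use -m
# to modify a rule that already exists), then apply it with restorecon.
# Unlike chcon, the result survives a relabel.
relabel_tree() {  # usage: relabel_tree /srv/web httpd_sys_content_t
  dir=${1%/}; ftype=$2; pattern=$(fcontext_pattern "$dir")
  if can_relabel; then
    semanage fcontext -a -t "$ftype" "$pattern" && restorecon -Rv "$dir"
  else
    printf 'semanage fcontext -a -t %s "%s"\nrestorecon -Rv %s\n' \
      "$ftype" "$pattern" "$dir"
  fi
}

# Temporary change for comparison: chcon sets the label now but records
# no rule, so the next restorecon (or a boot-time relabel) undoes it.
temporary_relabel() {  # usage: temporary_relabel /srv/web httpd_sys_content_t
  if can_relabel; then
    chcon -R -t "$2" "$1"
  else
    printf 'chcon -R -t %s %s\n' "$2" "$1"
  fi
}
```

Before and after relabel_tree, matchpathcon /srv/web prints the context the rules now assign to that path, and semanage fcontext -l lists the recorded rules; if restorecon still reverts a label, the rule is missing or its pattern does not match the path.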
