SELinux

Getting SELinux working can be tough. Here are some commands I found useful.

Is SELinux enabled?

sestatus

Put SELinux into permissive mode without a reboot (denials are logged but not enforced; lasts only until the next reboot):

setenforce Permissive

Disable SELinux persistently (takes effect at the next reboot; note the configuration key is upper-case):

vi /etc/sysconfig/selinux
SELINUX=disabled

Show the security context of a file:

ls -lZ

Copy the context from one file to another:

chcon --reference=<source> <destination>

Generate allow rules from the AVC denials in an audit log saved to /tmp/selinux:

/usr/bin/audit2allow -i /tmp/selinux

Explain the denials in the kernel log (audit2why reads the dmesg output directly with -d):

/usr/bin/audit2why -d

Reading an audit entry (here sendmail was denied read access to a file labelled for httpd):

Jun 21 16:13:16 soldier kernel: audit(1182456796.114:8413): avc: denied { read } for pid=2692 comm="sendmail" name="[2063705]" dev=eventpollfs ino=2063705 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file

  • scontext is the source security context (the context of the process making the request; here sendmail running as system_mail_t, which is the domain a rule would have to allow)
  • tcontext is the target security context (the label actually on the file being accessed; here httpd_t)
  • tclass is the target security class (the kind of object involved; here file)
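As an added example (not part of the original notes), a small parser that reads AVC lines of the format above, pulls out the scontext/tcontext/tclass fields, and prints the allow rule audit2allow would derive from each denial. The sample lines are constructed: the first is the sendmail entry above, the second is an invented spamd denial, the third is a non-AVC kernel line the parser must skip.

```python
import re

# Constructed sample log: the page's sendmail denial, a made-up spamd denial,
# and one ordinary kernel line that is not an AVC message.
SAMPLE_LOG = """\
Jun 21 16:13:16 soldier kernel: audit(1182456796.114:8413): avc: denied { read } for pid=2692 comm="sendmail" name="[2063705]" dev=eventpollfs ino=2063705 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file
Jun 21 16:14:02 soldier kernel: audit(1182456842.001:8420): avc: denied { name_connect } for pid=2710 comm="spamd" dest=783 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:spamd_port_t:s0 tclass=tcp_socket
Jun 21 16:15:00 soldier kernel: eth0: link is up
"""

AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs; some values are quoted

def parse_avc(line):
    """Return a dict for one AVC line, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    entry = {"verdict": m.group("verdict"), "perms": m.group("perms").split(), "fields": fields}
    # A context is user:role:type[:level]; policy rules are written against the type.
    entry["stype"] = fields["scontext"].split(":")[2]  # type (domain) of the requesting process
    entry["ttype"] = fields["tcontext"].split(":")[2]  # type of the object being accessed
    return entry

def parse_log(text):
    """Parse every AVC line in a log, skipping everything else."""
    return [e for e in (parse_avc(l) for l in text.splitlines()) if e]

def explain(entry):
    """One-line reading of an entry, following the scontext/tcontext/tclass bullets above."""
    f = entry["fields"]
    obj = f.get("name") or f.get("dest") or f.get("path") or "?"
    return (f"{entry['verdict']}: {f.get('comm', '?')} (pid {f.get('pid', '?')}, {entry['stype']}) "
            f"wanted {' '.join(entry['perms'])} on {f['tclass']} {obj} ({entry['ttype']})")

def rule_hint(entry):
    """The allow rule audit2allow would emit for this denial. Before adding such a rule, check
    whether the target is simply mislabelled (fix the context) or a boolean already covers it."""
    return f"allow {entry['stype']} {entry['ttype']}:{entry['fields']['tclass']} {{ {' '.join(entry['perms'])} }};"

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(explain(e))
        print("   ", rule_hint(e))
```

For the sendmail entry this prints the rule `allow system_mail_t httpd_t:file { read };`, which is exactly the kind of rule audit2allow -i would produce; whether to install it or relabel the file is the judgement call.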

Show all SELinux boolean settings:

/usr/sbin/getsebool -a

Set an SELinux boolean (permanently):

/usr/sbin/setsebool -P spamassassin_can_network=1

To relabel only the files owned by an RPM package (here mailman), using the package's file contexts:

fixfiles -R mailman restore

To relabel the entire filesystem:

fixfiles relabel