SELinux Tools

Time
21 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
21
Video Transcription
00:00
>> Hey, cybrarians, welcome back to
00:00
the Linux+ course here in Cybrary,
00:00
I'm your instructor Rob Gills and in today's lesson,
00:00
we're going to be covering SELinux Tools.
00:00
Upon completion of today's lesson,
00:00
you are going to be able to understand how to view
00:00
SELinux contexts and set modes.
00:00
We'll talk about how to modify file contexts and
00:00
policies and also use the commands setenforce,
00:00
setsebool, chcon, and restorecon.
00:00
Every object managed by
00:00
SELinux has an associated context.
00:00
This is going to be really
00:00
the permission or the context that we have in
00:00
the file that defines
00:00
what subjects can access the object.
00:00
For files to see this,
00:00
we could use the ls -Z command.
00:00
This is going to display the file context
00:00
and the name of the file.
00:00
If we're looking at a process,
00:00
we can use ps -Z,
00:00
and that displays the contexts for the process
00:00
running in the current shell as well as
00:00
the process name.
00:00
We can also use that -Z option
00:00
to see the context of other objects;
00:00
id and netstat are
00:00
two good examples where we can use that as well.
00:00
Now let's talk about context labels for
00:00
a bit because they can be really complicated,
00:00
for example, unconfined_u:object_r:user_home_t:s0 file1.
00:00
What? The format of
00:00
a context label is user:role:type:level.
00:00
However, user, role,
00:00
and level, those three we don't care about,
00:00
they're only used in MLS and like I said,
00:00
we don't care about that for the Linux+ exam,
00:00
we only care about that for the Security+ exam.
00:00
If you go into that direction, maybe you remember that.
00:00
But for right now, we only care
00:00
about that third option,
00:00
that type. Linux+ only looks at
00:00
the targeted policy so we only care about the type.
00:00
Targeted uses that type attribute
00:00
to set the object security and control access.
00:00
In the case of the unconfined example up at the top,
00:00
we really only care about user_home_t,
00:00
because that is the context,
00:00
that is the type context for that object.
00:00
Now, this looks pretty complex and how can you
00:00
ensure that a context is not causing issues,
00:00
or if it's wrong?
00:00
Well, what you can do is you can temporarily suspend
00:00
SELinux enforcement and see
00:00
if it's causing the issue that you're seeing.
00:00
Once you turn off enforcement,
00:00
if it's SELinux and an SELinux
00:00
context is causing an issue,
00:00
it's going to go away because it turns off everything.
00:00
The way that we can do this temporarily
00:00
is by using the setenforce command,
00:00
and the setenforce command can
00:00
be used to change the mode of
00:00
SELinux from enforcing to permissive or vice versa.
00:00
Now it only disables that enforcement until reboot.
00:00
If you need to completely disable SELinux
00:00
or permanently change that mode,
00:00
you have to edit the SELinux config file
00:00
that we saw on the previous lesson.
00:00
Now, what if you do determine that SELinux is
00:00
the cause of the error and you
00:00
need to change the context?
00:00
Well, this is where the chcon,
00:00
change context command comes in.
00:00
It's used to change an SELinux
00:00
security context on an object.
00:00
The chcon command accepts the following options,
00:00
chcon -u for the user,
00:00
chcon -r for the role,
00:00
chcon -t for the type, which is the type we care about,
00:00
and then the file name or the object
00:00
name that we want to modify.
00:00
One cool thing about chcon is we can give it
00:00
a -R option and it recursively
00:00
applies the context change into a directory object.
00:00
For changing the context on the directory,
00:00
we want to change the context of
00:00
everything under that directory.
00:00
We do -R to recursively change everything.
00:00
Now, what if we make a change
00:00
and it goes terribly wrong?
00:00
Well, this is where restorecon comes in.
00:00
Restorecon to the rescue.
00:00
We can revert a file system or
00:00
an individual object to
00:00
the default settings and restorecon can also
00:00
accept that lovely -R option to recursively
00:00
restore the security context
00:00
on any file that's under a directory.
00:00
Now finally, in SELinux,
00:00
there's also this concept of Booleans.
00:00
A Boolean is simply a binary value,
00:00
something that is on or off, true or false.
00:00
The nice thing about Boolean policies is that
00:00
they can be modified without reloading
00:00
SELinux or rebooting and
00:00
we can list all of the Booleans with
00:00
sudo semanage boolean -l.
00:00
That's going to list all of the Booleans.
00:00
With the Boolean being true or false, on or off,
00:00
we can use Booleans to turn on or turn
00:00
off specific policy enforcement,
00:00
and the command we use to do that is setsebool.
00:00
But first, you might want to use a command,
00:00
getsebool to see the status
00:00
of one of the Booleans listed.
00:00
For example, getsebool dhcpd_use_ldap.
00:00
Once we know the status,
00:00
we can turn the Boolean off or on, for example,
00:00
sudo setsebool on,
00:00
and then we would provide the Boolean we
00:00
want to use in this case, dhcpd_use_ldap.
00:00
With that, in this lesson,
00:00
we covered how to view
00:00
SELinux contexts with the -Z option,
00:00
how to see those for files or processes.
00:00
We talked about setting the SELinux mode to
00:00
permissive or enforcing to
00:00
sometimes do a little troubleshooting,
00:00
and we could do that using the setenforce command.
00:00
We talked about how you can change contexts
00:00
with the chcon command and then also
00:00
how you revert contexts when something
00:00
goes wrong with the restorecon command.
00:00
Finally, we talked about turning policies on or
00:00
off with setsebool, which works with Booleans.
00:00
Thanks so much for being here and I look
00:00
forward to seeing you in the next lesson.