Portal:SELinux/Tools
SELinux Tools
Many standard tools on openSUSE can show and interact with SELinux labels. The convention is that an extra argument of `-Z` will show you SELinux label/type information.
Common examples are:
# ls -alZ
total 20
drwx------. 1 admin admin system_u:object_r:user_home_dir_t:s0 128 Jun 22 18:32 .
dr-xr-xr-x. 1 root  root  system_u:object_r:home_root_t:s0      10 Jun 22 18:32 ..
-rw-------. 1 admin admin system_u:object_r:user_home_t:s0        8 Jun 22 19:16 .bash_history
-rw-r--r--. 1 admin admin system_u:object_r:user_home_t:s0      604 Jun 15 04:50 .bashrc

# ps auxZ
LABEL                                                 USER PID  %CPU %MEM VSZ  RSS  TTY   STAT START TIME COMMAND
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1232 200  0.1  8360 3584 pts/0 R+   16:43 0:00 ps auxZ
In addition, SELinux has a number of dedicated tools to view denials (when one type is denied access to another type), to create policy, and to enable or disable policy selectively.
You can ensure these tools are installed with `zypper in policycoreutils setools-console`
ausearch
ausearch is the audit search tool. It allows you to query the audit logs and display denials that match certain conditions, which may hint at actions you can take to resolve an issue.
To show all denials since boot:
ausearch -ts boot -m avc
To show denials from a given timestamp onward. If the current time were 16:20:00, we could show the denials from the last 5 minutes with:
ausearch -ts 16:15:00 -m avc
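Before deciding whether a denial is best handled by a boolean, a temporarily permissive type or a custom module, it helps to see how many distinct denials there actually are. The following helper is an added example, not part of this wiki page or of the SELinux tools: it reads AVC records in the format `ausearch -m avc` prints and summarizes them by source type, target type, object class and permission. The sample records, including pids, inodes and timestamps, are constructed.

```shell
#!/bin/sh
# Summarize AVC denial records into one line per distinct
# (source type, target type, class, permission, mode) with a count.
# Hypothetical helper; the sample records below are constructed.

SAMPLE_AVC='type=AVC msg=audit(1687450000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1687450001.456:457): avc:  denied  { read } for  pid=1234 comm="httpd" name="style.css" dev="sda1" ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1687450002.789:458): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1'

# Reads AVC records on stdin and prints:
#   <count> <source type> <target type> <class> <permission(s)> <enforcing|permissive>
# sorted by count, highest first.
summarize_avc() {
    awk '
    /avc: +denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""; mode = "enforcing"
        # The denied permission set sits between "{" and "}".
        if (match($0, /[{] [^}]* [}]/)) {
            perm = substr($0, RSTART + 2, RLENGTH - 4)
            gsub(/ /, ",", perm)      # "{ read write }" -> "read,write"
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            # The type is the third colon-separated field of a context.
            if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            if (kv[1] == "tclass") cls = kv[2]
            if (kv[1] == "permissive" && kv[2] == "1") mode = "permissive"
        }
        count[src " " tgt " " cls " " perm " " mode]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

On a live system the same function can be fed directly, for example with `ausearch -ts boot -m avc | summarize_avc`; records logged while a type was permissive are marked so they are not mistaken for blocked accesses.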
semanage
`semanage` allows changing some elements of the current policy on a running system. Some common uses are:
List all available policy boolean tunables. Turning some of these "on" may resolve some issues you have without needing to write custom policy modules:
semanage boolean -l
List all types / processes that have been put into permissive mode. Rather than setting SELinux to permissive for the whole system, individual types/processes can be made permissive temporarily for analysis.
semanage permissive -l
# put a single type into permissive mode
semanage permissive -a type
semanage permissive -a httpd_t
# remove that type from permissive mode to enforcing
semanage permissive -d type
semanage permissive -d httpd_t
semodule
semodule allows dynamic loading of SELinux policy modules. It also has a useful feature that allows auditing of some violations that would otherwise be hidden. SELinux features a concept of `dontaudit` rules, which prevent logging of specific violations. By default a number of harmless violations are marked as `dontaudit` to prevent them from cluttering the logs. However, sometimes these hidden violations can be important to understand an issue.
To disable `dontaudit` rules and record all violations in the audit log:
semodule -DB
To re-enable `dontaudit` rules so that harmless violations are hidden again:
semodule -B