Packages
--------
policycoreutils - restorecon
policycoreutils-python - semanage
setroubleshoot

yum tips
---------
yum list installed | grep (...)
yum provides (command)

checking/setting mode of SELinux
---------------------------------
3 modes:
  Disabled -- off
  Permissive -- logs violations, but doesn't stop them
  Enforcing -- logs and stops violations

getenforce -- get current mode of SELinux
setenforce -- change current mode of SELinux (can't disable)
/etc/selinux/config -- set default mode for system

Description
-----------
Mandatory Access Control on top of the Discretionary Access Control implemented by file permissions

SELinux applies labels to every file, process, directory, and port

Four kinds of labels, providing a lot of (too much) flexibility:
- user
- role
- type <<--!!!!THE MAIN ONE!!!!
- sensitivity

SELinux also has a set of booleans that govern operations of the system. Kind of like the rules that govern what the labels mean.

A 'policy' is all of the settings (booleans and default labels) of what can do what on a system.

The default policy is called 'targeted' (set in /etc/selinux/config)
Actual policy files are located in /etc/selinux/targeted, but you probably shouldn't ever have to interact with them directly.

yum list installed | grep selinux - see what policies are installed on your system
yum search selinux-policy - see what other policies are available in your repo

Reading labels
-------------------
ls -laZ
  -rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg

ps -efZ
  unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 user 1880 1876 0 18:08 ? 00:00:00 sshd: user@pts/0

Interacting with policy and labels
-----------------------------------
semanage -- handy tool for querying and changing default policy (and more)
chcon -- changes the current label of an item (but not in the default policy)
restorecon -- changes labels back according to the default policy
getsebool -- list boolean values
setsebool (-P) -- set boolean value
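
Added example (not part of the original notes): a POSIX shell helper that pulls the context out of an `ls -Z` or `ps -Z` line and splits it into user, role, type and sensitivity level, which is handy when auditing which type a file or process really carries. The function names extract_context and ctx_field are made up for this example, and the two sample lines are the ones shown under "Reading labels".

```shell
#!/bin/sh
# Split SELinux contexts (user:role:type[:level]) taken from `ls -Z` / `ps -Z` lines.

# Print the first whitespace-separated token that looks like a context.
# Each field must start with a letter or underscore, so "00:00:00" is skipped.
extract_context() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[A-Za-z_][A-Za-z0-9_]*:[A-Za-z_][A-Za-z0-9_]*:[A-Za-z_][A-Za-z0-9_]*(:.+)?$/) {
                print $i; exit
            }
    }'
}

# ctx_field CONTEXT user|role|type|level
# The level can contain colons itself (s0-s0:c0.c1023), so only the first
# three colons are treated as field separators.
ctx_field() {
    ctx=$1
    case $ctx in
        *:*:*) ;;
        *) echo "not a context: $ctx" >&2; return 1 ;;
    esac
    user=${ctx%%:*}; rest=${ctx#*:}
    role=${rest%%:*}; rest=${rest#*:}
    case $rest in
        *:*) ctype=${rest%%:*}; level=${rest#*:} ;;
        *)   ctype=$rest; level= ;;          # context without a level field
    esac
    case $2 in
        user)  printf '%s\n' "$user" ;;
        role)  printf '%s\n' "$role" ;;
        type)  printf '%s\n' "$ctype" ;;
        level) printf '%s\n' "$level" ;;
        *) echo "unknown field: $2" >&2; return 1 ;;
    esac
}

# Sample lines copied from the "Reading labels" section of the notes.
LS_LINE='-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg'
PS_LINE='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 user 1880 1876 0 18:08 ? 00:00:00 sshd: user@pts/0'

for line in "$LS_LINE" "$PS_LINE"; do
    c=$(extract_context "$line")
    echo "type=$(ctx_field "$c" type) level=$(ctx_field "$c" level)"
done
```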