1. What is SELinux?
SELinux is a type of security enhancement that gives users and administrators more control over which users and applications can access which resources, such as files, on top of the standard Linux access controls. It is mainly used to protect internal data (not external data) from system services. In real-world environments SELinux is disabled and iptables is used instead. When SELinux is enabled, it protects all services, files and directories by default.
2. In how many ways can we implement SELinux? Explain them.
SELinux can be implemented mainly in 2 modes:
(i) Enabled
(ii) Disabled (default mode)
Enabled: the SELinux policy is enabled. This mode of SELinux is divided into two parts:
(a) Enforcing
(b) Permissive
Disabled: the SELinux policy is disabled.
3. What is Enforcing mode in SELinux?
Enforcing means SELinux is on. It checks the SELinux policy and stores a log. No one can access the services by default, but we can change the policy whenever needed.
4. What is Permissive mode in SELinux?
SELinux is on; it does not check the SELinux policy, but it stores the log. Everybody can access the services by default, and we can also change the SELinux policy. It is also called debugging mode or troubleshooting mode. In this mode SELinux policies and rules are applied to subjects and objects, but actions are not affected.
5. What is Disabled mode in SELinux?
SELinux is turned off, and no warning or log messages are generated or stored.
6. What are Booleans?
Booleans are variables that can be set to either true or false. Booleans enhance the effect of SELinux policies implemented by system administrators. A policy may protect certain daemons or services by applying various access control rules.
7. What is SELinux policy?
The SELinux policy is the set of rules that guide the SELinux security engine. It defines types for file objects and domains for processes. It uses roles to limit the domains that can be entered, and user identities to specify the roles that can be attained.
8. What are the required files for SELinux?
# vim /etc/selinux/config -----> It is the main file for SELinux.
# vim /etc/sysconfig/selinux -----> It is a link file to the above file.
# vim /var/log/audit/audit.log -----> SELinux log messages are stored in this file.
9. What is the command to see the SELinux mode?
# getenforce (to check the SELinux mode)
10. What is the command to set the SELinux mode temporarily?
# setenforce 0 or 1 (to set the SELinux mode, where '0' -----> Permissive and '1' -----> Enforcing)
Note: (i) Changing the SELinux mode from Permissive to Enforcing or from Enforcing to Permissive does not require a system restart.
(ii) Changing from Enforcing mode to Disabled mode or from Disabled mode to Enforcing mode requires a system restart.
(iii) The above commands change the SELinux mode temporarily only. To make the SELinux change permanent, open /etc/selinux/config and set
SELINUX=enforcing or permissive or disabled (save and exit this file)
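
The notes above separate a temporary setenforce change from the permanent setting in /etc/selinux/config. The following added example (not part of the original page) compares the two and reports which case applies; the function names configured_mode and mode_drift and the sample config file are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect drift between the persistent SELinux mode in the
# config file and the current runtime mode (as printed by getenforce).

# configured_mode FILE: print the SELINUX= value, lower-cased.
# Commented lines and SELINUXTYPE= are ignored. If several assignments
# exist, the last one is used (an assumption of this example).
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# mode_drift FILE RUNTIME_MODE: print a verdict.
# Returns 0 if consistent, 1 on drift, 2 if either value is not a valid mode.
mode_drift() {
    cfg=$(configured_mode "$1")
    run=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    for v in "$cfg" "$run"; do
        case "$v" in
            enforcing|permissive|disabled) ;;
            *) echo "invalid: config='$cfg' runtime='$run'"; return 2 ;;
        esac
    done
    if [ "$cfg" = "$run" ]; then
        echo "ok: runtime and config are both $run"
    elif [ "$cfg" = disabled ] || [ "$run" = disabled ]; then
        # Note (ii): moving to or from Disabled needs a restart.
        echo "reboot-pending: config=$cfg runtime=$run"
        return 1
    else
        # Note (iii): a setenforce change lasts only until the next boot.
        echo "temporary: runtime=$run, config=$cfg applies at next boot"
        return 1
    fi
}

# Constructed sample config so the example runs offline.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
printf '%s\n' '# SELINUX= can take one of three values' \
    'SELINUX=enforcing' 'SELINUXTYPE=targeted' > "$sample"

mode_drift "$sample" Permissive || :   # as if "setenforce 0" had been run
mode_drift "$sample" Enforcing         # runtime matches the config
# On a real host: mode_drift /etc/selinux/config "$(getenforce)"
```

A "temporary" verdict on a host whose config says enforcing means someone switched the running system to permissive; the audit log named in question 8 is the place to look for when that happened.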
11. What is the command to see the SELinux policy details?
# sestatus (to see the SELinux policy details)
Other useful commands:
# ls -Z (to see the SELinux context of the file)
# ls -ldZ (to see the SELinux context of the directory)
# ps -efZ | grep <process name> (to see the SELinux context of the process running on the system)
# ps -efZ | grep http (to see the SELinux context of the http process running on the system)
# chcon -t <type> <file or directory> (to change the SELinux context of the file or directory)
# chcon -t public_content_t /public (to change the SELinux context of the /public directory)
# chcon -R -t public_content_t /public (to change the SELinux context of the /public directory and its contents)
# restorecon -v <file or directory> (to restore the previous SELinux context of the file/directory)
# restorecon -v /public (to restore the previous SELinux context of that directory)
# restorecon -Rv <directory> (to restore the previous SELinux context of the directory and its contents)
# restorecon -Rv /public (to restore the previous SELinux context of the /public directory and its contents)
# getsebool -a | grep <service name> (to see the booleans of the specified service)
# getsebool -a | grep ftp (to see the booleans of the ftp service)
# setsebool <boolean> <on or off> (to change a boolean temporarily)
# setsebool allow_ftpd_anon_write on (to change the boolean of the ftpd service temporarily)
# setsebool -P <boolean>=<1 or 0> (to change the boolean for the service on or off permanently)
# setsebool -P samba_export_all_rw=1 (to change the boolean for the samba service permanently on)