selinux
Check whether SELinux is enabled, and in which mode, with getenforce or sestatus.
Switch to enforcing mode with setenforce enforcing or setenforce 1.
Switch to permissive mode (denials are logged but not blocked) with setenforce permissive or setenforce 0.
setenforce changes only the running state; the mode in /etc/selinux/config is what applies after a reboot.
##### Creating own module
Files used:
  * .te, Type Enforcement file (the types and allow rules of the module)
  * .fc, File Context file (which paths get which labels)
#### Method 1 ####
checkmodule -M -m -o mymodule.mod mymodule.te
semodule_package -o mymodule.pp -m mymodule.mod
sudo semodule -i mymodule.pp
#### Method 2 ####
The .te file starts with "policy_module(my_module_name, 1.0.0)"; the Makefile comes from the selinux-policy-devel package on Fedora/RHEL.
make -f /usr/share/selinux/devel/Makefile mymodule.pp
sudo semodule -i mymodule.pp
Also see: https://wiki.gentoo.org/wiki/SELinux/Tutorials/Creating_your_own_policy_module_file
Find denials:
sudo ausearch -m avc -ts today
sudo sealert -a /var/log/audit/audit.log
# "avc" is "access vector cache"
# Log message example:
type=AVC msg=audit(1348173901.081:298): avc: denied { write open } for pid=3426 comm="smartd" name="smartd.WDC_WD2500BEKT_75PVMT0-WD_WXC1A21E0454.ata.state" dev=sda6 ino=582390 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:var_lib_t tclass=file
# scontext is the source (process) context, tcontext the target (object) context, tclass the object class; the braces list the denied permissions
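The module-building steps under "Creating own module" are usually driven by a denial like the one above. The script below is an added example, not part of this wiki page: it parses the page's smartd denial into its fields, generates a minimal .te in the policy_module style (what audit2allow would produce), and builds it with the Method 1 commands. The module name mymodule and the build directory passed to --build are assumptions.

```shell
#!/bin/sh
# Added example, not from the original wiki page: parse one AVC denial line
# into its fields and turn it into a minimal Type Enforcement (.te) module,
# then build it with the Method 1 commands from the page.
# The denial line is the page's own smartd example; the module name
# "mymodule" and the build directory are assumptions.

AVC_LINE='type=AVC msg=audit(1348173901.081:298): avc: denied { write open } for pid=3426 comm="smartd" name="smartd.WDC_WD2500BEKT_75PVMT0-WD_WXC1A21E0454.ata.state" dev=sda6 ino=582390 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:var_lib_t tclass=file'

# avc_field LINE KEY: print the value of KEY=value from the line, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        awk -F= -v k="$2" '$1 == k { v = $2; gsub(/"/, "", v); print v; exit }'
}

# avc_perms LINE: print the denied permissions between the braces, e.g. "write open".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type (third field) of user:role:type[:level].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# gen_te MODULE LINE: print a .te module allowing exactly this one denial
# (one source type, one target type, one class, only the denied permissions).
gen_te() {
    mod=$1
    src=$(ctx_type "$(avc_field "$2" scontext)")
    tgt=$(ctx_type "$(avc_field "$2" tcontext)")
    cls=$(avc_field "$2" tclass)
    perms=$(avc_perms "$2")
    printf 'policy_module(%s, 1.0.0)\n\nrequire {\n\ttype %s;\n\ttype %s;\n}\n\nallow %s %s:%s { %s };\n' \
        "$mod" "$src" "$tgt" "$src" "$tgt" "$cls" "$perms"
}

# build_module MODULE DIR: Method 1 from the page; needs checkmodule and
# semodule_package (policycoreutils) and DIR/MODULE.te already written.
build_module() {
    checkmodule -M -m -o "$2/$1.mod" "$2/$1.te" &&
        semodule_package -o "$2/$1.pp" -m "$2/$1.mod" &&
        echo "built $2/$1.pp; install with: sudo semodule -i $2/$1.pp"
}

# Usage: ./avc2te.sh             -> print the generated .te to stdout
#        ./avc2te.sh --build DIR -> also write DIR/mymodule.te and build it
if [ "${1:-}" = "--build" ]; then
    gen_te mymodule "$AVC_LINE" > "$2/mymodule.te" && build_module mymodule "$2"
else
    gen_te mymodule "$AVC_LINE"
fi
```

Before loading such a module, check whether the denial is really a missing rule: a mislabelled file is fixed with restorecon and a documented exception is switched on with setsebool, and both are easier to maintain than a custom module. The generated rule is deliberately as narrow as the denial itself, so a second denial with other permissions or another target type needs a new run rather than a widened rule.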
Fix wrong file labels (relabel to the policy's default context):
sudo restorecon -Rv /path/to/broken/file/or/directory
Turn on a policy boolean persistently:
sudo setsebool -P <boolean_name> on
List the ports a service type may use, and add one:
sudo semanage port -l | grep <service_name>
sudo semanage port -a -t <port_type_t> -p tcp <port_number>
selinux.1780510960.txt.gz · Last modified: by reddy
