Tech Skills - Red Hat Enterprise Linux 7 - 3.0 Securing Services
Filename: techskills-linuxsecurity-3-1-securing_services_with_selinux
Title: Securing Services with SELinux
Subtitle: Linux Security Techniques
SELinux Modes
Enforcing - Access not conforming to ACLs is blocked
Permissive - Access not conforming to ACLs is logged but not blocked
Disabled - ACLs are not applied
chcon changes are persistent on the file, but are not recorded in the SELinux policy
restorecon resets the values, erasing the changes
Unfortunately, people use restorecon a lot
This can accidentally erase a context that was set with chcon
SELinux policy
The SELinux policy tracks the default contexts that restorecon uses
The defaults can be overridden; local overrides are stored in:
/etc/selinux/targeted/contexts/files/file_contexts.local
To update the policy, use semanage fcontext...
Part of the policycoreutils-python package
Example
1. ls -dZ /website
2. semanage fcontext -a -t httpd_sys_content_t /website
3. restorecon -Rv /website
4. ls -dZ /website
Making it recursive
1. semanage fcontext -a -t httpd_sys_content_t "/website(/.*)?"
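
Why the "(/.*)?" suffix matters, as an added example that is not part of the original notes: file-context rules are regular expressions that must match the whole path, so the rule from step 2 covers only the /website directory itself. The label_for function and the sample rule strings are constructed for illustration, and the matching is simplified (the last matching line wins, no file-type column).

```shell
#!/bin/sh
# Added example: a simplified model of how file-context rules are matched.
# It needs no SELinux tooling; the real lookup is done by restorecon.

# Constructed sample rules in file_contexts.local layout: "<regex> <context>".
RULES_EXACT='/website    system_u:object_r:httpd_sys_content_t:s0'
RULES_RECURSIVE='/website(/.*)?    system_u:object_r:httpd_sys_content_t:s0'

# label_for RULES PATH
# Prints the context of the last rule whose regex matches the WHOLE path,
# or "<no local rule>" when none does (the base policy would then decide).
label_for() {
    rules=$1 path=$2 result='<no local rule>'
    while read -r regex context; do
        # Skip blank lines and comments.
        case $regex in ''|'#'*) continue ;; esac
        # grep -x anchors the expression at both ends of the path.
        if printf '%s\n' "$path" | grep -Eqx -- "$regex"; then
            result=$context
        fi
    done <<EOF
$rules
EOF
    printf '%s\n' "$result"
}

# Compare both rules on the directory, a file below it, and a sibling path.
for p in /website /website/index.html /websites; do
    printf '%-22s exact: %s\n' "$p" "$(label_for "$RULES_EXACT" "$p")"
    printf '%-22s recursive: %s\n' "$p" "$(label_for "$RULES_RECURSIVE" "$p")"
done
```

With only the exact rule in place, restorecon -Rv /website relabels the directory to httpd_sys_content_t, but the files below it get whatever the base policy assigns them.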