{"id":3958,"date":"2015-09-08T12:35:07","date_gmt":"2015-09-08T12:35:07","guid":{"rendered":"http:\/\/blog.bachi.net\/?p=3958"},"modified":"2015-11-20T13:48:22","modified_gmt":"2015-11-20T13:48:22","slug":"selinux-on-fedora","status":"publish","type":"post","link":"https:\/\/blog.bachi.net\/?p=3958","title":{"rendered":"SELinux on Fedora"},"content":{"rendered":"

SELinux User’s and Administrator’s Guide<\/a> (PDF)<\/p>\n

Wikipedia: SELinux<\/a>
\nCentOS Wiki: SELinux<\/a>
\nIntroduction to SELinux: Don’t let complexity scare you off<\/a>
\nPractical SELinux for the beginner: Contexts and labels<\/a><\/p>\n

Security-Enhanced Linux – User Guide<\/a>
\n2.1. Benefits of running SELinux<\/a>
\n5.4.2. Disabling SELinux<\/a><\/p>\n

TFTP<\/h3>\n

Problem<\/h4>\n
\r\n$ tftp 10.20.30.40 -c get \/app-nand.bin\r\nError code 0: Permission denied\r\n<\/pre>\n
Solution<\/h4>\n
\r\n$ cd \/var\/lib\/tftpboot\r\n$ ls -alZ \r\ndrwxrwxrwx. root root system_u:object_r:tftpdir_rw_t:s0 .\r\ndrwxr-xr-x. root root system_u:object_r:var_lib_t:s0   ..\r\n-rwxrwxrwx. root root system_u:object_r:user_home_t:s0 app-nand.bin\r\n\r\n$ cd ..\r\n$ restorecon -Rv tftpboot\r\nrestorecon reset \/var\/lib\/tftpboot\/app-nand.bin context system_u:object_r:user_home_t:s0->system_u:object_r:tftpdir_rw_t:s0\r\nrestorecon set context \/var\/lib\/tftpboot\/app-nand.bin->system_u:object_r:tftpdir_rw_t:s0 failed:'Operation not permitted'\r\n\r\n$ sudo restorecon -Rv tftpboot\r\nrestorecon reset \/var\/lib\/tftpboot\/app-nand.bin context system_u:object_r:user_home_t:s0->system_u:object_r:tftpdir_rw_t:s0\r\n\r\n$ cd tftpboot\r\n$ ls -alZ \r\ndrwxrwxrwx. root root system_u:object_r:tftpdir_rw_t:s0 .\r\ndrwxr-xr-x. root root system_u:object_r:var_lib_t:s0   ..\r\n-rwxrwxrwx. root root system_u:object_r:tftpdir_rw_t:s0 app-nand.bin\r\n\r\n$ tftp 172.21.6.53 -c get \/app-nand.bin\r\n$\r\n<\/pre>\n
Configuration examples<\/a>
\nSELinux Contexts – Labeling Files<\/a><\/p>\n
Discretionary Access Control (DAC)<\/a>, bei allen Linux Systemen f\u00fcr Files\/Directories
\nRole Based Access Control (RBAC)<\/a>, bei SELinux f\u00fcr Prozesse<\/p>\n
\r\n$ ls -Z file1\r\n-rw-rw-r--  user1  group1  unconfined_u:object_r:user_home_t:s0  file1\r\n       DAC: <user> <group> <user>       <role>   <type>    <level>\r\n<\/pre>\n
[code]
\n$ cat \/etc\/selinux\/targeted\/contexts\/files\/file_contexts.homedirs
\n# User-specific file contexts, generated via libsemanage
\n# use semanage command to manage system users to change the file_context<\/p>\n
# Home Context for user unconfined_u
\n\/home\/[^\/]*\/.+              unconfined_u:object_r:user_home_t:s0
\n\/home\/[^\/]*\/.maildir(\/.*)?  unconfined_u:object_r:mail_home_rw_t:s0
\n\/home\/[^\/]*     -d          unconfined_u:object_r:user_home_dir_t:s0
\n\/home\/[^\/]*     -l          unconfined_u:object_r:user_home_dir_t:s0
\n\/home\/[^\/]*\/abc —          unconfined_u:object_r:mozilla_home_t:s0
\n\/home\/[^\/]*\/tmp -d          unconfined_u:object_r:user_tmp_t:s0<\/p>\n
\r\n$ system-config-selinux\r\n\r\n$ yum install policycoreutils-devel\r\n$ yum install policycoreutils-gui\r\n$ sepolicy gui\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
SELinux User’s and Administrator’s Guide (PDF) Wikipedia: SELinux CentOS Wiki: SELinux Introduction to SELinux: Don’t let complexity scare you off Practical SELinux for the beginner: Contexts and labels Security-Enhanced Linux – User Guide 2.1. Benefits of running SELinux 5.4.2. Disabling SELinux TFTP Problem $ tftp 10.20.30.40 -c get \/app-nand.bin Error code 0: Permission denied Solution […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3958","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blog.bachi.net\/index.php?rest_route=\/wp\/v2\/posts\/3958","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.bachi.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.bachi.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.bachi.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.bachi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3958"}],"version-history":[{"count":12,"href":"https:\/\/blog.bachi.net\/index.php?rest_route=\/wp\/v2\/posts\/3958\/revisions"}],"predecessor-version":[{"id":4322,"href":"https:\/\/blog.bachi.net\/index.php?rest_route=\/wp\/v2\/posts\/3958\/revisions\/4322"}],"wp:attachment":[{"href":"https:\/\/blog.bachi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3958"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.bachi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3958"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.bachi.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3958"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}