SELINUX
DAC =Discretionary access control
MAC =Mandatory access control
DAC ->chmod,acl,sudo,visudo
MAC ->selinux
3 states of selinux
1. ENABLED = DAC + MAC both are implemented
2. PERMISSIVE = DAC + warning messages of MAC
3. DISABLED = ONLY DAC
TO show status of selinux
1. cat /etc/sysconfig/selinux
2. sestatus
3. getenforce
TO Change status of selinux from or to permissive/enabled
1. setenforce 0 ->set to permissive from enforcing
2. setenforce 1 ->set to enforcing from permissive
TO Change status of selinux from or to disabled/enabled
1. vim /etc/sysconfig/selinux OR
2. system-config-selinux
Once u change from disable-enable or enable-disable you haf
to reboot for changes
To enable/disable booleans for services
1. getsebool -a |grep <service> ->show status of service
2. setsebool -P <service> <on/off> ->Change status of service
To check status of selinux on files
1. ls -Z <file> ->show sestatus for files
To change context of selinux on files
1. chcon -t <policy> <file> OR
2. chcon -R --reference <srcfile> <dstfile>
To restore context/policy to originals
1. restorecon <srcfile>
Log Messages of selinux are stored in
1. tailf /var/log/audit/audit.log
2. sealert -b /var/log/audit/audit.log ->>gui mode
DAC =Discretionary access control
MAC =Mandatory access control
DAC ->chmod,acl,sudo,visudo
MAC ->selinux
3 states of selinux
1. ENABLED = DAC + MAC both are implemented
2. PERMISSIVE = DAC + warning messages of MAC
3. DISABLED = ONLY DAC
TO show status of selinux
1. cat /etc/sysconfig/selinux
2. sestatus
3. getenforce
TO Change status of selinux from or to permissive/enabled
1. setenforce 0 ->set to permissive from enforcing
2. setenforce 1 ->set to enforcing from permissive
TO Change status of selinux from or to disabled/enabled
1. vim /etc/sysconfig/selinux OR
2. system-config-selinux
Once u change from disable-enable or enable-disable you haf
to reboot for changes
To enable/disable booleans for services
1. getsebool -a |grep <service> ->show status of service
2. setsebool -P <service> <on/off> ->Change status of service
To check status of selinux on files
1. ls -Z <file> ->show sestatus for files
To change context of selinux on files
1. chcon -t <policy> <file> OR
2. chcon -R --reference <srcfile> <dstfile>
To restore context/policy to originals
1. restorecon <srcfile>
Log Messages of selinux are stored in
1. tailf /var/log/audit/audit.log
2. sealert -b /var/log/audit/audit.log ->>gui mode
If you found this post useful, I would really love it, if you can Like the Page, or share it with your Facebook/Google+/Twitter Friends... It will keep me motivated. Thank you!
No comments:
Post a Comment