Questions tagged [selinux]

NSA Security-Enhanced Linux (SELinux) is an implementation of a flexible mandatory access control architecture in the Linux operating system.

The SELinux architecture provides general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement®, Role-Based Access Control, and Multi-Level Security. Background information and technical documentation about SELinux can be found at http://www.nsa.gov/selinux.

681 questions
13 votes, 1 answer

SELinux reset root password

Disclaimer: This question is not to solve the problem of changing root password while SELinux is active because there are a lot of guides to solve that already. This is more of how SELinux does that internally. I'm a recent user of SELinux but…

Jorge Heleno

13 votes, 3 answers

Real life SELinux security example?

Can anyone give a real life example of where SELinux saved their security bacon? (or AppArmour if you wish). If not your own, a pointer to someone with a credible experience? Not a lab test, not a white paper, not a best practice, not a CERT…

kmarsh

12 votes, 1 answer

How can I query for all selinux rules/default file contexts/etc affecting a type

I need to know everything related to a selinux type on a running system's current rules: allow, auditallow, dontaudit rules. files labeled with a context using the type. transitions. ...and any other info. Is there any command(s) I can use to…

11 votes, 4 answers

Does SELinux make Redhat more secure?

Does SELinux make Redhat more secure? I can't remember the number of times when I have disabled SELinux because it kept frustrating my ability to get stuff running. Lots of times too there was no obvious reason why stuff wasn't working and I had to…

vfclists

10 votes, 3 answers

SELinux: How to create a new file type

On RHEL/CentOS 7 I'm trying to create a new SELinux security context for files to support a new service that I'm writing. I've created a Type Enforcement file for my new service, but I can't manage to create a new type that the system will recognize…

Guss

9 votes, 1 answer

How to disallow the Docker Daemon to mount host's root file system into the container

I have the following Container Setup. On a bare metal server two Docker Daemons are installed and running. Main Docker Daemon Runs my application containers exposing 80/443 to the outside world. Plugin Docker Daemon Runs some containers provided…

Vad1mo

9 votes, 1 answer

CentOS 7 - Directories created through VSFTPD not inheriting SELinux contexts

Our company has a webserver with CentOS 7 and our customers manage their websites through FTP (vsftpd). SELinux is in enforcing mode. The issue is that data created/uploaded through VSFTPD is not inheriting the appropriate SELinux context. Let me…

9 votes, 1 answer

SSH - 1s hang at "Entering interactive session" (Not DNS; possibly SELinux related)

I'm having an issue on CentOS 6.7 where SSH logins are 1s more than any non-6.7 machines on this network (e.g. 7.2, 5.11). Running debugging on the client side showed the hang at "Entering interactive session". The command I'm using to base this…

Morgon

9 votes, 4 answers

Write once, read many (WORM) using Linux file system

I have a requirement to write files to a Linux file system that can not be subsequently overwritten, appended to, updated in any way, or deleted. Not by a sudo-er, root, or anybody. I am attempting to meet the requirements of the financial services…

phil_ayres

9 votes, 3 answers

SELinux - canonical way of automatically applying a context on file creation

My current understanding is that you have to manually use restorecon to apply the desired context to a newly created file or directory unless you are happy with the context that it inherits from its parent directory. I am wondering if it is possible…

9 votes, 2 answers

How can I use SELinux to confine PHP scripts?

I want to compartmentalize different PHP applications on my SL6.4 (RHEL 6.4 rebuild) web server so that they cannot access each others' data. It seems that SELinux might be able to do this, but I am not sure on the details. My question has two…

9 votes, 2 answers

What is the difference between httpd_read_user_content and httpd_enable_homedirs?

The apache module of SELinux has two similar boolean parameters: httpd_read_user_content and httpd_enable_homedirs. Man page says the former allows httpd to read user content and the latter allow httpd to read home directories. What is the…

Tsutomu

9 votes, 2 answers

How to run PhantomJS on CentOS with SELinux?

I'm trying to make a screenshot using PhantomJS on my CentOS 5 machine, but I can't get it to work together with SELinux. It works on an identical machine with SELinux disabled, so I really suspect that SELinux is responsible for this. Here's what…

Dennis Bunskoek

9 votes, 1 answer

CentOS is ignoring my public key

I am trying to connect to my own CentOS server using SSH; I am able to connect fine with a password; I am trying to connect with my public key, but the server does not attempt public key authentication. I have followed all instructions on this page…

ILikeFood

9 votes, 1 answer

Linux - CentOS6 - semanage - command not found

I am trying to solve an issue where my HTTPD is denied access to binding custom ports and I believe it has to do with SELinux. Whilst doing some googling I came across some posts where users were typing semanage followed with flags and commands to…

Mike Purcell
