August 10, 2016
Man pages for the installed SELinux policy are not shipped by default on RHEL 7 and CentOS 7; you have to install the necessary tools and generate them yourself.
This tutorial walks through configuring the SELinux environment and adding those man pages, which make SELinux troubleshooting a lot less stressful.
For a freshly installed CentOS 7, you can have a look at: Top Things to do after fresh installation of CentOS 7.x minimal
To check whether SELinux is running, type the following on the terminal:

# getenforce
Enforcing

The output shows that SELinux is running and enforcing all policy rules. I made this setting persistent in /etc/selinux/config, which reads:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
To enable SELinux persistently without opening the file in an editor, run the following as root:

# sed -i 's/SELINUX=disabled/SELINUX=enforcing/' /etc/selinux/config

Note that this substitution only matches if the file currently says SELINUX=disabled; if it says permissive, put that value in the pattern instead, and check the file afterwards, because a pattern that does not match changes nothing and reports no error.

Files created while SELinux was disabled carry no security labels, so schedule a full filesystem relabel for the next boot:

# touch /.autorelabel

Then reboot for the changes to take effect. The relabel runs before the system comes up and can take a while on large filesystems:

# reboot

If you are coming from SELINUX=disabled, it is safer to go to permissive first, reboot, clear any denials that show up in the audit log, and only then switch to enforcing; a mislabelled system that boots straight into enforcing mode may not come up at all.

After the reboot, check the status of SELinux again; it should be in enforcing mode:

# getenforce
Enforcing
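The steps above (edit the config, schedule the relabel, reboot) can be wrapped in one function that works whatever the file currently says. This is an added example, not code from the original article: the function names and the optional CONFIG and ROOT parameters are my own, and ROOT exists only so the logic can be exercised on a scratch copy of the file rather than on /etc/selinux/config itself.

```shell
#!/bin/sh
# Added example, not code from the original article: set the persistent SELinux
# mode in an /etc/selinux/config-style file regardless of its current value,
# and schedule the relabel that is needed when leaving "disabled".
# The function names and the CONFIG/ROOT parameters are this example's own;
# ROOT exists only so the logic can be exercised on a scratch copy.
#
# Usage: set_selinux_mode MODE [CONFIG] [ROOT]
#   MODE    enforcing | permissive | disabled
#   CONFIG  file to edit, default /etc/selinux/config
#   ROOT    directory that receives /.autorelabel, default "" (i.e. /)

# Mode the file will apply at the next boot (last uncommented SELINUX= line).
# "^SELINUX=" does not match SELINUXTYPE= because of the "=" right after SELINUX.
configured_selinux_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "${1:-/etc/selinux/config}" | tail -n 1
}

set_selinux_mode() {
    mode=$1
    cfg=${2:-/etc/selinux/config}
    root=${3:-}

    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "set_selinux_mode: invalid mode '$mode'" >&2; return 2 ;;
    esac
    [ -f "$cfg" ] || { echo "set_selinux_mode: $cfg not found" >&2; return 1; }

    current=$(configured_selinux_mode "$cfg")

    # Rewrite through a temp file and copy back with cat so the config keeps
    # its inode, permissions and security label.
    tmp=$(mktemp) || return 1
    if [ -n "$current" ]; then
        sed "s/^SELINUX=.*/SELINUX=$mode/" "$cfg" > "$tmp"
    else
        # No active SELINUX= line: a substitution would silently change nothing,
        # so append one instead.
        { cat "$cfg"; printf 'SELINUX=%s\n' "$mode"; } > "$tmp"
    fi
    cat "$tmp" > "$cfg"
    rm -f "$tmp"

    # Files written while SELinux was disabled have no labels; without a full
    # relabel, booting into enforcing mode can leave the system unusable.
    if [ "$current" = "disabled" ] && [ "$mode" != "disabled" ]; then
        : > "$root/.autorelabel"
        echo "SELINUX=$mode written to $cfg; relabel scheduled, reboot required" >&2
    else
        echo "SELINUX=$mode written to $cfg (was '${current:-unset}')" >&2
    fi
}
```

On a real host, `set_selinux_mode permissive` followed by a reboot is the safe first step from a disabled system; once the audit log is clean, `set_selinux_mode enforcing` switches the mode without scheduling a second relabel.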
Installing necessary SELinux packages
Now that SELinux is enforcing policy, install the packages that make it manageable.
- setroubleshoot-server
– Provides tools to diagnose SELinux problems: when AVC denials are logged, it raises an alert that explains the denial and suggests how to resolve it (see sealert(8)).
– Install it with:
# yum install setroubleshoot-server -y
- policycoreutils-python
– Contains the management tools for an SELinux environment (semanage, audit2allow and friends).
– It is pulled in as a dependency of setroubleshoot-server, so you can skip this step if you installed that package.
# yum install policycoreutils-python
- policycoreutils-devel
– Contains the tools used to develop policy in an SELinux environment, including sepolicy, the utility that generates the man pages.
– To confirm which package provides sepolicy, and to install it:
# yum provides */sepolicy
# yum install policycoreutils-devel
With the required packages in place, let's generate the SELinux man pages.
Generating SELinux man pages
The command sepolicy manpage generates man pages from the SELinux policy installed on this system rather than from a generic upstream one, so the domains, booleans and types it documents are the ones your policy actually has. Because the pages are a static snapshot, regenerate them after a selinux-policy package update.
– The options used here are:
– -a, --all: generate a page for every domain in the policy.
– -p PATH, --path PATH: directory in which to write the generated pages.
– -d DOMAIN: generate the page for a single domain (for example httpd_t) instead of all of them.
– Generate the pages for all domains into the system man directory:
# sepolicy manpage -a -p /usr/share/man/man8/
With the options used above, sepolicy manpage writes a page for every domain into /usr/share/man/man8/.
The generated files are not yet in the index that man -k (apropos) searches, so update the man page database with mandb, which initialises or manually updates the index caches that man maintains:
# mandb
Searching for all SELinux man pages now returns a long list; try it yourself:
# man -k _selinux
To narrow the search, pipe the output through grep:
# man -k _selinux | grep httpd          (httpd-related pages)
# man -k _selinux | egrep 'samba|smb'   (Samba-related pages)
# man -k _selinux | grep nfs            (NFS daemon pages)
As the httpd example shows, grep gets you to the SELinux man page you want quickly:
# man -k _selinux | grep httpd
apache_selinux (8)                  - Security Enhanced Linux Policy for the httpd processes
httpd_helper_selinux (8)            - Security Enhanced Linux Policy for the httpd_helper processes
httpd_passwd_selinux (8)            - Security Enhanced Linux Policy for the httpd_passwd processes
httpd_php_selinux (8)               - Security Enhanced Linux Policy for the httpd_php processes
httpd_rotatelogs_selinux (8)        - Security Enhanced Linux Policy for the httpd_rotatelogs processes
httpd_selinux (8)                   - Security Enhanced Linux Policy for the httpd processes
httpd_suexec_selinux (8)            - Security Enhanced Linux Policy for the httpd_suexec processes
httpd_sys_script_selinux (8)        - Security Enhanced Linux Policy for the httpd_sys_script processes
httpd_unconfined_script_selinux (8) - Security Enhanced Linux Policy for the httpd_unconfined_script processes
httpd_user_script_selinux (8)       - Security Enhanced Linux Policy for the httpd_user_script processes
Each page is named after its domain with the _t suffix replaced by _selinux (httpd_t becomes httpd_selinux, httpd_sys_script_t becomes httpd_sys_script_selinux); apache_selinux and httpd_selinux both describe the httpd domain.
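Once the pages exist, the practical question is which one to read for a given denial. The shell functions below are an added example, not code from the original article: they map a security context, a running process or an AVC line from /var/log/audit/audit.log to the page name sepolicy uses (domain type with _t replaced by _selinux, as the httpd listing above shows), and generate_selinux_manpages wraps the sepolicy manpage and mandb steps from the previous section. The function names and MANPAGE_DIR are my own choices, and the AVC line is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original article: helpers that take you from
# a security context, a running process or an AVC denial to the man page that
# `sepolicy manpage` generated for that domain. sepolicy names each page after
# the domain type with "_t" replaced by "_selinux", e.g. httpd_t ->
# httpd_selinux(8), httpd_sys_script_t -> httpd_sys_script_selinux(8).
# Function names and MANPAGE_DIR are this example's own choices.

MANPAGE_DIR=${MANPAGE_DIR:-/usr/share/man/man8}

# Generate (or regenerate after a selinux-policy update) the pages and refresh
# the man index. Needs policycoreutils-devel and a loaded policy, so the
# offline checks of this example do not call it.
generate_selinux_manpages() {
    command -v sepolicy >/dev/null 2>&1 || {
        echo "sepolicy not found; install policycoreutils-devel" >&2
        return 1
    }
    mkdir -p "$MANPAGE_DIR" &&
    sepolicy manpage -a -p "$MANPAGE_DIR" &&
    mandb -q
}

# Type field of a context: system_u:system_r:httpd_t:s0 -> httpd_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Man page name for a domain type: httpd_t -> httpd_selinux
domain_manpage() {
    printf '%s\n' "$1" | sed 's/_t$//; s/$/_selinux/'
}

# Man page for the source domain (scontext=) of one AVC line from
# /var/log/audit/audit.log; fails if the line carries no scontext.
avc_manpage() {
    scontext=$(printf '%s\n' "$1" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    [ -n "$scontext" ] || return 1
    domain_manpage "$(context_type "$scontext")"
}

# Man page for a running process, using the label column that ps -Z shows.
pid_manpage() {
    ctx=$(ps -o label= -p "$1" 2>/dev/null) || return 1
    case "$ctx" in
        *:*:*:*) domain_manpage "$(context_type "$ctx")" ;;
        *) return 1 ;;   # no SELinux label on this process (e.g. SELinux disabled)
    esac
}

# Open the page, or fall back to the apropos search if it was not generated.
show_selinux_manpage() {
    if man -w "$1" >/dev/null 2>&1; then
        man "$1"
    else
        echo "no $1(8) found; related pages:" >&2
        man -k _selinux | grep "${1%_selinux}"
    fi
}

# Constructed sample denial (httpd blocked from connecting to a MySQL port),
# in the layout audit.log uses on RHEL 7.
SAMPLE_AVC='type=AVC msg=audit(1470000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'
```

`avc_manpage "$SAMPLE_AVC"` returns httpd_selinux, and `show_selinux_manpage "$(avc_manpage "$SAMPLE_AVC")"` opens httpd_selinux(8). The target context in the sample (mysqld_port_t) is a port type rather than a domain, so it has no page of its own; the httpd_selinux page lists the booleans, such as httpd_can_network_connect_db, that govern that kind of connection.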
That's all for today. In the next article, we'll look at managing file contexts and ports on a Linux system with SELinux running in enforcing mode. I hope this article was helpful, and thank you for reading. If you run into any problem or difficulty, let me know in the comments.