SELinux: differences between revisions
Revision as of 21:21, 13 Nov 2022
Tutorial
https://debian-handbook.info/browse/it-IT/stable/sect.selinux.html
RHEL
Changing the context of files and filesystems
[root@vm-amq-tst02 opt]# mount /mount/activemq
[root@vm-amq-tst02 opt]# ls -lartZ /mount/activemq
total 1
drwxrwxrwx. 2 root root system_u:object_r:nfs_t:s0 64 Nov 2 16:43 .
drwxr-xr-x. 3 root root unconfined_u:object_r:default_t:s0 22 Nov 13 18:52 ..
[root@vm-amq-tst02 opt]#
[root@vm-amq-tst02 opt]# semanage fcontext -a -t usr_t /mount/activemq
[root@vm-amq-tst02 opt]#
[root@vm-amq-tst02 opt]# restorecon -p -r /mount/activemq
[root@vm-amq-tst02 opt]# ls -lartZ /mount/activemq
total 1
drwxrwxrwx. 2 root root system_u:object_r:nfs_t:s0 64 Nov 2 16:43 .
drwxr-xr-x. 3 root root unconfined_u:object_r:default_t:s0 22 Nov 13 18:52 ..
[root@vm-amq-tst02 opt]#
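Why the second `ls -lartZ` above still shows `nfs_t`, as an added example that is not part of the original notes: `restorecon` can only rewrite labels on filesystems that store them per file, which the kernel marks with `seclabel` in `/proc/mounts`. The function name `label_source` and the sample mount table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. The mount table below is
# constructed (server names and exports are made up); on a real host pass
# "$(cat /proc/mounts)" instead.
SAMPLE_MOUNTS='/dev/mapper/rhel-root / xfs rw,seclabel,relatime,attr2 0 0
nfs01.example:/export/amq /mount/activemq nfs4 rw,relatime,vers=4.1,addr=192.0.2.10 0 0
nfs01.example:/export/web /mount/web nfs4 rw,context="system_u:object_r:usr_t:s0",vers=4.1 0 0'

# label_source MOUNTS PATH
# Prints how SELinux labels under PATH are determined:
#   xattr          per-file labels; semanage fcontext + restorecon apply
#   mount-context  one label for every file, fixed by a context= mount option
#   genfs          one policy-assigned label (e.g. nfs_t); restorecon has no effect
#   unknown        no mount entry covers PATH
label_source() {
    printf '%s\n' "$1" | awk -v p="$2" '
        {
            mp = $2
            # Keep the longest mount point that contains the path; a later
            # entry for the same mount point shadows an earlier one.
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END {
            if (opts == "") { print "unknown"; exit }
            n = split(opts, o, ",")
            kind = "genfs"
            for (i = 1; i <= n; i++) {
                if (o[i] ~ /^context=/) { kind = "mount-context"; break }
                if (o[i] == "seclabel") kind = "xattr"
            }
            print kind
        }'
}

# The three cases from the constructed table.
for path in /mount/activemq /mount/web/html /opt; do
    printf '%-18s %s\n' "$path" "$(label_source "$SAMPLE_MOUNTS" "$path")"
done
```

A mount reported as `genfs` keeps the single label the policy assigns to it, so a different type has to be given at mount time with the `context=` mount option rather than with `semanage fcontext`.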
semanage fcontext --list
grep nginx /etc/selinux/targeted/contexts/files/file_contexts
ls -laZ /etc/nginx/html/
https://www.cloudinsidr.com/content/tip-of-the-day-how-to-find-the-correct-selinux-security-contexts-and-adjust-selinux-labels-on-your-linux-system/
https://www.systutorials.com/docs/linux/man/8-systemd_selinux/
Dirty hack:
An easy but bad solution: allow init_t to run in permissive mode. At least you don't have to run the whole system in permissive mode...
Enable: # semanage permissive -a init_t
Disable: # semanage permissive -d init_t
systemd
Systemd allows changing the context in which a process runs.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-security-enhanced_linux-systemd_access_control