-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathselinux
115 lines (83 loc) · 2.17 KB
/
selinux
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
two demons for netfilter
1:iptable(deprected)
2:firewall d(new )
not run same time in same system
systemctl status iptable
softwares::
iptables
below written python
firewalld
firewall-config
firewalld zones
collection on connection types
list of zones in firewall
allowed services in firewall congig::
:: firewall-cmd --add-service=servicename for remove :: firewall-cmd --remove-service='name'
apache service(http ,https),mail service(smtp,smtps,imap etc.)
xmpp service ,smb service,nfs,ftp,sftp,
sftp service is subset of ssh,,Tftp,ftp is not recommanded due to security issues
firewall-cmd --panic-on
firewall panic mode so it cannt be accessible
SElinux:: comes with fedora
enforcing mode by default.
different modes of selinux
installations::
setroubleshoot-server installation
policycoreutils-python
gen2 linux
cd etc/httpd/ mode_data.so
chcon ::for changing context
installing selinux man pages::
sudo -s
dnf//apt install policycoreutils-devel
man man for man documentation
ls /usr/share/man
sepolicy manpage -a -p /usr/share/man/manxyz
mandb (update every thing)
man -k selinux
understanding of boolean::
website nsa.gov
getsebool -a
setsebool name 1/0 (1 for on 0 for off)
after restart it goes away
how to do this thing permantly::
setsebool -P name=1
for trouble shooting
dnf/apt install settroubleshootx-server
install policycoreutils-python
install policycoreutils-python-gui
system-config-selinux
seportutils
semanage
adding port
semanage -a -t http_port_t -p tcp 82(adding port)
semanage -l |grep -w http_port_t(list ports)
semanage port -d -t http_port_t -p tcp 82(remove port)
copying and moving
cp
mv
preservecontext
restoreconfig
error logs in selinux::
cd var/log
cd /audit
permissive mode note denied logs
domain adding
semanage permissive -a httpd_t
semanage -l|grep permissive
semanage permissive -d httpd_t(remove module)
disabling and enable selinux:::
always in permissive mode note enforcing mode for missbehaving
cd etc/selinux
in config file
replace enforcing to disabled
command
getenforce
reboot
for reenable
just replace disabled to permissive
reboot
further learing
http://fedoraproject.org
nsa.gov/ selinux documentation
access.redhat.com doc selinux