70


Chapter 5. Controlling and Maintaining SELinux


5.2.17. When to Reboot


Your primary reason for rebooting with SELinux is to get your file system properly labeled using the


/.autorelabel


file. Another reason might be to completely enable or disable SELinux.


Otherwise, you can safely make SELinux permissive by using


setenforce 0


.


5.3. Analyst Control of SELinux


This section presents some common tasks that a security analyst might need to do on an SELinux


system.


5.3.1. Enable Kernel Auditing


You may wish to have the full kernel level auditing available when doing analysis or troubleshooting.


This can be quite verbose, since it generates one or more additional audit message(s) for each AVC


audit message. To enable, append the parameter audit=1 to your kernel boot line, either through


/etc/grub.conf


or via the GRUB menu during boot.


This is an example of a full audit log entry when


httpd


is denied access to


~/public_html


because


the directory is not labeled as Web content:


# Notice that the time and serial number stamps in the audit(...)


# field are identical, making it easier to track a specific


# event in the audit logs:


Jan 15 08:03:56 hostname kernel: audit(1105805036.075:2392892): \


avc:


denied


{ getattr } for


pid=2239 exe=/usr/sbin/httpd \


path=/home/auser/public_html dev=hdb2 ino=921135 \


scontext=user_u:system_r:httpd_t \


tcontext=system_u:object_r:user_home_t tclass=dir


# This audit message tells more about the source, including the


# kind of syscall involved, showing that httpd tried to stat the


# directory:


Jan 15 08:03:56 hostname kernel: audit(1105805036.075:2392892): \


syscall=195 exit=4294967283 a0=9ef88e0 a1=bfecc0d4 a2=a97ff4 \


a3=bfecc0d4 items=1 pid=2239 loginuid= 1 uid=48 gid=48 euid=48 \


suid=48 fsuid=48 egid=48 sgid=48 fsgid=48


# This message tells more about the target:


Jan 15 08:03:56 hostname kernel: audit(1105805036.075:2392892): \


item=0 name=/home/auser/public_html inode=921135 dev=00:00


By design, the serial number stamp is always identical for a particular audited event. The time stamp


may not always be identical but most often is identical.


Note


If you are using an audit daemon for troubleshooting, the daemon may capture audit messages into


another location than /var/log/messages, such as /var/log/audit.log. Red Hat Enterprise Linux


4 does not ship with an audit daemon, but work on this is ongoing.








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      adult web hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved