Questions tagged [selinux]

NSA Security-Enhanced Linux (SELinux) is an implementation of a flexible mandatory access control architecture in the Linux operating system.

The SELinux architecture provides general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement®, Role-Based Access Control, and Multi-Level Security. Background information and technical documentation about SELinux can be found at http://www.nsa.gov/selinux.

668 questions
48 votes, 3 answers

SELinux: allow httpd to connect to a specific port

My system is running CentOS 6.4 with Apache 2.2.15. SELinux is enforcing and I'm trying to connect to a local instance of redis through my python/wsgi app. I get Error 13, Permission denied. I could fix this via the command: setsebool -P…
savagecitizen
41 votes, 7 answers

Reasons to disable / enable SELinux

In the line of this question on StackOverflow and the completely different crowd we have here, I wonder: what are your reasons to disable SELinux (assuming most people still do)? Would you like to keep it enabled? What anomalies have you experienced…
wzzrd
38 votes, 6 answers

Where is the sshd log file on Red Hat Linux stored?

Can someone please tell me where to find the SSHD log on RedHat and SELinux... I would like to view the log to see who is logging into my account.
user150591
30 votes, 6 answers

How do I allow MySQL connections through SELinux?

I'd like to for once leave SELinux running on a server for the alleged increased security. I usually disable SELinux to get anything to work. How do I tell SELinux to allow MySQL connections? The most I've found in the documentation is this line…
xivix
29 votes, 3 answers

How do I get SELinux to allow Apache and Samba on the same folder?

In the configuration I have set up, I wish to allow samba and apache to access /var/www. I am able to set a context to allow samba access, but then httpd doesn't have access. Using setenforce to 0 eliminates issues so I know that it is SELinux. In…
Joshua Enfield
21 votes, 9 answers

Trying to SSH in to remote computer but still asking for password

Trying to SSH in to remote computer but still asking for password. I have a number of computers running SELinux and only one of them is giving me a hard time using ssh without the password. I did a ssh-copy-id and I can see my key in the…
JMS1969SF
21 votes, 2 answers

What does the .autorelabel file do in Linux?

What does the .autorelabel file located at the file root / do in Linux? I know it's something to do with SELinux but I can't find any information as to what it actually does. I am running CentOS 6. Thanks in advance.
21 votes, 2 answers

How do I view the contents of a SELinux policy package

As the title says, how do I view the contents of a SELinux policy package? The resulting files end with .pp. I'm running on centos 6, but I guess it's the same way on "all" distros. For example cp /usr/share/selinux/targeted/cobbler.pp.bz2 ~ …
Arlukin
18 votes, 2 answers

SELinux error: ValueError: Port tcp/5000 already defined

I have been trying to add an exception to SELinux for apache on port 5000. So I used the command: # semanage port -a -t http_port_t -p tcp 5000 But it returns the error, ValueError: Port tcp/5000 already defined I tried to check if this is so with…
16 votes, 5 answers

Why do we need SELinux?

I could not get much of an idea of where SELinux is used and what it saves from an attacker. I have gone through the SELinux web site and read the basics, but I am still not getting a clue about SELinux. For the Linux system which provides the SSH shell, Apache…
Krish
16 votes, 1 answer

How to enable SELinux inside of a CentOS Docker container?

I am trying to install SELinux inside of a Docker container in order to distribute an application that uses SELinux internally. The default CentOS image does not have SELinux installed: $ docker run -it centos:latest /bin/bash [root@38ae5a98273d /]#…
sffc
15 votes, 3 answers

SELinux preventing Apache from writing to a file

SELinux is preventing the apache user from writing to a log file which it owns. When I do setenforce 0 it works. Otherwise it shows this error IOError: [Errno 13] Permission denied: '/var/www/webapp/k/site/k.log' The security context of the file: $…
Clodoaldo
14 votes, 3 answers

How can I tell SELinux to permit nginx access to a unix socket without audit2allow?

I have nginx forwarding requests to gunicorn via a unix socket at /run/gunicorn/socket. By default, this behavior is not permitted by SELinux: grep nginx /var/log/audit/audit.log type=SERVICE_START msg=audit(1454358912.455:5390): pid=1 uid=0…
drs
14 votes, 1 answer

How do I assign an SELinux label to a symlink with semanage so it persists after a relabel?

My apache DocumentRoot /var/www is a symbolic link to another path. The target has the appropriate file context label (httpd_sys_content_t) so that apache can read it with SELinux enabled. However, the symbolic link itself is labeled with…
Steven T. Snyder
13 votes, 3 answers

Real life SELinux security example?

Can anyone give a real life example of where SELinux saved their security bacon? (or AppArmor if you wish). If not your own, a pointer to someone with a credible experience? Not a lab test, not a white paper, not a best practice, not a CERT…
kmarsh