Selinux in Linux
- Enforcing: The default mode. SELinux loads and enforces the security policy, denying any access the policy does not allow and logging each denial
- Permissive: SELinux is enabled and the policy is loaded, but it is not enforced: accesses that would have been denied are allowed and logged. Permissive mode is useful for troubleshooting SELinux issues, because the log shows every denial the policy would have produced without breaking the service
- Disabled: SELinux is turned off and no policy is loaded. Files created while it is disabled get no security labels, which is why re-enabling it later needs a full filesystem relabel (see below)
The SELinux mode can be viewed and changed with the SELinux Management GUI tool, available on the Administration menu or by running ‘system-config-selinux’ from the command line. The tool is part of the policycoreutils-gui package and is not installed by default.
Users who prefer the command line may use the ‘sestatus’ command to view the current SELinux status:
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
The ‘setenforce’ command may be used to switch between Enforcing and Permissive modes on the fly (‘setenforce 1’ for Enforcing, ‘setenforce 0’ for Permissive), but note that these changes do not persist through a system reboot. It cannot switch to or from Disabled; that requires the config file change below and a reboot.
To make changes persistent through a system reboot, edit the SELINUX= line in /etc/selinux/config for either ‘enforcing’, ‘permissive’, or ‘disabled’. For example, SELINUX=permissive.
SELinux has 3 forms of access control:
- Type Enforcement (TE): Type Enforcement is the primary mechanism of access control used in the targeted policy
- Role-Based Access Control (RBAC): Based around SELinux users (not necessarily the same as the Linux user), but not used in the default targeted policy
- Multi-Level Security (MLS): Not used and often hidden in the default targeted policy.
Now let's look at the SELinux security context of the Apache web server process, httpd:
$ ps axZ | grep httpd
system_u:system_r:httpd_t 3234 ? Ss 0:00 /usr/sbin/httpd
A context has the form user:role:type. For a process the type (httpd_t here) is its domain, and in the targeted policy the type is what the access rules are written against. Finally, let's look at the SELinux security context of a file in our home directory:
$ ls -Z /home/phil/myfile.txt
-rw-r--r-- phil phil user_u:object_r:user_home_t /home/phil/myfile.txt
where we see the type is user_home_t, the default type for files in a user's home directory.
The SELinux Troubleshooting tool is provided by the setroubleshoot package and is installed by default. The tool may be launched from the System menu or from the command line:
$ sealert -b
Those not running an X server may generate human-readable reports from the command line (the audit log is readable only by root):
# sealert -a /var/log/audit/audit.log > /path/to/mylogfile.txt
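The denials that sealert summarises are the AVC records in the audit log. As an added example (not code from the original page or from the setroubleshoot project), the script below parses a few constructed audit.log lines, splits each security context into user/role/type/level, groups the denials the way sealert does, and flags whether each one was actually blocked or only logged in Permissive mode. The three hints at the end map the denial patterns this page walks through (unlabelled content, a non-standard port, an outbound connection) to the fixes the page describes; they are illustrative, not a substitute for sealert's own analysis.

```python
import re
from collections import Counter

# Constructed sample lines in the format the kernel writes to /var/log/audit/audit.log
# (not captured from a real system). Newer policies append an MLS level (":s0") to every
# context; the page's own examples show contexts without it, and both forms parse.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=3234 comm="httpd" name="index.html" dev=sda1 ino=130012 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { getattr } for  pid=3234 comm="httpd" path="/html/index.html" dev=sda1 ino=130012 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.250:203): avc:  denied  { name_bind } for  pid=3234 comm="httpd" src=81 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1700000000.300:204): avc:  denied  { name_connect } for  pid=3240 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+(?P<verdict>denied|granted)\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx):
    """Split user:role:type[:level]; the level is absent on non-MLS policies."""
    parts = ctx.split(":", 3)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) > 3 else None}


def parse_avc_line(line):
    """Return a dict for an AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return {
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "source": parse_context(fields["scontext"]),
        "target": parse_context(fields["tcontext"]),
        "tclass": fields["tclass"],
        # file denials carry path= or name=; socket denials carry src= or dest= (a port)
        "object": fields.get("path") or fields.get("name") or fields.get("src") or fields.get("dest"),
        # permissive=1 means the access was logged but NOT blocked (Permissive mode or domain)
        "enforced": fields.get("permissive") == "0",
    }


def parse_audit_log(text):
    return [r for r in (parse_avc_line(line) for line in text.splitlines()) if r]


def summarize(records):
    """Group denials as sealert does: by source type, target type, object class and permission."""
    counts = Counter()
    for r in records:
        if r["verdict"] != "denied":
            continue
        for perm in r["perms"]:
            counts[(r["source"]["type"], r["target"]["type"], r["tclass"], perm)] += 1
    return counts


def hint(record):
    """Illustrative mapping of the denial patterns discussed on this page to their fix."""
    stype, ttype, tclass = record["source"]["type"], record["target"]["type"], record["tclass"]
    if stype == "httpd_t" and ttype == "default_t" and tclass in ("file", "dir"):
        return "content not labelled for Apache: relabel it httpd_sys_content_t (chcon, or semanage fcontext + restorecon)"
    if stype == "httpd_t" and tclass == "tcp_socket" and "name_bind" in record["perms"]:
        return "port %s is not http_port_t: semanage port -a -t http_port_t -p tcp %s" % (record["object"], record["object"])
    if stype == "httpd_t" and tclass == "tcp_socket" and "name_connect" in record["perms"]:
        return "outbound connection blocked: consider the httpd_can_network_connect or httpd_can_network_connect_db boolean"
    return "no canned hint; run sealert on this record"


if __name__ == "__main__":
    records = parse_audit_log(SAMPLE_AUDIT_LOG)
    for key, n in summarize(records).items():
        print("%d x %s -> %s %s { %s }" % (n, *key))
    for r in records:
        print("serial %d (%s): %s" % (r["serial"], "blocked" if r["enforced"] else "logged only", hint(r)))
```

Run it against a real log with `sudo ausearch -m avc -ts today` piped into parse_audit_log, or point it at /var/log/audit/audit.log directly as root; the summary tells you which type pair and permission to fix, and the "logged only" flag tells you whether a denial you see in Permissive mode would break the service once you go back to Enforcing.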
Let's look at some examples.
Using Apache as an example, suppose you want to change the DocumentRoot to serve web pages from a location other than the default /var/www/html directory. Suppose we create a directory (or maybe a mount point) at /html and create our index.html file there:
# mkdir /html
# touch /html/index.html
# ls -Z /html/index.html
-rw-r--r-- root root user_u:object_r:default_t /html/index.html
# ls -Z | grep html
drwxr-xr-x root root user_u:object_r:default_t html
We see that both the directory /html and the file /html/index.html have the security context type default_t. If we start our web browser and try to view the page, SELinux will deny access and log the denial, because the httpd_t domain is not allowed to read default_t content. We need to set the type Apache is allowed to serve, httpd_sys_content_t:
# chcon -v --type=httpd_sys_content_t /html
context of /html changed to user_u:object_r:httpd_sys_content_t
# chcon -v --type=httpd_sys_content_t /html/index.html
context of /html/index.html changed to user_u:object_r:httpd_sys_content_t
# ls -Z /html/index.html
-rw-r--r-- root root user_u:object_r:httpd_sys_content_t /html/index.html
# ls -Z | grep html
drwxr-xr-x root root user_u:object_r:httpd_sys_content_t html
Equally we could have set both in one go using the -R recursive switch:
# chcon -Rv --type=httpd_sys_content_t /html
Contexts set with chcon are stored on the files themselves, so they survive a reboot, but they are lost whenever the files are relabelled from the policy's file context rules (by restorecon, or by a complete filesystem relabel, see later), because those rules still say /html should be default_t. To make the change permanent, add a file context rule with the SELinux Management Tool or with the ‘semanage’ command, then apply it with restorecon (below) so the files on disk match the new rule:
# semanage fcontext -a -t httpd_sys_content_t "/html(/.*)?"
The ‘restorecon’ command resets a file's security context to the default that the policy's file context rules (including any added with semanage) assign to its path.
To restore just the index.html file, we would use:
# restorecon -v /var/www/html/index.html
or to recursively restore the default security contexts for the whole directory:
# restorecon -Rv /var/www/html
Adding the -n switch makes it a dry run: restorecon reports what it would relabel without changing anything, which is a safe way to check a new semanage rule before applying it:
# restorecon -Rv -n /var/www/html
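The difference between chcon and semanage fcontext comes down to how file context rules are matched when a relabel runs. The following is an added example, not code from the original page or from libselinux: it models the matching with a handful of constructed rules (regex, type) in the form file_contexts uses, plus the one rule the semanage command above adds, and a dry-run function that reports the same thing `restorecon -n` would. Rules are anchored to the whole path and the last matching entry wins, which is why the generic "/.*" rule comes first and local semanage rules, loaded after the base file, take precedence. The rule set and the `ls -Z` results are constructed for the walkthrough; real systems have thousands of rules.

```python
import re

# Constructed file-context rules (regex, type) in the form semanage/file_contexts use.
# A real file_contexts has thousands; these three cover the paths in this walkthrough.
FILE_CONTEXTS = [
    (r"/.*",            "default_t"),
    (r"/var/www(/.*)?", "httpd_sys_content_t"),
    (r"/home/[^/]+/.*", "user_home_t"),
]

# What `semanage fcontext -a -t httpd_sys_content_t "/html(/.*)?"` records in
# file_contexts.local. Local rules are loaded after the base file, so they win.
FILE_CONTEXTS_LOCAL = [
    (r"/html(/.*)?",    "httpd_sys_content_t"),
]


def compile_rules(*rule_sets):
    """Anchor each regex to the whole path, as libselinux does, keeping file order."""
    return [(re.compile(pattern + r"$"), ftype)
            for rules in rule_sets for pattern, ftype in rules]


def matchpathcon(rules, path):
    """Type the rules assign to path. libselinux scans the specs from the end, so the
    last matching entry wins; None means no rule matched."""
    for rx, ftype in reversed(rules):
        if rx.match(path):
            return ftype
    return None


def restorecon_dry_run(rules, labelled_paths):
    """Model `restorecon -n`: (path, current_type, rule_type) for every path that would change."""
    changes = []
    for path, current in labelled_paths:
        wanted = matchpathcon(rules, path)
        if wanted is not None and wanted != current:
            changes.append((path, current, wanted))
    return changes


BASE_RULES = compile_rules(FILE_CONTEXTS)
ALL_RULES = compile_rules(FILE_CONTEXTS, FILE_CONTEXTS_LOCAL)

# Constructed `ls -Z` results: the types before chcon, and after
# `chcon -Rv --type=httpd_sys_content_t /html` has been run.
BEFORE_CHCON = [
    ("/html",                    "default_t"),
    ("/html/index.html",         "default_t"),
    ("/var/www/html/index.html", "httpd_sys_content_t"),
    ("/home/phil/myfile.txt",    "user_home_t"),
]
AFTER_CHCON = [(p, "httpd_sys_content_t" if p.startswith("/html") else t) for p, t in BEFORE_CHCON]

if __name__ == "__main__":
    # With only the base rules a relabel undoes the chcon; with the semanage rule it is a no-op.
    print("relabel after chcon, base rules only:", restorecon_dry_run(BASE_RULES, AFTER_CHCON))
    print("relabel after chcon, with semanage rule:", restorecon_dry_run(ALL_RULES, AFTER_CHCON))
    print("relabel before chcon, with semanage rule:", restorecon_dry_run(ALL_RULES, BEFORE_CHCON))
```

The first dry run shows why a chcon-only fix disappears after `touch /.autorelabel`: the base rules map /html back to default_t. The second shows that once the semanage rule exists the chcon'd labels already match, and the third shows that with the rule in place `restorecon -Rv /html` alone is enough to label a freshly created /html correctly, so chcon is not needed at all.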
RELABEL COMPLETE FILESYSTEM
Sometimes it is necessary to relabel the complete filesystem, although this should only be needed when enabling SELinux after it has been disabled (files created meanwhile have no labels) or when changing from the default targeted policy to the strict policy. To relabel the complete filesystem automatically on the next boot, create the /.autorelabel flag file and reboot; the relabel runs before services start, can take a long time on a large filesystem, and removes the flag file when it finishes:
# touch /.autorelabel
# reboot
We may want a service such as Apache to be allowed to bind and listen for incoming connections on a non-standard port. By default, the SELinux policy only allows a service to bind to ports labelled for that service; a bind to any other port is denied and logged. If we wanted to allow Apache to listen on tcp port 81, we add port 81 to the http_port_t type using the ‘semanage’ command:
# semanage port -a -t http_port_t -p tcp 81
A full list of the port types and the ports assigned to each can be obtained with ‘semanage port -l’.
There is a separate Wiki page dealing with booleans.
WHICH BOOLEAN DO I NEED?
getsebool -a
will show you every boolean on your system and its current state, one per line, for example:
httpd_unified --> on
Look through that output for booleans whose names sound relevant, then check each one against the list below to make sure it really does what you think it does. Suppose httpd_can_network_connect looks like the one you need; the list below says:
httpd_can_network_connect (HTTPD Service): Allow HTTPD scripts and modules to connect to the network.
That is the one, so
setsebool -P httpd_can_network_connect on
turns it on. The -P switch writes the change into the policy so it persists across reboots; without it the boolean reverts at the next boot. Note that every boolean you enable widens what the confined domain may do, so turn on only the narrowest one that solves the problem (if scripts only need to reach a database, httpd_can_network_connect_db is enough). Et voilà, it works.
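Because booleans are the usual way confinement gets quietly loosened, it is worth auditing them rather than only consulting the list when something breaks. As an added example (not code from the original page), the script below parses constructed `getsebool -a` output and flags the booleans from the list on this page whose state weakens the system: the *_disable_trans family (the daemon runs unconfined), the allow_exec* memory protections, the unlimited* launchers, the *_export_all_rw shares, plus the secure_mode_* booleans, which harden the system when on and so are reported when off. Note that the *_disable_trans booleans belong to the older targeted policy documented here; newer policies replaced them with permissive domains (`semanage permissive`), which this script does not cover.

```python
import re

# Constructed `getsebool -a` output using boolean names from the list on this page.
SAMPLE_GETSEBOOL = """\
allow_execheap --> off
allow_execmem --> on
allow_execstack --> off
allow_ftpd_full_access --> off
httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_disable_trans --> on
httpd_enable_homedirs --> off
httpd_unified --> on
nfs_export_all_rw --> off
samba_export_all_rw --> on
secure_mode_insmod --> off
secure_mode_policyload --> off
unlimitedRC --> off
"""


def parse_getsebool(text):
    """Map boolean name -> True/False from `getsebool -a` style lines."""
    bools = {}
    for line in text.splitlines():
        m = re.match(r'^(\S+)\s+-->\s+(on|off)$', line.strip())
        if m:
            bools[m.group(1)] = (m.group(2) == "on")
    return bools


# Booleans whose "on" state removes confinement or a memory protection; the reasons
# paraphrase the descriptions in the list on this page.
WEAKENING = [
    (re.compile(r".*_disable_trans$"),                "disables SELinux protection: the daemon runs unconfined"),
    (re.compile(r"^disable_.*_trans$"),               "disables SELinux protection: the application runs unconfined"),
    (re.compile(r"^allow_exec(heap|mem|stack|mod)$"), "weakens memory protection for unconfined executables"),
    (re.compile(r"^unlimited(Inetd|RC|RPM|Utils)$"),  "lets a privileged launcher and its children run unconfined"),
    (re.compile(r"^(nfs|samba)_export_all_rw$"),      "shares any file or directory read/write"),
    (re.compile(r"^allow_ftpd_full_access$"),         "gives ftpd full access to the system"),
]

# Booleans that tighten the system when on, so "off" is the weaker state.
HARDENING = {
    "secure_mode_insmod":     "processes may load kernel modules",
    "secure_mode_policyload": "processes may modify the loaded SELinux policy",
}


def audit_booleans(bools):
    """Return (name, state, reason) for every boolean in a weakening state, sorted by name."""
    findings = []
    for name, on in sorted(bools.items()):
        if on:
            for rx, reason in WEAKENING:
                if rx.match(name):
                    findings.append((name, "on", reason))
                    break
        elif name in HARDENING:
            findings.append((name, "off", HARDENING[name]))
    return findings


def remediation(findings):
    """The `setsebool -P` lines that restore the confined state for each finding."""
    return ["setsebool -P %s %s" % (name, "off" if state == "on" else "on")
            for name, state, _ in findings]


if __name__ == "__main__":
    findings = audit_booleans(parse_getsebool(SAMPLE_GETSEBOOL))
    for name, state, reason in findings:
        print("%-28s %-3s %s" % (name, state, reason))
    print("\n".join(remediation(findings)))
```

On a real host run `getsebool -a | python3 audit_booleans.py` with parse_getsebool reading sys.stdin instead of the sample; httpd_can_network_connect and httpd_unified are deliberately left unflagged, since they are legitimate configuration choices rather than a loss of confinement, and the audit is about spotting the ones that should never be on in production.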
system-config-selinux from the policycoreutils-gui package has the same list as the one below. So if you have a GUI available you probably are better off installing that package and making the changes there.
For all others, here is the list:
- acct_disable_trans (SELinux Service Protection)
- Disable SELinux protection for acct daemon
- allow_cvs_read_shadow (CVS)
- Allow cvs daemon to read shadow
- allow_daemons_dump_core (Admin)
- Allow all daemons to write corefiles to /.
- allow_daemons_use_tty (Admin)
- Allow all daemons the ability to use unallocated ttys.
- allow_execheap (Memory Protection)
- Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
- allow_execmem (Memory Protection)
- Allow unconfined executables to map a memory region as both executable and writable; this is dangerous and the executable should be reported in bugzilla
- allow_execmod (Memory Protection)
- Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t
- allow_execstack (Memory Protection)
- Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
- allow_ftpd_full_access (FTP)
- Allow ftpd to full access to the system
- allow_ftpd_anon_write (FTP)
- Allow ftpd to upload files to directories labeled public_content_rw_t
- allow_ftpd_use_cifs (FTP)
- Allow ftp servers to use cifs used for public file transfer services.
- allow_ftpd_use_nfs (FTP)
- Allow ftp servers to use nfs used for public file transfer services.
- allow_gpg_execstack (Memory Protection)
- Allow gpg executable stack
- allow_gssd_read_tmp (NFS)
- Allow gssd to read temp directory.
- allow_httpd_anon_write (HTTPD Service)
- Allow httpd daemon to write files in directories labeled public_content_rw_t
- allow_httpd_mod_auth_pam (HTTPD Service)
- Allow Apache to use mod_auth_pam.
- allow_httpd_sys_script_anon_write (HTTPD Service)
- Allow httpd scripts to write files in directories labeled public_content_rw_t
- allow_java_execstack (Memory Protection)
- Allow java executable stack
- allow_kerberos (Kerberos)
- Allow daemons to use kerberos files
- allow_mount_anyfile (Mount)
- Allow mount to mount any file
- allow_mounton_anydir (Mount)
- Allow mount to mount any dir
- allow_mplayer_execstack (Memory Protection)
- Allow mplayer executable stack
- allow_nfsd_anon_write (NFS)
- Allow nfs servers to modify public files used for public file transfer services.
- allow_polyinstantiation (Polyinstantiation)
- Enable polyinstantiated directory support.
- allow_ptrace (Compatibility)
- Allow sysadm_t to debug or ptrace applications
- allow_rsync_anon_write (rsync)
- Allow rsync to write files in directories labeled public_content_rw_t
- allow_smbd_anon_write (Samba)
- Allow Samba to write files in directories labeled public_content_rw_t
- allow_ssh_keysign (SSH)
- Allow ssh to run ssh-keysign
- allow_unconfined_execmem_dyntrans (Memory Protection)
- Allow unconfined to dyntrans to unconfined_execmem
- allow_user_mysql_connect (Databases)
- Allow user to connect to mysql socket
- allow_user_postgresql_connect (Databases)
- Allow user to connect to postgres socket
- allow_write_xshm (XServer)
- Allow clients to write to X shared memory
- allow_ypbind (NIS)
- Allow daemons to run with NIS
- allow_zebra_write_config (Zebra)
- Allow zebra daemon to write its configuration files
- amanda_disable_trans (SELinux Service Protection)
- Disable SELinux protection for amanda
- amavis_disable_trans (SELinux Service Protection)
- Disable SELinux protection for amavis
- apmd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for apmd daemon
- arpwatch_disable_trans (SELinux Service Protection)
- Disable SELinux protection for arpwatch daemon
- auditd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for auditd daemon
- automount_disable_trans (Mount)
- Disable SELinux protection for automount daemon
- avahi_disable_trans (SELinux Service Protection)
- Disable SELinux protection for avahi
- bluetooth_disable_trans (SELinux Service Protection)
- Disable SELinux protection for bluetooth daemon
- canna_disable_trans (SELinux Service Protection)
- Disable SELinux protection for canna daemon
- cardmgr_disable_trans (SELinux Service Protection)
- Disable SELinux protection for cardmgr daemon
- ccs_disable_trans (SELinux Service Protection)
- Disable SELinux protection for Cluster Server
- cdrecord_read_content (User Privs)
- Allow cdrecord to read various content: nfs, samba, removable devices, user temp and untrusted content files
- ciped_disable_trans (SELinux Service Protection)
- Disable SELinux protection for ciped daemon
- clamd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for clamd daemon
- clamscan_disable_trans (SELinux Service Protection)
- Disable SELinux protection for clamscan
- clvmd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for clvmd
- comsat_disable_trans (SELinux Service Protection)
- Disable SELinux protection for comsat daemon
- courier_authdaemon_disable_trans (SELinux Service Protection)
- Disable SELinux protection for courier daemon
- courier_pcp_disable_trans (SELinux Service Protection)
- Disable SELinux protection for courier daemon
- courier_pop_disable_trans (SELinux Service Protection)
- Disable SELinux protection for courier daemon
- courier_sqwebmail_disable_trans (SELinux Service Protection)
- Disable SELinux protection for courier daemon
- courier_tcpd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for courier daemon
- cpucontrol_disable_trans (SELinux Service Protection)
- Disable SELinux protection for cpucontrol daemon
- cpuspeed_disable_trans (SELinux Service Protection)
- Disable SELinux protection for cpuspeed daemon
- cron_can_relabel (Cron)
- Allow system cron jobs to relabel filesystem for restoring file contexts.
- crond_disable_trans (Cron)
- Disable SELinux protection for crond daemon
- cupsd_config_disable_trans (Printing)
- Disable SELinux protection for cupsd backend server
- cupsd_disable_trans (Printing)
- Disable SELinux protection for cupsd daemon
- cupsd_lpd_disable_trans (Printing)
- Disable SELinux protection for cupsd_lpd
- cvs_disable_trans (CVS)
- Disable SELinux protection for cvs daemon
- cyrus_disable_trans (SELinux Service Protection)
- Disable SELinux protection for cyrus daemon
- dbskkd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for dbskkd daemon
- dbusd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for dbusd daemon
- dccd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for dccd
- dccifd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for dccifd
- dccm_disable_trans (SELinux Service Protection)
- Disable SELinux protection for dccm
- ddt_client_disable_trans (SELinux Service Protection)
- Disable SELinux protection for ddt daemon
- devfsd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for devfsd daemon
- dhcpc_disable_trans (SELinux Service Protection)
- Disable SELinux protection for dhcpc daemon
- dhcpd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for dhcpd daemon
- dictd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for dictd daemon
- direct_sysadm_daemon (Admin)
- Allow sysadm_t to directly start daemons
- disable_evolution_trans (Web Applications)
- Disable SELinux protection for Evolution
- disable_games_trans (Games)
- Disable SELinux protection for games
- disable_mozilla_trans (Web Applications)
- Disable SELinux protection for the web browsers
- disable_thunderbird_trans (Web Applications)
- Disable SELinux protection for Thunderbird
- distccd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for distccd daemon
- dmesg_disable_trans (SELinux Service Protection)
- Disable SELinux protection for dmesg daemon
- dnsmasq_disable_trans (SELinux Service Protection)
- Disable SELinux protection for dnsmasq daemon
- dovecot_disable_trans (SELinux Service Protection)
- Disable SELinux protection for dovecot daemon
- entropyd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for entropyd daemon
- fcron_crond (Cron)
- Enable extra rules in the cron domain to support fcron.
- fetchmail_disable_trans (SELinux Service Protection)
- Disable SELinux protection for fetchmail
- fingerd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for fingerd daemon
- freshclam_disable_trans (SELinux Service Protection)
- Disable SELinux protection for freshclam daemon
- fsdaemon_disable_trans (SELinux Service Protection)
- Disable SELinux protection for fsdaemon daemon
- ftpd_disable_trans (FTP)
- Disable SELinux protection for ftpd daemon
- ftpd_is_daemon (FTP)
- Allow ftpd to run directly without inetd
- ftp_home_dir (FTP)
- Allow ftp to read/write files in the user home directories
- global_ssp (Admin)
- This should be enabled when all programs are compiled with ProPolice/SSP stack smashing protection. All domains will be allowed to read from /dev/urandom.
- gpm_disable_trans (SELinux Service Protection)
- Disable SELinux protection for gpm daemon
- gssd_disable_trans (NFS)
- Disable SELinux protection for gss daemon
- hald_disable_trans (SELinux Service Protection)
- Disable SELinux protection for hal daemon
- hide_broken_symptoms (Compatibility)
- Do not audit things that we know to be broken but which are not security risks
- hostname_disable_trans (SELinux Service Protection)
- Disable SELinux protection for hostname daemon
- hotplug_disable_trans (SELinux Service Protection)
- Disable SELinux protection for hotplug daemon
- howl_disable_trans (SELinux Service Protection)
- Disable SELinux protection for howl daemon
- hplip_disable_trans (Printing)
- Disable SELinux protection for cups hplip daemon
- httpd_builtin_scripting (HTTPD Service)
- Allow HTTPD to support built-in scripting
- httpd_can_network_connect_db (HTTPD Service)
- Allow HTTPD scripts and modules to network connect to databases.
- httpd_can_network_connect (HTTPD Service)
- Allow HTTPD scripts and modules to connect to the network.
- httpd_can_network_relay (HTTPD Service)
- Allow httpd to act as a relay.
- httpd_disable_trans (HTTPD Service)
- Disable SELinux protection for httpd daemon
- httpd_enable_cgi (HTTPD Service)
- Allow HTTPD cgi support
- httpd_enable_ftp_server (HTTPD Service)
- Allow HTTPD to run as a ftp server
- httpd_enable_homedirs (HTTPD Service)
- Allow HTTPD to read home directories
- httpd_rotatelogs_disable_trans (SELinux Service Protection)
- Disable SELinux protection for httpd rotatelogs
- httpd_ssi_exec (HTTPD Service)
- Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
- httpd_suexec_disable_trans (HTTPD Service)
- Disable SELinux protection for http suexec
- httpd_tty_comm (HTTPD Service)
- Unify HTTPD to communicate with the terminal. Needed for handling certificates.
- httpd_unified (HTTPD Service)
- Unify HTTPD handling of all content files.
- hwclock_disable_trans (SELinux Service Protection)
- Disable SELinux protection for hwclock daemon
- i18n_input_disable_trans (SELinux Service Protection)
- Disable SELinux protection for i18n daemon
- imazesrv_disable_trans (SELinux Service Protection)
- Disable SELinux protection for imazesrv daemon
- inetd_child_disable_trans (SELinux Service Protection)
- Disable SELinux protection for inetd child daemons
- inetd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for inetd daemon
- innd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for innd daemon
- iptables_disable_trans (SELinux Service Protection)
- Disable SELinux protection for iptables daemon
- ircd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for ircd daemon
- irqbalance_disable_trans (SELinux Service Protection)
- Disable SELinux protection for irqbalance daemon
- iscsid_disable_trans (SELinux Service Protection)
- Disable SELinux protection for iscsi daemon
- jabberd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for jabberd daemon
- kadmind_disable_trans (Kerberos)
- Disable SELinux protection for kadmind daemon
- klogd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for klogd daemon
- krb5kdc_disable_trans (Kerberos)
- Disable SELinux protection for krb5kdc daemon
- ktalkd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for ktalk daemons
- kudzu_disable_trans (SELinux Service Protection)
- Disable SELinux protection for kudzu daemon
- locate_disable_trans (SELinux Service Protection)
- Disable SELinux protection for locate daemon
- lpd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for lpd daemon
- lrrd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for lrrd daemon
- lvm_disable_trans (SELinux Service Protection)
- Disable SELinux protection for lvm daemon
- mailman_mail_disable_trans (SELinux Service Protection)
- Disable SELinux protection for mailman
- mail_read_content (Web Applications)
- Allow evolution and thunderbird to read user files
- mdadm_disable_trans (SELinux Service Protection)
- Disable SELinux protection for mdadm daemon
- monopd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for monopd daemon
- mozilla_read_content (Web Applications)
- Allow the mozilla browser to read user files
- mrtg_disable_trans (SELinux Service Protection)
- Disable SELinux protection for mrtg daemon
- mysqld_disable_trans (Databases)
- Disable SELinux protection for mysqld daemon
- nagios_disable_trans (SELinux Service Protection)
- Disable SELinux protection for nagios daemon
- named_disable_trans (Name Service)
- Disable SELinux protection for named daemon
- named_write_master_zones (Name Service)
- Allow named to overwrite master zone files
- nessusd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for nessusd daemon
- NetworkManager_disable_trans (SELinux Service Protection)
- Disable SELinux protection for NetworkManager
- nfsd_disable_trans (NFS)
- Disable SELinux protection for nfsd daemon
- nfs_export_all_ro (NFS)
- Allow NFS to share any file/directory read only
- nfs_export_all_rw (NFS)
- Allow NFS to share any file/directory read/write
- nmbd_disable_trans (Samba)
- Disable SELinux protection for nmbd daemon
- nrpe_disable_trans (SELinux Service Protection)
- Disable SELinux protection for nrpe daemon
- nscd_disable_trans (Name Service)
- Disable SELinux protection for nscd daemon
- nsd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for nsd daemon
- ntpd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for ntpd daemon
- oddjob_disable_trans (SELinux Service Protection)
- Disable SELinux protection for oddjob
- oddjob_mkhomedir_disable_trans (SELinux Service Protection)
- Disable SELinux protection for oddjob_mkhomedir
- openvpn_disable_trans (SELinux Service Protection)
- Disable SELinux protection for openvpn daemon
- pam_console_disable_trans (SELinux Service Protection)
- Disable SELinux protection for pam daemon
- pegasus_disable_trans (SELinux Service Protection)
- Disable SELinux protection for pegasus
- perdition_disable_trans (SELinux Service Protection)
- Disable SELinux protection for perdition daemon
- portmap_disable_trans (SELinux Service Protection)
- Disable SELinux protection for portmap daemon
- portslave_disable_trans (SELinux Service Protection)
- Disable SELinux protection for portslave daemon
- postfix_disable_trans (SELinux Service Protection)
- Disable SELinux protection for postfix
- postgresql_disable_trans (Databases)
- Disable SELinux protection for postgresql daemon
- pppd_can_insmod (pppd)
- Allow pppd daemon to insert modules into the kernel
- pppd_disable_trans (pppd)
- Disable SELinux protection for pppd daemon
- pppd_disable_trans (pppd)
- Disable SELinux protection for the mozilla ppp daemon
- pppd_for_user (pppd)
- Allow pppd to be run for a regular user.
- pptp_disable_trans (SELinux Service Protection)
- Disable SELinux protection for pptp
- prelink_disable_trans (SELinux Service Protection)
- Disable SELinux protection for prelink daemon
- privoxy_disable_trans (SELinux Service Protection)
- Disable SELinux protection for privoxy daemon
- ptal_disable_trans (SELinux Service Protection)
- Disable SELinux protection for ptal daemon
- pxe_disable_trans (SELinux Service Protection)
- Disable SELinux protection for pxe daemon
- pyzord_disable_trans (SELinux Service Protection)
- Disable SELinux protection for pyzord
- quota_disable_trans (SELinux Service Protection)
- Disable SELinux protection for quota daemon
- radiusd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for radiusd daemon
- radvd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for radvd daemon
- rdisc_disable_trans (SELinux Service Protection)
- Disable SELinux protection for rdisc
- readahead_disable_trans (SELinux Service Protection)
- Disable SELinux protection for readahead
- read_default_t (Admin)
- Allow programs to read files in non-standard locations default_t
- read_untrusted_content (Web Applications)
- Allow programs to read untrusted content without relabel
- restorecond_disable_trans (SELinux Service Protection)
- Disable SELinux protection for restorecond
- rhgb_disable_trans (SELinux Service Protection)
- Disable SELinux protection for rhgb daemon
- ricci_disable_trans (SELinux Service Protection)
- Disable SELinux protection for ricci
- ricci_modclusterd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for ricci_modclusterd
- rlogind_disable_trans (SELinux Service Protection)
- Disable SELinux protection for rlogind daemon
- rpcd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for rpcd daemon
- rshd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for rshd
- rsync_disable_trans (rsync)
- Disable SELinux protection for rsync daemon
- run_ssh_inetd (SSH)
- Allow ssh to run from inetd instead of as a daemon
- samba_enable_home_dirs (Samba)
- Allow Samba to share users home directories
- samba_share_nfs (Samba)
- Allow Samba to share nfs directories
- allow_saslauthd_read_shadow (SASL authentication server)
- Allow sasl authentication server to read /etc/shadow
- saslauthd_disable_trans (SASL authentication server)
- Disable SELinux protection for saslauthd daemon
- scannerdaemon_disable_trans (SELinux Service Protection)
- Disable SELinux protection for scannerdaemon daemon
- secure_mode (Admin)
- Do not allow transition to sysadm_t; sudo and su are affected
- secure_mode_insmod (Admin)
- Do not allow any processes to load kernel modules
- secure_mode_policyload (Admin)
- Do not allow any processes to modify kernel SELinux policy
- sendmail_disable_trans (SELinux Service Protection)
- Disable SELinux protection for sendmail daemon
- setrans_disable_trans (SELinux Service Protection)
- Disable SELinux protection for setrans
- setroubleshootd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for setroubleshoot daemon
- slapd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for slapd daemon
- slrnpull_disable_trans (SELinux Service Protection)
- Disable SELinux protection for slrnpull daemon
- smbd_disable_trans (Samba)
- Disable SELinux protection for smbd daemon
- snmpd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for snmpd daemon
- snort_disable_trans (SELinux Service Protection)
- Disable SELinux protection for snort daemon
- soundd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for soundd daemon
- sound_disable_trans (SELinux Service Protection)
- Disable SELinux protection for sound daemon
- spamassassin_can_network (Spam Assassin)
- Allow SpamAssassin daemon network access
- spamd_disable_trans (spam Protection)
- Disable SELinux protection for spamd daemon
- spamd_enable_home_dirs (spam Protection)
- Allow spamd to access home directories
- spammassasin_can_network (spam Protection)
- Allow SpamAssassin to access the network
- speedmgmt_disable_trans (SELinux Service Protection)
- Disable SELinux protection for speedmgmt daemon
- squid_connect_any (Squid)
- Allow squid daemon to connect to the network
- squid_disable_trans (Squid)
- Disable SELinux protection for squid daemon
- ssh_keygen_disable_trans (SSH)
- Disable SELinux protection for ssh daemon
- ssh_sysadm_login (SSH)
- Allow ssh logins as sysadm_r:sysadm_t
- staff_read_sysadm_file (Admin)
- Allow staff_r users to search the sysadm home dir and read files such as ~/.bashrc
- stunnel_disable_trans (Universal SSL tunnel)
- Disable SELinux protection for stunnel daemon
- stunnel_is_daemon (Universal SSL tunnel)
- Allow stunnel daemon to run as standalone, outside of xinetd
- swat_disable_trans (SELinux Service Protection)
- Disable SELinux protection for swat daemon
- sxid_disable_trans (SELinux Service Protection)
- Disable SELinux protection for sxid daemon
- syslogd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for syslogd daemon
- system_crond_disable_trans (SELinux Service Protection)
- Disable SELinux protection for system cron jobs
- tcpd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for tcp daemon
- telnetd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for telnet daemon
- tftpd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for tftpd daemon
- transproxy_disable_trans (SELinux Service Protection)
- Disable SELinux protection for transproxy daemon
- udev_disable_trans (SELinux Service Protection)
- Disable SELinux protection for udev daemon
- uml_switch_disable_trans (SELinux Service Protection)
- Disable SELinux protection for uml daemon
- unlimitedInetd (Admin)
- Allow xinetd to run unconfined, including any services it starts that do not have a domain transition explicitly defined.
- unlimitedRC (Admin)
- Allow rc scripts to run unconfined, including any daemon started by an rc script that does not have a domain transition explicitly defined.
- unlimitedRPM (Admin)
- Allow rpm to run unconfined.
- unlimitedUtils (Admin)
- Allow privileged utilities like hotplug and insmod to run unconfined.
- updfstab_disable_trans (SELinux Service Protection)
- Disable SELinux protection for updfstab daemon
- uptimed_disable_trans (SELinux Service Protection)
- Disable SELinux protection for uptimed daemon
- use_lpd_server (Printing)
- Use lpd server instead of cups
- use_nfs_home_dirs (NFS)
- Support NFS home directories
- user_canbe_sysadm (User Privs)
- Allow user_r to reach sysadm_r via su, sudo, or userhelper. Otherwise, only staff_r can do so.
- user_can_mount (Mount)
- Allow users to execute the mount command
- user_direct_mouse (User Privs)
- Allow regular users direct mouse access (otherwise only the X server is allowed)
- user_dmesg (User Privs)
- Allow users to run the dmesg command
- user_net_control (User Privs)
- Allow users to control network interfaces (also needs USERCTL=true in the interface config)
- user_ping (User Privs)
- Allow normal user to execute ping
- user_rw_noexattrfile (User Privs)
- Allow users to read/write filesystems without extended attributes (FAT, CDROM, floppy)
- user_rw_usb (User Privs)
- Allow users to rw usb devices
- user_tcp_server (User Privs)
- Allow users to run TCP servers (bind to ports and accept connections from the same domain and from outside users). Disabling this forces FTP passive mode and may change other protocols
- user_ttyfile_stat (User Privs)
- Allow user to stat ttyfiles
- use_samba_home_dirs (Samba)
- Allow users to login with CIFS home directories
- uucpd_disable_trans (SELinux Service Protection)
- Disable SELinux protection for uucpd daemon
- vmware_disable_trans (SELinux Service Protection)
- Disable SELinux protection for vmware daemon
- watchdog_disable_trans (SELinux Service Protection)
- Disable SELinux protection for watchdog daemon
- winbind_disable_trans (Samba)
- Disable SELinux protection for winbind daemon
- write_untrusted_content (Web Applications)
- Allow web applications to write untrusted content to disk (implies read)
- xdm_disable_trans (SELinux Service Protection)
- Disable SELinux protection for xdm daemon
- xdm_sysadm_login (XServer)
- Allow xdm logins as sysadm_r:sysadm_t
- xend_disable_trans (SELinux Service Protection)
- Disable SELinux protection for xen daemon
- xen_use_raw_disk (XEN)
- Allow xen to read/write physical disk devices
- xfs_disable_trans (SELinux Service Protection)
- Disable SELinux protection for xfs daemon
- xm_disable_trans (SELinux Service Protection)
- Disable SELinux protection for the xen control tool (xm)
- ypbind_disable_trans (NIS)
- Disable SELinux protection for ypbind daemon
- yppasswdd_disable_trans (NIS)
- Disable SELinux protection for NIS Password Daemon
- ypserv_disable_trans (SELinux Service Protection)
- Disable SELinux protection for ypserv daemon
- ypxfr_disable_trans (NIS)
- Disable SELinux protection for NIS Transfer Daemon
- zebra_disable_trans (SELinux Service Protection)
- Disable SELinux protection for zebra daemon
- httpd_use_cifs (HTTPD Service)
- Allow httpd to access samba/cifs file systems.
- httpd_use_nfs (HTTPD Service)
- Allow httpd to access nfs file systems.
- samba_domain_controller (Samba)
- Allow samba to act as the domain controller, add users, groups and change passwords
- samba_export_all_ro (Samba)
- Allow Samba to share any file/directory read only
- samba_export_all_rw (Samba)
- Allow Samba to share any file/directory read/write
- webadm_manage_users_files (HTTPD Service)
- Allow webadm_t to manage files in users' home directories
- webadm_read_users_files (HTTPD Service)
- Allow webadm_t to read files in users' home directories