SELinux commands
Allow all (permissive mode)
```bash
# setenforce 0 puts SELinux in permissive mode: denials are still written to the audit log, but nothing is blocked.
# This is a runtime change only; the mode used after a reboot comes from /etc/selinux/config.
$> setenforce 0
```
Turn on SELinux (enforcing mode)
```bash
# setenforce 1 puts SELinux in enforcing mode: anything not allowed by the loaded policy is blocked.
$> setenforce 1
```
View list of currently defined records
```bash
# List all ports managed by SELinux
$> semanage port -l
# Narrow the list down
$> semanage port -l | grep ssh
# Narrow the list down to show only local customizations (records added or modified with semanage)
$> semanage port -lC
```
Modify an entry
```bash
# Label tcp port 8080 as http_port_t (port 80 keeps its http_port_t label).
# -m modifies a port that already has a record; use -a for a port with no record yet.
$> semanage port -m -t http_port_t -p tcp 8080
```
Delete an entry
```bash
# Remove the local customization again; the port falls back to its default-policy label, if any
$> semanage port -d -t http_port_t -p tcp 8080
```
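The add-versus-modify distinction above is the usual stumbling block: `semanage port -a` fails with "already defined" when the port already carries a label (as 8080 does by default), and `-m` fails when there is no record to modify. The following script is an added example, not part of the original page, that decides which form to use by parsing `semanage port -l` output. The port list embedded in it is a constructed excerpt, so the script runs on a machine without SELinux tooling; on a real host you would pass `"$(semanage port -l)"` as the last argument.

```bash
#!/bin/sh
# Added example (not from the original page): pick `semanage port -a` or
# `semanage port -m` by checking whether the port already has a label.

# Constructed sample of `semanage port -l` output: type, protocol, ports/ranges.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22'

# Print the SELinux port type that owns PORT for PROTO, or nothing if unlabelled.
# Usage: port_type <proto> <port> [port-list-text]   (list defaults to the sample)
port_type() {
    proto="$1"; port="$2"; list="${3:-$SAMPLE_PORT_LIST}"
    printf '%s\n' "$list" | awk -v proto="$proto" -v port="$port" '
        NR > 1 && $2 == proto {
            # fields 3..NF hold a comma-separated list of single ports and lo-hi ranges
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (p ~ /-/) { split(p, r, "-"); lo = r[1] + 0; hi = r[2] + 0 }
                else { lo = p + 0; hi = lo }
                if (port + 0 >= lo && port + 0 <= hi) { print $1; exit }
            }
        }'
}

# Emit the semanage command that labels PORT/PROTO as TYPE:
# -a when the port has no record yet, -m when another type already owns it,
# and a no-op comment when it is already labelled with TYPE.
# Usage: semanage_cmd <type> <proto> <port> [port-list-text]
semanage_cmd() {
    type="$1"; proto="$2"; port="$3"; list="${4:-$SAMPLE_PORT_LIST}"
    current=$(port_type "$proto" "$port" "$list")
    if [ -z "$current" ]; then
        echo "semanage port -a -t $type -p $proto $port"
    elif [ "$current" = "$type" ]; then
        echo "# $proto/$port is already $type; nothing to do"
    else
        echo "semanage port -m -t $type -p $proto $port"
    fi
}

# Example calls against the constructed list:
semanage_cmd ssh_port_t tcp 2222     # -> semanage port -a ... (no record for 2222)
semanage_cmd http_port_t tcp 8080    # -> semanage port -m ... (8080 is http_cache_port_t)
```

The script only prints the command; it never runs `semanage` itself, so it is safe to use as a dry run before changing the policy store.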
```bash
# Find out what SELinux denied and turn the denials into candidate allow rules
# This is the main option I use:
$> cat /var/log/audit/audit.log | audit2allow
# or: explain each denial and suggest fixes (booleans, relabeling, or a custom module)
$> sealert -a /var/log/audit/audit.log
# or: only the recent AVC records
$> ausearch -m avc -ts recent | audit2allow
```
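Piping the whole audit log into `audit2allow` turns every denial into an allow rule, including ones that should be fixed another way (a boolean such as `httpd_can_network_connect`, or relabeling a port or file). The following script is an added example, not from the original page, that summarizes AVC denials per source type, target type, object class and permission first, so each distinct denial is reviewed once before any rule is generated. The audit lines embedded in it are constructed samples in the standard `type=AVC` format; on a real host you would pass `"$(ausearch -m avc -ts recent)"` instead.

```bash
#!/bin/sh
# Added example (not from the original page): group AVC denials before handing
# them to audit2allow. Sample log lines are constructed for this example.

SAMPLE_AUDIT='type=AVC msg=audit(1700000000.101:201): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000000.102:202): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { read } for  pid=1202 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { name_bind } for  pid=1300 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1'

# Print one line per distinct denial:
#   "<count> <source type> <target type> <class> <perms> <mode>"
# mode is "enforced" (permissive=0: the action was blocked) or "permissive" (logged only).
# Sorted by count, highest first. Usage: avc_summary [audit-text]  (defaults to the sample)
avc_summary() {
    printf '%s\n' "${1:-$SAMPLE_AUDIT}" | awk '
        $1 == "type=AVC" && /avc: +denied/ {
            perm = ""; src = ""; tgt = ""; cls = ""; mode = "enforced"
            for (i = 1; i <= NF; i++) {
                # permissions sit between "{" and "}", possibly several: { read write }
                if ($i == "{") {
                    for (j = i + 1; j <= NF && $j != "}"; j++)
                        perm = perm (perm == "" ? "" : ",") $j
                }
                # third colon-separated field of a context is its type (user:role:type:level)
                if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
                if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
                if ($i ~ /^tclass=/) cls = substr($i, 8)
                if ($i == "permissive=1") mode = "permissive"
            }
            count[src " " tgt " " cls " " perm " " mode]++
        }
        END { for (k in count) print count[k], k }' | sort -k1,1nr -k2
}

# Example run against the constructed log:
avc_summary
```

In the sample the first line shows httpd_t denied name_connect to http_cache_port_t twice; that is the case where a boolean or the `semanage port -m` from the previous section is the right fix, not a generated allow rule. The sshd_t line is marked permissive, meaning it was logged while SELinux was in permissive mode and will start being blocked once enforcing mode is turned back on.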
Creating custom policies
See: Chapter 8. Writing a custom SELinux policy, Red Hat Enterprise Linux 8 (Red Hat Customer Portal)