Linux/SELinux/GUI: Difference between revisions

From Foxwiki

Revision as of 22 March 2026, 09:50

SELinux GUI

Fedora and some other Linux operating systems ship with the SELinux Administration GUI, the Policy Generation Tool (polgengui) and the SELinux Troubleshooter, which give the user a better interface for handling SELinux.

If SELinux is not installed on the Linux system, it can be installed from the command prompt:

 $ yum install selinux-policy-devel
 $ yum install setools-devel
 $ yum install setools-gui

Opening SELinux Management GUI Tool in Fedora

Open the system menu -> Administration -> SELinux Management

SELinux’s system-config interface

From the Status tab, you can check or change the mode of SELinux.

To view the policies set on the individual files and processes, click the File Labeling link. To view the policies for the port assignments for the subsystems, click the Network Port link.

To check the user mapping with the MCS/MLS range, click the User Mapping link.

To find out the roles of each user, check the SELinux User link.

To check the version of the Certificate System SELinux policy installed, click the Policy Module link.

SELinux Management Tool

The SELinux Management tool allows the user to perform different activities related to the management of SELinux. It reduces the user’s work: if you use it, you don’t need to remember all the commands required to handle SELinux. To open the SELinux Management GUI, follow these steps:

System menu -> Administration -> SELinux Management

SELinux’s system-config interface

SELinux Policy Generation Tool

This tool provides the simplest way to generate policies on some Linux systems. It generates four files:

• Type Enforcement File (*.te file): This file contains all the code required to confine the intended application.
• File Context File (*.fc file): This file contains the mapping between files and file contexts.
• Interface File (*.if file): This file contains information on all the interfaces that other domains might want to use to communicate with our domain, and on the file types created by our application.
• Shell Script (*.sh file): This file is used to compile, install and fix the labeling on the test system.

To open the SELinux Policy Generation Tool, follow the steps given below:

Application -> System Tools -> SELinux Policy Generation Tool

This opens a wizard that creates policy in eight steps:

To begin building the policy module, follow the given procedure:

i. Select type of the application/user role to be confined: This screen asks the user to identify the type of application. This allows us to set up all the policy to correctly transition from domain.

ii. Enter name of application or user role to be confined: This screen prompts for a name for the given application and the path to the executable used to start it. The tool will use this information to create two SELinux types, Arpit_t and Arpit_exec_t. The running process domain will use the type Arpit_t, and the file context on disk will use Arpit_exec_t.

iii. Enter network ports that application/user role listens to: This screen allows us to enter a space-separated list of network ports that the application will bind to and listen on for incoming connections.

iv. Enter network ports that application/user role connects to: This screen allows us to specify TCP and UDP ports that the confined application needs to connect to.

v. Select common application traits: This screen allows us to specify some common traits that the application exhibits. Checking the given boxes adds policy that lets the application perform the selected functions. We can also leave them blank if we are not sure whether the application needs them.

vi. Select file/directories that the application manages: This screen looks at the paths that we enter and uses them to establish the name of the type to use.

vii. Select Booleans that the application uses: This screen allows us to add/delete Boolean values. This field can also be left blank.

viii. Select directory to generate policy in: This screen asks the user where to put the tool’s output. It defaults to the current working directory, but it is often better to put our policy files in a separate directory.

Now that we have the policy files, it’s time to apply them to the current policy. We can use a terminal window, log in as root, and execute the shell script generated by the SELinux Policy Generation Tool. The shell script compiles the module that we just created and then loads it into the kernel.

SELinux Troubleshooter

Sooner or later we may run into situations where SELinux denies access to something and we need to troubleshoot the issue. There are a number of fundamental reasons why SELinux may deny access to a file, process or resource:

• A mislabeled file.
• A process running under the wrong SELinux security context.
• A bug in policy. An application requires access to a file that wasn’t anticipated when the policy was written and generates an error.

On the command line it is difficult to understand what an error message says. This tool watches the audit log files for AVC messages. When an AVC message arrives, the tool runs through the SELinux plugins database looking for a match and then sends a message to the user with a description and a suggested fix.

To open SELinux Troubleshooter follow steps given below:

Application -> System Tools -> SELinux Troubleshooter
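
The AVC-watching step described above can be reproduced offline when triaging denials. The following Python code is an added example, not the Troubleshooter's own code or plugin database: it parses AVC denial records, groups them by source type, target type and object class, and attaches a rough hint. The sample log lines, the `myapp` names and the `UNLABELED_TYPES` heuristic are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not from a real system).
SAMPLE_LOG = """\
type=AVC msg=audit(1711100000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1711100001.200:457): avc:  denied  { open } for  pid=1234 comm="httpd" path="/srv/www/index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1711100001.200:457): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1711100050.010:470): avc:  denied  { name_bind } for  pid=2001 comm="myapp" src=8081 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1711100090.500:480): avc:  denied  { getattr } for  pid=2001 comm="myapp" path="/data/cache" dev="dm-0" ino=99 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNLABELED_TYPES = {"default_t", "unlabeled_t", "file_t"}  # assumption: fallback labels

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= kv.keys():
        return None  # truncated record: no contexts to reason about
    return {"perms": set(m.group("perms").split()), "comm": kv.get("comm", "?"),
            "source": kv["scontext"].split(":")[2],  # user:role:type:level
            "target": kv["tcontext"].split(":")[2],
            "tclass": kv["tclass"]}

def summarize(log_text):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc:
            g = groups[(avc["source"], avc["target"], avc["tclass"])]
            g["perms"] |= avc["perms"]
            g["comms"].add(avc["comm"])
            g["count"] += 1
    return dict(groups)

def hint(key):  # rough triage hint; a heuristic assumed for this example
    if key[1] in UNLABELED_TYPES:
        return "target has a fallback label: likely a mislabeled file"
    return "confirm file label and process domain before treating as a policy gap"

if __name__ == "__main__":
    for key, g in summarize(SAMPLE_LOG).items():
        print(key, sorted(g["perms"]), g["count"], "->", hint(key))
```

Grouping by type triple collapses repeated denials from one misconfiguration into a single entry, which is the unit a label fix or policy change would address.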


  1. https://pandeyarpit.wordpress.com/selinux-an-introduction/selinux-gui-overview/