Linux Cheatsheet
pseudo files
a line of random values to stdout:
head -1 /dev/urandom >&1
to a file:
head -10 /dev/urandom > test_urandom
the lines are getting as long as there apperars a ‘\n’. verify:
wc -l test_urandom
10 test_urandom
Searching and Finding
apropos
locate / find
Permissions
- DAC = Discretionary Access Control
- MAC = Mandatory Access Control
- ACL = Access Control List
The ACL specifies the controls to be applied by the method of control, DAC or MAC. MAC is explicit, centrally controlled, and does not allow users to grant authority to an object unless they have explicit permissions to do so, whereas DAC allows users to grant other users access to objects they can access. MAC ACLs will always be applied to a request first, and if access is denied processing stops. If access is permitted then the DAC ACLs are applied, and again if access is denied processing stops. Only if access is granted by both MAC and DAC ACLs can the user access the object they requested. SELinux is a MAC implementation for Linux (there are others), while the traditional rwx file permissions, combined with the owning user and group form the complete DAC ACL. The SELinux ‘policy’ is essentially the MAC ACL. setfacl extends the basic filesystem ACLs to allow more than a single user or group to be assigned an to ACL for files and directories. This is also a DAC implementation, and is therefore applied after the SELinux MAC ACLs.
Discretionary Access Control (DAC)
The non-numerical way:
d = direcrory user, group, anyone
ls -al
drwxr-xr-x 1 toob toob 4096 May 18 18:15 .
drwxr-xr-x 1 root root 4096 Jun 28 2021 ..
drwxr-xr-x 1 toob toob 4096 Nov 14 2022 .ansible
-rw------- 1 toob toob 9043 Dec 1 2021 .bash_history
-rw-r--r-- 1 toob toob 220 Jun 28 2021 .bash_logout
setting permissions:
The “who” values we can use are:
u: User, meaning the owner of the file.
g: Group, meaning members of the group the file belongs to.
o: Others, meaning people not governed by the u and g permissions.
a: All, meaning all of the above.
If none of these are used, chmod behaves as if “a” had been used.
The “what” values we can use are:
–: Minus sign. Removes the permission.
+: Plus sign. Grants the permission. The permission is added to the existing permissions. If you want to have this permission and only this permission set, use the = option, described below.
=: Equals sign. Set a permission and remove others.
The “which ” values we can use are:
r: The read permission.
w: The write permission.
x: The execute permission.
chmod u=rw,og=r new_file.txt
Numerical way
0: (000) No permission.
1: (001) Execute permission.
2: (010) Write permission.
3: (011) Write and execute permissions.
4: (100) Read permission.
5: (101) Read and execute permissions.
6: (110) Read and write permissions.
7: (111) Read, write, and execute permissions.
An example:
chmod 664 *.page
Mandatory Access Control (MAC)
Remember that SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first, which means that no SELinux denial is logged if the traditional DAC rules prevent the access.
Basics + troubleshooting
To get file contexts and just for curiosity, one can read following file. But do not edit or change it there. This would be overwritten by the next update.
less /etc/selinux/targeted/contexts/files/file_contexts
...
/dev/.* system_u:object_r:device_t:s0
/etc/.* system_u:object_r:etc_t:s0
/lib/.* system_u:object_r:lib_t:s0
/opt/.* system_u:object_r:usr_t:s0
/run/.* system_u:object_r:var_run_t:s0
/srv/.* system_u:object_r:var_t:s0
/tmp/.* <<none>>
/usr/.* system_u:object_r:usr_t:s0
/var/.* system_u:object_r:var_t:s0
/root(/.*)? system_u:object_r:admin_home_t:s0
/opt/.*\.cgi -- system_u:object_r:httpd_sys_script_exec_t:s0
/usr/.*\.cgi -- system_u:object_r:httpd_sys_script_exec_t:s0
/run/.*\.*pid <<none>>
/dev/[0-9].* -c system_u:object_r:usb_device_t:s0
/mnt/[^/]*/.* <<none>>
/opt/(.*/)?etc -d system_u:object_r:etc_t:s0
/opt/(.*/)?var -d system_u:object_r:var_t:s0
/rhev(/[^/]*)? -d system_u:object_r:mnt_t:s0
/dev/.*mouse.* -c system_u:object_r:mouse_device_t:s0
/dev/.*tty[^/]* -c system_u:object_r:tty_device_t:s0
/etc/.*l2tp(/.*)? system_u:object_r:l2tp_conf_t:s0
/etc/[mg]dm(/.*)? system_u:object_r:xdm_etc_t:s0
/opt/(.*/)?etc/.* system_u:object_r:etc_t:s0
/opt/(.*/)?var/.* system_u:object_r:var_t:s0
...
With the Z argument you can get selinux labels with tools like ps, ls, id, netstat, lsof, etc.
[root@podman tob]# sudo ls -Zal /var
total 20
drwxr-xr-x. 20 root root system_u:object_r:var_t:s0 4096 Jan 16 10:32 .
dr-xr-xr-x. 18 root root system_u:object_r:root_t:s0 235 Jan 16 10:28 ..
drwxr-xr-x. 2 root root system_u:object_r:acct_data_t:s0 19 Jan 16 10:29 account
drwxr-xr-x. 2 root root system_u:object_r:var_t:s0 6 Aug 9 2021 adm
drwxr-xr-x. 12 root root system_u:object_r:var_t:s0 150 Jan 16 15:47 cache
drwxr-xr-x. 2 root root system_u:object_r:kdump_crash_t:s0 6 Apr 21 10:29 crash
drwxr-xr-x. 3 root root system_u:object_r:system_db_t:s0 18 Jan 16 10:29 db
drwxr-xr-x. 2 root root system_u:object_r:var_t:s0 6 Aug 9 2021 empty
drwxr-xr-x. 2 root root system_u:object_r:public_content_t:s0 6 Aug 9 2021 ftp
drwxr-xr-x. 2 root root system_u:object_r:games_data_t:s0 6 Aug 9 2021 games
drwxr-xr-x. 3 root root system_u:object_r:var_t:s0 18 Feb 22 18:13 kerberos
drwxr-xr-x. 38 root root system_u:object_r:var_lib_t:s0 4096 Jan 16 10:44 lib
drwxr-xr-x. 2 root root system_u:object_r:var_t:s0 6 Aug 9 2021 local
lrwxrwxrwx. 1 root root system_u:object_r:var_lock_t:s0 11 Jan 16 10:28 lock -> ../run/lock
drwxr-xr-x. 10 root root system_u:object_r:var_log_t:s0 4096 May 19 12:34 log
lrwxrwxrwx. 1 root root system_u:object_r:mail_spool_t:s0 10 Aug 9 2021 mail -> spool/mail
drwxr-xr-x. 2 root root system_u:object_r:var_t:s0 6 Aug 9 2021 nis
drwxr-xr-x. 2 root root system_u:object_r:var_t:s0 6 Aug 9 2021 opt
drwxr-xr-x. 2 root root system_u:object_r:var_t:s0 6 Aug 9 2021 preserve
lrwxrwxrwx. 1 root root system_u:object_r:var_run_t:s0 6 Jan 16 10:28 run -> ../run
drwxr-xr-x. 8 root root system_u:object_r:var_spool_t:s0 82 Jan 16 10:29 spool
drwxrwxrwt. 5 root root system_u:object_r:tmp_t:s0 4096 May 19 20:20 tmp
-rw-r--r--. 1 root root system_u:object_r:etc_runtime_t:s0 208 Jan 16 10:28 .updated
drwxr-xr-x. 2 root root system_u:object_r:var_yp_t:s0 6 Aug 9 2021 yp
Install this on dev/test systems to troubleshoot
yum install setroubleshoot
Then you will find useful infos in journalctl!
For Example:
May 20 22:42:21 rocky9 setroubleshoot[14100]: SELinux is preventing /usr/sbin/httpd from getattr access on the file /home/toob/public_html/index.html.
***** Plugin catchall_boolean (32.5 confidence) suggests ******************
If you want to allow httpd to enable homedirs
Then you must tell SELinux about this by enabling the 'httpd_enable_homedirs' boolean.
Do
setsebool -P httpd_enable_homedirs 1
***** Plugin catchall_boolean (32.5 confidence) suggests ******************
If you want to allow httpd to unified
Then you must tell SELinux about this by enabling the 'httpd_unified' boolean.
Do
setsebool -P httpd_unified 1
***** Plugin public_content (32.5 confidence) suggests ********************
If you want to treat index.html as public content
Then you need to change the label on index.html to public_content_t or public_content_rw_t.
Do
# semanage fcontext -a -t public_content_t '/home/toob/public_html/index.html'
# restorecon -v '/home/toob/public_html/index.html'
***** Plugin catchall (4.5 confidence) suggests ***************************
If you believe that httpd should be allowed getattr access on the index.html file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -X 300 -i my-httpd.pp
Adjust labels on a moved file, for example in a http dir:
change the type label of a file:
chcon -t httpd_system_content_t /var/www/html/index.html
Inherit labels from existing file:
chcon -reference /var/www/html /var/www/html/index.html
If you are in a completely different directory you have to do it differently, otherwise if someone relabels
the system it will get to the old state, becuase SELinux does not know apout it (it only knows the contexts
of less /etc/selinux/targeted/contexts/files/file_contexts
)
For example you have a web directory in /opt/some_web/
, you would do as follows:
Firstly tell SELinux ho it is supposed to be.
semanage fcontext -a -e /var/www/html /opt/some_web
And then let SELinux relabel it accordingly:
restorecon -vR /opt/some_web/
Write a custom policy
In the following I added a custom tomcat installation with all the necessary binaries and also specific location of dependent files. SELinux can not know about such changes, so one has to implement custom plicies for such a case.
As you can see my process tomcat-master is unconfined by SELinux:
system_u:system_r:unconfined_service_t:s0 tomcat 39805 1.6 74.0 7886076 1346928 ? Sl 13:36 0:45 /opt/java/openjdk-8u342-b07/bin/java -Djava.util.logging.config.file=/opt/instances-tomcat/tomcat-m
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 toob 39924 0.0 0.2 22360 5176 ? Ss 13:53 0:00 /usr/lib/systemd/systemd --user
Let’s change it. To be continued or find it here1.