ENTREGA RÁPIDA O COURIER

•

Confined SELinux users and their associated domains:

–

guest_u: The domain for the user is guest_t.

–

staff_u: The domain for the user is staff_t.

–

user_u: The domain for the user is user_t.

–

xguest_x: The domain for the user is xguest_t.

•

SELinux can confine Linux users by mapping Linux users

to SELinux users.

•

Use semanage to map a Linux user to an SELinux user:

–

# semanage login -a -s user_u newuser

•

Booleans are available to change user behavior when

running applications in home directories and in /tmp.

Oracle University and (Oracle Corporation) use only.

Linux users in the xguest_t, user_t, and staff_t domains can log in using the X Window System and a terminal.

By default, Linux users in the staff_t domain do not have permissions to execute applications with the sudo command.

By default, Linux users in the guest_t and xguest_t domains cannot execute applications in their home directories or /tmp, preventing them from executing applications in directories they have write access to. This helps prevent flawed or malicious applications from modifying files that users own.

By default, Linux users in the user_t and staff_t domains can execute applications in their home directories and /tmp.

Mapping Linux Users to SELinux Users

Use the semanage login –a command to map a Linux user to an SELinux user. For

example, to map Linux newuser user to the SELinux user_u user, run the following command: # semanage login -a -s user_u newuser

The -a option adds a new record and the -s option specifies the SELinux user. The last argument, newuser, is the Linux user that you want mapped to the specified SELinux user.

Booleans for Users Executing Applications

Some Booleans are available to change user behavior when running applications in their home directories and in /tmp. Use the setsebool –P <boolean> on|off command:

To allow Linux users in the guest_t domain to execute applications in their home directories and /tmp:

# setsebool -P allow_guest_exec_content on

To allow Linux users in the xguest_t domain to execute applications in their home directories and /tmp:

# setsebool -P allow_xguest_exec_content on

To prevent Linux users in the user_t domain from executing applications in their home directories and /tmp:

# setsebool -P allow_user_exec_content off

To prevent Linux users in the staff_t domain from executing applications in their home directories and /tmp:

# setsebool -P allow_staff_exec_content off

Oracle University and (Oracle Corporation) use only.

This slide lists some of the more commonly used command line utilities for managing and operating SELinux. More utilities are provided. The policycoreutils package installs the following utilities:

• fixfiles: Fixes the security context on filesystems

• load_policy: Loads a new SELinux policy into the kernel

• restorecon: Resets the security context on one or more files

• setfiles: Initializes the security context on one or more files

• secon: Displays the SELinux context from a file, program, or user input

• semodule_deps: Displays the dependencies between SELinux policy packages

• semodule_expand: Expands an SELinux policy module package

• semodule_link: Links SELinux policy module packages together

• semodule_package: Creates an SELinux policy module package

• restorecond: Is a daemon that watches for file creation and sets the default file

context

• semodule: Manages SELinux policy modules

• sestatus: Displays SELinux status

• setsebool: Sets SELinux Boolean value

Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

SELinux Utilities: Summary

•

sestatus: Displays SELinux status

•

semanage: Is an SELinux policy management tool

•

semodule: Manages SELinux policy modules

•

setsebool: Sets SELinux Boolean value

•

avcstat: Displays SELinux AVC statistics

•

getenforce: Reports the current SELinux mode

•

getsebool: Reports SELinux Boolean values

•

seinfo: Is an SELinux policy query tool

•

sesearch: Is an SELinux policy query tool

•

fixfiles: Fixes the security context on filesystems

•

restorecon: Resets the security context on files

Oracle University and (Oracle Corporation) use only.

The libselinux-utils package installs the following utilities: • avcstat: Displays SELinux AVC statistics

• getenforce: Reports the current SELinux mode

• getsebool: Reports SELinux Boolean values

• matchpathcon: Queries the system policy and displays the default security context

associated with the file path

• selinuxconlist: Displays all SELinux context reachable for a user

• selinuxdefcon: Displays the default SELinux context for a user

• selinuxenabled: Indicates whether SELinux is enabled

• setenforce: Modifies the SELinux mode

• togglesebool: Flips the current value of an SELinux Boolean

The setools-console package installs the following utilities: • findcon: An SELinux file context search tool

• indexcon: An SELinux file context indexing tool

• replcon: An SELinux file context replacement tool

• seaudit-report: An SELinux audit log reporting tool

• sechecker: An SELinux policy checking tool

• sediff: An SELinux policy difference tool

• seinfo: An SELinux policy query tool

• sesearch: An SELinux policy query tool

The policycoreutlis-python package installs the following utilities: • semanage: Is an SELinux policy management tool

• audit2allow, audit2why: Generates SELinux policy allow/don’t_audit rules from logs

of denied operations

• chcat: Changes or removes the security category for each file or user.

• sandbox: Runs a command in an SELinux sandbox

The policycoreutlis-gui package installs the following utilities: • system-config-selinux: SELinux Administration GUI

Oracle University and (Oracle Corporation) use only.

Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

Quiz

A given SELinux policy can be customized by enabling or

In document REGLAMENTO DEL CÓDIGO ADUANERO UNIFORME CENTROAMERICANO (RECAUCA) RESOLUCIÓN No (COMIECO-XLIX). Aprobada el 25 de Abril del 2008 (página 126-129)