SELinux (1/4)
Since I get asked a lot, here are my answers (on an invented example):
"I can't ping 8.8.8.8 and salute google"
We use #audit2why to find out
SELinux (3/4)
I don't recommend this but it is always better than disabling SELinux completely
(or fucking things up) to not restrict a domain in its actions (and hence disable
SELinux for this service only)
semanage permissive -a squid_t
#selinux #security #enhanced #linux
see also: https://www.redhat.com/sysadmin/semanage-keep-selinux-enforcing
SELinux (4/4)
You trust the application running in the permissive domain and are sure it won't
get exploited but you might want to check which types can transition into the permissive
domain.
sepolicy transition -s source_t -t target_t
#selinux #security #enhanced #linux
see also: https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/security-enhanced_linux-the-sepolicy-suite-sepolicy_transition
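A permissive domain such as the squid_t from post 3/4 still logs every access that enforcing mode would have blocked, marked permissive=1 in the AVC record. The following is an added example, not part of the original posts: it summarizes AVC records so those would-be denials can be reviewed before returning the domain to enforcing. The function names are hypothetical and the log lines are constructed.

```shell
#!/usr/bin/env bash
# Added example. Function names are hypothetical; log lines are constructed.
# On a live host the input could come from: ausearch -m avc -ts recent --raw

# Constructed records: squid_t is a permissive domain (permissive=1),
# the ping denial was enforced (permissive=0). The SYSCALL line is ignored.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:501): avc:  denied  { name_connect } for  pid=2101 comm="squid" dest=8081 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000003.220:502): avc:  denied  { name_connect } for  pid=2101 comm="squid" dest=8082 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000005.007:503): avc:  denied  { read open } for  pid=2101 comm="squid" path="/srv/cache.conf" dev="dm-0" ino=4242 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000009.350:504): avc:  denied  { create } for  pid=3300 comm="ping" scontext=user_u:user_r:ping_t:s0 tcontext=user_u:user_r:ping_t:s0 tclass=rawip_socket permissive=0
type=SYSCALL msg=audit(1700000009.350:504): arch=c000003e syscall=41 success=no exit=-13 comm="ping"
EOF
}

# Read audit records on stdin and print one line per distinct denial:
#   <count> <source_type> <target_type> <class> <perms> <enforced|permissive>
summarize_avc() {
  awk '
    /avc:[ ]+denied/ {
      perms = $0
      sub(/^[^{]*[{] */, "", perms)   # drop everything up to "{ "
      sub(/ *[}].*$/, "", perms)      # drop " }" and the rest of the record
      gsub(/ /, ",", perms)           # "read open" -> "read,open"
      src = tgt = cls = ""; mode = "enforced"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)      { split($i, c, ":"); src = c[3] }
        else if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
        else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        else if ($i == "permissive=1") { mode = "permissive" }
      }
      n[src " " tgt " " cls " " perms " " mode]++
    }
    END { for (k in n) print n[k], k }
  ' | sort
}

# Source domains whose accesses were only logged, not blocked.
permissive_domains() {
  summarize_avc | awk '$6 == "permissive" { print $2 }' | sort -u
}

sample_log | summarize_avc
```

Each "permissive" row is an access the policy does not allow yet; the domain goes back to blocking once it is removed from the permissive list.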