[blag-users] SELinux Primer

Author: sinuhe
To: blag-users
Subject: [blag-users] SELinux Primer
Fedora and Red Hat have led the development of the NSA's MAC (Mandatory Access Control) based security, SELinux. BLAG inherits this from Fedora. The following might be of interest as a *very brief* introduction for the security-minded who want to use SELinux but don't know where to start.

Red Hat and Fedora have provided what are called targeted policies to make life easy for you. (A target is a policy targeted at a service, such as the web server Apache, or an MTA such as sendmail, postfix, or exim.) This means that a package not provided by Fedora (or inherited into BLAG) is automatically "unconfined." To enable SELinux under BLAG, add a symbolic link under /etc/sysconfig named "selinux" pointing to /etc/selinux/config, and change SELINUX to "enforcing" in that file. You will need to add the packages selinux-policy and selinux-policy-targeted (there is also selinux-policy-mls). The first time you do this you will get errors, because selinux is not yet enabled. Do not despair, just reboot (selinux will label your filesystem, so this may take a minute the first time you reboot). selinux-doc will also be helpful, as will the _selinux man pages that describe the targets.
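The two edits just described (setting SELINUX= in /etc/selinux/config and adding the /etc/sysconfig/selinux symlink) as a small set of shell functions. This is an added example, not part of the original post: the ROOT prefix argument is an assumption of mine so the functions can be dry-run against a scratch directory before being pointed at "/" on a real system, and the sample config written by make_sample_config is constructed, not copied from a BLAG box.

```shell
#!/bin/sh
# Added example (not from the original post). ROOT is a hypothetical prefix:
# "/" on a real system, a temporary directory for a dry run.

# set_selinux_mode ROOT MODE -> rewrite the SELINUX= line; 0 on success
set_selinux_mode() {
    root=${1%/}
    mode=$2
    cfg="$root/etc/selinux/config"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
    # Replace only the SELINUX= line, keeping comments and SELINUXTYPE intact.
    tmp="$cfg.tmp.$$"
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$cfg" > "$tmp" && mv "$tmp" "$cfg"
    grep -q "^SELINUX=$mode\$" "$cfg"
}

# link_sysconfig ROOT -> /etc/sysconfig/selinux -> /etc/selinux/config
# Refuses to clobber a regular file that already sits at that path.
link_sysconfig() {
    root=${1%/}
    mkdir -p "$root/etc/sysconfig"
    if [ -e "$root/etc/sysconfig/selinux" ] && [ ! -L "$root/etc/sysconfig/selinux" ]; then
        echo "$root/etc/sysconfig/selinux exists and is not a symlink" >&2
        return 1
    fi
    ln -sfn /etc/selinux/config "$root/etc/sysconfig/selinux"
}

# current_mode ROOT -> print the mode configured in the file
current_mode() {
    sed -n 's/^SELINUX=//p' "${1%/}/etc/selinux/config"
}

# make_sample_config ROOT -> constructed sample config for a dry run
make_sample_config() {
    mkdir -p "${1%/}/etc/selinux"
    cat > "${1%/}/etc/selinux/config" <<'EOF'
# Constructed sample; not copied from a real system.
SELINUX=disabled
SELINUXTYPE=targeted
EOF
}

# Usage on a real system (as root):
#   . ./selinux-enable.sh
#   set_selinux_mode / enforcing && link_sysconfig /
```

The functions only define behaviour; nothing runs until you call them. The mode check and the refusal to overwrite a non-symlink at /etc/sysconfig/selinux are the two places a typo would otherwise leave the system in a state that only shows up at the next reboot.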

Make life easy on yourself and use system-config-selinux. However, the command-line tools {get,set}sebool, semanage, sesearch (for audit log searching), setroubleshootd (for the sealert help messages logged to /var/log/messages), and {get,set}enforce will also be helpful.

Some things to understand. First, every file on the system, and every process, is labeled with a security context (provided by the user_xattr filesystem option). There are five fields, colon delimited. For instance, an ls -Z of the network config file will show:
-rw-r--r--  root root system_u:object_r:etc_t          /etc/sysconfig/network

Field one is _u (the user), a description of what is requesting the resource described in field two (_r, the role). (More specifically, object_r is a generic file system object used by the system.) The third field is the pointer to the policy, called the type enforcement. There are two more fields, S and C (sensitivity and category). Think of sensitivity as the level of security access (top secret!), and the category as which office or department gets this access.

With getsebool -a you can view the booleans (like with sysctl -a) that modify policy behaviour. To get a full list of the security contexts, type semanage fcontext -l.

To put this into the real world, if you have an ftp server, you have files shared with public_content_t and public_content_rw_t (the latter for an incoming directory, for instance). If you label your /var/ftp files right, the ftp server (such as vsftpd) has no problem accessing the files. If you run into problems, disable enforcement for that service with its _trans boolean (ftpd_disable_trans) by toggling it on (setsebool -P ftpd_disable_trans on), verifying your server works right, then toggling it off to troubleshoot your selinux configuration (typically, a boolean you didn't set right, or a file context that isn't set right). To change a security context use chcon with the option matching the field letter (-u, -r, -t, etc.). If you panic, use restorecon on the file, and selinux will try to set the context automatically for you. Finally, if you are running the setroubleshooter (see the setroubleshoot-server package and the setroubleshoot init script), it will log a sealert command in /var/log/messages that will help you figure out why something isn't working.
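The context fields described earlier and the "file context that isn't set right" failure mode above, as an added example that is not from the original post: a couple of shell functions that split a context into its colon-delimited fields and scan `ls -Z` output (the sample below is constructed, not captured from a real system) for files under /var/ftp whose type is neither public_content_t nor public_content_rw_t. The function names and the SAMPLE_LS_Z variable are my own; the output format of ls -Z assumed is the one shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post): parse security contexts and
# audit ls -Z output for ftp files carrying a type vsftpd cannot serve.

# context_field CONTEXT N -> field N (1=user 2=role 3=type 4=sensitivity 5=category)
context_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# context_type CONTEXT -> the type enforcement field (third)
context_type() {
    context_field "$1" 3
}

# find_mislabeled DIR "TYPE1 TYPE2 ..."   (reads ls -Z lines on stdin)
# Prints "path type" for each file under DIR whose type is not in the list.
# Expected line shape, as in the post: mode user group context path
find_mislabeled() {
    dir=$1
    allowed=" $2 "
    while read -r mode user group ctx path; do
        case "$path" in "$dir"/*) ;; *) continue ;; esac
        t=$(context_type "$ctx")
        case "$allowed" in
            *" $t "*) ;;
            *) printf '%s %s\n' "$path" "$t" ;;
        esac
    done
}

# Constructed sample ls -Z output (not captured from a real system).
# The third line is the classic mistake: a file copied out of a home
# directory keeps user_home_t, which the ftp domain may not read.
SAMPLE_LS_Z='-rw-r--r--  root root system_u:object_r:public_content_t /var/ftp/pub/README
-rw-rw-r--  ftp  ftp  system_u:object_r:public_content_rw_t /var/ftp/incoming/upload.txt
-rw-r--r--  root root user_u:object_r:user_home_t /var/ftp/pub/copied_from_home.txt
-rw-r--r--  root root system_u:object_r:etc_t /etc/sysconfig/network'

# audit_ftp -> print mislabeled /var/ftp files from the sample; 1 if any found
audit_ftp() {
    out=$(printf '%s\n' "$SAMPLE_LS_Z" \
        | find_mislabeled /var/ftp "public_content_t public_content_rw_t")
    printf '%s\n' "$out"
    [ -z "$out" ]
}

# On a real system, feed live output instead of the sample:
#   ls -Z -R /var/ftp | find_mislabeled /var/ftp "public_content_t public_content_rw_t"
```

Each line audit_ftp prints names a path to hand to restorecon (or chcon -t) before reaching for the _trans boolean, which is the order of operations the post recommends: fix the label, then use the boolean only to confirm that the remaining breakage is really policy and not the daemon itself.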

This document was written for the BLAG forums.

Copyright (c) 2008 D E Evans. Verbatim copying, or modification, etc., under the GFDL is permitted, as long as this notice is preserved.
