Re: [blag-users] SELinux Primer

Author: Yaakov Nemoy
Date:  
To: blag-users
Subject: Re: [blag-users] SELinux Primer
On Wed, Oct 1, 2008 at 8:49 PM, sinuhe <sinuhe@???> wrote:
> Fedora and Red Hat have led the development in MAC (Mandatory Access
> Control) based, NSA security. BLAG inherits this from Fedora. The following
> might be of interest as a *very brief* introduction for the security minded
> who want to use SELinux, but don't know where to start.
>
> Red Hat and Fedora have provided what is called targeted policies to make
> life easy for you. (A target is a policy targeted at a service, such as the
> web server Apache, or a MTA such as sendmail, postfix, or exim.) This means
> that a package not provided by Fedora (or inherited into BLAG) is
> automatically "unconfined." To enable SELinux under BLAG, add a symbolic
> link under /etc/sysconfig as "selinux" to /etc/selinux/config, and change
> SELINUX to "enforcing" in that file. You will need to add the packages
> selinux-policy and selinux-policy-targeted (there's also
> selinux-policy-mls). The first time you do this, you will get errors,
> because selinux is not yet enabled. Do not despair, just reboot (selinux
> will label your filesystem, so this may take a minute the first time you
> reboot). selinux-doc will also be helpful, as well as _selinux man pages
> that will describe the targets.
>
> Make life easy on yourself and use system-config-selinux. However,
> {get,set}sebool, semanage, sesearch (for audit log searching),
> setroubleshootd (for sealert helps logged to /var/log/messages),
> {get,set}enforce will be helpful.
>
> Some things to understand. First, every file on the system, and every
> process, is labeled with a security context (provided by the user_xattr
> filesystem option). There are five fields, colon delimited. For instance, an
> ls -Z of the network config file will show:
>
>   -rw-r--r-- root root system_u:object_r:etc_t /etc/sysconfig/network
>
> Field one is _u (the user), a description of what is requesting the resource
> described in field two (_r, the role). (More specifically, this is a generic
> file system object used by the system.) The third field is the pointer to
> the policy, called the type enforcement. There are two more fields S and C
> (sensitivity and category). Think of sensitivity as the level of security
> access (top secret!), and the category is what office, or department, gets
> this access.
>
> With getsebool -a you can view the booleans (like with sysctl -a) that
> modify policy behaviour. To get a full list of the security contexts, type
> semanage fcontext -l.
>
> To put this into the real world, if you have an ftp server, you have files
> shared with public_content_t and public_content_rw_t (like for an incoming
> directory). If you label your /var/ftp files right, the ftp server (such as
> vsftpd) has no problem accessing the files. If you run into problems,
> disable enforcement with the _trans boolean (ftpd_disable_trans) by toggling
> it on (setsebool -P ftpd_disable_trans on), verifying your server works
> right, then toggling it off to troubleshoot your selinux configuration
> (typically, a boolean you didn't set right, or file context that isn't set
> right). To change your security context use chcon with an option matching
> the letter (-u, -r, -t, etc.). If you panic, use restorecon on the file, and
> selinux will try and automatically do it for you. Finally, if you are
> running the setroubleshooter (see the setroubleshoot-server package,
> setroubleshoot init script), it will give you a sealert command in
> /var/log/messages that will help you figure out why something isn't working.
>


Don't forget about 'audit2why', which can help explain things more easily.

-Yaakov
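The two troubleshooting steps the thread describes, checking whether a file's context matches what the policy expects (what restorecon fixes) and reading the fields out of an AVC denial (what sealert and audit2why reason from), as an added example. This is not code from the post, from BLAG or from Fedora; the fcontext table, the ls -Z listing and the AVC line are constructed samples in the layout the real tools print, and the "last matching spec wins" lookup is a simplification of how libselinux consults file_contexts. The function and variable names are the example's own.

```python
"""Mislabel check in the spirit of `restorecon -n`, plus AVC denial parsing.

Added example; not code from the original post.  Sample data below is
constructed, and the lookup rule (last matching spec wins) mirrors how
libselinux searches file_contexts, simplified here for illustration.
"""
import re

# Constructed fcontext table in the layout `semanage fcontext -l` prints:
# regex, file type, context.  Later lines are more specific than earlier ones.
FCONTEXT_SPECS = """\
/.*                        all files  system_u:object_r:default_t:s0
/etc/.*                    all files  system_u:object_r:etc_t:s0
/var/ftp(/.*)?             all files  system_u:object_r:public_content_t:s0
/var/ftp/incoming(/.*)?    all files  system_u:object_r:public_content_rw_t:s0
"""

# Constructed `ls -Z` listing: mode, user, group, context, path.
LS_Z_LISTING = """\
-rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/sysconfig/network
-rw-r--r-- root root system_u:object_r:public_content_t:s0 /var/ftp/pub/readme.txt
-rw-rw-r-- ftp  ftp  system_u:object_r:public_content_t:s0 /var/ftp/incoming/upload.bin
-rw-r--r-- root root unconfined_u:object_r:user_home_t:s0 /var/ftp/pub/copied.tar
"""

# One constructed AVC denial of the kind setroubleshootd/audit2why explain.
AVC_LINE = ('type=AVC msg=audit(1222900000.123:45): avc:  denied  { read getattr } for '
            'pid=2345 comm="vsftpd" name="copied.tar" dev=sda3 ino=12345 '
            'scontext=system_u:system_r:ftpd_t:s0 '
            'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file')

FIELDS = ("user", "role", "type", "sensitivity", "category")


def parse_context(ctx):
    """Split user:role:type[:sensitivity[:category]] into a dict.

    The post's ls -Z shows three fields; MLS/MCS systems add the
    sensitivity (s0) and optionally a category.  Missing fields are None.
    """
    parts = ctx.split(":", 4)
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return dict(zip(FIELDS, parts + [None] * (5 - len(parts))))


def load_specs(text):
    """Parse fcontext lines into (anchored regex, file type, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            # Regex, then a free-text type ("all files"), then the context.
            regex, ftype, ctx = re.match(r"(\S+)\s+(.+?)\s+(\S+)$", line).groups()
            specs.append((re.compile("^" + regex + "$"), ftype, ctx))
    return specs


def expected_context(path, specs):
    """Context the policy expects for `path`: the last matching spec wins,
    which is what lets /var/ftp/incoming override the broader /var/ftp rule."""
    for pattern, _ftype, ctx in reversed(specs):
        if pattern.match(path):
            return ctx
    return None


def parse_ls_z(text):
    """Yield (path, context) pairs from ls -Z style lines."""
    for line in text.splitlines():
        if line.strip():
            _mode, _user, _group, ctx, path = line.split(None, 4)
            yield path, ctx


def find_mislabeled(listing, spec_text):
    """Files whose type differs from policy, i.e. what restorecon (without -F)
    would change.  Only the type field is compared, as restorecon does by
    default; user and role are left alone."""
    specs = load_specs(spec_text)
    out = []
    for path, ctx in parse_ls_z(listing):
        want = expected_context(path, specs)
        have_t = parse_context(ctx)["type"]
        want_t = parse_context(want)["type"] if want else None
        if have_t != want_t:
            out.append((path, have_t, want_t))
    return out


def parse_avc(line):
    """Pull out which source type was denied which permissions on which
    target type: the facts audit2why and sealert start from."""
    perms = re.search(r"denied\s+\{([^}]*)\}", line).group(1).split()
    kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return {"perms": perms, "comm": kv.get("comm", "").strip('"'),
            "source_type": parse_context(kv["scontext"])["type"],
            "target_type": parse_context(kv["tcontext"])["type"],
            "tclass": kv["tclass"]}


if __name__ == "__main__":
    for path, have, want in find_mislabeled(LS_Z_LISTING, FCONTEXT_SPECS):
        print("%s is %s, policy expects %s (restorecon would fix it)" % (path, have, want))
    d = parse_avc(AVC_LINE)
    print("%s (%s) was denied %s on a %s labeled %s" % (
        d["comm"], d["source_type"], " ".join(d["perms"]), d["tclass"], d["target_type"]))
```

On a real system the same questions are answered by `matchpathcon /path` and `restorecon -n -v /path` for the label check, and by `audit2why < /var/log/audit/audit.log` for the denial; the point of the script is to show what those tools are comparing, which makes their output easier to read when a boolean or a file context turns out to be the problem.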