Red Hat ENTERPRISE LINUX 4 - SELINUX GUIDE Manual

Red Hat Enterprise Linux 4
Red Hat SELinux Guide


Summary of Contents for Red Hat ENTERPRISE LINUX 4 - SELINUX GUIDE

  • Page 1 Red Hat Enterprise Linux 4 Red Hat SELinux Guide...
  • Page 2 All other trademarks referenced herein are the property of their respective owners. The GPG fingerprint of the security@redhat.com key is: CA 20 86 86 2B D6 9D FC 65 F6 EC C4 21 91 80 CD DB 42 A6 0E...
  • Page 3: Table Of Contents

    Table of Contents: Introduction to the Red Hat SELinux Guide (i); 1. What Is SELinux? (i); 2. Prerequisites for This Guide (ii); 3. Conventions for SELinux Directories and Files (iii); 4. Document Conventions (iii); 5. Code Presentation Conventions (vi); 6. ...
  • Page 4 8. Customizing and Writing Policy (95); 8.1. General Policy Troubleshooting Guidelines (95); 8.2. Minor Customizations of the Existing Policy (95); 8.3. Writing New Policy for a Daemon (99); 8.4. Deploying Customized Binary Policy (101); 9. References (103); III. ...
  • Page 5: Introduction To The Red Hat Selinux Guide

    Introduction to the Red Hat SELinux Guide Welcome to the Red Hat SELinux Guide. This guide addresses the complex world of SELinux policy, and has the goal of teaching you how to understand, use, administer, and troubleshoot SELinux in a Red Hat Enterprise Linux environment. SELinux, an implementation of mandatory access control (MAC) in the Linux kernel, adds the ability to administratively define policies on all subjects (processes) and objects (devices, files, and signaled processes).
  • Page 6: Prerequisites For This Guide

    Introduction to the Red Hat SELinux Guide SELinux is implemented in the Linux kernel using the LSM (Linux Security Modules) framework. This is only the latest implementation of an ongoing project, as detailed in Appendix A Brief Background and History of SELinux. To support fine-grained access control, SELinux implements two technologies: Type Enforcement™...
  • Page 7: Conventions For Selinux Directories And Files

    • Some additional patience. SELinux is a different way of handling access control than many administrators and users are familiar with. Information about Red Hat training can be obtained via http://www.redhat.com/training/. 3. Conventions for SELinux Directories and Files There are two main directories for SELinux policy in /etc/selinux/ —...
  • Page 8 Introduction to the Red Hat SELinux Guide command Linux commands (and other operating system commands, when used) are represented this way. This style should indicate to you that you can type the word or phrase on the command line and press [Enter] to invoke a command. Sometimes a command contains words that would be displayed in a different style on their own (such as file names).
  • Page 9 Introduction to the Red Hat SELinux Guide button on a GUI screen or window This style indicates that the text can be found on a clickable button on a GUI screen. For example: Click on the Back button to return to the webpage you last viewed. computer output Text in this style indicates text displayed to a shell prompt such as error messages and responses to commands.
  • Page 10: Code Presentation Conventions

    Introduction to the Red Hat SELinux Guide Important If you modify the DHCP configuration file, the changes do not take effect until you restart the DHCP daemon. Caution Do not perform routine tasks as root — use a regular user account unless you need to use the root account for system administration tasks.
  • Page 11: Activate Your Subscription

    If you cannot complete registration during the Setup Agent (which requires network access), you can alternatively complete the Red Hat registration process online at http://www.redhat.com/register/. 6.1. Provide a Red Hat Login...
  • Page 12: Provide Your Subscription Number

    7.1. Send in Your Feedback If you spot a typo in the SELinux Guide, or if you have thought of a way to make this manual better, we would love to hear from you. Please submit a report in Bugzilla (http://bugzilla.redhat.com/bugzilla) against the component rhel-selg. Be sure to mention the manual’s identifier:...
  • Page 13: Understanding Selinux

    I. Understanding SELinux This part provides an overview and theory of SELinux in general and policy in particular. Table of Contents: 1. SELinux Architectural Overview (1); 2. SELinux Policy Overview (5); 3. Targeted Policy Overview (29); 4. Example Policy Reference - ...
  • Page 15: Selinux Architectural Overview

    Chapter 1. SELinux Architectural Overview This chapter is an overview of the SELinux architecture, building upon what was discussed in Section 1 What Is SELinux?. The technical information you learn here helps you accomplish your goals in an SELinux environment. This chapter discusses the interaction of SELinux policy, the kernel, and the rest of the OS.
  • Page 16 Chapter 1. SELinux Architectural Overview decisions, or policy logic obtained in real time. These computations are all handled by the policy engine and cached, leaving the policy enforcement code available to handle requests. One other Flask flexibility is that any of these subsystems can be swapped out for a new or different system, and none of the other systems are even aware of the change.
  • Page 17: Selinux, An Implementation Of Flask

    Chapter 1. SELinux Architectural Overview 3. The policy server first checks the AVC, and returns a decision to the enforcement server. If the AVC does not have a policy decision cached, it turns to the security server, which uses the binary policy that is loaded into the kernel during initialization.
  • Page 18 Chapter 1. SELinux Architectural Overview 2. The term security server is still used for the sake of clarity, but it is no longer a stand-alone service. The security server, the AVC, and the policy engine are now all parts of the kernel.
  • Page 19: Selinux Policy Overview

    Chapter 2. SELinux Policy Overview This chapter is an overview of SELinux policy, some of its internals, and how it works. This chapter discusses the policy in a more general way, where Chapter 3 Targeted Policy Overview focuses on the details of the targeted policy as it ships in Red Hat Enterprise Linux.
  • Page 20: Where Is The Policy

    Chapter 2. SELinux Policy Overview For example, the binary executable file object at /usr/bin/postgres has the type of postgresql_exec_t. All of the targeted daemons have their own *_exec_t type for their executable applications. In fact, the entire set of PostgreSQL executables such as createlang, and have the same type,...
  • Page 21: Policy Role In Boot

    Chapter 2. SELinux Policy Overview • *_context* — various contexts used by applications, such as the default_type and userhelper_context used by userhelper • files/* — the file_contexts file contains the default contexts for the whole file system. This is what restorecon references when relabeling. The media file contains the default con-...
  • Page 22: File System Security Contexts

    Chapter 2. SELinux Policy Overview then re-executes itself so that it can transition to a different domain, if the policy defines it. For the targeted policy, there is no transition defined and init remains in the unconfined_t domain. 8. At this point, init continues with its normal boot.
  • Page 23 Chapter 2. SELinux Policy Overview genfscon iso9660 / system_u:object_r:iso9660_t The genfs_contexts file has labels to associate with the most common mounted file systems that do not support xattrs. You can set the context at the time of mounting the file system with the option .
  • Page 24: Object Classes And Permissions

    Chapter 2. SELinux Policy Overview The way SELinux implements its label in the xattr is different from other labeling schemes. SELinux stores its labels in human-readable strings. This provides a meaningful label with the file that can help in backup, restoration, and moving files between systems. Standard attributes do not provide a label that has continuous meaning for the file.
  • Page 25 Chapter 2. SELinux Policy Overview The object classes have matching declarations in the kernel, meaning that it is not trivial to add or change object class details. The same thing is true for permissions. Development work is ongoing to make it possible to register and unregister classes and permissions dynamically. Permissions are the actions that a subject can take on an object, if the policy allows it.
  • Page 26: Te Rules - Attributes

    Chapter 2. SELinux Policy Overview send_msg name_bind # Define a common prefix for ipc access vectors. common ipc create destroy getattr setattr read write associate unix_read unix_write Following the common sets are all the access vector definitions. The definition is structured this way: class_name common_name permission_name...
  • Page 27 Chapter 2. SELinux Policy Overview # assigned to a process. This attribute is used in TE rules # that should be applied to all domains, e.g. permitting # init to kill all processes. attribute domain; # Identifies all default types assigned to packets received # on network interfaces.
  • Page 28 Chapter 2. SELinux Policy Overview netif_type, port_type, and node_type These attributes relate to network activity by domains. The netif_type identifies the types associated with network interfaces, allowing policy to control sending, receiving, and various operations on the interface: netif_t netif_eth0_t netif_eth1_t netif_eth2_t...
  • Page 29 Chapter 2. SELinux Policy Overview futexfs_t bdev_t usbfs_t nfsd_fs_t rpc_pipefs_t binfmt_misc_fs_t tmpfs_t autofs_t usbdevfs_t sysfs_t iso9660_t romfs_t ramfs_t dosfs_t cifs_t: sambafs_t nfs_t proc_t security_t exec_type This attribute groups together all types that are assigned to entry point executables. Any TE rules and assertions that should be applied to all entry point executables use this attribute.
  • Page 30 Chapter 2. SELinux Policy Overview mta_delivery_agent This attribute allows for flexibility in choosing a mail transfer agent (MTA) such as sendmail or postfix. Rules allow it to perform mail handling and take tasks from mailman. However, this attribute is not used in the targeted policy since none of the MTAs are targeted daemons for Red Hat Enterprise Linux 4.
  • Page 31: Te Rules - Types

    Chapter 2. SELinux Policy Overview http_port_t smtp_port_t rndc_port_t ntp_port_t portmap_port_t snmp_port_t syslogd_port_t 2.7. TE Rules - Types SELinux uses types in various ways. After they are declared, they can be used to make rules for the transition decision process, type changing process, and access vector decisions and assertions. Note Defining the type transitions does not enable them.
  • Page 32 Chapter 2. SELinux Policy Overview Type Transitions A type transition results in a new process running in a new domain different from the executing process, or a new object being labeled with a type different from the source doing the labeling. The rules define what domain and file type transitions occur by default.
  • Page 33: Te Rules - Access Vectors

    Chapter 2. SELinux Policy Overview type_transition named_t var_run_t:sock_file named_var_run_t; # When a process in the domain named_t creates a socket file # in a directory of the type var_run_t, the socket file is # given the type named_var_run_t. The directory with the # type var_run_t is defined in the policy as /var/run/.
  • Page 34 Chapter 2. SELinux Policy Overview not affecting the application doing its tasks. This AV lets you silently deny and ignore the access violation. For example, this dontaudit rule says to ignore when the named_t domain attempts to read or get attributes on a file with the type.
  • Page 35: Policy Macros

    Chapter 2. SELinux Policy Overview hostname The hostname of the system. kernel: audit(1105758604.519:420): This is the kernel audit log message pointer. The timestamp consists of a long number, which is the unformatted current time, and a short number, which is the milliseconds, that is, .
  • Page 36 Chapter 2. SELinux Policy Overview policy writers gain flexibility, modularity, shared quality control, and central management for complex pieces of policy. Macros do not exist in the policy.conf file, as that file represents the exploded macro policy code. It is possible to work backward in finding where a particular policy.conf entry exists.
  • Page 37 Chapter 2. SELinux Policy Overview The allow rule says httpd_t is permitted to start a child process that transitions to httpd_suexec_t. The type_transition rule defines two things: the circumstances, that is, when the httpd_t domain is executing a file of the type httpd_suexec_exec_t);...
  • Page 38: Selinux Users And Roles

    Chapter 2. SELinux Policy Overview domain_auto_trans($1, $2_exec_t, $2_t) Recall that the variables fed into daemon_sub_domain() were httpd_t ($1) and httpd_suexec ($2). When it runs, it inputs the parameters in the order received, so $1 becomes httpd_t, $2_exec_t becomes httpd_suexec_exec_t, and $2_t becomes httpd_suexec_t. Notice that...
  • Page 39 Chapter 2. SELinux Policy Overview This is why, when discussing interaction of processes and files, the type component is what you focus on. 2.10.1. SELinux Roles Roles define which SELinux user identities can have access to what domains. Roles are created by the existence of one or more declarations in a TE rules file in $SELINUX_SRC/domains/*. Simply being in a role is not enough to allow domain transition.
  • Page 40: Te Rules - Constraints

    Chapter 2. SELinux Policy Overview 2.10.2. SELinux Users SELinux user identities are different from UNIX identities. They are applied as part of the security label and can be changed in real time under limited conditions. SELinux identities are not primarily used in the targeted policy.
  • Page 41: Special Interfaces And File Systems

    Chapter 2. SELinux Policy Overview # name_list : name | name_list name # Restrict the ability to transition to other users # or roles to a few privileged types. constrain process transition ( u1 == u2 or t1 == privuser ); constrain process transition ( r1 == r2 or t1 == privrole );...
  • Page 42 Chapter 2. SELinux Policy Overview • Security file contexts are stored in the values in the security.selinux parameter of the file’s extended attributes. This field is read when any subject makes a request for the SELinux type of a file. Extended attribute support is extremely limited for pseudo file systems at this time. Currently only devpts has support for xattrs, but work is ongoing to add further support for more pseudo file systems.
  • Page 43: Targeted Policy Overview

    Chapter 3. Targeted Policy Overview This chapter is an overview and examination of the targeted policy, which is the supported policy for Red Hat Enterprise Linux. Much of the content in this chapter is applicable to all the kinds of SELinux policy, in terms of file locations and type of content in those files.
  • Page 44: Files And Directories Of The Targeted Policy

    Chapter 3. Targeted Policy Overview • dhcpd — this policy is dissected and explained in Chapter 4 Example Policy Reference - dhcpd • httpd • mysqld • named • nscd • ntpd • portmap • postgres • snmpd • squid •...
  • Page 45 Chapter 3. Targeted Policy Overview in /etc/selinux/targeted/booleans would then change to squid_disable_trans=1. An easier technique for changing Booleans is to use the setsebool command. If you change the value in /etc/selinux/targeted/booleans, the change takes effect upon next policy load, such as a reboot or (refer to Chapter 7 Compiling SELinux Policy).
  • Page 46 Chapter 3. Targeted Policy Overview $SELINUX_SRC/appconfig/ This directory contains application configuration files that provide contexts or partial contexts for certain daemons and utilities. A partial context is when the user identity is not included. This identity is inferred from the user who runs the utility. The kind of utilities that rely upon the contexts are , and...
  • Page 47 Chapter 3. Targeted Policy Overview system_u:system_r:unconfined_t $SELINUX_SRC/types/* These files are the type declarations for general sets of types. The types are grouped by similarities such as being a file, being related to security, network, or devices. The name of the type declaration file reflects its contents.
  • Page 48 Chapter 3. Targeted Policy Overview $SELINUX_SRC/genfs_contexts As explained in Section 2.4 File System Security Contexts, this file supplies the contexts for mountpoint labeling, where a mounted file system is given a single, overarching context instead of an individual context for each file. $SELINUX_SRC/initial_sid_contexts These security...
  • Page 49 Chapter 3. Targeted Policy Overview $SELINUX_SRC/tunables/ The tunable is a way of switching on or off certain settings that have global effect. For example, the distro.tun file has only one Linux distribution defined (the others are dnl'd out): define(‘distro_redhat’) The existence of this definition triggers conditional statements in the TE files for httpd, , and , as well...
  • Page 50 Chapter 3. Targeted Policy Overview Warning Removing the wrong file can result in your system being unable to boot in enforcing mode. Policy compilation can fail if dependencies are not available. Be sure you know the consequences of removing any of the *.te files from /etc/selinux/targeted/src/policy/...
  • Page 51 Chapter 3. Targeted Policy Overview |-- file_contexts |-- misc |-- program |-- apache.fc |-- dhcpd.fc |-- hotplug.fc |-- init.fc |-- initrc.fc |-- ldconfig.te |-- mailman.fc |-- modutil.fc |-- mta.fc |-- mysqld.fc |-- named.fc |-- nscd.fc |-- ntpd.fc |-- portmap.fc |-- postgresql.fc |-- rpm.fc |-- snmpd.fc |-- squid.fc...
  • Page 52: Understanding The File Contexts Files

    Chapter 3. Targeted Policy Overview |-- procfs.te |-- security.te ‘-- x.te ‘-- users 3.3. Understanding the File Contexts Files The files in $SELINUX_SRC/file_contexts/ declare the security contexts that are applied to files when the policy is installed. You can read more about what a file context is at Section 2.4 File System Security Contexts.
  • Page 53: Common Macros In The Targeted Policy

    Chapter 3. Targeted Policy Overview /selinux(/.*)? none /etc(/.*)? system_u:object_r:etc_t /etc/passwd\.lock -- system_u:object_r:shadow_t /etc/group\.lock -- system_u:object_r:shadow_t /etc/shadow.* -- system_u:object_r:shadow_t /usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t /usr(/.*)?/java/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t Similarly, there are specific file contexts files for all domains, depending on their special needs. The *.fc files are present in the policy source, but are only used if there is an associated file in...
  • Page 54 Chapter 3. Targeted Policy Overview daemon_domain, daemon_base_domain, and daemon_core_rules The daemon_domain macro is in $SELINUX_SRC/macros/global_macros.te, and is common to all of the targeted daemons. The purpose of daemon_domain is to group together permission needs common to all daemons. These needs include creating a process ID (PID) file and running to check disk usage.
  • Page 55 Chapter 3. Targeted Policy Overview macro handles the control between the two domains. In addition, the socket needs write permission to the file associated with the socket. For this reason the can_unix_connect macro is paired with other allow rules in the policy: # From $SELINUX_SRC/domains/program/syslogd.te...
  • Page 56 Chapter 3. Targeted Policy Overview # file_type_auto_trans(creator_domain, parent_directory_type, \ file_type, object_class) # the object class will default to notdevfile_class_set if not # specified as the fourth parameter define(‘file_type_auto_trans’,‘ ifelse(‘$4’, ‘’, ‘ file_type_trans($1,$2,$3) type_transition $1 $2:dir $3; type_transition $1 $2:notdevfile_class_set $3; ’, ‘...
  • Page 57: Understanding The Roles And Users In The Targeted Policy

    Chapter 3. Targeted Policy Overview 3.5. Understanding the Roles and Users in the Targeted Policy Building on your understanding from reading Section 2.10 SELinux Users and Roles, this section covers the specific roles enabled for the targeted policy. As explained previously, roles are not very active in the targeted policy, but can be an essential part of a localized SELinux installation.
  • Page 58 Chapter 3. Targeted Policy Overview object_r In SELinux, roles are not utilized for objects when RBAC is being used. Roles are strictly for subjects. This is because roles are task-oriented and they group together doers, which are subjects. For this reason, all objects universally have the role object_r, and the role is only used as a placeholder in the label.
  • Page 59 Chapter 3. Targeted Policy Overview # root is retained as a separate user identity simply as a # compatibility measure with the "strict" policy. It could # be dropped and mapped to user_u but this allows existing # file contexts that have "root" as the user identity to # remain valid.
  • Page 60 Chapter 3. Targeted Policy Overview...
  • Page 61: Example Policy Reference

    Chapter 4. Example Policy Reference - dhcpd This chapter provides an understanding of how the policy works with the dhcpd daemon. This daemon ships as part of the dhcp package. This chapter first discusses the locations and purposes of key policy files, and then policy types are explained.
  • Page 62 Chapter 4. Example Policy Reference - dhcpd 4.2. Policy Types - dhcpd This section discusses the types associated with the dhcpd policy. Note SELinux policy uses a number of macros written in the m4 macro language to make policy writing easier.
  • Page 63 Chapter 4. Example Policy Reference - dhcpd connect getopt setopt shutdown }; allow dhcpd_t self : unix_stream_socket { create \ ioctl read getattr write setattr append bind \ connect getopt setopt shutdown }; • As a network service, dhcpd is allowed to open a TCP or UDP socket to send and receive...
  • Page 64 Chapter 4. Example Policy Reference - dhcpd fully control just the DHCP lease files in /var/lib/dhcp/ and not, for example, the dhclient files in the same directory. This shows a case where the policy explicitly does not want a file to gain the default label from the parent directory.
  • Page 65: Boolean Values For

    Chapter 4. Example Policy Reference - dhcpd allow dhcpd_t dhcpd_var_run_t : dir { read getattr lock \ search ioctl add_name remove_name write }; type_transition dhcpd_t var_run_t : file dhcpd_var_run_t; dhcp_etc_t The two direct rules using this type allow the dhcpd_t domain to read and get attributes on files of the type, as well as search directories of the same type.
  • Page 66 Chapter 4. Example Policy Reference - dhcpd...
  • Page 67: Working With Selinux

    II. Working With SELinux This part discusses how to work with SELinux. Table of Contents: 5. Controlling and Maintaining SELinux (55); 6. Tools for Manipulating and Analyzing SELinux (73); 7. Compiling SELinux Policy (91); 8. Customizing and Writing Policy (95)...
  • Page 69: Controlling And Maintaining Selinux

    Chapter 5. Controlling and Maintaining SELinux SELinux presents both a new security paradigm and a new set of practices and tools for administrators and some end-users. The tools and techniques discussed in this chapter focus on standard operations performed by administrators, end-users, and analysts. More complex operations, such as compiling a policy after a local change, are covered in Chapter 7 Compiling SELinux Policy.
  • Page 70 Chapter 5. Controlling and Maintaining SELinux Moving files with mv retains the type the file started with. This may cause problems, for example, if you move files with the type user_home_t into ~/public_html: httpd is not able to serve them until you relabel the file. You can read about file relabeling in Section 5.1.3 Relabel a File or Directory’s Security Context.
  • Page 71 Chapter 5. Controlling and Maintaining SELinux , the option is only usable by itself, it cannot be combined with other options. In this example, the change to root using did not cause a change in role. In a stricter policy, is capable of making a role change as well, i.e., from .
  • Page 72 Chapter 5. Controlling and Maintaining SELinux Since most of SELinux permission control in the targeted policy is type enforcement, you can primarily ignore the user and role information in a security label and focus on just changing the type. This saves you some keystrokes, and keeps you from worrying about the roles and users settings on your files.
  • Page 73 Chapter 5. Controlling and Maintaining SELinux If the file has no label, such as a file created while SELinux was disabled in the kernel, you need to give it a full label with chcon system_u:object_r:shlib_t foo.so. If you don’t, you get an error about applying a partial context to an unlabeled file.
  • Page 74 Chapter 5. Controlling and Maintaining SELinux -rw-rw-r-- auser auser system_u:object_r:user_home_t 4.html -rw-rw-r-- auser auser system_u:object_r:user_home_t 5.html -rw-rw-r-- auser auser system_u:object_r:user_home_t index.html 5.1.4. Make Backups or Archives That Retain Security Contexts utility does not yet support archiving and restoring extended attributes in Red Hat Enterprise Linux 4.
  • Page 75 Chapter 5. Controlling and Maintaining SELinux -rw-rw-r-- auser auser user_u:object_r:tmp_t 3.html -rw-rw-r-- auser auser user_u:object_r:tmp_t 4.html -rw-rw-r-- auser auser user_u:object_r:tmp_t 5.html -rw-rw-r-- auser auser user_u:object_r:tmp_t index.html /tmp/web_files/: -rw-rw-r-- auser auser user_u:object_r:tmp_t 1.html -rw-rw-r-- auser auser user_u:object_r:tmp_t 2.html -rw-rw-r-- auser auser user_u:object_r:tmp_t 3.html -rw-rw-r--...
  • Page 76: Administrator Control Of Selinux

    Chapter 5. Controlling and Maintaining SELinux 5.2. Administrator Control of SELinux Administrators can expect to do most of the same things that users do in Section 5.1 End User Control of SELinux, plus a number of additional tasks that are usually done only at the root level. Using the targeted policy makes tasks measurably easier for the administrator.
  • Page 77 Chapter 5. Controlling and Maintaining SELinux There is one good method for relabeling the file system. You may also hear about two other methods, both of which are not recommended. Here they are in order: 1. The best and cleanest method to relabel is to let do it for you on boot.
  • Page 78 Chapter 5. Controlling and Maintaining SELinux 5.2.4. Grant Access to a Directory or a Tree Just as with regular Linux DAC permissions, a targeted daemon must have SELinux permissions to be able to descend the directory tree from the root. This does not mean that a directory and its contents need to have the same type.
  • Page 79 Chapter 5. Controlling and Maintaining SELinux warning: /etc/selinux/targeted/policy/policy.18 created as \ /etc/selinux/targeted/policy/policy.18.rpmnew 2:selinux-policy-targeted########################## [100%] mv /etc/selinux/targeted/policy/policy.18.rpmnew \ /etc/selinux/targeted/policy/policy.18 Otherwise, install the new policy source and load a new policy. This situation occurs as a protection against an updated policy package overwriting a custom binary policy.
  • Page 80 Chapter 5. Controlling and Maintaining SELinux You can configure all of these settings using system-config-securitylevel. The same configuration files are used, so changes show up bidirectionally. To set SELinux to enforcing, choose the SELinux tab and select the checkboxes next to Enabled •...
  • Page 81 Chapter 5. Controlling and Maintaining SELinux 5.2.9. Enable or Disable SELinux Important Changes you make to files while SELinux is disabled may give them an unexpected security label, and new files do not have a label. You may need to relabel part or all of the file system after enabling SELinux again.
  • Page 82 4. If you think the interaction should be allowed and represents a policy bug, you can insert policy to allow it. Read Chapter 8 Customizing and Writing Policy for information on doing this, and file a bug report at http://bugzilla.redhat.com. 5.2.12. Read an...
  • Page 83 Chapter 5. Controlling and Maintaining SELinux runcon -t httpd_t ~/bin/contexttest -ARG1 -ARG2 # You can also specify the entire context runcon user_u:system_r:httpd_t ~/bin/contexttest 5.2.15. Useful Commands for Scripts You may need access to SELinux information and capabilities for scripts you write in administering your system.
  • Page 84: Analyst Control Of Selinux

    Chapter 5. Controlling and Maintaining SELinux 5.2.17. When to Reboot Your primary reason for rebooting with SELinux is to get your file system properly labeled using the /.autorelabel file. Another reason might be to completely enable or disable SELinux. Otherwise, you can safely make SELinux permissive by using setenforce 0. 5.3.
  • Page 85: Policy Writer Control Of Selinux

    Chapter 5. Controlling and Maintaining SELinux 5.3.2. Dump or View Policy While there is no formal way to dump the policy in memory, there are several tools which make it easier to view and analyze policy. Here are three ways of viewing the policy. The binary policy directory at contains information on Booleans and file •...
  • Page 86 Chapter 5. Controlling and Maintaining SELinux...
  • Page 87: Tools For Manipulating And Analyzing Selinux

    Chapter 6. Tools for Manipulating and Analyzing SELinux An administrator’s job may include analyzing and possibly manipulating the SELinux policy, as well as doing performance analysis and tuning. This chapter discusses analysis and tuning. For policy manipulation, you may wish to support a new daemon or discover and fix a problem, as discussed in Chapter 8 Customizing and Writing Policy.
  • Page 88 Chapter 6. Tools for Manipulating and Analyzing SELinux # This shows one second intervals: avcstat 1 lookups hits misses allocs reclaims frees 194670327 194657424 12903 12903 12402 # With these five second intervals, you see the accumulation # of lookups and hits over the course of the interval. avcstat 5 lookups hits...
  • Page 89 Chapter 6. Tools for Manipulating and Analyzing SELinux Classes: Permissions: Types: Attributes: Users: Roles: Booleans: Cond. Expr.: Allow: 11134 Neverallow: Auditallow: Dontaudit: Type_trans: Type_change: Role allow: Role trans: Initial SIDs: Similar to the way that seinfo provides light information gathering functionality from apol on the command line, sesearch lets you search for a particular type in the policy.
  • Page 90: Using Seaudit For Audit Log Analysis

    Chapter 6. Tools for Manipulating and Analyzing SELinux Option / Behavior: --all: Show all rules. You must specify one of the rule types in your search terms: --allow, --audit, --neverallow, or --type. --lineno: In the search results, specify the line number.
  • Page 91 Chapter 6. Tools for Manipulating and Analyzing SELinux Figure 6-1. seaudit Showing $AUDIT_LOG 6.2.1. Arranging Your Views in seaudit There are several features to seaudit that make it easier to work with the audit messages. The first happens simply by loading a log into seaudit. You find only the SELinux log entries are displayed, with all of the data fields in the log message divided into columns.
  • Page 92 Chapter 6. Tools for Manipulating and Analyzing SELinux Figure 6-2. seaudit View Filter The View window is where you create filters to help organize and analyze log entries. Clicking on the Add or Edit button brings up the Edit filter window: Figure 6-3.
  • Page 93 interface, source executable, path to the target, and hostname. Criteria matching is all or any. When you choose a context for a filter, such as clicking on Types: under Target Type, the Select Target Types window pops up with the available types, as shown in Figure 6-4.
  • Page 94
    Glob Type   Behavior
    [!...]      When ! opens the bracket expression, it signifies a complement of the character or range that follows. This globbing pattern uses a list. Complementation is a mathematical term, and in this case means "not the character or range that follows."...
  • Page 95 Figure 6-5. seaudit Query policy Window
    Full regular expression support is enabled for the Query policy window. The globbing expression behavior used in the Modify view filtering is not available. In the Query policy window, the policy.conf tab displays the currently active policy.conf from the active policy.
  • Page 96
        <standard-section id="PolicyBooleans" title="Policy \
          boolean changes"></standard-section>
        <standard-section id="AllowListing" title="Allow \
          Listing"></standard-section>
        <standard-section id="DenyListing" title="Deny \
          Listing"></standard-section>
        </seaudit-report>
    You can remove reports by removing the XML tag-set for it, and you can put custom views obtained from saved views in seaudit into a .
  • Page 97: Using Apol For Policy Analysis

        avc: granted { setbool } for pid=3803 exe=/usr/sbin/togglesebool \
        scontext=root:system_r:unconfined_t \
        tcontext=system_u:object_r:security_t tclass=security

    Deny Listing
    ------------
    Number of messages: 8

        Feb 06 19:42:45 urania kernel: audit(1107747765.871:7550947): \
        avc: denied { getattr } for pid=2479 exe=/usr/sbin/httpd \
        path=/home/auser/public_html dev=hdb2 ino=921135 \
        scontext=user_u:system_r:httpd_t \
        tcontext=system_u:object_r:user_home_t tclass=dir...
  • Page 98 Note: Both the source and binary policy files can be analyzed by apol. Much of the policy.conf and policy.XY results are similar, but there are noteworthy differences. This is because the binary compilation process strips out attributes as well as the initial SIDs.
  • Page 99 Note: There are declared types that do not have any rules written for them or file contexts set for them. For example, swapfile_t is declared in $SELINUX_SRC/types/file.te, so it appears in the Types menu within the Types tab.
  • Page 100 Figure 6-7. Policy Rules and TE Rules Search
    The Search Options menu lets you pick search parameters. The selection for Only search for enabled rules refers to the Boolean value for a rule, or if a conditional expression (ifdef statement) is true.
  • Page 101 The lines following the mark are explanations inserted for this guide and are not part of the standard apol output.
        278 rules match the search criteria
        Number of enabled conditional rules: 23
        Number of disabled conditional rules: 34
        (3813) allow httpd_t var_log_t:dir { read getattr lock \
          search ioctl add_name write };...
  • Page 102 Each rule is marked [enabled] or [disabled], which shows the current state of that conditional in the policy. Changing a value in the Booleans tab within the Policy Components tab is reflected in the Conditional Expressions Display by running your search again.
  • Page 103: Performance Tuning

    Figure 6-8. Direct Information Flow Analysis
    Information flow analysis can be a challenging and daunting task. The policy holds thousands or tens of thousands of rules with hundreds of types, all interacting in multiple ways. The help file /usr/share/doc/setools-<version>/iflow_help.txt is essential reading for understanding information flow analysis in SELinux.
  • Page 104
        cat /selinux/avc/cache_threshold
        echo 768 > /selinux/avc/cache_threshold
        # Check to be sure the change took hold. Be sure you are
        # root when using the targeted policy.
        cat /selinux/avc/cache_threshold
    Caution: The default value of 512 for the cache threshold in Red Hat Enterprise Linux is set from extensive optimization benchmarking.
  • Page 105: Compiling Selinux Policy

    Chapter 7. Compiling SELinux Policy Warning The commands and steps covered in this chapter may render your system inoperable or unable to be supported. Nothing in this chapter should be performed on a production system without having been thoroughly tested in a development or sandbox environment first. If you are going to compile and install a custom policy, be prepared to take the actions you need to safeguard your data and installation.
  • Page 106 2. Policy compiles if there are new or changed files in certain locations in the source tree. Those files must have a later timestamp than policy.conf. If you want to compile the policy but cannot because of the timestamp, you can force a compile.
  • Page 107: What Happens During Policy Build

    When enabled, the number of denial messages may be very large. You return to a dontaudit state by running make clean and then make load. $SELINUX_SRC/Makefile makes some decisions based on the timestamps of the two policy files...
  • Page 108 During the compilation, several files and a directory are created or updated. The most important is $SELINUX_SRC/policy.conf. Also in the $SELINUX_SRC/ directory is tmp/, which contains temporary build files, including load. This file is a zero-byte file that is used by the...
  • Page 109: Customizing And Writing Policy

    Chapter 8. Customizing and Writing Policy Warning The commands and steps covered in this chapter may render your system inoperable or unable to be supported. Nothing in this chapter should be performed on a production system without having been thoroughly tested in a development or sandbox environment first.
  • Page 110: Minor Customizations Of The Existing Policy

    8.2. Minor Customizations of the Existing Policy
    You may find it useful to resolve SELinux denials by using new policy rules to allow the behavior. The ramifications on security are impossible to predict. At the worst, you are back to standard Linux security.
  • Page 111 3. Tell audit2allow to look in dmesg for denial messages, only since the last load_policy ran, and write that to domains/misc/local.te:
        audit2allow -d -l -o domains/misc/local.te
    Look in local.te to be sure you don’t have any duplicate rules. This is one reason for having audit2allow generate rules since the last load_policy, to keep from creating duplicates.
  • Page 112
        tcontext=system_u:system_r:syslogd_t tclass=capability
        Jan 10 16:20:35 example kernel: audit(1009284205.210:0): \
        avc: denied { fsetid } for pid=6109 exe=/sbin/syslog-ng \
        capability=4 scontext=system_u:system_r:syslogd_t \
        tcontext=system_u:system_r:syslogd_t tclass=capability
        Jan 10 16:20:35 example kernel: audit(1009284205.422:0): \
        avc: denied { search } for pid=1411 exe=/bin/bash \
        name=sbin dev=dm-0 ino=7356417 \
        scontext=system_u:system_r:syslogd_t \...
  • Page 113: Writing New Policy For A Daemon

    permission. The can_exec() macro includes the permission rx_file_perms, which grants a common set of read and execute permissions to a file. Now you can make this substitution:
        # these related rules ...
        allow syslogd_t bin_t:dir search;...
  • Page 114 New Policy Writing Procedure
    1. Work with a proper daemon under Red Hat Enterprise Linux. This means it has an initscript in /etc/init.d/ and can be managed using chkconfig. For example, this procedure assumes you are going to use the command to control starting and stopping the daemon.
  • Page 115: Deploying Customized Binary Policy

    13. If the domain tries to access port_t, which relates to tclass=tcp_socket or tclass=udp_socket in the AVC log message, you need to determine what port number the domain needs to use. To diagnose, put these rules in foo.te:
        allow foo_t port_t:tcp_socket name_bind;...
  • Page 116 2. Build and test your policy. You can test locally on your development machine, or follow the outline of this procedure to deploy custom binary policy files to your test environment. Use apol to analyze your policy, as described in Section 6.3 Using apol for Policy Analysis.
  • Page 117: References

    The following references are pointers to additional information that is relevant to SELinux and Red Hat Enterprise Linux but beyond the scope of this guide.
    Tutorials and Help
        Understanding and Customizing the Apache HTTP SELinux Policy
        http://fedora.redhat.com/docs/selinux-apache-fc3/
        Tutorials and talks from Russell Coker
        http://www.coker.com.au/selinux/talks/ibmtu-2004/
        Generic Writing SE Linux policy HOWTO
        https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266...
  • Page 118 Chapter 9. References
        A Security Policy Configuration for the Security-Enhanced Linux
        http://www.nsa.gov/selinux/papers/policy-abs.cfm
    Community
        SELinux community page
        http://selinux.sourceforge.net
        irc.freenode.net, #rhel-selinux
    History
        Quick history of Flask
        http://www.cs.utah.edu/flux/fluke/html/flask.html
        Full background on Fluke
        http://www.cs.utah.edu/flux/fluke/html/index.html...
  • Page 119: Appendix

    III. Appendix
    Table of Contents
    A. Brief Background and History of SELinux ................107...
  • Page 121: Brief Background And History Of Selinux

    Appendix A. Brief Background and History of SELinux SELinux was originally a development project from the National Security Agency (NSA) and others. It is an implementation of the Flask operating system security architecture. The Flask architecture implements MAC, which focuses on providing an administratively-defined security policy that can control all subjects and objects, basing decisions on all security-relevant information.
  • Page 123: Index

    Index
        explained, 30
        how to change, 66
        settings, 30
    Symbols
    $SELINUX_POLICY/
        what is, iii
    $SELINUX_SRC/
        what is, iii
    access vector rule syntax, 19
    access vectors, 19
    activating your subscription, vii...
    boot policy
        role in, 7
    building
        (See compiling)
    building policy
        how to, 91
        what is, 93
    CGI scripts
        how to run from a mounted directory, 68
  • Page 124
    how to, 95
    file content description syntax, 38
    file contexts
    files example, 38
    definition, 107
    files
    definition of policy files and directories, 30
    DAC, 107
    where are SELinux files, 6
    MAC, 107
    Flask, 107
    object classes, 10
    documentation references
    permissions, 10
    (See references)
    targeted policy, 29
    Flask security architecture...
  • Page 125
    relabel a file or directory, 57
    relabel a file system, 62
    run a CGI script, 68
    (See macros)
    run a command in a specified context, 68
    run a different policy, 67
    definition, 107
    serve Web content from a mounted directory, 68
    macro
    set context for a file system, 68
    analysis, 22...
  • Page 126
    how to, 68
    running a different policy
    performance tuning, 73
    how to, 67
    how to, 89
    permissions
    common sets, 10
    definition, 10
    policy
    seaudit
    boot, 7
    how to use, 76
    files and directories, 6
    security contexts
    how it works, 5
    and the kernel, 9
    internal functions, 5
    file systems, 8...
  • Page 127
    role declaration, 25
    type declaration, 17
    Web content
    type transition, 18
    how to serve from a mounted directory, 68
    system administrators
    what are
    controlling and maintaining SELinux, 62
    access vectors, 19
    administrator tasks, 62
    attributes, 12
    directories for SELinux, iii
    end user tasks, 55
    targeted policy
    file labels, 8...
  • Page 129: Colophon

    Colophon The manuals are written in DocBook SGML v4.1 format. The HTML and PDF formats are produced using custom DSSSL stylesheets and custom jade wrapper scripts. The DocBook SGML files are written in Emacs with the help of PSGML mode. Garrett LeSage created the admonition graphics (note, tip, important, caution, and warning).
  • Page 130 Nadine Richter — German translations Audrey Simons — French translations Francesco Valente — Italian translations Sarah Wang — Simplified Chinese translations Ben Hung-Pin Wu — Traditional Chinese translations...