A.1. Example Policy

The example policy (both strict and targeted) we discuss in Chapter 11, "Original Example Policy," is available from several sources. At the time of this writing, a version of the example policy was still available from the upstream SELinux source tree, but the National Security Agency (NSA) has announced it is planning to drop support soon in favor of the reference policy. Red Hat supports the example policy in both the Fedora Core 4 (FC4) and the Red Hat Enterprise Linux version 4 (RHEL4). (Fedora Core 5 [FC5] is moving to the reference policy.)

Note

The examples throughout the book are based on the Fedora Core strict policy, specifically version 1.27.1-2.6. For the purposes of the examples and exercises, however, any version of the FC4 strict policy should work.


A.1.1. Example Policy from Upstream SELinux Sites

The NSA example policy is the ancestor of just about every policy that has been developed. The Red Hat/Fedora policies and the reference policy all trace their origins to the NSA policy. It was meant to provide an example of a full system policy that developers could use as a starting point when writing their own policies. NSA has recently stopped supporting the example policy on their Web site (in favor of the reference policy). Historical versions are available at the following site:

www.nsa.gov/selinux/code/download0.cfm


These historical policies most likely require some tweaking. We recommend installing the packages for the specific Fedora or RHEL releases.

The NSA SELinux project tree, including the NSA example policy, is also available via CVS from the SELinux open source site. To browse the tree or download the package, access the following site:

http://selinux.sourceforge.net/


Several other Linux distributions support SELinux. At one time, they all had policies based on the NSA example. They have been at least minimally tweaked to conform to the specific distributions. The best place to find pointers to different Linux distributions that support SELinux is at the SELinux open source site previously mentioned.

A.1.2. Strict and Targeted Policies for Fedora Core 4

For most of this book, we used examples from the strict example policy for FC4. However, the targeted policy is installed as the default policy for an FC4 system. Only the prebuilt policy (without the policy source) is installed in most cases. The targeted policy is installed in /etc/selinux/targeted/. During installation, if you choose the "complete" install option when deciding which packages to install, both the strict and targeted policies are installed with their respective policy source files.

If you install only the targeted policy, you have several simple options for installing the targeted source and the strict policy and its source files. The most straightforward way is to use the yum utility as the system administrator as follows. First find out the exact package you have on your system and what is available:

# yum list | grep -i selinux-policy
selinux-policy-targeted.noarch           1.27.1-2.6      installed
selinux-policy-strict.noarch             1.27.1-2.16     updates-released
selinux-policy-strict-sources.noarch     1.27.1-2.16     updates-released
selinux-policy-targeted.noarch           1.27.1-2.16     updates-released
selinux-policy-targeted-sources.noarch   1.27.1-2.16     updates-released


On our system, we have the targeted policy installed without the source. To install the source and the strict policy with source, we run the following:

# yum install selinux-policy-targeted-sources


and

# yum install selinux-policy-strict-sources


Note that when we installed the strict source files, the prebuilt policy was installed, too, because yum recognizes that the sources package is dependent on the policy package. All these policies are installed into the standard Fedora policy location, /etc/selinux/. To switch over to the strict policy, you can use the administrative tool mentioned in Chapter 13, "Managing an SELinux System," or you can perform the switch to the strict policy by hand if you change the SELINUXTYPE line in /etc/selinux/config to strict and touch /.autorelabel. In either case, you must then reboot the system to ensure all processes and files are labeled correctly.

You can also obtain and install the policy packages from the Fedora installation CDs. Disc 1 contains the packages for the prebuilt policies (that is, all the policy files except the policy source files) for both the targeted and strict policies. If you put Disc 1 in your drive, you should see it under /media/cdrecorder or /media/cdrom, or mount it as root with something like mount /dev/cdrom /media/cdrom (depending on your hardware configuration). The package files are under the following:

./Fedora/RPMS/
selinux-policy-strict-1.23.16-6.noarch.rpm
selinux-policy-targeted-1.23.16-6.noarch.rpm


The policy source RPMs are on Disc 4:

/Fedora/RPMS/
selinux-policy-strict-sources-1.23.16-6.noarch.rpm
selinux-policy-targeted-sources-1.23.16-6.noarch.rpm


You install them with the standard rpm command. (Remember, however, that the sources packages depend on the policy packages, so you must install the policy packages before you install the respective sources packages.) For example, you can install the strict policy with source (rpm output removed for brevity) as follows:

# rpm -ivh selinux-policy-strict-1.23.16-6.noarch.rpm
# rpm -ivh selinux-policy-strict-sources-1.23.16-6.noarch.rpm


After you install the policies with rpm, if you want to switch to the strict policy, you still need to "activate" it in the same way as described previously for yum.

A.1.3. Red Hat Enterprise Linux 4 (RHEL4)

The RHEL4 default policy, for all flavors (that is, AS, ES, and WS), is the targeted policy based on the example policy. The strict policy is not included or supported. The prebuilt targeted policy is on Disc 2 of the installation CDs. You can find it by mounting Disc 2 under the following:

./RedHat/RPMS/selinux-policy-targeted-1.17.30-2.52.1.noarch.rpm


The source package for the targeted policy is on Disc 4:

./RedHat/RPMS/selinux-policy-targeted-sources-1.17.30-2.52.1.noarch.rpm


You can install the packages by using the rpm -ivh package-name.rpm command. You can install the strict policy using the strict packages from Fedora Core (see above). You switch the system over to the strict policy in the same manner as described for FC4. Note that because the strict policy is not supported for RHEL4, you might need to tweak the policy to get it to work properly in your configuration. We recommend initially setting the SELINUX line to permissive in /etc/selinux/config until you ensure a clean boot.
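
The by-hand switch described for FC4 and reused here for RHEL4, written as a shell function that refuses to select a policy that is not installed and starts the new policy in permissive mode. This is an added example, not code from the book; the root-prefix argument, the function names and the sample config are assumptions made so the change can be rehearsed on a scratch copy before touching /etc/selinux/config.

```shell
#!/bin/sh
# Added example. The first argument is a hypothetical root prefix: "" means
# the live system (run as root); anything else is a scratch copy for rehearsal.

switch_selinux_policy() {
    root=$1 ptype=$2 mode=${3:-permissive}
    conf="$root/etc/selinux/config"
    case $ptype in strict|targeted) ;; *) echo "bad policy type: $ptype" >&2; return 2 ;; esac
    case $mode in enforcing|permissive) ;; *) echo "bad mode: $mode" >&2; return 2 ;; esac
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }
    # Refuse to select a policy whose prebuilt files are not installed
    # (same /etc/selinux/<type>/ layout the text gives for targeted).
    [ -d "$root/etc/selinux/$ptype" ] || { echo "$ptype policy not installed" >&2; return 1; }

    tmp=$(mktemp) || return 1
    # Rewrite only the two active settings; comments and other lines pass through.
    sed -e "s/^SELINUXTYPE=.*/SELINUXTYPE=$ptype/" \
        -e "s/^SELINUX=.*/SELINUX=$mode/" "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    grep -q '^SELINUXTYPE=' "$tmp" || echo "SELINUXTYPE=$ptype" >> "$tmp"
    grep -q '^SELINUX=' "$tmp" || echo "SELINUX=$mode" >> "$tmp"
    cp -p "$conf" "$conf.bak" || { rm -f "$tmp"; return 1; }
    # Overwrite in place so the file keeps its inode, owner, mode and label.
    cat "$tmp" > "$conf" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    : > "$root/.autorelabel"      # request a full relabel on the next boot
}

# Constructed sample tree: targeted active, strict installed.
make_sample_root() {
    r=$(mktemp -d) || return 1
    mkdir -p "$r/etc/selinux/targeted" "$r/etc/selinux/strict"
    printf '%s\n' '# constructed sample config' 'SELINUX=enforcing' \
        'SELINUXTYPE=targeted' > "$r/etc/selinux/config"
    echo "$r"
}

demo_root=$(make_sample_root)
switch_selinux_policy "$demo_root" strict permissive && cat "$demo_root/etc/selinux/config"
rm -rf "$demo_root"
```

The reboot is left to the administrator; once the system boots cleanly, a second call with enforcing as the mode restores enforcement.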

A.1.4. Fedora Core Experimental and Test Policies

You can find the most recently patched policies and test and other experimental policies (for example, multilevel security [MLS] and multicategory security [MCS]) at Dan Walsh's Red Hat site:

ftp://people.redhat.com/dwalsh/SELinux/


These tend to be new and minimally tested.




SELinux by Example: Using Security Enhanced Linux
ISBN: 0131963694
Year: 2007
Pages: 154
