Section 13.1. SELinux Configuration and Policy Management Files

Previous page
Table of content
Next page

13.1. SELinux Configuration and Policy Management Files

SELinux includes files that allow the management of SELinux specific additions, including the policy. This includes setting which policy to use when multiple policies are installed, label management files, and configuration files for SELinux applications and utilities.

Note

The files we describe in this chapter are based on a Fedora Core 4 (FC4) system. There are subtle differences with a RHEL4 and more significant improvements in an FC5 system. We highlight these differences as appropriate throughout this chapter.


13.1.1. The SELinux Configuration File (/etc/selinux/config)

The SELinux configuration file, /etc/selinux/config, controls which policy will be loaded during the next system boot, and in what mode the system will run. We can determine the current SELinux system state using the sestatus command. Listing 13-1 shows an example of the config file.

Listing 13-1. Listing of /etc/selinux/conf File

1  # This file controls the state of SELinux on the system. 2  # SELINUX= can take one of these three values: 3  #       enforcing - SELinux security policy is enforced. 4  #       permissive - SELinux prints warnings instead of                         enforcing. 5  #       disabled - SELinux is fully disabled. 6  SELINUX=enforcing 7  # SELINUXTYPE= type of policy in use. Possible values are: 8  #        targeted - Only targeted network daemons are                        protected. 9  #        strict - Full SELinux protection. 10 SELINUXTYPE=strict

This file controls two configuration settings: the SELinux mode and the active policy. The SELinux mode (determined by the SELINUX option on line 6) can be set to enforcing, permissive, or disabled. In enforcing mode, the policy is fully enforced. This is the primary mode of SELinux and should be used in all operational systems that require the enhanced security of SELinux. In permissive mode, the policy rules are not enforced. Instead, denials are audited, and otherwise SELinux generally does not impact the security of the system. This mode is useful for debugging and testing a policy.

In disabled mode, the SELinux kernel mechanism is completely turned off. A system may only be put into disabled mode when booting before the policy is loaded. This mode differs from permissive mode which has the SELinux kernel features operating but not denying any access (just auditing). In disabled mode, SELinux will not perform any action. This mode is only necessary in extreme circumstances (for example, when a policy error prevents you from even logging in, which can occur even in permissive mode) or if we truly do not want SELinux to operate.

Warning

Be careful about switching between enforcing and permissive modes, or disabling and enabling SELinux (something you might commonly do in a development or test machine). Quite often, you can cause file labeling inconsistencies when you go back to enforcing mode. (Not to mention that you will have turned off your system's main security enhancement feature!) We discuss how to fix file labeling problems later in this chapter.


The mode set in the SELinux configuration file is used by init to configure SELinux before it loads the initial policy as part of the boot process.

The SELINUXTYPE option in the SELinux configuration file tells init which policy to load during system initialization. The string used for the setting must match the directory name where the binary version of the policy you want to use is stored. For example, throughout this book, we use a strict policy as an example. So, we set the option as SELINUXTYPE=strict and make sure that the policy we want the kernel to use is in /etc/selinux/strict/policy/. If we had created our own custom policy, called custom_policy, we would set the option as SELINUXTYPE=custom_policy and make sure that our compiled policy is in /etc/selinux/custom_policy/policy/.

FC and RHEL systems provide a graphical tool (system-config-securitylevel) that enables us to set the options in the SELinux configuration file without having to edit the file directly (see Figure 13-1). The first two check boxes in this tool set the SELINUX option for us. The Policy Type drop-down box allows us to choose an active policy from the installed policies.

Figure 13-1. Red Hat security level configuration tool


13.1.2. The Policy Directories

As of FC3 (and RHEL4), every policy installed on a system has its own subdirectory under the /etc/selinux/ directory. The subdirectory name corresponds to the name of the policy (for example, strict, targeted, refpolicy, and so on) and is used in the SELinux configuration file to tell the kernel which policy to load on boot. All path references in this section are relative to a policy directory path (that is, /etc/selinux/[policy]/). Here is a sample directory listing for /etc/selinux/ from an FC4 machine:

# ls -lZ /etc/selinux -rw-r--r--  root   root  system_u:object_r:selinux_config_t config drwxr-xr-x  root   root  system_u:object_r:selinux_config_t strict drwxr-xr-x  root   root  system_u:object_r:selinux_config_t targeted


As you can see, two policy directories are installed on our system: strict and targeted. Notice that the directory and the policy subdirectories are labeled with the type selinux_config_t. This is the type traditionally applied to binary policies and related support files. You can use apol to examine the rules for this type and get an idea of what programs and utilities may change policy files.

Policy Directories in FC5

The layout of the policy subdirectories has changed significantly in FC5 with the introduction of the loadable policy module infrastructure (see Chapter 3, "Architecture"). The primary change is the introduction of libraries and tools to manage many of the policy files in a standardize way. This change make the installation and removal of loadable policy modules better and eases the management of many aspects of the policy. In general, it is not necessary to directly edit files in the policy subdirectories on an FC5 or other system that incorporates the loadable modules enhancements.

The commands semodule and semanage manage many aspects of the policy. The semodule command manages the installation, upgrading, and removing of loadable policy modules. It works on loadable policy packages, which include a loadable policy module and file context information. The semanage tool manages the addition, modification, and removal of users, roles, file contexts, multilevel security / multicategory security (MLS/MCS) translations, port labels, and interface labels. More information on these tools is available in their respective man pages.


Each policy subdirectory must follow a convention in the files they contain and how the files are labeled. This convention is used by various system utilities to help manage the policy. Generally, any well designed policy source tree will install the policy files correctly (as will properly constructed package installation scripts). Following is a listing of our strict policy directory, which is typical of any installed policy:

# ls -lZ /etc/selinux/strict -rw-------  root root system_u:object_r:selinux_config_t  booleans -rw-------  root root root:object_r:selinux_config_t      booleans.local drwxr-xr-x  root root system_u:object_r:default_context_t contexts drwxr-xr-x  root root system_u:object_r:policy_config_t   policy drwx------  root root system_u:object_r:policy_src_t      src drwxr-xr-x  root root system_u:object_r:selinux_config_t  users


The src/ directory is not required for a running system. It optionally contains the installed policy source tree (either the example policy or the reference policy source tree we discussed in Chapters 11, "Original Example Policy," and 12, "Reference Policy"). The actual monolithic binary policy file is stored in the .policy/ directory, in a file named policy.[ver], where [ver] is the version of the policy binary (for example, policy.19). This is the file that is loaded into the kernel during system boot.

We discuss the remaining files and directories in the following sections.

13.1.2.1. Installed Booleans Files

Chapter 9, "Conditional Policies," discussed how Booleans are managed in an SELinux system. An SELinux policy defines default values for all Booleans. The booleans file provides the distribution the ability to set persistent changes to these default values. The values in booleans override the policy defaults when the policy is loaded or the system is booted. The booleans.local file provides additional persistent values that override both the policy default values and the distribution persistent values. You should review Chapter 9 for how to set and control Boolean values. There is also a manual page, man 8 booleans, that provides a quick summary on the use of Booleans for FC and RHEL systems.

In FC5, where the booleans file is no longer present but the booleans.local file remains for local changes (although changes are made through semanage/libsemanage and not from directly changing the file), distribution defaults are now managed in the policy itself. Red Hat sets their defaults in the policy sources, thereby removing the need to have a separate distribution file to override the policy defaults.

Note

In RHEL4 systems, the booleans.local file does not exist. Rather, the only ability to override policy default values (other than changing the policy itself) is the booleans file in the policy directory. The problem with a single file is that Red Hat uses this file to set distribution defaults, and utilities such as rpm may overwrite it destroying any local changes. In FC4, the booleans.local file was added to allow local changes that will not be effected by package managers.

In Fedora Core 5, where the booleans file is no longer present but the booleans.local file remains for local changes (though changes are made through semanage/libsemanage and not from directly changing the file). Distribution defaults are now managed in the policy itself; Red Hat sets their defaults in the policy sources thereby removing the need to have a separate distribution file to override the policy defaults.


The system-config-securitylevel utility (see Figure 13-1) provides a graphical interface to change the local persistent values (that is, the booleans.local file). The items in the Modify SELinux Policy list box of this tool correspond to defined policy Booleans. The Boolean values can also be changed with the command-line tool setsebool and viewed with the setatus and getsebool commands (see Appendix D, "SELinux Commands and Utilities").

13.1.2.2. Application and File Security Contexts

The contexts/ subdirectory, in an installed policy directory, contains various files that help system services and utilities manage file security context labeling. They also contain default security contexts for login processes. In general, these files would only be changed by a policy developer, but occasionally an administrator may have need to modify one of them. Here we summarize the purpose of some of these files:

contexts/customizable_types

Contains a list of types that by convention will not be relabeled when using the restorecon or setfiles utilities to fix file labeling issues (see later in this chapter). This feature is useful to help protect some file labels that change in intended ways from their installed defaults. Use the SELinux application programming interface (API) to check on whether or not a context is customizable is is_context_customizable(3).

contexts/default_contexts

During initial login, a user may be authorized for more than one role/type pair for their login session (for example, an administrator who can log in as both an unprivileged user and a privileged user). This file provides the means by which a login process (login, sshd, and so on) determines the default role/type pair to use for initial login.


Each line in this file contains a role/type pair representing the security context of the login process followed by one or more role/type pairs that represent the default security context for the user's initial login process. For example, here are two typical lines for an SELinux system:

system_r:local_login_t  staff_r:staff_t user_r:user_t sysadm_r:sysadm_t system_r:sshd_t  user_r:user_t sysadm_r:sysadm_t


The first line represents the local login process (login via its type login_t), and the second a Secure Shell login (ssh via its type sshd_t). The login process is determined by the first role/type pair on a line. For example, the assumption in this file is that the login process (for local logins) runs with a security context that has system_r as its role and local_login_t as its type. In that case, the subsequent list of role/type pairs on the same line will be used as the default security contexts (minus the user identifier) for a user login.

The first role/type pair in the list of default security context that is authorized for the user in the policy is used as the default security context. This file does not authorize a user for a role or a type; only the policy may do that (see Chapter 6, "Roles and Users"). So, for example, in the local login case for our example default_contexts file, if administrators log in locally (administrators are generally users authorized for both staff_r:staff_t and sysadm_r:sysadm_t), their default security context will be staff_r:staff_t even though they are authorized for sysadm_r:system_t. An administrator could later change their security context (for example, using the newrole command) because they are authorized for both, but the default is the "staff" set of privileges. Notice for an ssh login, the default is the "sysadm" set of privileges.

Note that these defaults may be overridden for a specific user if there is a contexts/users/[USER] file (see the following).

[Pages 304 - 305]

contexts/users/[USER]

This file is exactly the same format as the default_contexts file except that it is for a particular user. If a file exists for a given user, default role/type pairs for that user are determined first from this file and then from the default_contexts file.

contexts/failsafe_context

If a login process cannot determine a default security context for a user, the user will not be able to log in to the system. This is most likely to be the case if the default_contexts file is corrupted or changed. This file provides a reasonable safe failsafe security context that allows at least the administrator to log in. It provides the last default security context that a login process attempts before failing the login attempt. It typically has a line like this:

sysadm_r:sysadm_t


This would at least allow administrator users to login (for example, to fix the corrupted default_contexts file).

contexts/default_type

This file contains a list of role/type pairs that are used by utilities, such as newrole. For example, if we use newrole to change our role but did not specify a type, the utility would consult this file to determine the default type for the role. For example, if we run the command newrole -r sysadm_r, and this file had a line such as sysadm_r:sysadm_t, the command would attempt to use sysadm_t as our default user domain type.

contexts/files/file_contexts

This file contains the file-related security context labeling information built as part of the policy build process and used to initialize the security context for file-related objects. It is installed here to help utilities that fix file label problems (see below).

contexts/files/file_ contexts.home_dirs

This file is automatically generated using the /usr/sbin/genhomedircon script. Its format is the same as the file_contexts file, but it is specifically used to label user home directories.

contexts/files/homedir_template

This file contains a template that the /usr/sbin/genhomedircon script uses to generate blocks of label specifications in the file_contexts.home_dirs file discussed previously.

contexts/files/media

This file contains security contexts for storage devices mounted under the /media/ directory. It is used by the libselinux matchmediacon(3) API.

contexts/initrc_context

This file contains the role/type pair that is used for the security context for run_init (that is, the program that an administrator runs to start system services in the same manner that init would) so that it can execute a script in /etc/rc.d/ in a security context the same as if the script were started by init. This role/type pair is typically the same as init uses to start these services.

contexts/removable_context

This file contains the default security context for removable media devices. This security context is used for devices not addressed by the media context file.


13.1.2.3. SELinux User Definitions

The two files in the user/ directory were added to support better user management in an SELinux system without having to change the policy. Both files have the same format. Specifically, they list policy user statements as discussed in Chapter 6.

users/system.users

This file provides the distribution provider with the ability to change role associations for users explicitly defined within the policy sources. Package managers will overwrite this file, so no local changes should be made in it. We should use the local.user files for locally defined users.

users/local.users

This file is identical in function to system.users except that it will not be changed by the distributions. Thus, we can define local users in this file that will be added to the policy.


The load_policy utility reads these files and changes the binary policy before loading it into the kernel. (The change is only to the in-memory version of the policy; the on-disk binary policy does not change.) In general, for either file, if the user already exists in the policy file (that is, hard-coded in the original policy sources), the role associations are changed. Otherwise, the user is added to the policy before it is loaded into the kernel.

13.1.2.4. The SELinux Filesystem

The SELinux pseudo filesystem provides the primary control interface between the SELinux kernel-space Linux Security Module (LSM) and userspace programs (see Figure 3-2 in Chapter 3). This filesystem is usually mounted on /selinux/. Many SELinux utilities and APIs (provided by the libselinux library) use the SELinux filesystem to access the LSM module. In this section, we examine some of the files that may be of interest to an administrator. Most of the files in this filesystem exist to support APIs in libselinux and are not discussed here. The recommended way to use these files is through the more stable libselinux APIs and the tools that use that library, and not directly.

booleans/

This directory contains a file for every Boolean defined in the policy. If the file is read, the current value of the Boolean and a pending value of the Boolean are returned. The pending value is the value the Boolean will be changed to when the Boolean values are committed (see commit_pending_booleans). The files have the same name as the Boolean names defined in the policy (see Chapter 9).

commit_pending_bools

This file signals the kernel-space security server that new policy Boolean values are ready to be activated. This feature allows multiple policy Boolean values to be changed in an atomic fashion (see Chapter 9).

disable

This file is the interface init uses to disable SELinux during initialization (see the SELinux configuration file above). When the initial SELinux policy is loaded or SELinux is disabled, this interface is no longer effective. Therefore, changes to the disable state always require a reboot. In general, the only way to enable/disable an SELinux system is to change /etc/selinux/config as discussed previously (or use the system-config-securitylevel shown in Figure 13-1) and reboot the system. Only init can use the direct interface via this file.

enforce

This file is the interface used to turn enforcing mode on and off. This is the interface that init uses during boot to set the mode to enforcing mode based on the settings in /etc/selinux/config. We can also directly use this interface to change mode by writing a 1 (enforcing mode) or 0 (permissive mode) to this file. The change in mode is effective immediately. The setenforce command does exactly this for us and is an easier way to change modes.

It is also possible (and often desirable) to write a policy that does not allow any domain permission to toggle the mode to permissive from enforcing mode.

load

This file is the interface used by the load_policy program to load a new binary policy.

mls

This file is used by the kernel to indicate whether or not MLS is activated on the system (see Chapter 8, "Multilevel Security").

policyvers

This file returns the maximum version of the policy that the kernel supports.




Previous page
Table of content
Next page
SELinux by Example(c) Using Security Enhanced Linux
SELinux by Example: Using Security Enhanced Linux
ISBN: 0131963694
EAN: 2147483647
Year: 2007
Pages: 154
Authors: Frank Mayer, Karl MacMillan, David Caplan
BUY ON AMAZON
Introducing Microsoft Office InfoPath 2003 (Bpg-Other)
Image Processing with LabVIEW and IMAQ Vision
A Practitioners Guide to Software Test Design
The Complete Cisco VPN Configuration Guide
Visual Studio Tools for Office(c) Using C# with Excel, Word, Outlook, and InfoPath
Telecommunications Essentials, Second Edition: The Complete Global Source (2nd Edition)
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy