D.1. System Utilities Distributions that support SELinux include a number of core utilities and programs that are usually present on any SELinux-enabled system. In this section, we present the programs included with Fedora Core 4 (FC4). Red Hat Enterprise Linux version 4 (RHEL4) and FC5 will have mostly the same core system utilities. We have mentioned many of these utilities throughout this book. D.1.1. Policy Tools The policy tools are directly related to the SELinux policy, and writing and managing policies: checkpolicy(8) | This is the SELinux policy compiler. It transforms a complete SELinux policy into a binary version that the kernel can load. It can also be used to debug a policy in that it can mimic some of the capabilities of the SELinux security server. No special permissions are needed to run this program if you are experimenting/debugging a policy outside of the official policy directory (that is, /etc/selinux/). | load_policy(8) | This utility loads a binary policy file into the kernel. To successfully load a policy in enforcing mode, the user must run the command in a domain that has the load_policy permission. (See the security object class in Appendix C, "Object Classes and Permissions"). | setsebool(8) | This command sets current and persistent values for policy Boolean variables. See Chapter 9, "Conditional Policies." This command requires setbool permission for the security class and read/write permission to the Boolean files themselves. | togglesebool(1) | This command toggles the current value of SELinux Booleans. The same permissions as the setsebool(8) command are required. | setenforce(8) | This command changes the mode of SELinux between enforcing and permissive modes. The domain in which the command is run must have the setenforce permission for the security object class. | audit2allow(1) | A command that takes access vector cache (AVC) audit denial messages (usually from the system log file) and outputs allow rules that, if included into the policy, permit the actions that were denied. This command is commonly used to generate a rough first draft type of policy for an application. The man page describes the weaknesses of this approach and some of the other problems with developing policy this way. | audit2why(1) | Attempts to provide a reason for AVC audit denial messages by comparing them with the rules in the policy. This is most useful for identifying constraint violations. | ausearch(8) | Although not explicitly an SELinux command, this command does some basic interpretation of audit messages and can pull out just AVC messages with the -m avc option. It is part of the new Linux audit framework package and is included in the updated audit RPM for FC4 4, Update 2 for RHEL4, and FC5. |
D.1.2. SELinux Status Information These utilities return information about SELinux. They do not change or affect the operation of SELinux in any way: avcstat(8) | Displays statistics and counters for various AVC actions (for example, the number of cache hits). | getenforce(8) | Returns a string indicating the current mode of SELinux ("permissive" or "enforcing"). | selinuxenabled(1) | Specifically designed for shell scripts to be able to determine whether SELinux is enabled or disabled (as opposed to permissive/enforcing mode). | getsebool(8) | Returns the active value of one or more SELinux Boolean values. It returns "active" if the Boolean is true, and "inactive" if the Boolean is false. | sestatus(8) | A program that returns various status information about SELinux, such as the enforcing mode, the current policy version and name, and the status of the Booleans. |
D.1.3. Security Context Labeling These programs relate to managing security context labeling for objects. They are generally administrative commands that require enough privilege to relabel file-related objects. Some systems have a specific SELinux policy for the commands to ensure that only approved domains may run them with full privileges. In most cases, the commands must be run in a domain with relabelto/relabelfrom permissions on the source and target security contexts, and must meet any relevant validatetrans constraints. The new security context must also be a valid triplet (that is, user/role/type) for the currently loaded policy. chcon(1) | Changes the security context, or part of the security context, for file-related object classes (for example, ordinary files and directories). | fixfiles(8) | A utility that relabels any number of filesystem objects. Its default behavior is to relabel all mounted filesystems that support SELinux labeling unless they were mounted with the context mount option. It automatically determines the file security context specifications to use for the labeling. | restorecon(8) | A labeling utility similar to fixfiles(8) except that it is suited more for relabeling individual files or directories. | setfiles(8) | The original system relabeling utility. It is similar to fixfiles(8). The main difference is that it requires a file context specification file as an argument along with at least one path name. | genhomedircon(8) | A script for generating the correct file context specification files for users' home directories. | matchpathcon(8) | This command returns the default security context for a path based on the active policy's file context file. |
D.1.4. Security Context Changing Utilities These command are used to start new processes with specific SELinux security contexts. The initiating domain type must have appropriate permission to allow a domain transition to the new type: newrole(1) | This command creates a new shell running with a new security context. The user may specify a new role and/or type. If the system is a multilevel security (MLS) or multicategory security (MCS) system, a security level may also be specified. If only a role is specified then the default type derived for that role is used. The current user's password must be entered for the command to succeed. | runcon(1) | Similar to newrole(1) except that it requests that a specified command is run with a different security context. A combination of user/role/type/level may be requested instead of a full security context. | run_init(8) | Runs an initrc script using the security context found in the current policy's contexts/initrc_context file. This command is usually used to restart system services so that they end up in the intended domain. |
D.1.5. SELinux Modified Commands The following commands are standard Linux commands that have been modified for SELinux to provide additional SELinux-related features: dir(1) | Additional arguments that list security contexts in various formats | find(1) | Options to use security contexts as a search criteria and an output format | install(1) | Options to preserve security contexts (when copying) or use specified security contexts (when creating) | killall(1) | Adds an option to kill all processes with a specified security context | ls(1) | Additional arguments that list security contexts in various formats | mkdir(1) | Adds an option to specify the security context for a new directory | ps(1) | Adds an option to display the security contexts of processes | pstree(1) | Adds an option to display the security contexts of processes | stat(1) | Adds an option to display the security context | vdir(1) | Additional arguments that list security contexts in various formats | sudo/sudoedit(8) | Adds options to specify a role and type to run the command in |
D.1.6. Policy Module Manual Pages There are a series of manual pages written to help administrators with the SELinux aspects of various "standard" Linux services and utilities. Usually the manual pages describe the effects of the particular policy module on that specific service. There is also a manual page describing SELinux in general and the use of Booleans: booleans(8) | General information on how to use SELinux Booleans | selinux(8) | General information on SELinux | ftpd_selinux(8) | Information on how SELinux affects the FTP daemon | httpd_selinux(8) | Information on how SELinux affects the Web server | kerberos_selinux(8) | Information on SELinux and Kerberos | named_selinux(8) | Information on SELinux and the name daemon | nfs_selinux(8) | Information on how to use NFS with SELinux | rsync_selinux(8) | Information on SELinux and the rsync daemon | samba_selinux(8) | Information on SELinux and resource sharing with a Samba server | ypbind_selinux(8) | Describes how to configure SELinux to permit NIS its required network privileges |
|
