Using SELinux in Fedora and RHEL


If you use the targeted SELinux policy (which is delivered and on by default), you can still administer Linux as you always have. The following procedure describes the software packages you need to use SELinux and starts you off working with the default targeted policy. If you need additional information, refer to the following:

  • Red Hat Enterprise Linux 4 SELinux Guide - Describes how to use, administer, and troubleshoot SELinux in Red Hat Enterprise Linux 4. While some of the specific policy settings are different for the most recent Fedora Core, this is an excellent guide for understanding how SELinux works in RHEL and Fedora Core systems. You can find this document at www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide .

  • SELinux Documentation - Most of the documents that come in the selinux-doc package are standards-type documents from the National Security Agency (NSA). Look in the /usr/share/doc/selinux-doc* directory of your Fedora or RHEL system for these files, using your Web browser or PDF file viewer.

Getting SELinux

Support for SELinux is built into the Linux 2.6 kernel. To use SELinux in Fedora, however, you must enable it during installation.

Enabling SELinux during Fedora Core installation is done on the Security Level Configuration screen. When that screen appears during first boot after installation, make sure that Active is selected next to the Enable SELinux box (which it should be, by default). If you prefer not to have SELinux enforcing, you can set the Enforcing Current selection to Permissive. In permissive mode, SELinux checks and notes each place where the policy would cause a failure, but does not actually cause the failure.

With SELinux enabled, you must also make sure you have the following software packages installed:

  • checkpolicy - Contains the SELinux policy compiler named checkpolicy . Use this package to build or check policies for SELinux. Using checkpolicy , you create binary policy files from policy configurations and parameters in a policy.conf file. (Type man checkpolicy to read about checkpolicy .)

  • libselinux - Contains the application programming interface for SELinux applications. It includes components used by application programs to check SELinux status.

  • policycoreutils - Contains basic utilities needed to operate an SELinux system. Commands include fixfiles (to check and possibly correct security attributes on file systems), restorecon (to set security attributes for selected files), audit2allow (to translate messages from /var/log/messages to rules that SELinux can use), newrole (to open a shell in a new role), load_policy (to load a policy file), run_init (to run an init script using the correct context), sestatus (to check whether SELinux is currently enabled), and setfiles (to set the security contexts of files).

  • selinux-doc - Contains a lot of SELinux documentation that is stored in the /usr/share/SELinux directory.

  • selinux-policy-mls - Contains the multi-level security translation table for SELinux.

  • selinux-policy-targeted - Contains the sample policy file used to incorporate the targeted SELinux policy into a running Linux system, as well as contexts files and the booleans file needed to make run-time changes to SELinux.

  • setools - Contains tools for managing parts of a running policy that define what access users have to different components of the Linux system.

Checking Whether SELinux is On

After Fedora or RHEL is installed, you can check the /etc/selinux/config file (which is linked to /etc/sysconfig/selinux ) to see if SELinux is enabled and, if so, which policies are in effect. That file sets two critical variables for a Fedora system configured to use SELinux:

  • SELinux State - The SELINUX variable sets the state of SELinux. If you enable SELinux during Fedora installation this starts out as SELINUX=enforcing (which causes security policies for SELinux to be enforced). If SELinux is disabled during installation, SELINUX=disabled is set instead. A third choice is to set SELINUX=permissive , which prints warnings based on the policies you have set, instead of enforcing them.

  • SELinux Policy Type - The SELINUXTYPE variable indicates the type of policy to use. SELINUXTYPE=targeted protects only selected network daemons (as set in files located in the /etc/selinux/targeted directory).

For most practical purposes, if you use SELinux you will want to enable the SELinux-targeted policy (which is the default). While not locking down all Fedora components under SELinux, the targeted policy does lock down those daemon processes that are most critical to protect from attacks. Standard Linux security protects everything else in the operating system.
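The two variables described above can be checked from a script. The following is an added example, not code from the book: selinux_config_state is a hypothetical helper that reads SELINUX and SELINUXTYPE from a config file, rejects a misspelled state, and is run here on a constructed sample file.

```shell
# Added example (not from the book): selinux_config_state is a hypothetical helper.
# Usage: selinux_config_state [FILE]   (FILE defaults to /etc/selinux/config)
# Prints "<state> <policy type>" and returns 0; returns 1 on an invalid or
# missing value, 2 if the file cannot be read.
selinux_config_state() {
    cfg=${1:-/etc/selinux/config}
    [ -r "$cfg" ] || { echo "unreadable: $cfg" >&2; return 2; }
    awk -F '=' '
        /^[ \t]*#/ { next }                       # ignore comment lines
        { key = $1; val = $2
          gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val) }
        key == "SELINUX"     { state = val }
        key == "SELINUXTYPE" { ptype = val }
        END {
            if (state !~ /^(enforcing|permissive|disabled)$/) {
                print "invalid SELINUX value: \"" state "\""; exit 1
            }
            if (ptype == "") { print "SELINUXTYPE is not set"; exit 1 }
            print state, ptype
        }' "$cfg"
}

# Constructed sample file containing the two variables described above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
selinux_config_state "$sample"
rm -f "$sample"
```

Run without an argument, the function reads /etc/selinux/config on the local system.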

You can override your default settings to place SELinux into permissive mode from the Linux boot prompt by adding the following to the end of the kernel line from the GRUB screen when you boot Fedora Core:

  enforcing=0

With SELinux in permissive mode, you can still log in and use the system, with any potentially devastating permission failures simply resulting in error messages. If SELinux is in permissive mode, you can likewise return SELinux to enforcing mode from the boot prompt by adding enforcing=1. On a running system, root can switch between the two modes with the setenforce 0 and setenforce 1 commands. You can change the SELinux state permanently, using the system-config-securitylevel window.

Checking SELinux Status

There are many tools for checking the status of SELinux on your Fedora Core system. To check whether or not SELinux is enabled, type the following:

  # sestatus -v | less
  SELinux status: disabled

The output shows that SELinux is not enforced on the current system. If SELinux were set to permissive, the output would look more like the following:

  SELinux status: enabled
  SELinuxfs mount: /selinux
  Current mode: enforcing
  Mode from config file: enforcing
  Policy version: 21
  Policy from config file: targeted
  Process contexts:
  Current context: user_u:system_r:unconfined_t:SystemLow-SystemHigh
  Init context: system_u:system_r:init_t
  /sbin/mingetty system_u:system_r:getty_t
  /usr/sbin/sshd system_u:system_r:unconfined_t:SystemLow-SystemHigh
  File contexts:
  Controlling term : user_u:object_r:devpts_t
  /etc/passwd system_u:object_r:etc_t
  /etc/shadow system_u:object_r:shadow_t
  /bin/bash system_u:object_r:shell_exec_t
  /bin/login system_u:object_r:login_exec_t
  /bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
  /sbin/agetty system_u:object_r:getty_exec_t
  /sbin/init system_u:object_r:init_exec_t
  /sbin/mingetty system_u:object_r:getty_exec_t
  /usr/sbin/sshd system_u:object_r:sshd_exec_t
  /lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:lib_t
  /lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t

Press the Spacebar to page through the output. Besides showing that SELinux is enabled and running in permissive mode, this output shows the process contexts and file contexts that are set.
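Because sestatus reports both the running mode and the mode from the config file, a script can flag a system whose runtime mode no longer matches its configuration. This is an added example, not code from the book: selinux_mode_drift is a hypothetical helper, and the input below is a constructed sample in the sestatus format shown above.

```shell
# Added example (not from the book): selinux_mode_drift is a hypothetical helper.
# Reads sestatus output on stdin. Returns 0 if the running mode matches the
# config file, 1 on a mismatch, 2 if SELinux is disabled, 3 if unparseable.
selinux_mode_drift() {
    awk -F ': *' '
        { sub(/[ \t]+$/, "", $2) }                 # trim trailing blanks
        $1 == "SELinux status"        { status = $2 }
        $1 == "Current mode"          { cur = $2 }
        $1 == "Mode from config file" { cfg = $2 }
        END {
            if (status == "disabled") { print "SELinux is disabled"; exit 2 }
            if (cur == "" || cfg == "") {
                print "could not parse sestatus output"; exit 3
            }
            if (cur != cfg) {
                print "DRIFT: running " cur ", config file says " cfg; exit 1
            }
            print "OK: " cur
        }'
}

# Constructed sample: the running mode is permissive while the config file
# still says enforcing.
selinux_mode_drift <<'EOF' || echo "exit status: $?"
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
EOF
```

On a live system, the same check is `sestatus | selinux_mode_drift`.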

To see and change basic SELinux settings from a graphical interface, you can open the Security Level Configuration window. From the GNOME Desktop menu, select System → Administration → Security Level and Firewall (or run system-config-securitylevel as root from a Terminal window). When the window opens, select the SELinux tab. Figure 10-8 shows that window.

Figure 10-8: Change SELinux policy settings using the Security Level Configuration window.

On the Security Level Configuration window (SELinux tab), you can change whether or not SELinux is enabled on the next reboot and select whether enforcing or permissive are active for your policy. You can also see how SELinux policies are set under the following headings:

  • Admin - Use this setting if you want to prevent someone from transitioning to sysadm_t permission as a regular user (using such tools as su or sudo ).

  • Compatibility - Use settings here to allow applications that are not written specifically for SELinux-type of security to be able to work.

  • Content Locations - This setting lets you choose whether or not to let programs read files from non-standard locations.

  • Cron - Lets you enable or disable SELinux protection for the crond daemon.

  • FTP - Sets how the FTP daemon runs (using inetd or directly) and whether or not it can write to user home directories.

  • HTTPD Service - Defines the type of scripts your Apache Web server can run and whether or not it can read from user home directories.

  • Kerberos - Sets whether or not to allow Kerberos to access kerberos files.

  • Name Service - Lets you choose whether or not the named daemon (used by the BIND facility to provide DNS service) can overwrite master zone files. Also provides options for disabling SELinux protection for named and nscd daemons.

  • NFS - Defines where the NFS daemon can read and write files.

  • NIS - Sets whether or not daemons can be allowed to run using Network Information System (NIS).

  • Other - Contains settings to allow or disable different network daemon settings.

  • Printing - Lets you enable or disable SELinux protection for the CUPS-related printing service.

  • Samba - Sets whether SELinux can control access to Samba and CIFS directories.

  • sasl authentication server - Sets whether or not sasl authentication is allowed to read the /etc/shadow file.

  • SELinux Service Protection - By default, most daemons are protected by SELinux in Fedora. Settings under this heading let you disable protection for individual daemons.

  • Squid - Sets whether or not to have SELinux protect the Squid proxy server daemon and/or allow it network access.

  • SSH - Contains settings that can control access to SSH login services.

  • Universal SSL tunnel - Sets protection for the stunnel daemon and defines whether or not to allow the daemon to run in standalone.

  • User Privs - Defines whether or not users can read any default file on the system.

Changing the policy type or turning the SELinux service from off to on requires that you also relabel the entire file system, so changing policy should never be done lightly. If you do decide to change policy through the Security Level Configuration window, the file system is relabeled automatically the next time you reboot your computer.

Note 

Relabeling the file system can be a time-consuming activity. Again, remember that changing policies is a major change to your operating system. The more nodes there are in your file system, the longer it will take to relabel your file system the next time you boot your computer.

You can check the security context in which you are operating using the id command with the -Z option. The following example shows that, in your current context, the user is root, the role is system_r, and the type is unconfined_t.

  # id -Z
  root:system_r:unconfined_t:SystemLow-SystemHigh

SELinux is capable of turning out a lot of error messages. By default, those messages are directed to the /var/log/messages file. Because the file contains messages from many different services, you can use the seAudit window (type seaudit from a Terminal window) to view messages strictly related to SELinux. Figure 10-9 shows an example of the seAudit window.

Figure 10-9: View messages related to SELinux activity in the seAudit window.
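On a system without a graphical desktop, the SELinux messages can be separated from the rest of the log with a short filter. This is an added example, not code from the book: avc_summary is a hypothetical helper, and the log lines are constructed samples in the kernel "avc: denied" format, mixed with unrelated entries.

```shell
# Added example (not from the book): avc_summary is a hypothetical helper.
# Reads syslog lines on stdin and prints, most frequent first:
#   <count> <command> <source type> -> <target type> <class> {permissions}
avc_summary() {
    awk '
    /avc:  *denied/ {
        perm = ""; comm = st = tt = cls = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {                      # collect every permission up to "}"
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = (perm == "" ? "" : perm ",") $j
            }
            else if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            else if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); st = c[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tt = c[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        n[comm " " st " -> " tt " " cls " {" perm "}"]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Constructed sample log lines (not taken from a real system).
avc_summary <<'EOF'
Nov  6 10:15:02 host kernel: audit(1162826102.123:4): avc:  denied  { getattr } for  pid=2481 comm="httpd" name="index.html" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Nov  6 10:15:03 host sshd[900]: Accepted password for chris from 10.0.0.5 port 4022 ssh2
Nov  6 10:15:09 host kernel: audit(1162826109.456:5): avc:  denied  { getattr } for  pid=2481 comm="httpd" name="about.html" dev=dm-0 ino=1235 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Nov  6 10:16:40 host kernel: audit(1162826200.789:6): avc:  denied  { read write } for  pid=1710 comm="named" name="example.zone" dev=dm-0 ino=4321 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
EOF
```

As root, `avc_summary < /var/log/messages` produces the same summary for the local log.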



Fedora 6 and Red Hat Enterprise Linux Bible
ISBN: 047008278X
EAN: 2147483647
Year: 2007
Pages: 279