SE Linux essentials (FC3)
Bare minimal SElinux:
- SELinux in FC3 uses a targeted policy by default. You can opt for the strict policy instead, which was the default in FC2. The policy files needed are in these RPMs:
  - selinux-policy-strict-<version>.rpm and selinux-policy-strict-sources-<version>.rpm
  - selinux-policy-targeted-<version>.rpm and selinux-policy-targeted-sources-<version>.rpm
  When installed, the policy source resides in /etc/selinux/<policyname>/src/policy and the binary policy file in /etc/selinux/<policyname>/policy.
- Use system-config-securitylevel to change SELinux-based settings.
- The -Z option of the ls command displays the security context of a file.
- The -Z option of the id command displays the security context of a user.
- The -Z option of the ps command displays the security context of a process.
- Don't take policy switching lightly. Unless of course, it's for learning :)
- To change the policy the easy way, run system-config-securitylevel, change the policy and reboot.
- To change the policy manually:
  - Edit /etc/selinux/config and change the type of policy to SELINUXTYPE=policyname.
  - Set the mode to permissive: SELINUX=permissive.
  - Tell the init scripts to relabel the system on reboot with the command touch /.autorelabel.
  - Reboot the system.
  - Confirm your changes took effect with the command sestatus -v. With the new system running in permissive mode, check /var/log/messages for avc: denied messages. Fix any problems.
  - When you are satisfied that the system runs stable under the new policy, enable enforcing by changing to SELINUX=enforcing. You can either reboot or run setenforce 1 to turn enforcing on in real time.
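As an added example (not from the original post), here is a small POSIX shell function that summarises the avc: denied messages from the permissive-mode check above, so that the same denial logged hundreds of times collapses into one line with a count. The four log lines are constructed samples in the FC3-era syslog format, not taken from a real machine.

```shell
#!/bin/sh
# Added example, not from the original post: collapse repeated avc: denied
# messages from /var/log/messages into one line per distinct denial.
# The log lines below are constructed samples in the FC3 syslog format.
SAMPLE_LOG='Jan  6 14:53:07 fc3 kernel: audit(1105025587.456:0): avc:  denied  { read } for  pid=2345 exe=/usr/sbin/httpd name=index.html dev=hda2 ino=12345 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
Jan  6 14:53:07 fc3 kernel: audit(1105025587.457:0): avc:  denied  { search getattr } for  pid=2345 exe=/usr/sbin/httpd path=/home/jdoe/public_html dev=hda2 ino=12346 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
Jan  6 14:53:09 fc3 kernel: audit(1105025589.001:0): avc:  denied  { read } for  pid=2345 exe=/usr/sbin/httpd name=index.html dev=hda2 ino=12345 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
Jan  6 14:54:01 fc3 sshd[2400]: Accepted publickey for jdoe from 192.0.2.10 port 41022 ssh2'

# Read syslog lines on stdin; print "COUNT scontext -> tcontext class=... perms={ ... }"
# for each distinct (source context, target context, class, permissions) tuple,
# most frequent first. Non-AVC lines (like the sshd line above) are ignored.
summarize_avc() {
    grep 'avc:  *denied' |
    sed -n 's/.*avc:  *denied  *{ *\([^}]*\)} .*scontext=\([^ ]*\) .*tcontext=\([^ ]*\) .*tclass=\([^ ]*\).*/\2 \3 \4 \1/p' |
    sort | uniq -c | sort -rn |
    awk '{ printf "%d %s -> %s class=%s perms={", $1, $2, $3, $4
           for (i = 5; i <= NF; i++) printf " %s", $i
           printf " }\n" }'
}

# Typical use on a live FC3 box: summarize_avc < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | summarize_avc
```

Each output line names the domain that was denied, the file context it tried to reach, the object class and the permissions, which is exactly what you need to decide whether a file is mislabelled (fix with restorecon) or the policy needs adjusting.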
- Ordinary backups will not back up the security contexts, which are stored as extended attributes. Use star to back up files on an SELinux-protected system, in particular with the -xattr and -H=exustar options. Eg:
star -xattr -H=exustar -c -f ../test.star ./*
- The variable SELINUX in /etc/selinux/config can take the values disabled, enforcing, or permissive. Booting the kernel with enforcing=0 is the same as SELINUX=permissive. Similarly, booting the kernel with enforcing=1 is the same as SELINUX=enforcing.
- As a safer alternative to booting with selinux=0, use SELINUX=disabled in /etc/selinux/config.
- To temporarily turn off the enforcing mode, use setenforce 0. To return to enforcing mode, setenforce 1.
- To turn off SELinux at bootup, add selinux=0 to your kernel command line. Note that if you boot with selinux=0, any files you create while SELinux is disabled will NOT have SELinux context information. If booting with selinux=1 then fails, relabel the files with a touch /.autorelabel and reboot into single user mode.
- /usr/sbin/sestatus -v displays status info about SELinux.
- To relabel a directory, use restorecon -v -R /path.
- If you have file systems shared by both SELinux-enabled and non-SELinux machines, e.g. a dual-boot SUSE and FC4 sharing the same /home, it spells trouble when booting into SELinux, as it may require relabelling.
- Mounting a non-SELinux file system via NFS results in SELinux treating all the files in the share as having the context nfs_t. To override the default context, say to system_u:object_r:tmp_t, tell SELinux at mount time:
mount -t nfs -o context=system_u:object_r:tmp_t server:/shared/foo /mnt/foo
- To change and load the security policy:
cd /etc/selinux/targeted/src/policy
make clean
make load