Thursday, August 04, 2005

SE Linux essentials (FC3)

Bare minimal SElinux:
  • SELinux in FC3 uses a targeted policy by default. One could opt for a strict policy too, which was the default with FC2. The policy files needed are in these RPMs:
    • selinux-policy-strict-.rpm and selinux-policy-strict-sources-.rpm
    • selinux-policy-targeted-.rpm and selinux-policy-targeted-sources-.rpm
    The policy source resides in /etc/selinux/policyname/src/policy when it is installed, and the binary policy file is in /etc/selinux/policyname/policy.
  • Use system-config-securitylevel to change SELinux based settings.
  • The ls command's -Z option will display the security context of a file.
  • The id command's -Z option will display the security context of a user.
  • The ps command's -Z option will display the security context of a process.
  • Don't take policy switching lightly. Unless of course, it's for learning :)
  • To change the policy the easy way, run system-config-securitylevel, change the policy and reboot.
  • To change the policy manually -
    1. Edit /etc/selinux/config and change the type of policy to SELINUXTYPE=policyname.
    2. Set the mode to permissive. SELINUX=permissive.
    3. Tell the init scripts to relabel the system on reboot with the command touch /.autorelabel.
    4. Reboot the system.
    5. Confirm your changes took effect with the command sestatus -v. With the new system running in permissive mode, check /var/log/messages for avc: denied messages. Fix any problems.
    6. When you are satisfied that the system runs stable under the new policy, enable enforcing by changing SELINUX=enforcing. You can either reboot or run setenforce 1 to turn enforcing on in real time.
  • Ordinary backups will not back up the security contexts, which are stored as extended attributes. Use star to back up files on an SELinux protected system; in particular, use the -xattr and -H=exustar options. E.g.:
    star -xattr -H=exustar -c -f ../test.star ./*
  • The variable SELINUX in /etc/selinux/config can take the values disabled, enforcing, or permissive. Booting the kernel with enforcing=0 is the same as SELINUX=permissive. Similarly, booting the kernel with enforcing=1 is the same as SELINUX=enforcing.
  • As a safer alternative to booting with selinux=0, use SELINUX=disabled in /etc/selinux/config.
  • To temporarily turn off the enforcing mode, use setenforce 0. To return to enforcing mode, setenforce 1.
  • To turn off selinux at bootup, add selinux=0 to your kernel command line. Note that if you boot with selinux=0, any files you create while SELinux is disabled will NOT have SELinux context information. If booting with selinux=1 fails, relabel the files with a touch /.autorelabel and reboot into single user mode.
  • /usr/sbin/sestatus -v displays status info about SELinux
  • To relabel a directory, use restorecon -v -R /path.
  • If you have file systems shared by both SELinux enabled and non-SELinux machines, e.g. a dual-boot Suse and FC4 sharing the same /home, expect trouble when booting into SELinux: files created from the non-SELinux side carry no security context, so the shared file system may require relabelling.
  • Mounting a non-SELinux file system via NFS results in SELinux treating all the files in the share as having a context of nfs_t. To override the default context, e.g. to system_u:object_r:tmp_t:
    mount -t nfs -o context=system_u:object_r:tmp_t server:/shared/foo /mnt/foo
  • To change and load the security policy:
    cd /etc/selinux/targeted/src/policy
    make clean
    make load
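
Step 5 of the manual policy switch above says to check /var/log/messages for avc: denied messages. As an added example (not from the original post), this POSIX shell function groups such denials by permission, source context, target context and object class so the noisiest rules stand out; the log lines are constructed in the FC3-era kernel audit format, not taken from a real system.

```sh
#!/bin/sh
# Summarise SELinux AVC denials from syslog-style lines (e.g. /var/log/messages on FC3).

# Constructed sample log lines in the FC3-era kernel audit format (not from a real system).
SAMPLE_LOG='Aug  4 10:01:02 fc3 kernel: audit(1123142462.101:12): avc:  denied  { read } for  pid=2101 exe=/usr/sbin/httpd name=index.html dev=hda2 ino=40123 scontext=root:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
Aug  4 10:01:02 fc3 kernel: audit(1123142462.102:13): avc:  denied  { getattr } for  pid=2101 exe=/usr/sbin/httpd path=/home/alice/public_html dev=hda2 ino=40100 scontext=root:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir
Aug  4 10:01:03 fc3 kernel: audit(1123142463.005:14): avc:  denied  { read } for  pid=2101 exe=/usr/sbin/httpd name=index.html dev=hda2 ino=40123 scontext=root:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
Aug  4 10:02:10 fc3 sshd[2200]: Accepted publickey for alice from 10.0.0.5 port 4000 ssh2
Aug  4 10:03:44 fc3 kernel: audit(1123142624.310:15): avc:  denied  { name_bind } for  pid=2300 exe=/usr/sbin/named src=5353 scontext=root:system_r:named_t tcontext=system_u:object_r:port_t tclass=udp_socket'

# Read log lines on stdin; print one line per distinct denial, most frequent first:
#   count  permission(s)  scontext -> tcontext  tclass
summarize_avc() {
    grep 'avc: *denied' |
    awk '{
        perm = ""; s = ""; t = ""; c = "";
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # permissions are listed between "{" and "}", e.g. "{ read write }"
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = perm (perm == "" ? "" : ",") $j;
            }
            else if ($i ~ /^scontext=/) s = substr($i, 10);
            else if ($i ~ /^tcontext=/) t = substr($i, 10);
            else if ($i ~ /^tclass=/)   c = substr($i, 8);
        }
        count[perm " " s " -> " t " " c]++;
    }
    END { for (k in count) print count[k], k }' |
    sort -rn
}

# Stand-alone run over the constructed sample (on a real box: summarize_avc < /var/log/messages).
printf '%s\n' "$SAMPLE_LOG" | summarize_avc
```

A repeated denial with the same contexts and class usually points at one mislabelled file or directory, which restorecon -v -R (mentioned above) fixes without touching the policy.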
