Thursday, August 04, 2005

SE Linux essentials (FC3)

Bare minimal SElinux:
  • SELinux in FC3 uses a targeted policy by default. One could opt for a strict policy too, which was the default with FC2. The policy files needed are in these RPMs:
    • selinux-policy-strict-.rpm and selinux-policy-strict-sources-.rpm
    • selinux-policy-targeted-.rpm and selinux-policy-targeted-sources-.rpm
    The policy source resides in /etc/selinux/policyname/src/policy when it is installed, and the binary policy file is in /etc/selinux/policyname/policy.
  • Use system-config-securitylevel to change SELinux based settings.
  • The ls command's -Z option will display the security context of a file
  • The id command's -Z option will display the security context of a user
  • The ps command's -Z option will display the security context of a process.
  • Don't take policy switching lightly. Unless of course, it's for learning :)
  • To change the policy the easy way, run system-config-securitylevel, change the policy and reboot.
  • To change the policy manually:
    1. Edit /etc/selinux/config and change the type of policy to SELINUXTYPE=policyname.
    2. Set the mode to permissive. SELINUX=permissive.
    3. Tell the init scripts to relabel the system on reboot with the command touch /.autorelabel.
    4. Reboot the system.
    5. Confirm your changes took effect with the command sestatus -v. With the new system running in permissive mode, check /var/log/messages for avc: denied messages. Fix any problems.
    6. When you are satisfied that the system runs stable under the new policy, enable enforcing by changing SELINUX=enforcing. You can either reboot or run setenforce 1 to turn enforcing on in real time.
  • Ordinary backups will not back up the security contexts, which are stored as extended attributes. Use star to back up files on an SELinux protected system. In particular, use the -xattr and -H=exustar options. Eg:
    star -xattr -H=exustar -c -f ../test.star ./*
  • The variable SELINUX in /etc/selinux/config can take the values disabled, enforcing, or permissive. Booting the kernel with enforcing=0 is the same as SELINUX=permissive. Similarly, booting the kernel with enforcing=1 is the same as SELINUX=enforcing.
  • As a safer alternative to booting with selinux=0, use SELINUX=disabled in /etc/selinux/config.
  • To temporarily turn off the enforcing mode, use setenforce 0. To return to enforcing mode, setenforce 1.
  • To turn off selinux at bootup, add selinux=0 to your kernel command line. Note that if you boot with selinux=0, any files you create while SELinux is disabled will NOT have SELinux context information. If booting with selinux=1 fails, relabel the files with a touch /.autorelabel and reboot into single user mode.
  • /usr/sbin/sestatus -v displays status info about SELinux
  • To relabel a directory, use restorecon -v -R /path.
  • If you have file systems shared by both SELinux enabled and non-SELinux machines, eg a dual-boot SuSE and FC4 box sharing the same /home, expect trouble when booting into SELinux, as the shared file system may need relabelling.
  • Mounting a non-SELinux file system via NFS results in SELinux treating all the files in the share as having a context of nfs_t. To override the default context, say to system_u:object_r:tmp_t:
    mount -t nfs -o context=system_u:object_r:tmp_t server:/shared/foo /mnt/foo
  • To change and load the security policy:
    cd /etc/selinux/targeted/src/policy
    make clean
    make load
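The two hands-on parts of the manual policy switch above, steps 1 and 2 (editing /etc/selinux/config) and step 5 (reading avc: denied messages out of /var/log/messages), as an added example in sh. This is not code from the original post; the function names, the config path argument and the three syslog lines are my own, and the log lines are constructed in the 2.6-kernel AVC format rather than captured from a real box.

```shell
#!/bin/sh
# Added example, not from the original post: steps 1, 2 and 5 of the manual
# policy switch, against a copy of /etc/selinux/config and a constructed
# /var/log/messages excerpt. The file path is an argument, so nothing here
# touches the real /etc/selinux/config unless you pass it.

# selinux_set FILE KEY VALUE: set KEY=VALUE in FILE, replacing an existing
# assignment or appending one. Only SELINUX and SELINUXTYPE are accepted, and
# SELINUX only takes the three values the post lists, so a typo cannot land
# in the config.
selinux_set() {
    file=$1; key=$2; value=$3
    case "$key:$value" in
        SELINUX:enforcing|SELINUX:permissive|SELINUX:disabled) ;;
        SELINUXTYPE:targeted|SELINUXTYPE:strict) ;;
        *) echo "refusing to write $key=$value" >&2; return 1 ;;
    esac
    tmp="$file.tmp.$$"
    if grep -q "^$key=" "$file"; then
        sed "s/^$key=.*/$key=$value/" "$file" > "$tmp"
    else
        { cat "$file"; printf '%s=%s\n' "$key" "$value"; } > "$tmp"
    fi
    mv "$tmp" "$file"
}

# selinux_get FILE KEY: print the current value of KEY (last assignment wins).
selinux_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# avc_denied_summary: read syslog lines on stdin and print one compact line per
# "avc: denied" record (comm, permission, source/target context, class), the
# fields needed to decide whether step 5 found a real problem. Granted records
# and non-AVC noise are dropped.
avc_denied_summary() {
    awk '/avc: *denied/ {
        perm = ""
        if (match($0, /\{[^}]*\}/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            sub(/^ +/, "", perm); sub(/ +$/, "", perm)
        }
        comm = ""; sc = ""; tc = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
            else if (kv[1] == "scontext") sc = kv[2]
            else if (kv[1] == "tcontext") tc = kv[2]
            else if (kv[1] == "tclass") cls = kv[2]
        }
        printf "comm=%s perm=%s scontext=%s tcontext=%s tclass=%s\n", comm, perm, sc, tc, cls
    }'
}

# Constructed sample data (not real log output): a three-line syslog excerpt in
# the 2.6-kernel AVC format. The middle line is a "granted" record and must be skipped.
SAMPLE_MESSAGES='Aug  4 10:01:02 fc3 kernel: audit(1123149662.123:45): avc:  denied  { read } for  pid=2510 comm="httpd" name="index.html" dev=hda2 ino=12345 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
Aug  4 10:01:05 fc3 kernel: audit(1123149665.456:46): avc:  granted  { setenforce } for  pid=2600 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
Aug  4 10:02:00 fc3 kernel: audit(1123149720.789:47): avc:  denied  { name_bind } for  pid=2700 comm="named" src=5353 scontext=user_u:system_r:named_t tcontext=system_u:object_r:port_t tclass=udp_socket'

# Demo: edit a copy of the config (steps 1 and 2), then triage the excerpt (step 5).
demo_dir=$(mktemp -d)
cat > "$demo_dir/config" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
selinux_set "$demo_dir/config" SELINUXTYPE strict
selinux_set "$demo_dir/config" SELINUX permissive
echo "config now: SELINUX=$(selinux_get "$demo_dir/config" SELINUX) SELINUXTYPE=$(selinux_get "$demo_dir/config" SELINUXTYPE)"
# step 3 on a real box would be: touch /.autorelabel
printf '%s\n' "$SAMPLE_MESSAGES" | avc_denied_summary
rm -rf "$demo_dir"
```

The point of the whitelist in selinux_set is that the file is read at boot: an unknown SELINUXTYPE or a misspelt SELINUX value is exactly the kind of mistake that turns step 4 into a rescue-mode session. On a real system, pipe `grep 'avc: *denied' /var/log/messages` into avc_denied_summary and fix the problems it lists before switching to enforcing in step 6.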

Upgrading CentOS 4.0 to CentOS 4.1

CentOS 4 is basically Red Hat Enterprise Linux 4. I just upgraded it to CentOS 4.1 from the rpms, using these steps:

  • Download the rpms from CentOS/4.1/os on any mirror.
  • Download the updates from CentOS/4.1/updates on any mirror.
  • Download any extra modules that depend on the kernel version. In my case, I had to download linux-ntfs rpms for the 2.6.11ELhugemem kernel.
  • Turn off enforcing mode using
    setenforce 0.
    (Failing to do this made the rpm postinstall fail for some rpm files. Off the cuff, I recall the rpms for bzip2-libs, and krb5-* failing.)
  • From the directory containing the 4.1 rpms, run
    rpm -Fvh *.rpm
    You do need a lot of free disk space for this to work. Alternately, freshen a few rpms at a time :)
  • Now enable selinux with setenforce 1.
  • Reboot into runlevel 1 so that no services start up.
  • Run
    /sbin/fixfiles relabel
    Alternatively, to speed things up, you can also use
    /sbin/restorecon -R pathname
    to recursively restore security context on the specified path - in my case /lib and /usr/lib were definitely affected. I opted for the fixfiles approach rather than weed out directories individually.
  • Change to the normal runlevel
That's all there is to it :-)
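The freshen-in-batches workaround and the setenforce 0 / rpm -Fvh / setenforce 1 sequence above, wrapped into one sh function as an added example. This is not the post's own script: the function names, the RPM, SETENFORCE and AUTORELABEL_FLAG variables (which default to the real rpm, setenforce and /.autorelabel and exist only so the sequence can be exercised with stubs) and the choice of xargs -n for batching are all mine. The one thing it adds to the post's steps is that enforcing is switched back on even when a batch of rpms fails, so a broken upgrade never leaves the box sitting in permissive mode.

```shell
#!/bin/sh
# Added example, not from the original post: the upgrade steps above as one
# function, with the rpm "freshen" done a few packages at a time (the post's
# workaround for disk space) and enforcing mode off only while rpm runs.
# Tool names come from hypothetical environment variables so the sequence can
# be exercised with stubs; the defaults are the real tools.
: "${RPM:=rpm}"
: "${SETENFORCE:=setenforce}"
: "${AUTORELABEL_FLAG:=/.autorelabel}"   # touching this makes the init scripts relabel on reboot

# batch_freshen DIR N: rpm -Fvh over DIR/*.rpm, N packages per rpm invocation.
# Enforcing is turned off before the first batch and back on afterwards, also
# when a batch fails, so a failed upgrade never leaves the box in permissive mode.
batch_freshen() {
    dir=$1; n=${2:-25}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    set -- "$dir"/*.rpm
    [ -e "$1" ] || { echo "no *.rpm files in $dir" >&2; return 1; }
    "$SETENFORCE" 0 || return 1
    rc=0
    # xargs -n N hands at most N file names to each rpm run and exits 123 if
    # any run failed. rpm file names contain no whitespace, so one name per
    # line is a safe delimiter.
    printf '%s\n' "$@" | xargs -n "$n" "$RPM" -Fvh || rc=$?
    "$SETENFORCE" 1 || rc=1
    return $rc
}

# schedule_relabel: ask for a full relabel on the next boot, the touch
# /.autorelabel route from the policy-switch notes, instead of running
# fixfiles relabel by hand in runlevel 1.
schedule_relabel() {
    : > "$AUTORELABEL_FLAG"
}

# upgrade_from DIR N: the whole sequence; the relabel is only scheduled when
# every batch succeeded, so a half-upgraded system is not relabelled blindly.
upgrade_from() {
    batch_freshen "$1" "${2:-25}" && schedule_relabel
}

# usage on a real box (as root, with the 4.1 rpms and updates in one directory):
#   upgrade_from /path/to/centos-4.1-rpms 25 && reboot
```

The return code of upgrade_from is rpm's failure, not setenforce's, so on failure you can read rpm's output, fix the package that broke, and rerun; enforcing has already been restored by then.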