BLAG

BLAG Forums
It is currently Mon Dec 22, 2014 10:41 am

All times are UTC




 Post subject: SELinux Primer
PostPosted: Thu Oct 02, 2008 12:49 am 

Joined: Sun Aug 13, 2006 8:26 pm
Posts: 42
Fedora and Red Hat have led the development in MAC (Mandatory Access Control) based, NSA security. BLAG inherits this from Fedora. The following might be of interest as a *very brief* introduction for the security-minded who want to use SELinux, but don't know where to start.

Red Hat and Fedora have provided what is called targeted policies to make life easy for you. (A target is a policy targeted at a service, such as the web server Apache, or an MTA such as sendmail, postfix, or exim.) This means that a package not provided by Fedora (or inherited into BLAG) is automatically "unconfined." To enable SELinux under BLAG, add a symbolic link under /etc/sysconfig as "selinux" to /etc/selinux/config, and change SELINUX to "enforcing" in that file. You will need to add the packages selinux-policy and selinux-policy-targeted (there's also selinux-policy-mls). The first time you do this, you will get errors, because selinux is not yet enabled. Do not despair, just reboot (selinux will label your filesystem, so this may take a minute the first time you reboot). selinux-doc will also be helpful, as well as _selinux man pages that will describe the targets.

Make life easy on yourself and use system-config-selinux. However, {get,set}sebool, semanage, sesearch (for audit log searching), setroubleshootd (for sealert helps logged to /var/log/messages), {get,set}enforce will be helpful.

Some things to understand. First, every file on the system, and every process, is labeled with a security context (provided by the user_xattr filesystem option). There are five fields, colon delimited. For instance, an ls -Z of the network config file will show:
Code:
-rw-r--r--  root root system_u:object_r:etc_t          /etc/sysconfig/network


Field one is _u (the user), a description of what is requesting the resource described in field two (_r, the role). (More specifically, this is a generic file system object used by the system.) The third field is the pointer to the policy, called the type enforcement. There are two more fields S and C (sensitivity and category). Think of sensitivity as the level of security access (top secret!), and the category is what office, or department, gets this access.

With getsebool -a you can view the booleans (like with sysctl -a) that modify policy behaviour. To get a full list of the security contexts, type semanage fcontext -l.

To put this into the real world, if you have an ftp server, you have files shared with public_content_t and public_content_rw_t (like for an incoming directory). If you label your /var/ftp files right, the ftp server (such as vsftpd) has no problem accessing the files. If you run into problems, disable enforcement with the _trans boolean (ftpd_disable_trans) by toggling it on (setsebool -P ftpd_disable_trans on), verifying your server works right, then toggling it off to troubleshoot your selinux configuration (typically, a boolean you didn't set right, or file context that isn't set right). To change your security context use chcon with an option matching the letter (-u, -r, -t, etc.). If you panic, use restorecon on the file, and selinux will try and automatically do it for you. Finally, if you are running the setroubleshooter (see the setroubleshoot-server package, setroubleshoot init script), it will give you a sealert command in /var/log/messages that will help you figure out why something isn't working.

This document was written for the BLAG forums.

Copyright (c) 2008 D E Evans. Verbatim copying, or modification, etc., under the GFDL is permitted, as long as the copyright notice and license is preserved.
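
The context fields and the /var/ftp labeling check described in the post above, as an added example that is not part of the original post. The function names are hypothetical, the listing is constructed, and the column layout (mode, owner, group, context, path) is assumed to match the ls -Z line quoted in the post.

```shell
#!/bin/sh
# Added example: audit `ls -Z` output for an FTP tree (not the poster's code).

# Split a security context into its colon-delimited fields.
# Prints "user role type sensitivity category"; absent fields print as "-".
split_context() {
    IFS=: read -r c_user c_role c_type c_sens c_cat <<EOF
$1
EOF
    printf '%s %s %s %s %s\n' \
        "$c_user" "$c_role" "$c_type" "${c_sens:--}" "${c_cat:--}"
}

# Read `ls -Z` lines on stdin and print "path type" for every entry whose
# type is neither of the two public-content types the post names for FTP.
mislabeled_ftp_files() {
    while read -r _mode _owner _group context path; do
        [ -n "$path" ] || continue              # skip blank or short lines
        ctype=$(split_context "$context" | cut -d' ' -f3)
        case "$ctype" in
            public_content_t|public_content_rw_t) ;;   # expected labels
            *) printf '%s %s\n' "$path" "$ctype" ;;
        esac
    done
}

# Constructed sample listing; on a real system this would come from
# something like `ls -ZR /var/ftp` in the same column layout.
sample_listing() {
    cat <<'EOF'
drwxr-xr-x  root root system_u:object_r:public_content_t:s0     /var/ftp/pub
drwxrwx---  root ftp  system_u:object_r:public_content_rw_t:s0  /var/ftp/incoming
-rw-r--r--  root root user_u:object_r:user_home_t:s0            /var/ftp/pub/notes.txt
-rw-r--r--  root root system_u:object_r:etc_t                   /var/ftp/pub/motd
EOF
}

# Report the entries that would need chcon -t or restorecon.
sample_listing | mislabeled_ftp_files
```

Each reported path is a candidate for chcon -t or restorecon as described in the post.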


 Post subject:
PostPosted: Thu Oct 02, 2008 11:56 pm 
Site Admin

Joined: Wed Mar 17, 2004 6:17 pm
Posts: 1340
Location: London, UK
Put this on the wiki?

_________________
BLAG 'em up!


 Post subject:
PostPosted: Fri Oct 03, 2008 2:27 pm 

Joined: Sun Aug 13, 2006 8:26 pm
Posts: 42
john maclean wrote:
Put this on the wiki?


Feel free.


 Post subject:
PostPosted: Fri Oct 03, 2008 10:08 pm 
Site Admin

Joined: Wed Mar 17, 2004 6:17 pm
Posts: 1340
Location: London, UK
https://wiki.blagblagblag.org/Selinux

_________________
BLAG 'em up!

