From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <6ead14e833d7958b6f5b89c45d520be1accfa615.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
X-VCS-Repository: proj/hardened-docs
X-VCS-Files: xml/selinux/hb-selinux-conv-profile.xml xml/selinux/hb-selinux-conv-reboot1.xml xml/selinux/hb-selinux-conv-reboot2.xml xml/selinux/hb-selinux-faq.xml xml/selinux/hb-selinux-howto.xml xml/selinux/hb-selinux-initpol.xml xml/selinux/hb-selinux-libsemanage.xml xml/selinux/hb-selinux-localmod.xml xml/selinux/hb-selinux-loglocal.xml xml/selinux/hb-selinux-logremote.xml xml/selinux/hb-selinux-overview.xml xml/selinux/hb-selinux-references.xml
X-VCS-Directories: xml/selinux/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 6ead14e833d7958b6f5b89c45d520be1accfa615
Date: Fri, 1 Apr 2011 17:45:09 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: quoted-printable
X-Archives-Salt:
X-Archives-Hash: d4b3302e28472de1e3cfd00d395bc28e

commit:     6ead14e833d7958b6f5b89c45d520be1accfa615
Author:     Sven Vermeulen siphos be>
AuthorDate: Fri Apr  1 17:44:41 2011 +0000
Commit:     Sven Vermeulen siphos be>
CommitDate: Fri Apr  1 17:44:41 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=6ead14e8

drop unneeded files

---
 xml/selinux/hb-selinux-conv-profile.xml | 107 -------
 xml/selinux/hb-selinux-conv-reboot1.xml | 193 ------------
 xml/selinux/hb-selinux-conv-reboot2.xml | 213 -------------
 xml/selinux/hb-selinux-faq.xml          | 154 ---------
 xml/selinux/hb-selinux-howto.xml        | 250 ---------------
 xml/selinux/hb-selinux-initpol.xml      |  48 ---
 xml/selinux/hb-selinux-libsemanage.xml  | 246 ---------------
 xml/selinux/hb-selinux-localmod.xml     | 134 --------
xml/selinux/hb-selinux-loglocal.xml | 166 ---------- xml/selinux/hb-selinux-logremote.xml | 177 ----------- xml/selinux/hb-selinux-overview.xml | 521 -------------------------= ------ xml/selinux/hb-selinux-references.xml | 111 ------- 12 files changed, 0 insertions(+), 2320 deletions(-) diff --git a/xml/selinux/hb-selinux-conv-profile.xml b/xml/selinux/hb-sel= inux-conv-profile.xml deleted file mode 100644 index 01f5ead..0000000 --- a/xml/selinux/hb-selinux-conv-profile.xml +++ /dev/null @@ -1,107 +0,0 @@ - - - - - -=20 - - - -2.1 -2010-06-15 - -
Change Profile - - -SELinux is only supported on ext2/3, XFS, JFS, and Btrfs. Other f= ilesystems -lack the complete extended attribute support. - -Users should convert from a 2006.1 or newer profile otherwise -there may be unpredictable results. - -As always, keep a LiveCD at hand in case things go wrong. - -

First switch your profile to the SELinux profile for your architectur= e:

- -
-# rm -f /etc/make.profile
-
-
-x86 (server):
-# ln -sf /usr/portage/profiles/selinux/v2refpolicy/x86/server /etc/ma=
ke.profile
-x86 (hardened):
-# ln -sf /usr/portage/profiles/selinux/v2refpolicy/x86/hardened /etc/=
make.profile
-AMD64:
-# ln -sf /usr/portage/profiles/selinux/v2refpolicy/amd64/server /etc/=
make.profile
-AMD64 (hardened):
-# ln -sf /usr/portage/profiles/selinux/v2refpolicy/amd64/hardened /et=
c/make.profile
-
- -You can also switch profiles with eselect if you have the gentoolk= it - package installed. That method is not shown here because the specific = options - available and their numbering will vary according to your system - configuration. - -Do not use any profiles other than the ones listed above, even -if they seem to be out of date. SELinux profiles are not necessarily -created as often as default Gentoo profiles. - -The SELinux profile has significanly fewer USE flags asserted than -the default profile. Use emerge info to see if any use flags -need to be reenabled in make.conf. - -It is not necessary to add selinux to your USE flags in make.conf. -The SELinux profile already does this for you. - - - - You may encounter this message from portage: "!!! SELinux module not f= ound. - Please verify that it was installed." This is normal, and will be fix= ed - later in the conversion process. - - -
-
- -
Update Kernel Headers - -

- We will start by updating essential packages. First check which versi= on - of linux-headers is installed. -

- -
-# emerge -s linux-headers
-or if you have gentoolkit installed:
-# equery list -i linux-headers
-
- -

- If the linux-headers version is older than 2.4.20, newer headers must = be merged. -

- -
-# emerge \>=3Dsys-kernel/linux-headers-2.4.20
-
- -
-
- -
Update Glibc - -

- If you have merged new headers, or you are unsure if your glibc was - compiled with newer headers, you must recompile glibc. -

- -
-# emerge glibc
-
- - - This is a critical operation. Glibc must be compiled with newer linux= -headers, - otherwise some operations will malfunction. - -
-
-
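Review bot: The commit message "drop unneeded files" does not say why xml/selinux/hb-selinux-conv-profile.xml is unneeded or where its content went; for a whole-file deletion in the handbook that should be stated, and any table of contents or chapter that includes this file should be updated in the same commit so the build does not point at a missing file. The chapter is clearly dated (version 2.1 of 2010-06-15 still describes converting from a 2006.1 profile, symlinking /etc/make.profile to profiles/selinux/v2refpolicy/..., and checking for linux-headers older than 2.4.20), so deleting it is reasonable, but two pieces of advice in it are not version-specific and deserve a home in whatever replaces it: that the SELinux profile asserts fewer USE flags than the default profile and `emerge info` should be checked afterwards, and that the "SELinux module not found" portage message is expected until the conversion completes.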
diff --git a/xml/selinux/hb-selinux-conv-reboot1.xml b/xml/selinux/hb-sel= inux-conv-reboot1.xml deleted file mode 100644 index bfc8692..0000000 --- a/xml/selinux/hb-selinux-conv-reboot1.xml +++ /dev/null @@ -1,193 +0,0 @@ - - - - - -=20 - - - -2.2 -2010-11-27 - -
Merge a SELinux Kernel - -

Merge an appropriate kernel. A 2.6 kernel is required. The - suggested kernel is hardened-sources. -

- -2.6.28-r9 is the current hardened release version at the time of t= his writing, - and all instructions in this document assume at least this version. - -Kernels 2.6.14 and 2.6.15 should not be used by XFS users as they - have bugs in the SELinux XFS support. -=20 -
-Any 2.6 kernel
-# emerge hardened-sources
-
-
-
- -
Compile the Kernel with SELinux Options - -

The kernel must be compiled with security module support, SELinux su= pport, -devpts, and extended attribute security labels. Refer to the main insta= llation -guide for futher kernel options.

- - -The available options may vary slightly depending on the kernel version -being used. In particular, Btrfs first became available with the 2.6.29 -kernel, and the /dev/pts and tmpfs Extended Attributs and Security Label= s -options were obsoleted in kernel 2.6.13 (they are now enabled by default= ). -"Default Linux Capabilies" under "Security options" was obsoleted in the -2.6.26 kernel (it is now enabled by default). - -XFS always enables security labeling, so there is no additional option -to set for this file system - -Ext4 should work, but is NOT well tested at the time of this writing! - -Any extended attribute options not specifically enabled below should be = turned -off. - - -
-Under "General setup"
-[*] Prompt for development and/or incomplete code/drivers
-[*] Auditing support
-[*]   Enable system-call auditing support
-
-Under "File systems"
-<*> Second extended fs support (If using ext2)
-[*]   Ext2 extended attributes
-[ ]     Ext2 POSIX Access Control Lists
-[*]     Ext2 Security Labels
-[ ]   Ext2 Execute in place support
-<*> Ext3 journalling file system support (If using ext3)<=
/comment>
-[*]   Ext3 extended attributes
-[ ]     Ext3 POSIX Access Control Lists
-[*]     Ext3 Security labels
-<*> The Extended 4 (ext4) filesystem (If using ext4)
-[ ]   Enable ext4dev compatibility=20
-[*]   Ext4 extended attrributes
-[ ]     Ext4 POSIX Access Control Lists
-[*]     Ext4 Security Labels
-<*> JFS filesystem support (If using JFS)
-[ ]   JFS POSIX Access Control Lists
-[*]   JFS Security Labels
-[ ]   JFS debugging
-[ ]   JFS statistics
-<*> XFS filesystem support (If using XFS)
-[ ]   XFS Quota support
-[ ]   XFS POSIX ACL support
-[ ]   XFS Realtime subvolume support (EXPERIMENTAL)
-[ ]   XFS Debugging Support
-<*> Btrfs filesystem (EXPERIMENTAL) Unstable disk format =
(if
-using Btrfs)
-[ ]   Btrfs POSIX Access Control Lists (NEW)
-Under "Pseudo filesystems (via "File systems")
-[ ] /dev file system support (EXPERIMENTAL)
-[*]   /dev/pts Extended Attributes
-[*]     /dev/pts Security Labels
-[*] Virtual memory file system support (former shm fs)
-[*]   tmpfs Extended Attributes
-[*]     tmpfs Security Labels
-
-Under "Security options"
-[*] Enable different security models
-[*]   Socket and Networking Security Hooks
-<*>   Default Linux Capabilities
-[*] NSA SELinux Support
-[ ]   NSA SELinux boot parameter
-[ ]   NSA SELinux runtime disable
-[*]   NSA SELinux Development Support
-[ ]   NSA SELinux AVC Statistics
-(1)   NSA SELinux checkreqprot default value
-[ ]   NSA SELinux enable new secmark network controls by default
-[ ]   NSA SELinux maximum supported policy format version
-    Default security module (SELinux)  --->
-
- -

- The extended attribute security labels must be turned on for devpts an= d - your filesystem(s). Devfs is not usable in SELinux, and should be - turned off. Not all options exist on older 2.6 kernels, - such as Auditing support, and runtime disable. In newer kernels, - the extended attributes support for proc and the virtual memory fs (tm= pfs) - are enabled by default; thus, no options will appear in menuconfig. -

- -It is recommended to configure PaX if you are using harded-sources= (also -recommended). More information about Pax can be found in the Hardened Gentoo -PaX Quickstart Guide. - - - - Do not enable the SELinux MLS policy option if its available, as it is - not supported, and will cause your machine to not start. - - -

- Now compile and install the kernel and modules, but do not reboot. -

-
-
- -
Update fstab - -

- SElinuxfs must also be enabled to mount at boot. - Add this to /etc/fstab: -

-
-none	/selinux	selinuxfs	defaults	0	0
-
-
-
- -
Configure Baselayout - -

-SELinux does not support devfs. You must configure baselayout to -use either static device nodes or udev. If using udev, the -device tarball must be disabled. Edit the /etc/conf.d/rc file. -Set RC_DEVICES to static or udev, and RC_DEVICE_TARBALL to no. -If you have several custom device nodes, static is suggested, -otherwise udev is suggested (udev is the default at the time of this wri= ting). -For more information on udev, consult the Gentoo UDEV Guide. -

-
-# Use this variable to control the /dev management behavior.
-#  auto   - let the scripts figure out what's best at boot
-#  devfs  - use devfs (requires sys-fs/devfsd)
-#  udev   - use udev (requires sys-fs/udev)
-#  static - let the user manage /dev
-
-RC_DEVICES=3D"udev"
-
-# UDEV OPTION:
-# Set to "yes" if you want to save /dev to a tarball on shutdown
-# and restore it on startup.  This is useful if you have a lot of
-# custom device nodes that udev does not handle/know about.
-
-RC_DEVICE_TARBALL=3D"no"
-
-
-
- -
Reboot - -

- We need to make some directories before we reboot. -

-
-# mkdir /selinux
-# mkdir /sys
-
-

- Now reboot. -

-
-
-
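Review bot: xml/selinux/hb-selinux-conv-reboot1.xml was revised as recently as 2010-11-27 (version 2.2 in the deleted header), so "unneeded" needs a sentence of justification here: say whether the kernel configuration walk-through, the selinuxfs entry in /etc/fstab and the baselayout RC_DEVICES/RC_DEVICE_TARBALL settings were folded into another chapter or are simply obsolete. One warning in the deleted text is independent of how the kernel menu has changed and should survive somewhere: do not enable the SELinux MLS policy option, which the text says is unsupported and will keep the machine from starting. The hunk also drops the hardcoded mount of selinuxfs at /selinux and the matching `mkdir /selinux`; if the replacement documentation uses a different mount point, a pointer to it in the commit message would save readers of the old and new text some confusion.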
diff --git a/xml/selinux/hb-selinux-conv-reboot2.xml b/xml/selinux/hb-sel= inux-conv-reboot2.xml deleted file mode 100644 index 95383da..0000000 --- a/xml/selinux/hb-selinux-conv-reboot2.xml +++ /dev/null @@ -1,213 +0,0 @@ - - - - - - =20 - - - -2.3 -2010-11-27 - -
Merge SELinux Packages - - -

Merge the libraries, utilities and base-policy. The policy version m= ay need - be adjusted, refer to the SELinux Overview - for more information on policy versions. Then load the policy.

- -
-# emerge -1 checkpolicy policycoreutils
-# FEATURES=3D-selinux emerge -1 selinux-base-policy
-
- -The "FEATURES=3D-selinux" part of the emerge command should only be used= on the above command. -It is required to merge selinux-base-policy (only for the first time) as= the portage SELinux features require both policycoreutils and selinux-ba= se-policy otherwise portage will fail. - -
-
- -
Choose the policy type - -

-New in 2006.1, users now have the choice between the strict policy and t= he -targeted policy. -

-

-In the strict policy, all processes are confined. -If you are familiar with pre 2006.1 Gentoo SELinux policy, that policy w= as a strict policy. -Strict policy is suggested for servers. -Gentoo does not support the strict policy on desktops. -

-

-The targeted policy differs with strict, as only network-facing services= are -confined and local users are unconfined. Gentoo only supports desktops = with -the targeted policy. This policy can also be used on servers. -

-

-Edit the /etc/selinux/config file to set the policy type. -

-
-# This file controls the state of SELinux on the system on boot.
-
-# SELINUX can take one of these three values:
-#       enforcing - SELinux security policy is enforced.
-#       permissive - SELinux prints warnings instead of enforcing.
-#       disabled - No SELinux policy is loaded.
-SELINUX=3Dpermissive (This should be set permissive for the rem=
ainder of the install)
-
-# SELINUXTYPE can take one of these two values:
-#       targeted - Only targeted network daemons are protected.
-#       strict - Full SELinux protection.
-SELINUXTYPE=3Dstrict (Set this as strict or targeted)
-
- -
- -
Merge SELinux-patched packages - -

- There are several system packages that have SELinux patches. These pa= tches - provide a variety of additional SELinux functionality, such as display= ing - file contexts. -

-
-# emerge -1 sysvinit pam coreutils findutils openssh procps psmisc sh=
adow util-linux python-selinux
-
- - If you find that you can't use portage due to a errors like these: - !!! 'module' object has no attribute 'secure_rename' or - AttributeError: 'module' object has no attribute 'getcontext', this is - a portage bug, where it can't handle a missing python-selinux. Merge = it - with "FEATURES=3D-selinux emerge python-selinux" to fix the problem. = See - bug #122= 517 - for more information. - -

There are other packages that have SELinux patches, but are optional.= These -should be remerged if they are already installed, so the SELinux patches= are -applied:

-
    -
  • app-admin/logrotate
  • -
  • sys-apps/fcron
  • -
  • sys-apps/vixie-cron
  • -
  • sys-fs/device-mapper
  • -
  • sys-fs/udev
  • -
  • sys-libs/pwdb
  • -
- - Fcron and Vixie-cron are the only crons with SELinux support. - -The above packages are NOT an exhaustive list; they are only the m= ost -common ones. In general, any package installed on the system which has = the -selinux USE flag should be remerged. To see which packages may need to = be -merged, you can: -emerge -upDN world - -Since changing to the selinux profile has changed your USE flags, the ab= ove -will get everything that is listening to the selinux USE flag. It will -probably also get some other stuff as well. To actually remerge everyth= ing, -simply remove the 'p', or manually specify the packages you want to reme= rge. - -
-
- -
Merge Application Policies - -

- In future, when merging a package, the policy will be set as a depende= ncy so - that it is merged first; however, since the system is being converted,= policy - for currently installed packages must be merged. The selinux-base-pol= icy - already covers most packages in the system profile. -

-

- Look in the /usr/portage/sec-policy, it has several entries, ea= ch which - represent a policy. The naming scheme is selinux-PKGNAME, where PKGNA= ME is - the name of the package that the policy is associated. For example, t= he - selinux-apache package is the SELinux policy package for net-www/apach= e. - Merge each of the needed policy packages and then load the policy. - If you are converting a desktop, make sure to include the selinux-desk= top policy package. -

-
-# ls /usr/portage/sec-policy
-(many directories listed)
-
-# emerge -1 selinux-apache selinux-bind
-
-
-
- -
Label Filesystems - -

- Before you can relabel the rest of the filesystems, you need to first = relabel - /dev. Strictly speaking, this is only necessary if you aren't using a= static - /dev. However, as the vast majority of current and new systems are go= ing to - be built with udev, this probably means you are using udev as well. T= here - are a lot of different ways to get at this problem, but the steps belo= w are - easy to do and work. -

-
-# mkdir /mnt/gentoo
-# mount -o bind / /mnt/gentoo
-# setfiles -r /mnt/gentoo /etc/selinux/{strict,targeted}/contexts/files/=
file_contexts /mnt/gentoo/dev
-# umount /mnt/gentoo
-
-  
- Remember to select one of {strict,targeted} above based on your - enforcement mode. -

- Now label the filesystems. This gives each of the files in the filesy= stems - a security label. Keeping these labels consistent is important. -

-
-# rlpkg -a -r
-
- - There is a known issue with older versions of GRUB - not being able to read symlinks that have been labeled. - Please make sure you have at least GRUB 0.94 installed. - Also rerun GRUB and reinstall it into the MBR to ensure - the updated code is in use. - You do have a LiveCD handy, right? - -
-# grub
-
-grub> root (hd0,0) (Your boot partition)
-grub> setup (hd0) (Where the boot record is installed; here, it=
 is the MBR)
-
-

- If you've installed Gentoo using the hardened sources, then you'll nee= d to - tell SELinux that you are using the hardened tool-chain with ssp. You= do - this by setting an SELinux global boolean=20 -

-
-setsebool -P global_ssp on
-
-Make sure you use the -P flag, or the setting won't survive the re= boot, -and you'll likely see a lot of errors relating to /dev/null and /dev/ran= dom - -
-
- -
Final reboot - -

Reboot. Log in, then relabel again to ensure all files -are labeled correctly (some files may have been created during shutdown = and -reboot)

-
-# rlpkg -a -r
-
- - It is strongly suggested to subscribe= - to the gentoo-hardened mail list. It is generally a low traffic list,= and=20 - SELinux announcements are made there. - -

- SELinux is now installed! -

-
-
- -
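Review bot: The deleted xml/selinux/hb-selinux-conv-reboot2.xml is the only file in this patch that carries several operational cautions, and the commit should say where they now live: the `FEATURES=-selinux` override is needed only for the first `emerge -1 selinux-base-policy` and must not be reused afterwards; `setsebool -P global_ssp on` is required on a hardened (SSP) toolchain, and omitting `-P` loses the setting at reboot and produces errors relating to /dev/null and /dev/random; and /dev must be relabeled through a bind mount with setfiles before `rlpkg -a -r` when udev is in use. The chapter's final step relabels again with `rlpkg -a -r` after the reboot because files created during shutdown and reboot are otherwise unlabeled; that is exactly the kind of step that silently goes missing when a guide is rewritten, so it is worth confirming it survived before this file goes.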
diff --git a/xml/selinux/hb-selinux-faq.xml b/xml/selinux/hb-selinux-faq.= xml deleted file mode 100644 index dc35969..0000000 --- a/xml/selinux/hb-selinux-faq.xml +++ /dev/null @@ -1,154 +0,0 @@ - - - - - - - - - -1.3 -2006-05-01 - -
SELinux features -Does SELinux enforce resource limits? - -

- No, resource limits are outside the scope of an access control system.= If you - are looking for this type of support, GRSecurity and RSBAC are better = choices. -

-
-
- -
SELinux and other hardened projects -Can I use SELinux and GRSecurity (and PaX)? - -

- Yes, SELinux can be used with GRSecurity and/or PaX with no problems; = however, - it is suggested that GRACL should not be used, since it would be redun= dant - to SELinux's access control. -

-
-Can I use SELinux and the hardened compiler (PIE-SSP)= ? - -

- Yes. It is also suggested that PaX be used to take full advantage - of the PIE features of the compiler. -

-
-Can I use SELinux and RSBAC? - -

- Unknown. Please report your results if you try this combination. -

-
-
- -
SELinux and filesystems -Can I use SELinux with my primary filesystems?</title= > -<body> -<p> - SELinux can be used with ext2, ext3, JFS, and XFS. Reiserfs (Reiser3)= has - extended attributes, but the support was never complete, and has been = broken - since 2.6.14. Reiser4 is not supported. -</p> -</body></subsection> -<subsection><title>Can I use SELinux with my ancillary filesystems?</tit= le> -<body> -<p> - Yes, SELinux can mount ancillary filesystems, such as vfat and iso9660 - filesystems, with an important caveat. All files in each filesystem w= ill - have the same SELinux type, since the filesystems do not support exten= ded - attributes. Tmpfs is the only ancillary filesystem with complete exte= nded - attribute support, which allows it to behave like a primary filesystem= . -</p> -</body></subsection> -<subsection><title>Can I use SELinux with my network filesystems?</title= > -<body> -<p> - Yes, SELinux can mount network filesystems, such as NFS and CIFS - filesystems, with an important caveat. All files in each filesystem w= ill - have the same SELinux type, since the filesystems do not support exten= ded - attributes. In the future, hopefully network filesystems will begin t= o - support extended attributes, then they will work like a primary filesy= stem. -</p> -</body></subsection> -</section> - -<section><title>Portage error messages -I get a missing SELinux module error when using emerg= e: - -
-!!! SELinux module not found. Please verify that it was installed.
-
-

- This indicates that the portage SELinux module is missing or damaged. - Also python may have been upgraded to a new version which requires - python-selinux to be recompiled. Remerge dev-python/python-selinux. - If packages have been merged under this condition, they must be relabe= d - after fixing this condition. If the packages needing to be remerged c= annot - be determined, a full relabel may be required. -

-
-
- -
SELinux kernel error messages -I get a register_security error message when booting:= - -
-There is already a security framework initialized, register_security fai=
led.
-Failure registering capabilities with the kernel
-selinux_register_security:  Registering secondary module capability
-Capability LSM initialized
-
-

- This means that the Capability LSM module couldn't register as the pri= mary - module, since SELinux is the primary module. The third message means = that it - registers with SELinux as a secondary module. This is normal. -

-
-
- -
Setfiles error messages -When I try to relabel, it fails with invalid contexts= : -
-# make relabel
-/usr/sbin/setfiles file_contexts/file_contexts `mount | awk '/(ext[23]| =
xfs).*rw/{print $3}'`
-/usr/sbin/setfiles:  read 559 specifications
-/usr/sbin/setfiles:  invalid context system_u:object_r:default_t on line=
 number 39
-/usr/sbin/setfiles:  invalid context system_u:object_r:urandom_device_t =
on line number 120
-/usr/sbin/setfiles:  invalid context system_u:object_r:fonts_t on line n=
umber 377
-/usr/sbin/setfiles:  invalid context system_u:object_r:fonts_t on line n=
umber 378
-/usr/sbin/setfiles:  invalid context system_u:object_r:krb5_conf_t on li=
ne number 445
-/usr/sbin/setfiles:  invalid context system_u:object_r:system_cron_spool=
_t on line number 478
-/usr/sbin/setfiles:  invalid context system_u:object_r:system_cron_spool=
_t on line number 479
-/usr/sbin/setfiles:  invalid context system_u:object_r:system_cron_spool=
_t on line number 492
-/usr/sbin/setfiles:  invalid context system_u:object_r:system_cron_spool=
_t on line number 493
-/usr/sbin/setfiles:  invalid context system_u:object_r:system_cron_spool=
_t on line number 494
-Exiting after 10 errors.
-make: *** [relabel] Error 1
-
-

- First ensure that /selinux is mounted. If selinuxfs is not mounted, s= etfiles - cannot validate any contexts, causing it to believe all contexts are - invalid. If /selinux is mounted, then most likely there is new policy= that - has not yet been loaded; therefore, the contexts have not yet become v= alid. -

-
-
- - - - - -
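Review bot: xml/selinux/hb-selinux-faq.xml is version 1.3 from 2006-05-01 and much of it is stale (Reiserfs support "broken since 2.6.14", devfs, register_security messages), which supports removal, but two troubleshooting entries are not tied to any version and should be carried into a replacement FAQ, or the commit message should note they were dropped deliberately: the setfiles "invalid context" failure, whose diagnosis in the deleted text is that /selinux is not mounted (setfiles then cannot validate any context and reports every one as invalid) or that new policy has not yet been loaded; and the "SELinux module not found" portage error, whose fix is remerging dev-python/python-selinux and relabeling anything merged while the module was missing. Both are errors a user hits during the conversion whose guide this same commit removes.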
diff --git a/xml/selinux/hb-selinux-howto.xml b/xml/selinux/hb-selinux-ho= wto.xml deleted file mode 100644 index b8f7db0..0000000 --- a/xml/selinux/hb-selinux-howto.xml +++ /dev/null @@ -1,250 +0,0 @@ - - - - - - - - - -2.0 -2006-10-14 - -
Load policy into a running SELinux kernel - -

- This requires you to be in the sysadm_r role. -

-
-# semodule -B
-
-
-
- -
Change roles - -

- This requires your user have access to the target role. This example - is for changing to the sysadm_r role. -

-
-# newrole -r sysadm_r
-
-
-
- -
Specify available roles for a user - -

- There is a mapping of linux users to SELinux identities. The policy h= as - generic SELinux users for relevant configurations of roles. For examp= le, to - map the user pebenito to the SELinux identity staff_u, r= un: -

-
-# semanage login -a -s staff_u pebenito
-
-

- The policy does not need to be reloaded. If the user is logged in, it - must log out and log in again to take effect. -

-
-
- -
Relabel filesystems - -

- This requires you to be in the sysadm_r role. -

-
-# rlpkg -a
-
-
-
- -
Relabel an individual package - -

- In addition to relabeling entire filesystems, individual portage pack= ages - can be relabeled. This requires you to be in the sysadm_r rol= e. -

-
-# rlpkg shadow sash
-
-

- The script rlpkg is used, and any number of packages can be specified - on the command line. -

-
-
- -
Scan for libraries with text relocations - -

- SELinux has improved memory protections. One feature supported is - the permission for ELF text relocations. The libraries with text relo= cations - have a special label, and the rlpkg tool has an option to scan = for - these libraries. -

-
-# rlpkg -t
-
-

- This will also be done by automatically after a full relabel. -

-
-
- -
Start daemons in the correct domain - -

- Controlling daemons that have init scripts in /etc/init.d is slightly - different in SELinux. The run_init command must be used to run - the scripts, to ensure they are ran in the correct domain. The comman= d - can be ran normally, except the command is prefixed with run_init. - This requires you to be in the sysadm_r role. -

-
-# run_init /etc/init.d/ntpd start
-# run_init /etc/init.d/apache2 restart
-# run_init /etc/init.d/named stop
-
-
-Gentoo run_init integration -

- run_init has been integrated into Gentoo's init script system. = With - SELinux installed, services can be started and stopped as usual, but w= ill - now authenticate the user. -

-
-# /etc/init.d/sshd restart
-Authenticating root.
-Password:
- * Stopping sshd...                       [ ok ]
- * Starting sshd...                       [ ok ]
-
-
-
- -
Switch between enforcing and permissive modes - -

- Switching between modes in SELinux is very simple. Write a 1 for - enforcing, or 0 for permissive to /selinux/enforce to set the mode. - The current mode can be queried by reading /selinux/enforce; 0 means - permissive mode, and 1 means enforcing mode. If the kernel option - "NSA SELinux Development Support" is turned off, the system will alway= s - be in enforcing mode, and cannot be switched to permissive mode. -

-
-Query current mode
-# cat /selinux/enforce
-Switch to enforcing mode
-# echo 1 > /selinux/enforce
-Switch to permissive mode
-# echo 0 > /selinux/enforce
-
-

- A machine with development support turned on can be started in enforci= ng - mode by adding enforcing=3D1 to the kernel command line, in the - bootloader (GRUB, lilo, etc). -

-
- -Managed policy -

- In addition to the above kernel options, the mode at boot can be - set by the /etc/selinux/config file. -

-
-# SELINUX can take one of these three values:
-#       enforcing - SELinux security policy is enforced.
-#       permissive - SELinux prints warnings instead of enforcing.
-#       disabled - No SELinux policy is loaded.
-SELINUX=3Dpermissive
-
-

- The setting in this file will be overridden by the kernel command line - options described above. -

-
-
- -
Understand sestatus output - -

- The sestatus tool can be used to determine detailed SELinux-spe= cific - status information about the system. The -v option provides ex= tra - detail about the context of processes and files. The output will be - divided into four sections. Sestatus only provides complete informati= on - for a user logged in as root (or su/sudo), in the sysadm_r role= . -

-
-SELinux status:         enabled
-SELinuxfs mount:        /selinux
-Current mode:           enforcing
-Policy version:         18
-
-

- The main status information is provided in the first section. The fir= st - line shows if SELinux kernel functions exists and are enabled. If the - status is disabled, either the kernel does not have SELinux support, o= r - the policy is not loaded. The second line shows the mount point for - the SELinux filesystem. During the normal use, the filesystem should = be - mounted at the default location of /selinux. The third line - shows the current SELinux mode, either enforcing or permissive. The f= ourth - line shows the policy database version supported by the currently runn= ing - kernel. -

-
-Policy booleans:
-secure_mode             inactive
-ssh_sysadm_login        inactive
-user_ping               inactive
-
-

- The second section displays the status of the conditional policy boole= ans. The - left column is the name of boolean. The right column is the status of= the - boolean, either active, or inactive. This section will not be shown o= n - policy version 15 kernels, as they do not support conditional policy. -

-
-Process contexts:
-Current context:        pebenito:sysadm_r:sysadm_t
-Init context:           system_u:system_r:init_t
-/sbin/agetty            system_u:system_r:getty_t
-/usr/sbin/sshd          system_u:system_r:sshd_t
-
-

- The third section displays the context of the current process, and of = several - key processes. If a process is running in the incorrect context, it w= ill not - function correctly. -

-
-File contexts:
-Controlling term:       pebenito:object_r:sysadm_devpts_t
-/sbin/init              system_u:object_r:init_exec_t
-/sbin/agetty            system_u:object_r:getty_exec_t
-/bin/login              system_u:object_r:login_exec_t
-/sbin/rc                system_u:object_r:initrc_exec_t
-/sbin/runscript.sh      system_u:object_r:initrc_exec_t
-/usr/sbin/sshd          system_u:object_r:sshd_exec_t
-/sbin/unix_chkpwd       system_u:object_r:chkpwd_exec_t
-/etc/passwd             system_u:object_r:etc_t
-/etc/shadow             system_u:object_r:shadow_t
-/bin/sh                 system_u:object_r:bin_t -> system_u:object_r:she=
ll_exec_t
-/bin/bash               system_u:object_r:shell_exec_t
-/bin/sash               system_u:object_r:shell_exec_t
-/usr/bin/newrole        system_u:object_r:newrole_exec_t
-/lib/libc.so.6          system_u:object_r:lib_t -> system_u:object_r:shl=
ib_t
-/lib/ld-linux.so.2      system_u:object_r:lib_t -> system_u:object_r:shl=
ib_t
-
-

- The fourth section displays the context of the current process's contr= olling - terminal, and of several key files. For symbolic links, the context o= f - the link and then the context of the link target is displayed. If a f= ile has - an incorrect context, the file may be inaccessable or have incorrect - permissions for a particular process. -

-
-
-
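Review bot: Deleting xml/selinux/hb-selinux-howto.xml removes the handbook's day-to-day reference (`semodule -B`, `newrole -r sysadm_r`, `semanage login -a -s staff_u`, rlpkg, run_init, /selinux/enforce, sestatus) without the commit message pointing at a replacement; please add that pointer, and check that nothing else under xml/selinux/ links to this file. A few statements in the deleted text still matter to operators and should not be lost in the move: that a kernel built without "NSA SELinux Development Support" is always enforcing and cannot be switched to permissive; that `enforcing=1` on the kernel command line overrides the SELINUX= setting in /etc/selinux/config; and that `rlpkg -t` scans for libraries with text relocations (also done automatically after a full relabel). The sestatus walkthrough hardcodes /selinux as the SELinuxfs mount and policy version 18, which is the kind of detail that dated this chapter; a replacement should avoid pinning those values.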
diff --git a/xml/selinux/hb-selinux-initpol.xml b/xml/selinux/hb-selinux-= initpol.xml deleted file mode 100644 index b13a0de..0000000 --- a/xml/selinux/hb-selinux-initpol.xml +++ /dev/null @@ -1,48 +0,0 @@ - - - - - - - - - -1.3 -2004-11-16 - -
Verify Available Policy - -

- You must be in sysadm_r to perform this action. -

-

- A binary policy must be available in=20 - /etc/selinux/{strict,targeted}/policy. If it is missing, then install - the policy. -

-
-# semodule -n -B
-
- -
-
- -
Verify Init Can Load the Policy - -

- The final check is to ensure init can load the policy. Run ldd= on - init, and if libselinux is not in the output, remerge sysvinit. -

-
-# ldd /sbin/init
-  linux-gate.so.1 =3D>  (0xffffe000)
-  libselinux.so.1 =3D> /lib/libselinux.so.1 (0x40025000)
-  libc.so.6 =3D> /lib/libc.so.6 (0x40035000)
-  /lib/ld-linux.so.2 =3D> /lib/ld-linux.so.2 (0x40000000)
-
-

- Now reboot so init gains the correct context, and loads the policy. -

-
-
-
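Review bot: hb-selinux-initpol.xml is a verbatim subset of the "Incorrect Init Context" sections in hb-selinux-loglocal.xml and hb-selinux-logremote.xml (same `semodule -n -B`, same `ldd /sbin/init` listing, same "reboot so init gains the correct context"), so dropping it loses nothing unique. One thing not to carry into whatever replaces it: the step "If it is missing, then install the policy" followed by `semodule -n -B` is misleading. `semodule -B` rebuilds the binary policy from the modules already in the store (`-n` just suppresses the reload); it does not install a missing base policy, so if /etc/selinux/{strict,targeted}/policy is empty because no modules were ever inserted, the user needs the base policy package first.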
diff --git a/xml/selinux/hb-selinux-libsemanage.xml b/xml/selinux/hb-seli= nux-libsemanage.xml deleted file mode 100644 index a441f29..0000000 --- a/xml/selinux/hb-selinux-libsemanage.xml +++ /dev/null @@ -1,246 +0,0 @@ - - - - - - - - - -1.0 -2006-10-15 - -
SELinux Management Infrastructure - -

- The SElinux management infrastructure manages several aspects of SELin= ux - policy. These management tools are based on the core library libseman= age. - There are several management programs to to various tasks, including - semanage and semodule. They allow you to configure aspe= cts - of the policy without requiring the policy sources. -

-
-
- -
SELinux Policy Module Management -What is a policy module? -

- SELinux supports a modular policy. This means several pieces of polic= y - are brought together to form one complete policy to be loaded in the - kernel. This is a similar structure as the kernel itself and kernel m= odules. - There is a main kernel image that is loaded, and various kernel module= s can - be added (assuming their dependencies are met) and removed on a runnin= g - system without restarting. Similarly each policy has a base module an= d - zero or more policy modules, all used to create a policy. - Modules are built by compiling a piece of policy, and creating a polic= y - package (*.pp) with that compiled policy, and optionally file contexts= . -

-

- The base module policy package (base.pp) contains the basic requiremen= ts of - the policy. All modular policies must have a base module at minimum. - In Gentoo we have these plus policies for all parts of the system prof= ile. - This is contained in the selinux-base-policy ebuild. The other policy= ebuilds - in portage have one or more policy modules. -

-

- For more information on writing a policy module, in particular for man= aging - your local customizations to the policy, please see the - policy module= guide. -

-
- -The SELinux module store -

- When a policy module is inserted or removed, modules are copied into o= r - removed from the module store. This repository has a copy of the - modules that were used to create the current policy, in addition to se= veral - auxilliary files. This repository is stored in the - /etc/selinux/{strict,targeted}/modules. You should never need to dire= ctly - access the contents of the module store. A libsemanage-based tool sho= uld be - used instead. -

-

- Libsemanage handles the module store transactionally. This means that= if - a set of operations (a transaction) is performed on the store and one = part - fails, the entire transaction is aborted. This keeps the store in a - consistent state. -

-

- Managing the module store is accomplished with the semodule com= mand. - Listing the contents of the module store is done with the -l op= tion. -

-
-# semodule -l
-distcc  1.1.1
-
-

- Since the base module is required in all cases, and is not versioned, = it will - not be shown in the list. All other modules will be listed, along wit= h their - versions. -

-
- -Inserting a policy module -

- The module should be referenced by its file name. -

-
-# semodule -i module.pp
-
-

- This will insert the module into module store for the currently config= ured - policy as specified in /etc/selinux/config. If the insert succeeds, t= he - policy will be loaded, unless the -n option is used. To insert= the - module into an alternate module store, the -s option. -

-
-# semodule -s targeted -i module.pp
-
-

- Since this refers to an alternate module store, the policy will not be= loaded. -

-
- -Removing a policy module -

- The module is referenced by its name in the module store. -

-
-# semodule -r module
-
-

- This will remove the module into module store for the currently config= ured - policy as specified in /etc/selinux/config. If the remove succeeds, t= he - policy will be loaded, unless the -n option is used. The remov= e - command also respects the -s option. -

-
-
- -
Configuring User Login Mappings - -

- The current method of assigning sets of roles to a user is by setting - up a mapping between linux users and SELinux identities. When a user - logs in, the login program will set the SELinux identity based on the - this map. If there is no explicit map, the __default__ map is - used. -

-

- Managing the SELinux user login map is accomplished with the semana= ge - tool. -

-
-# semanage login -l
-Login Name                SELinux User
-
-__default__               user_u
-root                      root
-
-
- -Add a user login mapping -

- To map the linux user pebenito to the SELinux identity staff= _u: -

-
-# semanage login -a -s staff_u pebenito
-
-

- For descriptions on the available SELinux identities, see the - SEL= inux Overview. -

-
- -Remove a user login mapping -

- To remove a login map for the linux user pebenito: -

-
-# semanage login -d pebenito
-
- - User login maps specified by the policy (not by the management infrast= ructure) - cannot be removed. - -
-
- -
Configuring Initial Boolean States - -

- The setsebool program is now a libsemanage tool. This tool's b= asic - function is to set the state of a Boolean. However, if the machine is - restarted, the Booelans will be set using the initial state as specifi= ed in - the policy. To set the Boolean state, and make that the new initial s= tate - in the policy, the -P option of setsebool is used. -

-
-# setsebool -P fcron_crond 1
-
-

- This will set the fcron_crond Boolean to true and also make the initia= l state - for the Boolean true. -

-
-
- -
Configuring SELinux Identities - -

- Generally SELinux identities need not be added to the policy, as user - login mappings are sufficient. However, one reason to add them is for - improved auditing, since the SELinux identity is part of the scontext = of a - denial message. -

-

- Managing the SELinux identities is accomplished with the semanage tool. -

-
-# semanage user -l
-SELinux User    SELinux Roles
-
-root            sysadm_r staff_r
-staff_u         sysadm_r staff_r
-sysadm_u        sysadm_r
-system_u        system_r
-user_u          user_r
-
-
- -Add a SELinux identity -

- In addition to specifying the roles for an identity, a prefix must - also be specified. This prefix should match a role, for example - staff or sysadm, and it is used for home directory - entries. So if staff is used for the prefix, linux users that - are mapped to this identity will have their home directory labeled - staff_home_dir_t. -

-

- To add the test_u identity with the roles staff_r and - sysadm_r with the prefix staff: -

-
-# semanage user -a -R 'staff_r sysadm_r' -P staff test_u
-
- - To use the SELinux identity, a user login map still must be added. - -
- -Remove a SELinux user identity -

- To remove the test_u SELinux identity: -

-
-# semanage user -d test_u
-
- - SELinux identities specified by the policy (not by the management - infrastructure) cannot be removed. - -
-
- -
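Review bot: hb-selinux-libsemanage.xml is the only page in this commit that documents the semanage/semodule workflow (login maps, SELinux identities with `-R`/`-P`, `setsebool -P`, the transactional module store), so its removal should be paired with a pointer to wherever that material now lives. If the text is reused, three errors in the deleted version should not survive: "This will remove the module into module store" should read "from the module store" (it is a copy of the insert paragraph with only the verb changed); "There are several management programs to to various tasks" has a doubled "to"; and "Booelans" is misspelled. The statement that the base module "is not versioned" and therefore not shown by `semodule -l` is also worth double-checking against the current tool before it is repeated.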
diff --git a/xml/selinux/hb-selinux-localmod.xml b/xml/selinux/hb-selinux= -localmod.xml deleted file mode 100644 index 8674b9f..0000000 --- a/xml/selinux/hb-selinux-localmod.xml +++ /dev/null @@ -1,134 +0,0 @@ - - - - - - - - - -1.0 -2006-10-15 - -
Introduction - -

- This guide discusses how to set up a policy module for local additions - of rules to the policy. -

-
-
- -
Preparation - -

- Copy the example Makefile from the selinux-base-policy doc directory t= o the - directory that will be used for building the policy. It is suggested = that - /root be used. The places that the semodule tool can read poli= cy - modules includes sysadm home directories. -

-
-# zcat /usr/share/doc/selinux-base-policy-20061008/Makefile.example.g=
z > /root/Makefile
-
-
-
- -
Write a TE file - -

- In a policy module, most policy statements are usable in modules. - There are a few extra statements that must be added for proper operati= on. -

-
-policy_module(local,1.0)
-
-require {
-	type sysadm_su_t, newrole_t;
-}
-allow sysadm_su_t newrole_t:process sigchld;
-
-

- In addition to the basic allow rule, it has a couple statements requir= ed - by policy modules. The first is a policy_module() macro that has the - name of the module, and the module's version. It also has a require - block. This block specifies all types that are required for this modu= le - to function. All types used in the module must either be declared in = the - module or required by this module. -

-
-
- -
Write a FC File (optional) - -

- The file contexts file is optional and has the same syntax as as alway= s. -

-
-/opt/myprogs/mybin	--	system_u:object_r:bin_t
-
-

- Types used in the file context file should be required or declared in - the TE file. -

-
-
- -
Compile Policy Modules - -

- Simply run make to build all modules in the directory. The mod= ule - will be compiled for the current policy as specified by /etc/selinux/c= onfig. -

-
-# make
-Compiling strict local module
-/usr/bin/checkmodule:  loading policy configuration from tmp/local.tmp
-/usr/bin/checkmodule:  policy configuration loaded
-/usr/bin/checkmodule:  writing binary representation (version 6) to tmp/=
local.mod
-Creating strict local.pp policy package
-
-

- To build the module for a policy other than the configured policy, use= the - NAME=3D option. -

-
-# make NAME=3Dtargeted
-Compiling targeted local module
-/usr/bin/checkmodule:  loading policy configuration from tmp/local.tmp
-/usr/bin/checkmodule:  policy configuration loaded
-/usr/bin/checkmodule:  writing binary representation (version 6) to tmp/=
local.mod
-Creating targeted local.pp policy package
-
-
-
- -
Load the Modules - -

- The modules can be loaded into the currently configured policy simply - by using the load target of the Makefile. -

-
-# make load
-
-

- The load target also respects the NAME=3D option. Alternativel= y, - the semodule command can be used to load individual modules. -

-
-# semodule -i local.pp
-
-
-
- -
Building Reference Policy Modules - -

-The new Gentoo policy is based on the SELinux Reference Policy. -For more information on building a complete Reference Policy module, see= the -Reference Policy Wiki. -

-
-
- -
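Review bot: the preparation step of hb-selinux-localmod.xml hard-codes `/usr/share/doc/selinux-base-policy-20061008/Makefile.example.gz`, a path that changes on every version bump of the ebuild, which is probably why the page went stale; if a successor is written it should reference the doc directory generically. The rest of this file (the `policy_module(local,1.0)` header plus a `require { type ...; }` block, the note that every type used in the .fc file must be declared or required in the .te file, and `make NAME=targeted` / `make load`) is the only local-module walkthrough in this commit and is still a correct description of how a loadable module is put together, so confirm it has a new home before this lands.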
diff --git a/xml/selinux/hb-selinux-loglocal.xml b/xml/selinux/hb-selinux= -loglocal.xml deleted file mode 100644 index 7cc5506..0000000 --- a/xml/selinux/hb-selinux-loglocal.xml +++ /dev/null @@ -1,166 +0,0 @@ - - - - - - - - - -1.4 -2004-11-16 - -
Begin Here - -

- You must be in sysadm_r to perform these actions. -

-

- Run sestatus -v. Click the first context that doesn't match: -

- - -Init contextsystem_u:system_r:= init_t -/sbin/agettysystem_u:system_r:= getty_t - -/bin/loginsystem_u:object_r:lo= gin_exec_t -/sbin/unix_chkpwdsystem_u:obje= ct_r:chkpwd_exec_t -/etc/passwdsystem_u:object_r:e= tc_t -/etc/shadowsystem_u:object_r:s= hadow_t -/bin/bashsystem_u:object_r:she= ll_exec_t -
ProcessContext
FileContext
-
-
- -
Incorrect Init Context -Verify Init Label - -

- There are several possible reasons why init may have the wrong context= . - First, verify that init is labeled correctly, refer to the sestatus's = output - for /sbin/init. If it is not system_u:object_r:init_exec_t, re= label sysvinit. -

-
-# rlpkg sysvinit
-
-
-Verify Available Policy -

- You must be in sysadm_r to perform this action. -

-

- A binary policy must be available in /etc/selinux/{strict,targeted}/p= olicy. - If it is missing, then install the policy. -

-
-# semodule -n -B
-
- -
- -Verify Init Can Load the Policy -

- The final check is to ensure init can load the policy. Run ldd= on - init, and if libselinux is not in the output, remerge sysvinit. -

-
-# ldd /sbin/init
-  linux-gate.so.1 =3D>  (0xffffe000)
-  libselinux.so.1 =3D> /lib/libselinux.so.1 (0x40025000)
-  libc.so.6 =3D> /lib/libc.so.6 (0x40035000)
-  /lib/ld-linux.so.2 =3D> /lib/ld-linux.so.2 (0x40000000)
-
-

- Now reboot so init gains the correct context, and loads the policy. -

-
-
- -
Incorrect agetty Context - -

- Verify that agetty is labeled correctly. Refer to the sestatus's outpu= t - for /sbin/agetty. If it is not system_u:object_r:getty_exec_t,= relabel - util-linux. Then restart all gettys. -

-
-# rlpkg util-linux
-# killall agetty (they will respawn)
-
-

- All of the agettys should now be in the correct system_u:object_r:g= etty_exec_t - context. Try logging in again. -

- -
-
- -
Incorrect Login Context - -

- The login program (/bin/login) is not labeled correctly. Relabel shad= ow. -

-
-# rlpkg shadow
-
-

- /bin/login should now be system_u:object_r:login_exec_t. - Try logging in again. -

- -
-
- -
Incorrect PAM Context - -

- Sshd must be able to use PAM for authenticating the user. The PAM pas= sword - checking program (/sbin/unix_chkpwd) must be labeled correctly so - sshd can transition to the password checking context. Relabel PAM. -

-
-# rlpkg pam
-
-

- The password checking program should now be system_u:object_r:chkpw= d_exec_t. - Try loggin in again. -

-
-
- -
Incorrect Password File Contexts - -

- The password file (/etc/passwd), and the shadow file (/etc/shadow) mus= t - be labeled correctly, otherwise PAM will not be able to - authenticate your user. Relabel the files. -

-
-# restorecon /etc/passwd /etc/shadow
-
-

- The password and shadow files should now be system_u:object_r:etc_t= - and system_u:object_r:shadow_t, respectively. Try logging in a= gain. -

- -
-
- -
Incorrect Bash File Context - -

- Bash must be labeled correctly so the user can transition into the use= r - domain when logging in. Relabel bash. -

-
-# rlpkg bash
-
-

- Bash (/bin/bash) should now be system_u:object_r:shell_exec_t. - Try logging in again. -

- -
-
- -
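Review bot: the "Incorrect agetty Context" section of hb-selinux-loglocal.xml contains a factual slip that should not be copied into any replacement: it says the restarted agettys "should now be in the correct system_u:object_r:getty_exec_t context", but that is the file label of /sbin/agetty; a running getty must be in system_u:system_r:getty_t, which is exactly what the table at the top of the same file lists for /sbin/agetty. In the same block, `# killall agetty (they will respawn)` puts an explanatory note inside the command line, so it cannot be pasted as shown. "Try loggin in again" in the PAM section is a typo. Otherwise the page is the local-console twin of hb-selinux-logremote.xml, with the init, PAM, passwd/shadow and bash sections repeated word for word, so consolidating the two rather than maintaining both is reasonable.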
diff --git a/xml/selinux/hb-selinux-logremote.xml b/xml/selinux/hb-selinu= x-logremote.xml deleted file mode 100644 index 1a95f7b..0000000 --- a/xml/selinux/hb-selinux-logremote.xml +++ /dev/null @@ -1,177 +0,0 @@ - - - - - - - - - -1.4 -2004-11-16 - -
Begin Here - -

- You must be in sysadm_r to perform these actions. -

-

- Run sestatus -v. Click the first context that doesn't match: -

- - -Init contextsystem_u:system_r:= init_t -/usr/sbin/sshdsystem_u:system_= r:sshd_t - -/sbin/unix_chkpwdsystem_u:obje= ct_r:chkpwd_exec_t -/etc/passwdsystem_u:object_r:e= tc_t -/etc/shadowsystem_u:object_r:s= hadow_t -/bin/bashsystem_u:object_r:she= ll_exec_t -
ProcessContext
FileContext
-
-
- -
Incorrect Init Context -Verify Init Label - -

- There are several possible reasons why init may have the wrong context= . - First, verify that init is labeled correctly, refer to the sestatus's = output - for /sbin/init. If it is not system_u:object_r:init_exec_t, re= label sysvinit. -

-
-# rlpkg sysvinit
-
-
- -Verify Available Policy -

- You must be in sysadm_r to perform this action. -

-

- A binary policy must be available in=20 - /etc/selinux/{strict,targeted}/policy. If it is missing, then install - the policy. -

-
-# semodule -n -B
-
- -
- -Verify Init Can Load the Policy -

- The final check is to ensure init can load the policy. Run ldd= on - init, and if libselinux is not in the output, remerge sysvinit. -

-
-# ldd /sbin/init
-  linux-gate.so.1 =3D>  (0xffffe000)
-  libselinux.so.1 =3D> /lib/libselinux.so.1 (0x40025000)
-  libc.so.6 =3D> /lib/libc.so.6 (0x40035000)
-  /lib/ld-linux.so.2 =3D> /lib/ld-linux.so.2 (0x40000000)
-
-

- Now reboot so init gains the correct context, and loads the policy. -

-
-
- -
Incorrect sshd Context - -

- Another possibility is sshd is not labeled correctly, meaning it is no= t running - in the right context. Relabel openssh, then restart sshd. -

-
-# rlpkg openssh
-# /etc/init.d/sshd restart
-
-
-
- -
Incorrect PAM Context - -

- Sshd must be able to use PAM for authenticating the user. The PAM pas= sword - checking program (/sbin/unix_chkpwd) must be labeled correctly so - sshd can transition to the password checking context. Relabel PAM. -

-
-# rlpkg pam
-
-

- The password checking program should now be system_u:object_r:chkpw= d_exec_t. - Try loggin in again. -

-
-
- -
Incorrect Password File Contexts - -

- The password file (/etc/passwd), and the shadow file (/etc/shadow) mus= t - be labeled correctly, otherwise PAM will not be able to - authenticate your user. Relabel the files. -

-
-# restorecon /etc/passwd /etc/shadow
-
-

- The password and shadow files should now be system_u:object_r:etc_t= - and system_u:object_r:shadow_t, respectively. Try logging in a= gain. -

- -
-
- -
Incorrect Bash File Context - -

- Bash must be labeled correctly so the user can transition into the use= r - domain when logging in. Relabel bash. -

-
-# rlpkg bash
-
-

- Bash (/bin/bash) should now be system_u:object_r:shell_exec_t. - Try logging in again. -

- -
-
- -
Other sshd Issues -Valid Shell -

- First, make sure the user has a valid shell. -

-
-# grep username /etc/passwd | cut -d: -f7
-/bin/bash (or your shell of choice)
-
-

- If the above command does not return anything, or the shell is wrong, - set the user's shell. -

-
-# usermod -s /bin/bash username
-
-
-PAM enabled -

- PAM also must be enabled in sshd. Make sure this line - in /etc/ssh/sshd_config is uncommented: -

-
-UsePAM yes
-
-

- SELinux currently only allows PAM and a select few programs direct acc= ess - to /etc/shadow; therefore, openssh must now - use PAM for password authentication (public key still works). -

-
-
-
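Review bot: in the "Valid Shell" check of hb-selinux-logremote.xml, `grep username /etc/passwd | cut -d: -f7` matches any passwd line that contains the string anywhere (another account whose name or GECOS field contains it, for example), so it can print the wrong shell or several lines; `getent passwd username | cut -d: -f7` looks up the exact account and also honours nsswitch. If this troubleshooting page is rewritten, use that form. The "PAM enabled" section's reasoning is sound and worth keeping: with only unix_chkpwd and a few other domains allowed to read shadow_t, sshd needs `UsePAM yes` for password authentication, while public-key authentication is unaffected. The remaining sections (init, PAM, passwd/shadow, bash) duplicate hb-selinux-loglocal.xml verbatim, including the "Try loggin in again" typo.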
diff --git a/xml/selinux/hb-selinux-overview.xml b/xml/selinux/hb-selinux= -overview.xml deleted file mode 100644 index d02943d..0000000 --- a/xml/selinux/hb-selinux-overview.xml +++ /dev/null @@ -1,521 +0,0 @@ - - - - - - - - - -1.5 -2009-07-13 - - =20 -
SELinux Types - -

- A type is a security attribute given to objects such as files, and ne= twork - ports, etc. The type of a process is commonly referred to as its dom= ain. - The SELinux policy is primarily composed of type enforcement rules, w= hich - describe how domains are allowed to interact with objects, and how do= mains - are allowed to interact with other domains. A type is generally suff= ixed - with a '_t', such as sysadm_t. This is the most impor= tant - attribute for a process or object, as most policy decisions are based= on - the source and target types. -

-
-
- -
SELinux Roles - -

- SELinux is type enforcement, so the SELinux role is not the same as t= hose - in a role-based access control system. Permissions are not given to = roles. - A role describes the set of types a user can use. For example, a sys= tem - administrator that is using the system for regular user tasks should = be - in the staff_r role. If they need to administrate the system,= then - a role change to sysadm_r is required. In SELinux terms, the - domains that a user can be in is determined by their role. If a role= is not - allowed to have a certain domain, a transition to that domain will be= denied, - even if the type enforcement rules allow the domain transition. A ro= le is - generally suffixed with a '_r', such as system_r. -

-
-
- -
SELinux Identities -What is a SELinux Identity? -

- The SELinux identity is similar to a Linux username. The change of i= dentity - should be limited to very specific cases, since the role-based access= control - relies on the SELinux identity. Therfore, in general, a user’s= SELinux - identity will not change during a session. The user ID in Linux can = be - changed by set(e)uid, making it inappropriate for a SELinux identity. - If a user is given a SELinux identity, it must match the Linux userna= me. Each - SELinux identity is allowed a set of roles. -

-
- -Configure SELinux Identity Mapping -

- The SELinux policy has several generic SELinux identities that should - be sufficient for all users. This mapping only needs to be configure= d - on the strict policy. The identity mapping for the targeted policy - need not be configured, as the default identity (user_u) is sufficien= t - in all cases. -

-

- When a user logs in, the SELinux identity used is determined by this = mapping. -

- - - - -system_u - system_r - System (non-interactive) processes. Should not be used on users= . -user_u - user_r - Generic unprivileged users. The default identity mapping.<= /tr> -staff_u - staff_r, sysadm_r - System administrators that also log in to do regular user activt= ies. -sysadm_u - sysadm_r - System administrators that only log in to do administrative task= s. It is not suggested that this identity is used. -root - staff_r, sysadm_r - Special identity for root. Other users should use staff_u inste= ad. -
SELinux IdentityRolesDescription
-

- See the SELinux HOWTO - for semanage syntax for configuring SELinux identity mappings. -

-
- -
- -
SELinux Contexts - -

- Using the above three security models together is called a SELinux - context. A context takes the form identity:role:typ= e. - The SELinux context is the most important value for determining acces= s. -

-
- -Object Contexts -

- A typical ls -Z may have an output similar to this: -

-
-drwxr-xr-x  root     root     system_u:object_r:bin_t          bin
-drwxr-xr-x  root     root     system_u:object_r:boot_t         boot
-drwxr-xr-x  root     root     system_u:object_r:device_t       dev
-drwxr-xr-x  root     root     system_u:object_r:etc_t          etc
-
-

- The first three columns are the typical linux permissions, user and g= roup. - The fourth column is the file or directory's security context. O= bjects - are given the generic object_r role. From the other two field= s of - the context, it can be seen that the files are in the system identity= , - and have four different types, bin_t, boot_t, device= _t, - and etc_t. -

-
- -Process Contexts -

- A typical ps ax -Z may have an output similar to this: -

-
-  PID CONTEXT                                  COMMAND
-    1 system_u:system_r:init_t                 [init]
-    2 system_u:system_r:kernel_t               [keventd]
-    3 system_u:system_r:kernel_t               [ksoftirqd_CPU0]
-    4 system_u:system_r:kernel_t               [kswapd]
-    5 system_u:system_r:kernel_t               [bdflush]
-    6 system_u:system_r:kernel_t               [kupdated]
-  706 system_u:system_r:syslogd_t              [syslog-ng]
-  712 system_u:system_r:httpd_t                [apache]
-  791 system_u:system_r:sshd_t                 [sshd]
-  814 system_u:system_r:crond_t                [cron]
-  826 system_u:system_r:getty_t                [agetty]
-  827 system_u:system_r:getty_t                [agetty]
-  828 system_u:system_r:getty_t                [agetty]
-  829 system_u:system_r:getty_t                [agetty]
-  830 system_u:system_r:getty_t                [agetty]
-  831 system_u:system_r:httpd_t                [apache]
-  832 system_u:system_r:httpd_t                [apache]
-  833 system_u:system_r:httpd_t                [apache]
-23093 system_u:system_r:sshd_t                 [sshd]
-23095 user_u:user_r:user_t                     [bash]
-23124 system_u:system_r:sshd_t                 [sshd]
-23126 user_u:user_r:user_t                     [bash]
-23198 system_u:system_r:sshd_t                 [sshd]
-23204 user_u:user_r:user_t                     [bash]
-23274 system_u:system_r:sshd_t                 [sshd]
-23275 pebenito:staff_r:staff_t                 [bash]
-23290 pebenito:staff_r:staff_t                 ps ax -Z
-
-

- In this example, the typical process information is displayed, in add= ition - to the process's context. By inspection, all of the system's= kernel - processes and daemons run under the system_u identity, and - system_r role. The individual domains depend on the program. - There are a few users logged in over ssh, using the generic user_u= - identity. Finally there is a user with the identity pebenito = logged in - with the staff_r role, running in the staff_t domain. -

-
- -
- -
-SELinux Policy Files - -

- The SELinux policy source files are no longer installed onto the syst= em. - In the /usr/share/selinux/{strict,targeted} directory there ar= e a - collection of policy packages and headers for building local modules. - The policy files are processed by m4, and then the policy compiler checkmodule - verifies that there are no syntactic errors, and a policy module is c= reated. - Then a policy package is created with with the semodule_package - program, using the policy module and the module file contexts. - The policy packaged then can be loaded into a running SELinux kernel - by inserting it into the module store. -

-
- -*.pp -

- Policy packages for this policy. These must be inserted into the mod= ule - store so they can be loaded into the policy. Inside the package - there is a loadable policy module, and optionally a file context file= . -

-
- -include/ -

- Policy headers for this policy. -

-
- -
- -
-Binary Policy Versions - -

- When compiling the policy, the resultant binary policy is versioned. - The first version that was merged into 2.6 was version 15. - The version number is only incremented generally when new features ar= e added that require changes to the structure of the compiled policy. - For example, in 2.6.5, conditional policy extensions were added. - This required the policy version to be incremented to version 16. -

-
-What Policy Version Does My Kernel Use? - -

- The policy version of a running kernel can be determined by executing - sestatus or policyvers. Current kernels can load - the previous version policy for compatibility. For example a version= 17 - kernel can also load a version 16 policy. However, this compatibilit= y - code may be removed in the future. -

- - The policy management infrastructure (libsemanage) will automatically - create and use the correct version policies. No extra steps need be t= aken. - -
-Policy Versions - -

- The following table contains the policy versions in 2.6 kernels. -

- - - - -12 - "Old API" SELinux (deprecated). -15 - "New API" SELinux merged into 2.6. - 2.6.0 - 2.6.4 -16 - Conditional policy extensions added. - 2.6.5 -17 - IPV6 support added. - 2.6.6 - 2.6.7 -18 - Fine-grained netlink socket support added. - 2.6.8 - 2.6.11 -19 - Enhanced multi-level security. - 2.6.12 - 2.6.13 -20 - Access vector table size optimizations. - 2.6.14 - 2.6.18 -21 - Object classes in range transitions. - 2.6.19 - 2.6.24 -22 - Policy capabilities (features). - 2.6.25 -23 - Per-domain permissive mode. - 2.6.26 - 2.6.27 -24 - Explicit hierarchy (type bounds). = =20 - 2.6.28 - current -
VersionDescriptionKernel Versions
-
-
- -
-Conditional Policy Extensions - -

- The conditional policy extensions allow the enabling and disabling of = policy - rules at runtime, without loading a modified policy. Using policy boo= leans - and expressions, policy rules can be conditionally applied. -

-
- -Determine Boolean Values - -

- The status of policy booleans in the current running policy can be det= ermined - two ways. The first is by using sestatus. -

-
-# sestatus
-SELinux status:         enabled
-SELinuxfs mount:        /selinux
-Current mode:           enforcing
-Policy version:         17
-=20
-Policy booleans:
-user_ping               inactive
-
-

- The second is getsebool which is a simple tool that displays - the status of policy booleans, and if a value change is pending. -

-
-# getsebool -a
-user_ping --> active: 0 pending: 0
-
-
- -Changing Boolean Values - -

- The value of a boolean can be toggled by using the togglesebool - command. Multiple booleans can be specified on the command line. The - new value of the boolean will be displayed. -

-
-# togglesebool user_ping
-user_ping: active
-
-

- The value of a boolean can be set specifically by using the setsebo= ol - command. -

-
-# setsebool user_ping 0
-
-

- To set the value of a boolean, and make it the devault value, use the = -P option. -

-
-# setsebool -P user_ping 1
-
-
-
- -
-Policy Kernel Messages - -

- While a system is running, a program or user may attempt to do someth= ing - that violates the security policy. If the system is enforcing the po= licy, - the access will be denied, and there will be a message in the kernel = log. - If the system is not enforcing (permissive mode), the access will be = allowed, - but there will still be a kernel message. -

-
- -AVC Messages -

- Most kernel messages from SELinux come from the access vector cache (= AVC). - Understanding denials is important to understand if an attack is happ= ening, - or if the program is requiring unexpected accesses. An example denia= l - may look like this: -

- -
-avc:  denied  { read write } for  pid=3D3392 exe=3D/bin/mount dev=3D03:0=
3 ino=3D65554
-scontext=3Dpebenito:sysadm_r:mount_t tcontext=3Dsystem_u:object_r:tmp_t =
tclass=3Dfile
-
- -

- While most AVC messages are denials, occasionally there might be an a= udit - message for an access that was granted: -

-
-avc:  granted  { load_policy } for  pid=3D3385 exe=3D/usr/sbin/load_poli=
cy
-scontext=3Dpebenito:sysadm_r:load_policy_t tcontext=3Dsystem_u:object_r:=
security_t tclass=3Dsecurity
-
-

- In this case, the ability to load the policy was granted. This is a = critical - security event, and thus is always audited. Another event that is al= ways - audited is switching between enforcing and permissive modes. -

- -

- SELinux will supress logging of denials if many are received in a sho= rt - amount of time. However, This does not always imply there is an atta= ck - in progress. A program may be doing something that could cause - many denials in a short time, such as doing a stat() on device nodes = in - /dev. To protect from filling up the system logs, SELinux has rate l= imiting - for its messages: -

- -
-AVC: 12 messages suppressed.
-
- -

- The policy would have to be modified to not audit these accesses if t= hey - are normal program behavior, but still need to be denied. -

- -
- -Other kernel messages - -
-inode_doinit_with_dentry:  context_to_sid(system_u:object_r:bar_t) retur=
ned 22 for dev=3Dhda3 ino=3D517610
-
-

- This means that the file on /dev/hda3 with inode number 517610 has th= e context - system_u:object_r:bar_t, which is invalid. Objects with an invalid c= ontext - are treated as if they had the system_u:object_r:unlabeled_t context. -

-
- -
- -
Dissecting a Denial - -

- Denials contain varying amounts of information, depending on the acce= ss type. -

- -
-avc:  denied  { lock } for  pid=3D28341 exe=3D/sbin/agetty path=3D/var/l=
og/wtmp dev=3D03:03 ino=3D475406
-scontext=3Dsystem_u:system_r:getty_t tcontext=3Dsystem_u:object_r:var_lo=
g_t tclass=3Dfile
-
-avc:  denied  { create } for  pid=3D20909 exe=3D/bin/ls scontext=3Dpeben=
ito:sysadm_r:mkinitrd_t
-tcontext=3Dpebenito:sysadm_r:mkinitrd_t tclass=3Dunix_stream_socket
-
-avc:  denied  { setuid } for  pid=3D3170 exe=3D/usr/bin/ntpd capability=3D=
7
-scontext=3Dsystem_u:system_r:ntpd_t tcontext=3Dsystem_u:system_r:ntpd_t =
tclass=3Dcapability
-
-
- -

- The most common denial relates to access of files. For better unders= tanding, - the first denial message will be broken down: -

- - -avc: denied - SELinux has denied this access. -{ lock } - The attempted access is a lock. -pid=3D28341 - The process ID performing this access is 28341. -exec=3D/sbin/agetty - The full path and name of the process's executable is /sbin/= agetty. -path=3D/var/log/wtmp - The path and name of the target object is /var/log/wtmp. Note: = a complete - path is not always available. -dev=3D03:03 - The target object resides on device 03:03 (major:minor number). - On 2.6 kernels this may resolve to a name, hda3 in this example.= -ino=3D475406 - The inode number of the target object is 475406. -scontext=3Dsystem_u:system_r:getty_t - The context of the program is system_u:system_r:getty_t. -tcontext=3Dsystem_u:object_r:var_log_t - The context of the target object is system_u:object_r:var_log_t.= -tclass=3Dfile - The target object is a normal file. -
ComponentDescription
- -

- Not all AVC messages will have all of these fields, as shown in the o= ther - two denials. The fields vary depending on the target object's cl= ass. - However, the most important fields: access type, source and target co= ntexts, - and the target object's class will always be in an AVC message. -

-
- -Understanding the Denial -

- Denials can be very confusing since they can be triggered for several= reasons. - The key to understanding what is happening is to know the behavior of= the - program, and to correctly interpret the denial message. The target i= s not - limited to files; it could also be related to network sockets, - interprocess communications, or others. -

-

- In the above example, the agetty is denied locking of a file. The fi= le's type - is var_log_t, therefore it is implied that the target file is in /var= /log. - With the extra information from the path=3D field in the denial messa= ge, it is - confirmed to be the file /var/log/wtmp. If path information was unav= ailable, - this could be further confirmed by searching for the inode. Wtmp is = a file that has - information about users currently logged in, and agetty handles login= s on - ttys. It can be concluded that this is an expected access of agetty,= for - updating wtmp. However, why is this access being denied? Is there a= flaw - in the policy by not allowing agetty to update wtmp? It turns out th= at wtmp - has the incorrect context. It should be system_u:object_r:wtmp_t, ra= ther - than system_u:object_r:var_log_t. -

-

- If this access was not understood, an administrator might mistakenly = allow getty_t - read/write access to var_log_t files, which would be incorrect, since= agetty - only needs to modify /var/log/wtmp. This underscores how critical ke= eping - file contexts consistent is. -

-
-
- -
References - -

- U.S. National Security Agenc= y, - SELinux Policy README -

-
-
-
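Review bot: this hunk removes the whole denial-dissection walkthrough (the three sample AVC lines, the field-by-field table for scontext, tcontext, tclass, dev, ino and path, and the agetty/wtmp analysis showing a var_log_t label that should have been wtmp_t) with nothing in the hunk indicating where that material now lives; if it is not reproduced elsewhere in the handbook, either keep it or add a pointer to the replacement, since this is the only place these fields are explained one by one. Separately, the deleted table labels the field `exec=/sbin/agetty` while the sample AVC line reads `exe=/sbin/agetty`; if the text is being moved rather than dropped, fix that mismatch in its new home.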
diff --git a/xml/selinux/hb-selinux-references.xml b/xml/selinux/hb-selin= ux-references.xml deleted file mode 100644 index 5bceac4..0000000 --- a/xml/selinux/hb-selinux-references.xml +++ /dev/null @@ -1,111 +0,0 @@ - - - - - - - - - -1.2 -2006-05-07 - - -
Background - -
    -
  • - The Inevitability of Failure: - The Flawed Assumption of Security in Modern Computing Environments - explains the need for mandatory access controls.
  • -
  • - The Flask Security Architecture: - System Support for Diverse Security Policies - explains the security architecture of Flask, the architecture used by = SELinux.
  • -
  • - Implementing SELinux as a Linux Security Module - has specifics about SELinux access checks in the kernel.
  • -
- -
-
- -
Policy - -
    -
  • - Configuring the SELinux Policy
  • -
  • - SELinux Referen= ce Policy
  • -
  • - SELinux Object Classes and Permissions - Overview
  • -
- -
-
- -
Books - -
    -
  • - SELinux by Example: Using Security Enhanced Linux, Frank Mayer, - Karl MacMillan, and David Caplan, Prentice Hall, 2006; ISBN 0131963694=
  • -
  • - SELinux: NSA's Open Source Security Enhanced Linux, Bill McCart= y, - O'Reilly Media, 2004; ISBN 0596007167
  • -
- -
-
- -
Meeting Notes - -
    -
  • - March 3= rd, 2006 SELinux Developer Summit
  • -
  • - May 6th, 20= 04 Informal Meeting
  • -
- -
-
- -
Presentations -2006 SELinux Symposium -
    -
  • - SE= Linux Year in Review, - Stephen Smalley, National Security Agency
  • -
  • - Reference Policy for Security Enhanced Linux, - Karl MacMillan, Tresys Technology (Paper)
  • -
- -
-2005 SELinux Symposium -
    -
  • - SELinux = Overview, - NSA
  • -
  • - Core Policy Management Infrastructure for SELinux<= /uri>, - Karl MacMillan, Tresys Technology
  • -
  • - Targeted vs. Strict Policy History and Strategy, - Dan Walsh, Red Hat
  • -
  • - Tresys SETools: Tools and Libraries for Policy Analysi= s and Management, - Frank Mayer, Tresys Technology
  • -
  • - Information Flow Analysis for Type Enforcement Pol= icies, - Karl MacMillan, Tresys Technology
  • -
  • - SELinux Policy Analysis Concepts and Techniques, - David Caplan, Frank Mayer, Tresys Technology
  • -
- -
-
- -
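Review bot: this hunk deletes the reference list (the Inevitability of Failure, Flask and LSM papers, the reference-policy and object-class documents, the two books, the meeting notes and the 2005/2006 symposium papers) outright; the file's own header in the hunk shows version 1.2 dated 2006-05-07, so the list is stale, but confirm that no remaining chapter still includes or links hb-selinux-references.xml before removing it, otherwise the handbook build is left with a dangling link. If the deletion stands, consider carrying the still-relevant entries (the Flask paper, the reference policy and the object-class overview) into a references section on whichever page replaces this one.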