diff -u against the XML, which is available from CVS (refer to http://docs.fedoraproject.org/documentation-guide for details on obtaining the fedora-docs/selinux-faq module from anonymous CVS; you can get just the fedora-docs/selinux-faq module if you don't want the entire fedora-docs tree.) Otherwise, plain text showing before and after is sufficient.
setuid or setgid to root, the process can have root level control over the entire file system.
selinux-policy-<version>.noarch.rpm
policygentool used to generate a policy template file. The interface files reside in the /usr/share/selinux/devel/include directory. If you want to see all of the policy files used to build the Reference Policy you need to install the src.rpm.
selinux-policy-strict-<version>.noarch.rpm, selinux-policy-targeted-<version>.noarch.rpm, selinux-policy-mls-<version>.noarch.rpm
/etc/selinux/policyname/. The subdirectories include
policy - binary policy that is loaded into the kernel
contexts - context/labeling policy used for making labeling decisions by programs like restorecon and fixfiles
modules - store for policy modules that are combined to make the binary kernel policy. Note that this should not be edited by hand, as it is a private resource of libsemanage.
unconfined_t domain. As the name implies, these processes are mostly unconfined by the SELinux policy. They are still governed by standard Linux DAC security, however.
init runs under the unconfined_t policy. When named starts, it makes a transition to the named_t domain and is locked down by the appropriate policy.
accton, amanda, httpd (apache), arpwatch, pam, automount, avahi, named, bluez, lilo, grub, canna, comsat, cpucontrol, cpuspeed, cups, cvs, cyrus, dbskkd, dbus, dhcpd, dictd, dmidecode, dovecot, fetchmail, fingerd, ftpd (vsftpd, proftpd, and muddleftpd), gpm, hald, hotplug, howl, innd, kerberos, ktalkd, openldap, auditd, syslog, logwatch, lpd, lvm, mailman, module-init-tools, mount, mysql, NetworkManager, NIS, nscd, ntp, pegasus, portmap, postfix, postgresql, pppd, pptp, privoxy, procmail, radiusd, radvd, rlogin, nfs, rsync, samba, saslauthd, snmpd, spamd, squid, stunnel, dhcpc, ifconfig, sysstat, tcp wrappers, telnetd, tftpd, updfstab, user management (passwd, useradd, etc.), crack, uucpd, vpnc, webalizer, xend, xfs, zebra
system-config-selinux builds a relabel into the startup scripts.
setfiles command to generate persistent labels which describe the security context for a file or directory.
fixfiles script, which supports three options: check, restore, and relabel. This script allows users to relabel the file system without having the selinux-policy-targeted-sources package installed. The command line usage is more friendly than the standard setfiles command.
-Z is the short method for displaying the context of a subject or object:
ls -alZ file.foo
id -Z
ps -eZ
semodule, which lets you perform basic functions such as installing, upgrading, or removing modules. Other useful commands include checkmodule, which is the module compiler and is installed with the checkpolicy rpm, as well as semodule_package, which creates a policy package file (.pp) from a compiled policy module.
/usr/share/selinux/policyname/. There you should at least find the base.pp, which is the base module.
libsemanage, was added to provide userspace tools with an interface that makes policy management easier. All policy management should use this library to access the policy store. The policy store holds all the policy information, and is found at /etc/selinux/policyname/modules/.
semanage, which is a command line tool for managing much of the policy, such as SELinux user mappings, SELinux port mappings, and file context entries. Other examples of tools that use libsemanage include semodule, which uses it to manage the SELinux policy modules installed in the policy store, and setsebool, which uses it to manage SELinux policy booleans. Additionally, graphical tools are currently being developed to utilize the functionality provided by libsemanage.
system-config-selinux or the command line tool setsebool.
rpm automatically, but sometimes a user might want to set a particular context on a file. An example would be setting the context on a public_html directory so that apache can access it, as illustrated in How do I make a user public_html directory work under SELinux.
/etc/selinux/targeted/contexts/customizable_types. These are types commonly assigned to files by users and administrators. To set these, use the chcon command. Note that the types in customizable_types are also preserved after a relabel, so relabeling the system will not undo this.
system-config-selinux, also known as the SELinux Management graphical tool, to control the Boolean values of specific daemons. For example, if you need to disable SELinux for Apache to run correctly in your environment, you can disable the value in system-config-selinux. This change disables the transition to the policy defined in apache.te, allowing httpd to remain under regular Linux DAC security.
$ mkdir foo
$ cd foo
$ touch local.te local.if local.fc
policy_module(local, 1.0)

require {
    attribute httpdcontent;
    type smbd_t;
}

allow smbd_t httpdcontent:dir create_dir_perms;
allow smbd_t httpdcontent:{ file lnk_file } create_file_perms;
policy_module call inserts statements to make the module work, including declaring the module and requiring system roles, classes, and permissions. Make sure the name declared here (local in this case) matches the name you gave the file (local.te).
require block lists the symbols that this module uses that must be declared in other modules. In this case, we require the attribute httpdcontent and the type smbd_t. Note that all types and attributes you use in rules must be required here unless you are declaring them yourself below.
$ make -f /usr/share/selinux/devel/Makefile
Compliling targeted local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 5) to tmp/local.mod
Creating targeted local.pp policy package
rm tmp/local.mod.fc tmp/local.mod
checkmodule, which is part of the checkpolicy rpm. So, make sure you install this rpm before doing this.
semodule.
$ su
Password:
# semodule -i local.pp
local.pp, it will replace the one you just loaded. So, you should keep this local.te around, and just add to it if you need to make later policy customizations. If you lose it, but want to keep your previous policy around, just call the new local policy module something else (say local2.te).
su -c 'yum install selinux-polgengui'
audit2allow to generate a Type Enforcement file that is ready to load as a policy module.
audit2allow -M local < /tmp/avcs
local.pp which you can then load into the kernel using semodule -i local.pp. You can also edit the local.te to make additional customizations. To create a module allowing all the denials since the last reboot that you can then customize, execute the following:
audit2allow -m local -l -i /var/log/messages > local.te
/var/log/audit/audit.log instead of /var/log/messages as your log file. This generates a local.te file, that looks similar to the following:
module local 1.0;

require {
    class file { append execute execute_no_trans getattr ioctl read write };
    type httpd_t;
    type httpd_w3c_script_exec_t;
};

allow httpd_t httpd_w3c_script_exec_t:file { execute execute_no_trans getattr ioctl read };
checkmodule -M -m -o local.mod local.te to compile the te file. Note that checkmodule is part of the checkpolicy rpm, so you need to have it installed.
semodule_package -o local.pp -m local.mod to create a policy package.
semodule -i local.pp to add it to the current machine's running policy. This installs a new module called local with these rules into the module store.
semodule -i local.pp
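The steps above (collect the AVC messages, turn them into a local.te, compile, package, load) hinge on what audit2allow does with the denial lines. As an added example that is not part of the FAQ and is not audit2allow itself, the following POSIX shell function re-implements the core of what audit2allow -m NAME produces from AVC records: it merges every denial with the same source type, target type and object class into one allow rule and builds the matching require block, in the same shape as the local.te shown above. The audit lines are constructed for this example (timestamps, pids and inodes are made up); the module name local is the FAQ's. audit2allow also consults the accompanying SYSCALL records and can map rules onto interface macros with -R, which this does not.

```shell
#!/bin/sh
# Added example: a minimal audit2allow -m look-alike in POSIX awk.
# Not the FAQ's code and not audit2allow; it only illustrates how AVC
# denials are folded into a type enforcement module.

# Constructed sample audit records (made-up timestamps, pids, inodes).
AVC_SAMPLE='type=AVC msg=audit(1000000000.001:1): avc:  denied  { read } for  pid=1001 comm="httpd" name="index.cgi" dev=dm-0 ino=1 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_w3c_script_exec_t:s0 tclass=file
type=AVC msg=audit(1000000000.002:2): avc:  denied  { getattr execute } for  pid=1001 comm="httpd" name="index.cgi" dev=dm-0 ino=1 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_w3c_script_exec_t:s0 tclass=file
type=AVC msg=audit(1000000000.003:3): avc:  denied  { search } for  pid=1002 comm="smbd" name="html" dev=dm-0 ino=2 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1000000000.003:3): arch=40000003 syscall=5 success=no exit=-13'

# avc_to_te MODULE_NAME  < audit lines  > module source (.te)
avc_to_te() {
    awk -v mod="$1" '
    /avc: +denied +[{]/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms)   # keep what follows "{ "
        sub(/ *[}].*/, "", perms)           # drop " }" and the rest of the line
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      src = substr($i, 10)
            else if ($i ~ /^tcontext=/) tgt = substr($i, 10)
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        # A context is user:role:type[:level]; the rule only needs the type.
        split(src, s, ":"); split(tgt, t, ":")
        stype = s[3]; ttype = t[3]
        key = stype SUBSEP ttype SUBSEP cls
        if (!(key in rule_seen)) {
            rule_seen[key] = 1; rule_order[++nrules] = key
            rule_src[key] = stype; rule_tgt[key] = ttype; rule_cls[key] = cls
        }
        if (!(stype in type_seen)) { type_seen[stype] = 1; type_order[++ntypes] = stype }
        if (!(ttype in type_seen)) { type_seen[ttype] = 1; type_order[++ntypes] = ttype }
        if (!(cls in cls_seen))    { cls_seen[cls] = 1;    cls_order[++ncls] = cls }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            # permissions per rule, and per class for the require block, deduplicated
            if (!((key, p[j]) in perm_seen)) {
                perm_seen[key, p[j]] = 1
                rule_perms[key] = rule_perms[key] (rule_perms[key] == "" ? "" : " ") p[j]
            }
            if (!((cls, p[j]) in cperm_seen)) {
                cperm_seen[cls, p[j]] = 1
                cls_perms[cls] = cls_perms[cls] (cls_perms[cls] == "" ? "" : " ") p[j]
            }
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (k = 1; k <= ncls; k++)
            printf "\tclass %s { %s };\n", cls_order[k], cls_perms[cls_order[k]]
        for (k = 1; k <= ntypes; k++)
            printf "\ttype %s;\n", type_order[k]
        printf "};\n\n"
        for (k = 1; k <= nrules; k++) {
            key = rule_order[k]
            printf "allow %s %s:%s { %s };\n", rule_src[key], rule_tgt[key], rule_cls[key], rule_perms[key]
        }
    }'
}

# Runs the sample through the generator; used by the demonstration below.
generate_local_te() {
    printf '%s\n' "$AVC_SAMPLE" | avc_to_te local
}

generate_local_te
```

Running the script prints a module with one class line per object class in the require block and one allow rule per (source type, target type, class) triple; the two httpd_t denials collapse into a single rule granting read, getattr and execute. Review each generated rule before loading it, exactly as the FAQ advises for audit2allow output: a denial being logged does not mean the access should be allowed.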
/usr/share/doc/selinux-policy-<version> and /usr/share/selinux/devel.
/usr/share/selinux/devel sub-directories. There is also a tool there to help you get started. The following procedure is an example:
policygentool command to generate your own te, fc and if files. The policygentool command takes two parameters: the name of the policy module and the full path to the executable. The following command gives a usage example:
policygentool mydaemon /usr/sbin/mydaemon
mydaemon.te, mydaemon.fc and mydaemon.if.
/usr/share/selinux/devel/Makefile, to build a policy package (mydaemon.pp):
make -f /usr/share/selinux/devel/Makefile
semodule, and relabel the executable using restorecon:
semodule -i mydaemon.pp
restorecon -v /usr/sbin/mydaemon
setenforce 0
service mydaemon restart
audit2allow to translate the avc messages to allow rules and begin updating your mydaemon.te file. You should search for interface macros in the /usr/share/selinux/devel/include directory and use these instead of using the allow rules directly, whenever possible. audit2allow -R will attempt to find interfaces that match the allow rule. If you want more examples of policy, you could always install the selinux-policy src rpm, which contains all of the policy te files for the reference policy.
system-config-selinux. Change the policy as desired and ensure that the Relabel on next reboot option is enabled.
/etc/selinux/config and change the type and the mode of policy:
SELINUXTYPE=policyname
SELINUX=permissive
touch /.autorelabel
sestatus -v
permissive mode, check /var/log/messages for avc: denied messages. These may indicate a problem that needs to be solved for the system to run without trouble under the new policy.
SELINUX=enforcing. You can either reboot or run setenforce 1 to turn enforcing on in real time.
star utility, which supports the extended attributes that store the security context labels. Specify the -xattr and -H=exustar options when creating archives.
ls -Z /var/log/maillog
-rw------- root root system_u:object_r:var_log_t /var/log/maillog
cd /var/log
star -xattr -H=exustar -c -f maillog.star ./maillog*
/var/log/maillog, when you unpack the archive with star -c -f, the files are restored on the same path they were archived with. The archived maillog file is written back to /var/log/maillog. You should receive a warning from star if the files about to be overwritten have a later date, but you cannot rely on this behavior.
%packages section, add selinux-policy-strict.
%post section, add the following:
lokkit -q --selinuxtype=strict
touch /.autorelabel
public_html directory work under SELinux?
/etc/httpd/conf/httpd.conf. This process only covers serving static Web content. For more information about Apache HTTP and SELinux, refer to http://docs.fedoraproject.org/selinux-apache-fc3/.
~/public_html directory, create it and populate it with the files and folders to be served.
cd ~
mkdir public_html
cp /path/to/content ~/public_html
httpd is configured to serve the contents, but you still receive a 403 forbidden error. This is because the directory and files are created with the security type of the user's home directory, which httpd is not allowed to read. Change the security context of the folder and its contents recursively using the -R option:
ls -Z -d public_html/
drwxrwxr-x auser auser user_u:object_r:user_home_t public_html
chcon -R -t httpd_user_content_t public_html/
ls -Z -d public_html/
drwxrwxr-x auser auser user_u:object_r:httpd_user_content_t public_html/
ls -Z public_html/
-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t bar.html
-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t baz.html
-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t foo.html
user_u, is changed to system_u. This does not affect how the targeted policy works. The field that matters is the type field.
system-config-selinux. Select the SELinux tab, and then select the Modify SELinux Policy area. Select Allow HTTPD to read home directories. The changes take effect immediately.
SELINUX=disabled in /etc/selinux/config.
selinux=0 to your kernel boot parameters. However, this option is not recommended.
selinux=0, any files you create while SELinux is disabled do not have SELinux context information. The file system is marked for relabeling at the next boot. If an unforeseen problem prevents you from rebooting normally, you may need to boot in single-user mode for recovery. Add the option emergency to your kernel boot parameters.
/etc/sysconfig/selinux.
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
enforcing is the same as adding enforcing=1 to the kernel boot parameters. Setting the value to permissive is the same as adding enforcing=0 to the kernel boot parameters.
disabled is not the same as the selinux=0 kernel boot parameter. Rather than fully disabling SELinux in the kernel, the disabled setting instead turns enforcing off and skips loading a policy.
setenforce 0 to turn off enforcing mode in real time. When you are finished, run setenforce 1 to turn enforcing back on.
sysadm_r Role Required for strict policy
setenforce command with the sysadm_r role if you are using strict policy. If you are using the standard targeted policy, then this is not necessary. Use the newrole command to assume this role.
audit=1 to your kernel command line to turn system call auditing on. Add audit=0 to your kernel command line to turn system call auditing off.
denied message. The error message is helpful when debugging policy.
auditctl -e 0. Note that this command does not affect auditing of SELinux AVC denials.
/usr/sbin/sestatus -v. For more information, refer to the sestatus(8) manual page.
/etc/shadow file. There are constraint rules that prevent policy writers from writing code like
allow mydomain_t shadow_t:file read;
unix_chkpwd command. The easiest way is to use the unix_chkpwd attribute. So if you were writing policy for an ftpd daemon you would write something like
daemon_domain(vsftpd, `auth_chkpwd')
/etc/shadow, while vsftpd_t is not able to read it.
auth_domtrans_chk_passwd(vsftpd_t)
semodule -i myapp.pp. This modifies the policy that is stored on the machine. Your policy module now is loaded with the rest of the policy. You can even remove the pp file from the system.
semodule -l lists the currently loaded modules.
#semodule -i myapp 1.2.1
semodule -r myapp.
/var/log/messages. In Fedora 4, the audit daemon was added, and these messages moved to /var/log/audit/audit.log. In Fedora 5, the audit daemon is not installed by default, and consequently these messages can be found in /var/log/messages unless you choose to install and enable the audit daemon, in which case AVC messages will be in /var/log/audit/audit.log. Fedora 7 introduced the setroubleshoot browser, which enables you to see denials in a graphical browser. To install setroubleshoot, run the Add/Remove Programs tool or use the following command:
su -c 'yum install setroubleshoot'
You can add plugins by installing the setroubleshoot-plugins package:
su -c 'yum install setroubleshoot-plugins'
avc: denied messages. How do I fix this?
ls -alZ /path/to/file. If it seems wrong, use the command restorecon -v /path/to/file to restore the file's default context. If you have a large number of denials related to files, you may want to use fixfiles relabel, or run restorecon -R /path to recursively relabel a directory path.
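Checking a context with ls -Z and restoring it with restorecon amounts to comparing the type a file currently carries against the default that file_contexts assigns to its path. As an added example that is not part of the FAQ and is not restorecon's own code, the following POSIX shell function models that comparison over constructed input: a file_contexts excerpt (regex, optional file type, context; the last matching entry wins, which is why the real file lists general patterns before specific ones), a customizable_types list, and a few ls -Z style lines. Like restorecon it compares only the type field and, unless told to force, leaves files whose current type is customizable alone, the behaviour the FAQ describes for chcon-set types surviving a relabel; restorecon -F is the real switch for overriding that. All sample data below is constructed and labelled as such.

```shell
#!/bin/sh
# Added example: a model of the "is this file labeled as file_contexts says?"
# check behind restorecon -n -v / fixfiles check. Not restorecon's code.

# Constructed excerpt in file_contexts format. The real file is
# /etc/selinux/targeted/contexts/files/file_contexts; "--" marks a regular file.
FC_SPECS_SAMPLE='/.*                              system_u:object_r:default_t:s0
/etc(/.*)?                       system_u:object_r:etc_t:s0
/etc/modprobe\.conf           -- system_u:object_r:modules_conf_t:s0
/var/log(/.*)?                   system_u:object_r:var_log_t:s0
/home/[^/]+(/.*)?                system_u:object_r:user_home_t:s0
/home/[^/]+/public_html(/.*)?    system_u:object_r:httpd_user_content_t:s0'

# Constructed stand-in for /etc/selinux/targeted/contexts/customizable_types.
FC_CUSTOM_SAMPLE='public_content_t
public_content_rw_t
httpd_user_content_t'

# Constructed "ls -Z" output: perms user group context path.
LS_Z_SAMPLE='-rw-r--r-- root  root  system_u:object_r:etc_runtime_t:s0 /etc/modprobe.conf
-rw------- root  root  system_u:object_r:var_log_t:s0 /var/log/maillog
-rw-r--r-- root  root  system_u:object_r:etc_t:s0 /etc/hosts
drwxrwxr-x auser auser user_u:object_r:user_home_t:s0 /home/auser/public_html
drwxr-xr-x auser auser user_u:object_r:public_content_t:s0 /home/auser/shared'

# label_check [force]  < ls -Z lines  > "reset PATH context CUR->WANT" per mismatch
# Specs are passed through the environment so backslashes survive untouched.
label_check() {
    FC_SPECS="$FC_SPECS_SAMPLE" FC_CUSTOM="$FC_CUSTOM_SAMPLE" awk -v force="${1:-}" '
    BEGIN {
        n = split(ENVIRON["FC_SPECS"], lines, "\n")
        for (i = 1; i <= n; i++) {
            if (lines[i] == "" || lines[i] ~ /^[ \t]*#/) continue
            m = split(lines[i], f, " +")        # f[1] regex, f[m] context
            nspec++
            re[nspec] = "^" f[1] "$"
            want_ctx[nspec] = f[m]
        }
        nc = split(ENVIRON["FC_CUSTOM"], c, "\n")
        for (i = 1; i <= nc; i++) if (c[i] != "") customizable[c[i]] = 1
    }
    NF >= 5 {
        cur = $4; path = $5
        # Last matching entry wins: scan the specs from the bottom up.
        want = ""
        for (i = nspec; i >= 1; i--)
            if (path ~ re[i]) { want = want_ctx[i]; break }
        if (want == "") next
        split(cur, a, ":"); split(want, b, ":")
        if (a[3] == b[3]) next                             # only the type is compared
        if ((a[3] in customizable) && force != "force") next  # kept, as without restorecon -F
        printf "reset %s context %s->%s\n", path, cur, want
    }'
}

# Number of files the model would relabel; optional argument "force".
count_resets() {
    printf '%s\n' "$LS_Z_SAMPLE" | label_check "${1:-}" | grep -c '^reset '
}

printf '%s\n' "$LS_Z_SAMPLE" | label_check
```

With the sample data, /etc/modprobe.conf and /home/auser/public_html are reported (their current types differ from the spec and are not customizable), /var/log/maillog and /etc/hosts already match, and /home/auser/shared is only reported when label_check is called with force, because public_content_t is on the customizable list. The output follows the restorecon -v message format shown later in this FAQ.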
apache.te. Refer to External Link List for more information about writing policy.
/home partition, and now I can't log in.
/home partition is not labeled correctly. You can easily fix this two different ways.
/home recursively:
/sbin/restorecon -v -R /home
/sbin/fixfiles relabel
policycoreutils package installed to use fixfiles.
/home using setfiles or fixfiles, am I still able to read /home with a non-SELinux-enabled system?
~/.bashrc. You may have to relabel /home when you reboot the SELinux enabled Fedora system.
nfs_t. You can override the default context by setting it manually, using the context= option. The following command makes the files in the NFS mounted directory appear to have a context of system_u:object_r:tmp_t to SELinux:
mount -t nfs -o context=system_u:object_r:tmp_t server:/shared/foo /mnt/foo
useradd command. First you must become root. Under the strict policy you need to change role to sysadm_r with the following command:
newrole -r sysadm_r
unconfined_t:
su - root
id -Z
root:system_r:unconfined_t
useradd auser
ls -Z /home
drwx------ auser auser root:object_r:user_home_dir_t /home/auser
root. Subsequent relabeling of the file system changes the identity to system_u. These are functionally the same since the role and type are identical (object_r:user_home_dir_t.)
su command change my SELinux identity and role?
su via pam_selinux. This turned out to be more trouble than it was worth, and is quite unnecessary on a system running targeted policy. So, this is no longer the case. Now, su/sudo only change the Linux identity. You will need to use newrole to change the SELinux identity, role, or level.
setuid(2), also do not cause an SELinux identity change.
avc errors filling my logs for a particular program. How do I choose not to audit the access for it?
dmesg, for example, you would put this in your dmesg.te file:
dontaudit dmesg_t userdomain:fd { use };
user, staff and sysadm.
avc denied messages.
/var/log/messages (or /var/log/audit/audit.log if using the audit daemon). How can I identify the cause of these silent denials?
dontaudit rule to suppress audit messages. The dontaudit rule is often used this way when a benign denial is filling the audit logs.
dontaudit rules:
semodule -b /usr/share/selinux/targeted/enableaudit.pp
dontaudit output is verbose
dontaudit rules likely produce a large amount of audit information, most of which is irrelevant to your denial.
dontaudit rules as soon as possible.
semodule -b /usr/share/selinux/targeted/base.pp
snmpd -v | cat
system-config-selinux or setsebool on the command line.
setenforce 0 to turn off enforcing mode, and use the command setenforce 1 to re-enable SELinux when you are finished debugging.
yum), what happens with the policy? Is it updated automatically?
make load.
/etc/selinux/targeted/contexts/files/file_contexts.
reboot is not required, but is useful in ensuring every process and program is running in the proper domain. This is highly dependent on the changes in the updated policy.
fixfiles command:
fixfiles relabel
reboot
/.autorelabel mechanism:
touch /.autorelabel
reboot
cpio copy, as the package files are being put on the disk.
/etc/selinux/<policyname>/policy/policy.<version>, and those I compile myself have different sizes and MD5 checksums?
/etc/selinux. The different build environments will make target files that have different sizes and MD5 checksums.
.rpmsave. Use the mailing lists, bugzilla, and IRC to help you work through your problem. If you are able, write or fix policy to resolve your problem.
dmesg -n 1
selinux-policy-policyname and policycoreutils packages. Without the policy source installed, the fixfiles command automates the file system relabeling.
fixfiles relabel is the equivalent of make relabel. During the relabeling, it will delete all of the files in /tmp, cleaning up files which may have old file context labels.
fixfiles check, which checks for mislabeled files, and fixfiles restore, which fixes the mislabeled files but does not delete the files in /tmp. The fixfiles command does not take a list of directories as an argument, because it relabels the entire file system. If you need to relabel a specific directory path, use restorecon.
kdeinit, which limits what can be done with SELinux policy. This is because every KDE application runs in the domain for kdeinit.
/tmp and /var/tmp. There is no good method of determining which file should have which context.
rm -rf /var/tmp/kdecache-<username>
rm -rf /var/tmp/<other_kde_files>
SELINUX=disabled not work for me?
/etc/sysconfig/selinux. The code is very sensitive to white space, even trailing space.
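The /etc/selinux/config settings described earlier (SELINUX= with enforcing, permissive or disabled, and SELINUXTYPE= naming the policy) are read by code that, as stated here, tolerates no stray white space. As an added example that is not part of the FAQ, the following POSIX shell function is a pre-flight check for that file: it rejects trailing or embedded blanks on a setting line, values outside the three documented ones, a missing setting, and lines that are neither a setting nor a comment. The sample configurations are constructed; the invisible trailing blank in the second one is exactly the kind of mistake the FAQ is describing. The checker is intentionally strict (for instance, it flags an indented comment), so treat its output as a review list rather than an oracle.

```shell
#!/bin/sh
# Added example, not part of the FAQ: sanity-check /etc/selinux/config
# (/etc/sysconfig/selinux is a symlink to it) before a reboot or setenforce.

# Constructed samples. GOOD_CONFIG is what the file normally looks like.
GOOD_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'

# BAD_CONFIG carries a trailing blank after "disabled", invisible in most editors.
BAD_CONFIG='SELINUX=disabled 
SELINUXTYPE=targeted'

# BAD_VALUE_CONFIG uses a mode that does not exist.
BAD_VALUE_CONFIG='SELINUX=enforced
SELINUXTYPE=targeted'

# check_selinux_config FILE: prints one problem per line, returns 1 if any.
check_selinux_config() {
    file=$1
    rc=0
    grep -q '^SELINUX=' "$file"     || { echo "missing SELINUX= line"; rc=1; }
    grep -q '^SELINUXTYPE=' "$file" || { echo "missing SELINUXTYPE= line"; rc=1; }
    # IFS= and -r keep the line exactly as stored so stray blanks are visible.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;                       # blank line or comment
            SELINUX=*|SELINUXTYPE=*) ;;                # a setting, checked below
            *) echo "unexpected line: '$line'"; rc=1; continue ;;
        esac
        case $line in
            *[[:space:]])  echo "trailing white space: '$line'"; rc=1; continue ;;
            *[[:space:]]*) echo "embedded white space: '$line'"; rc=1; continue ;;
        esac
        value=${line#*=}
        case $line in
            SELINUX=*)
                case $value in
                    enforcing|permissive|disabled) ;;
                    *) echo "bad SELINUX value: '$value'"; rc=1 ;;
                esac ;;
            SELINUXTYPE=*)
                # The policy name must match a directory under /etc/selinux;
                # only an empty value is rejected here.
                [ -n "$value" ] || { echo "empty SELINUXTYPE value"; rc=1; }
                ;;
        esac
    done < "$file"
    return $rc
}

# check_config_string TEXT: run the check on config text held in a variable.
check_config_string() {
    tmp=$(mktemp 2>/dev/null) || tmp=/tmp/selinux-config-check.$$
    printf '%s\n' "$1" > "$tmp"
    check_selinux_config "$tmp" && rc=0 || rc=$?
    rm -f "$tmp"
    return $rc
}

for cfg in "$GOOD_CONFIG" "$BAD_CONFIG" "$BAD_VALUE_CONFIG"; do
    if check_config_string "$cfg"; then echo "config OK"; fi
    echo "---"
done
```

On a live system, run check_selinux_config /etc/selinux/config; the second sample demonstrates why SELINUX=disabled appears not to work when the line ends in a blank, and the third shows a misspelled mode being caught before the next boot rather than after it.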
unconfined_t, and SELinux is still preventing my application from running.
unconfined_t domain somewhat. SELinux restricts certain memory protection operations. The following is a list of those denials, as well as possible reasons and solutions for them. For more information on these restrictions, see http://people.redhat.com/drepper/selinux-mem.html.
/var/log/messages (or /var/log/audit/audit.log if using the audit daemon) as avc denials. These can also show up when running programs with errors like
error while loading shared libraries: /usr/lib/libavutil.so.49: cannot restore segment prot after reloc: Permission denied
execmod
# /usr/sbin/semanage fcontext -a -t textrel_shlib_t '/usr/lib/libavutil.so.49.0.0'
# /sbin/restorecon -v /usr/lib/libavutil.so.49.0.0
/usr/lib/libavutil.so.49.0.0. Now your application should be able to run. Please report this as a bugzilla.
execstack
execstack -c LIBRARY. Now try your application again. If the application now works, the library was mistakenly marked as requiring execstack. Please report this as a bugzilla.
execmem, execheap
execstack failure. You can set the boolean with
setsebool -P allow_execstack=1
restorecon reset /etc/modprobe.conf context system_u:object_r:etc_runtime_t->system_u:object_r:modules_conf_t
restorecon reset /etc/cups/ppd/homehp.ppd context user_u:object_r:cupsd_etc_t->system_u:object_r:cupsd_rw_etc_t
libsepol.sepol_genbools_array: boolean hidd_disable_trans no longer in policy
semanage command to define additional ports. So say you want httpd to be able to listen on port 8082. You could enter the command.
semanage port -a -p tcp -t http_port_t 8082
semanage translation -l to list all current translations.
# semanage translation -l
Level                          Translation
s0
s0-s0:c0.c255                  SystemLow-SystemHigh
s0:c0.c255                     SystemHigh

# semanage translation -a -T Payroll s0:c6
# semanage translation -l
Level                          Translation
s0
s0-s0:c0.c255                  SystemLow-SystemHigh
s0:c0.c255                     SystemHigh
s0:c6                          Payroll
semanage, as seen in this example.
# semanage login -a -r s0-Payroll csellers
# semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    s0
csellers                  user_u                    s0-Payroll
root                      root                      SystemLow-SystemHigh
Payroll category with the first command, as indicated in the listing output from the second command.
/tmp directory, since users tend to use the /tmp directory also. It would be better to create a directory elsewhere which could be owned by the apache process and allow your script to write to it. You should label the directory httpd_sys_script_rw_t, which will allow apache to read and write files to that directory. This directory could be located anywhere that apache can get to (even $HOME/public_html/).
swapfile_t.
chcon -t swapfile_t SWAPFILE
relabelto/relabelfrom permissions?
relabelfrom means "Can domain D relabel a file from (i.e. currently in) type T1?" and relabelto means "Can domain D relabel a file to type T2?", so both checks are applied upon a file relabeling, where T1 is the original type of the file and T2 is the new type specified by the program.
xattr labels in the right security.* namespace. In addition to ext2/ext3, XFS has recently added support for the necessary labels.