Tips and Tricks for Taming SELinux Page 2
The security context is used by your SELinux policy to control who can do what. The identity controls which domains the process is allowed to enter. This is defined somewhere inside the vast directory /etc/selinux that contains your SELinux policy. In the targeted SELinux policy, every subject and object runs in the unconfined_t domain, which is just like running under the old familiar Unix DAC (Discretionary Access Control) permissions. Except for a select set of daemons that SELinux policy restricts and runs in its own restricted domains. For example, httpd runs in the httpd_t domain and is tightly restricted, so a successful intrusion will be confined to the HTTP process and will not gain access to the rest of the system. Nor will users or processes who have no business with httpd be allowed to interfere with its operation, or access data files at which they have no business looking.
The ps command will show you some examples of this in action:
What does the s0 mean? Well now, that opens a whole new can o' terminology. That field belongs to Multilevel Security (MLS); it sets a sensitivity value that ranges from s0-s15. When you use MLS you also need a capabilities field, which goes from c0 - c255, so it would look something like s1:c2. MLS is super-strict and overkill for most of us. So instead Fedora uses Multi-Category Security (MCS). The MLS sensitivity field is required by the kernel and it always says s0, but you can ignore it. MCS allows you to further refine access controls with user-defined categories.
$ ps aZ
LABEL PID TTY STAT TIME COMMAND system_u:system_r:getty_t:s0 2587 tty1 Ss+ 0:00 /sbin/mingetty tty1 system_u:system_r:xdm_xserver_t:s0:c0.c1023 2664 tty7 Ss+ 7:38 /usr/bin/X
For example, you could have a MCS category called "super-secret!_yes_really!" Files labeled with this will be accessible only to processes with permissions to enter this category. In the ps output above, you'll see an example of this with the X process. If you want to try your hand at these read A Brief Introduction to Multi-Category Security (MCS) and Getting Started with Multi-Category Security (MCS).
While most files can be controlled by SELinux without any modifications, a few have had to be patched to become SELinux-aware, such as the Linux coreutils files, login programs like login, sshd, gdm, cron and the X windows system. You will also find these on systems that do not ship with SELinux, such as Ubuntu. If your system does not have SELinux, they will return empty fields where the SELinux labels should go, like this ps example:
The nice SELinux devs have kindly made Z the universal "show me the security context" option. SELinux comes with its own set of user-space commands, which are bundled up in the policycoretutils package. You can run a number of SELinux commands without hurting anything, like see your own personal security context:
$ ps aZ
LABEL PID TTY STAT TIME COMMAND
- 4248 tty4 Ss+ 0:00 /sbin/getty 38400 tty4
- 4249 tty5 Ss+ 0:00 /sbin/getty 38400 tty5
You can check SELinux status:
$ id -Z
avcstat displays AVC (Access Vector Cache) statistics. avcstat 5 runs it every five seconds; of course, you can set this to any interval you want.
SELinux status: enabled
SELinux mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 21
Policy from config file: targeted
Fedora's SELinux Tools
Fedora 7 and 8 have three good graphical SELinux tools: SELinux Management, SELinux Policy Generation Tool, and SELinux Troubleshooter. Start with SELinux Management; it lets you fine-tune the existing SELinux policy, or change to a different policy type entirely.
It costs nothing but time and a spare PC to learn your way around this potent security tool. I've seen a lot of comments on forums and mailing lists that say it's too complex to bother with. I don't agree with this; I think a security tool of this nature is overdue for Linux. Any Internet-facing server is a good candidate for SELinux, especially the notoriously porous category of LAMP servers.
- Dan Walsh's LiveJournal contains reams of SELinux howtos, which is good because he is the lead Red Hat SELinux developer. Yes, it's all his fault!
- A step-by-step guide to building a new SELinux policy module
- SELinux FAQs
- SELinux Commands
- Targeted Policy Overview
This article was originally published on Enterprise Networking Planet.