setuid or setgid to root, the process can have root level control over the entire file system.
selinux-policy-<version>.noarch.rpm
sepolgen used to generate a policy template file. The interface files reside in the /usr/share/selinux/devel/include directory. If you want to see all of the policy files used to build the Reference Policy you need to install the src.rpm.
# seinfo -t | grep exec_t | wc -l
537
setfiles command to generate persistent labels which describe the security context for a file or directory.
fixfiles script, which supports three options: check, restore, and relabel. This script allows users to relabel the file system without having the selinux-policy-targeted-sources package installed. The command line usage is more friendly than the standard setfiles command.
-Z is the short method for displaying the context of a subject or object:
ls -alZ file.foo
id -Z
ps -eZ
semodule, which lets you perform basic functions such as installing, upgrading, or removing modules. Other useful commands include checkmodule, which is the module compiler and is installed with the checkpolicy rpm, as well as semodule_package, which creates a policy package file (.pp) from a compiled policy module.
/usr/share/selinux/policyname/. There you should at least find the base.pp, which is the base module.
libsemanage, exists to provide userspace tools an interface to making policy management easier. All policy management should use this library to access the policy store. The policy store holds all the policy information, and is found at /etc/selinux/policyname/modules/.
semanage, which is a command line tool for managing much of the policy such as SELinux user mappings, SELinux port mappings, and file context entries. Other examples of tools that use libsemanage include semodule, which uses it to manage the SELinux policy modules installed to the policy store, and setsebool, which uses it to manage SELinux policy booleans. Additionally, graphical tools are currently being developed to utilize the functionality provided by libsemanage.
system-config-selinux or the command line tools getsebool and setsebool.
rpm automatically, but sometimes a user might want to set a particular context on a file. An example would be setting the context on a public_html directory so that apache can access it, as illustrated in How do I make a user public_html directory work under SELinux.
/etc/selinux/targeted/contexts/customizable_types. These are types commonly assigned to files by users and administrators. To set these, use the chcon command. Note that the types in customizable_types are also preserved after a relabel, so relabeling the system will not undo this.
system-config-selinux, also known as the Security Level Configuration graphical tool, to control the Boolean values of specific daemons. For example, if you need to disable SELinux for Apache to run correctly in your environment, you can disable the value in system-config-selinux. This change disables the transition to the policy defined in apache.te, allowing httpd to remain under regular Linux DAC security.
$ mkdir foo
$ cd foo
$ touch local.te local.if local.fc
policy_module(local, 1.0)
require {
attribute httpdcontent;
type smbd_t;
}
allow smbd_t httpdcontent:dir create_dir_perms;
allow smbd_t httpdcontent:{ file lnk_file } create_file_perms;
policy_module call inserts statements to make the module work, including declaring the module and requiring system roles, classes, and permissions. Make sure the name declared here (local in this case) matches the name you gave the file (local.te).
require block lists the symbols that this module uses that must be declared in other modules. In this case, we require the attribute httpdcontent and the type smbd_t. Note that all types and attributes you use in rules must be required here unless you are declaring them yourself below.
$ make -f /usr/share/selinux/devel/Makefile
Compiling targeted local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 5) to tmp/local.mod
Creating targeted local.pp policy package
rm tmp/local.mod.fc tmp/local.mod
checkmodule, which is part of the checkpolicy rpm. So, make sure you install this rpm before doing this.
semodule.
$ su -
Password:
# semodule -i local.pp
local.pp, it will replace the one you just loaded. So, you should keep this local.te around, and just add to it if you need to make later policy customizations. If you lose it, but want to keep your previous policy around, just call the new local policy module something else (say local2.te).
audit2allow to generate a Type Enforcement file that is ready to load as a policy module.
audit2allow -M local < /tmp/avcs
local.pp which you can then load into the kernel using semodule -i local.pp. You can also edit the local.te to make additional customizations. To create a module allowing all the denials since the last reboot that you can then customize, execute the following:
audit2allow -m local -l -i /var/log/messages > local.te
/var/log/audit/audit.log instead of /var/log/messages as your log file. This generates a local.te file, that looks similar to the following:
module local 1.0;
require {
class file { append execute execute_no_trans getattr ioctl read write };
type httpd_t;
type httpd_w3c_script_exec_t;
};
allow httpd_t httpd_w3c_script_exec_t:file { execute execute_no_trans getattr ioctl read };
checkmodule -M -m -o local.mod local.te to compile the te file. Note that checkmodule is part of the checkpolicy rpm, so you need to have it installed.
semodule_package -o local.pp -m local.mod to create a policy package.
semodule -i local.pp to add it to the current machine's running policy. This installs a new module called local with these rules into the module store.
semodule -i local.pp
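The two build procedures above (the devel Makefile route and the checkmodule / semodule_package route) both end with semodule -i replacing whatever module of the same name is already loaded. The script below is an added example, not code from the FAQ: it writes the local.te shown earlier, builds it with the devel Makefile, and installs it. The module name local, the smbd_t/httpdcontent rules and the tool paths are the FAQ's; the version-bump helper (reading the loaded version from semodule -l and incrementing it) is an assumption of this example so that a re-install carries a new version instead of silently overwriting the old one.

```shell
#!/bin/sh
# Added example (not from the FAQ): generate, build and load a local
# policy module. Module name "local", the smbd_t/httpdcontent rules and
# the devel Makefile path come from the text above; bump_version and
# next_version are assumptions of this example.

# bump_version MAJOR.MINOR -> MAJOR.MINOR+1 (e.g. 1.0 -> 1.1, 3 -> 3.1)
bump_version() {
    major=${1%%.*}
    minor=${1#*.}
    [ "$minor" = "$1" ] && minor=0   # no dot at all: treat as MAJOR.0
    printf '%s.%s\n' "$major" $((minor + 1))
}

# gen_local_te NAME VERSION: the Type Enforcement source for the module.
gen_local_te() {
    printf 'policy_module(%s, %s)\n\n' "$1" "$2"
    printf 'require {\n\tattribute httpdcontent;\n\ttype smbd_t;\n}\n\n'
    printf 'allow smbd_t httpdcontent:dir create_dir_perms;\n'
    printf 'allow smbd_t httpdcontent:{ file lnk_file } create_file_perms;\n'
}

# next_version NAME: 1.0 if NAME is not loaded, otherwise the loaded
# version bumped (semodule -l prints "name version" per module).
next_version() {
    v=$(semodule -l 2>/dev/null | sed -n "s/^$1[[:space:]]\{1,\}\([0-9.]*\).*/\1/p")
    if [ -z "$v" ]; then echo 1.0; else bump_version "$v"; fi
}

# build_and_load NAME: write NAME.te/.fc/.if in a scratch directory, build
# NAME.pp with the devel Makefile (needs selinux-policy-devel, which pulls
# in checkpolicy for checkmodule) and install it with semodule.
build_and_load() {
    name=$1
    dir=$(mktemp -d) || return 1
    gen_local_te "$name" "$(next_version "$name")" > "$dir/$name.te"
    : > "$dir/$name.fc"
    : > "$dir/$name.if"
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "selinux-policy-devel is not installed; sources left in $dir" >&2
        return 2
    fi
    (cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$name.pp") || return 1
    semodule -i "$dir/$name.pp" && echo "$name loaded; keep $dir/$name.te for later edits"
}

# Run as root with --install to build and load the module.
if [ "${1:-}" = "--install" ]; then build_and_load local; fi
```

The scratch directory is deliberately left in place after a successful install: as the FAQ says, later customizations should be appended to the same local.te, and the .te is what semodule cannot give back to you.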
/usr/share/selinux/devel.
/usr/share/selinux/devel sub-directories.
Making things easier with sepolgen
sepolgen is an easy way to create SELinux policy. The following procedure is an example on how to use sepolgen to create the required policy for a daemon called mydaemon:
sepolgen /usr/sbin/mydaemon
sepolgen then performs the following:
rpm -qlf /usr/sbin/mydaemon
nm -D /usr/sbin/mydaemon
mydaemon.te - Contains all types and allow rules discovered for this daemon.
mydaemon.if - Contains interfaces to be used with the types generated for this daemon.
mydaemon.fc - Contains file context mapping between types and paths on disk.
mydaemon.sh - Is a helper shell script used to compile/install policy and label the paths correctly.
mydaemon.sh and the policy will be compiled and installed - the daemon will then be ready to start testing.
begin:
service mydaemon start
run tests against mydaemon
check for AVC messages
if None
Break;
audit2allow -R >> mydaemon.te
Verify the policy is good or fix it.
./mydaemon.sh
goto begin
system-config-selinux. Change the policy as desired and ensure that the Relabel on next reboot option is enabled.
/etc/selinux/config and change the type and the mode of policy:
SELINUXTYPE=policyname
SELINUX=permissive
touch /.autorelabel
sestatus -v
permissive mode, check /var/log/messages for avc: denied messages. These may indicate a problem that needs to be solved for the system to run without trouble under the new policy.
SELINUX=enforcing. You can either reboot or run setenforce 1 to turn enforcing on in real time.
tar command as normal, you no longer need to use star.
public_html directory work under SELinux?
/etc/httpd/conf/httpd.conf. This process only covers serving static Web content. For more information about Apache and SELinux, refer to the SELinux Managing Confined Services Guide at http://docs.fedoraproject.org.
~/public_html directory, create it and populate it with the files and folders to be served.
cd ~
mkdir public_html
cp /path/to/content ~/public_html
httpd is configured to serve the contents, but you still receive a 403 forbidden error. This is because files created in a user's home directory receive the type user_home_t, which httpd is not allowed to read. Change the security context of the folder and its contents recursively using the -R option:
ls -Z -d public_html/
drwxrwxr-x  auser auser user_u:object_r:user_home_t public_html
chcon -R -t httpd_user_content_t public_html/
ls -Z -d public_html/
drwxrwxr-x  auser auser user_u:object_r:httpd_user_content_t public_html/
ls -Z public_html/
-rw-rw-r--  auser auser user_u:object_r:httpd_user_content_t bar.html
-rw-rw-r--  auser auser user_u:object_r:httpd_user_content_t baz.html
-rw-rw-r--  auser auser user_u:object_r:httpd_user_content_t foo.html
user_u, is changed to system_u. This does not affect how the targeted policy works. The field that matters is the type field.
system-config-selinux. Select the SELinux tab, and then select the Modify SELinux Policy area. Select Allow HTTPD to read home directories. The changes take effect immediately.
SELINUX=disabled in /etc/selinux/config.
selinux=0 to your kernel boot parameters. However, this option is not recommended.
selinux=0, any files you create while SELinux is disabled do not have SELinux context information. The file system is marked for relabeling at the next boot. If an unforeseen problem prevents you from rebooting normally, you may need to boot in single-user mode for recovery. Add the option emergency to your kernel boot parameters.
/etc/sysconfig/selinux.
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#       targeted - Only targeted network daemons are protected.
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted
enforcing is the same as adding enforcing=1 to the kernel boot parameters. Setting the value to permissive is the same as adding enforcing=0 to the kernel boot parameters.
disabled is not the same as the selinux=0 kernel boot parameter. Rather than fully disabling SELinux in the kernel, the disabled setting instead turns enforcing off and skips loading a policy.
setenforce 0 to turn off enforcing mode in real time. When you are finished, run setenforce 1 to turn enforcing back on.
audit=1 to your kernel command line to turn system call auditing on. Add audit=0 to your kernel command line to turn system call auditing off.
denied message. The error message is helpful when debugging policy.
auditctl -e 0. Note that this command does not affect auditing of SELinux AVC denials.
/usr/sbin/sestatus -v. For more information, refer to the sestatus(8) manual page.
/etc/shadow file. There are constraint rules that prevent policy writers from writing code like
allow mydomain_t shadow_t:file read;
unix_chkpwd command. The easiest way is to use the unix_chkpwd attribute. So if you were writing policy for an ftpd daemon you would write something like
daemon_domain(vsftpd, `auth_chkpwd')
/etc/shadow, while vsftpd_t is not able to read it.
auth_domtrans_chk_passwd(vsftpd_t)
semodule -i myapp.pp. This modifies the policy that is stored on the machine. Your policy module now is loaded with the rest of the policy. You can even remove the pp file from the system.
semodule -l lists the currently loaded modules.
# semodule -l
myapp 1.2.1
semodule -r myapp.
/var/log/messages unless you choose to install and enable the audit daemon, in which case AVC messages will be in /var/log/audit/audit.log.
avc: denied messages. How do I fix this?
ls -alZ /path/to/file. If it seems wrong, use the command restorecon -v /path/to/file to restore the file's default context. If you have a large number of denials related to files, you may want to use fixfiles relabel, or run restorecon -R /path to recursively relabel a directory path.
apache.te.
bold:
node=host.example.com type=AVC msg=audit(12/13/2006 11:28:14.395:952) : avc: denied { getattr } for pid=7236 comm=vsftpd name=public_html dev=dm-0 ino=9601649 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
node=host.example.com type=SYSCALL msg=audit(12/13/2006 11:28:14.395:952) : arch=i386 syscall=lstat64 success=no exit=0 a0=8495230 a1=849c830 a2=874ff4 a3=328d28 items=0 ppid=7234 pid=7236 auid=dwalsh uid=dwalsh gid=dwalsh euid=dwalsh suid=dwalsh fsuid=dwalsh egid=dwalsh sgid=dwalsh fsgid=dwalsh tty=(none) comm=vsftpd exe=/usr/sbin/vsftpd subj=system_u:system_r:ftpd_t:s0 key=(null)
AVC record and the SYSCALL record. The kernel generates both of these records when the SELinux system denies access. This AVC message indicates that SELinux prevented /usr/sbin/vsftpd from performing the getattr access on a dir named public_html.
But which particular public_html directory has the problem?
dm-0), and the inode in question (9601649). You can use this device and inode information to find the correct path if the file and/or directory still exists.
The slow way:
# find / -inum 9601649
A better way:
locate command to attempt to re-assemble the path in question:
# locate -r /public_html$
/home/dwalsh/public_html
/home/obama/public_html
...(continues)
stat to get the inode of each file returned and compares it to the values in the AVC message; if they match, it analyzes the full path. Of course, you need to have the mlocate package installed and running via cron to gather these paths.
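The record fields that matter when tracing a denial (the subject and target types, the permission, and the dev=/ino= pair) are easy to pull out with sed. The script below is an added example, not part of the FAQ: it parses the FAQ's own AVC record (reassembled onto one line as SAMPLE_AVC) into a one-line summary, and narrows the "slow way" to a single filesystem, since an inode number only identifies a file within one filesystem and find -xdev keeps the search from crossing mount points. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the FAQ): pull the fields out of an AVC record
# and resolve the dev=/ino= pair to a path. SAMPLE_AVC is the FAQ's own
# record on one line; the function names are assumptions of this example.

SAMPLE_AVC='node=host.example.com type=AVC msg=audit(12/13/2006 11:28:14.395:952) : avc: denied { getattr } for pid=7236 comm=vsftpd name=public_html dev=dm-0 ino=9601649 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir'

# avc_field RECORD KEY: print the value of KEY=value. Anchoring on the
# blank before KEY keeps "pid=" from matching inside "ppid=" on the
# SYSCALL record that accompanies every AVC.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms RECORD: the permission set inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type, third colon-separated field of a context;
# under the targeted policy it is the field the decision is made on.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# find_by_inode MOUNTPOINT INO: the "slow way" limited to one filesystem.
# -xdev is essential: the same inode number on another mount is a
# different file.
find_by_inode() {
    find "$1" -xdev -inum "$2" 2>/dev/null
}

# avc_summary RECORD: one line a human can act on.
avc_summary() {
    rec=$1
    printf '%s (%s) denied %s on %s "%s" labeled %s, dev=%s ino=%s\n' \
        "$(avc_field "$rec" comm)" "$(ctx_type "$(avc_field "$rec" scontext)")" \
        "$(avc_perms "$rec")" "$(avc_field "$rec" tclass)" "$(avc_field "$rec" name)" \
        "$(ctx_type "$(avc_field "$rec" tcontext)")" \
        "$(avc_field "$rec" dev)" "$(avc_field "$rec" ino)"
}

# Usage: summarize the sample, then look for its inode under /home
# (mount point chosen by the operator from the dev= value).
avc_summary "$SAMPLE_AVC"
if [ "${1:-}" = "--find" ]; then
    find_by_inode /home "$(avc_field "$SAMPLE_AVC" ino)"
fi
```

For the sample record the summary reads: vsftpd (ftpd_t) denied getattr on dir "public_html" labeled httpd_sys_content_t, dev=dm-0 ino=9601649. Which mount point corresponds to dm-0 comes from /proc/mounts or df on the machine that logged the denial; feed that to find_by_inode rather than searching from /.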
/home partition, and now I can't log in. What do I do?
/home partition is not labeled correctly. You can easily fix this two different ways.
/home recursively:
/sbin/restorecon -v -R /home
/sbin/fixfiles relabel
policycoreutils package installed to use fixfiles.
/home using setfiles or fixfiles, will I still be able to read /home with a non-SELinux-enabled system?
~/.bashrc. You may have to relabel /home when you reboot the SELinux enabled Fedora system.
nfs_t. You can override the default context by setting it manually, using the context= option. The following command makes the files in the NFS mounted directory appear to have a context of system_u:object_r:tmp_t to SELinux:
mount -t nfs -o context=system_u:object_r:tmp_t server:/shared/foo /mnt/foo
useradd command. First you must become root.
su - root
id -Z
root:system_r:unconfined_t
useradd auser
ls -Z /home
drwx------  auser auser root:object_r:user_home_dir_t /home/auser
root. Subsequent relabeling of the file system changes the identity to system_u. These are functionally the same since the role and type are identical (object_r:user_home_dir_t.)
su command change my SELinux identity and role?
su command performs full domain transitions and changes your role. This is easier than using the newrole command as newrole requires you to enter two passwords - one to identify as the user, and another to identify as root.
setuid(2), do not cause an SELinux identity change.
avc errors filling my logs for a particular program. How do I choose not to audit the access for it?
dmesg, for example, you would put this in your dmesg.te file:
dontaudit dmesg_t userdomain:fd { use };
user, staff and sysadm.
avc denied messages.
/var/log/messages (or /var/log/audit/audit.log if using the audit daemon). How can I identify the cause of these silent denials?
dontaudit rule to suppress audit messages. The dontaudit rule is often used this way when a benign denial is filling the audit logs.
dontaudit rules:
semodule -b /usr/share/selinux/targeted/enableaudit.pp
dontaudit output is verbose
dontaudit rules likely produce a large amount of audit information, most of which is irrelevant to your denial.
dontaudit rules as soon as possible.
semodule -b /usr/share/selinux/targeted/base.pp
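Because the enableaudit.pp base floods the log with benign denials, the step that is easy to forget is the one that puts base.pp back. The wrapper below is an added example, not from the FAQ: it loads enableaudit.pp, runs the reproduction command, and reloads base.pp from a trap so the restore happens even if the command fails or the shell is interrupted. The two .pp paths are the FAQ's; the SEMODULE variable is an assumption of this example so the control flow can be exercised without root or a policy store.

```shell
#!/bin/sh
# Added example (not from the FAQ): run a reproduction with dontaudit rules
# disabled, then put the normal base module back no matter how the
# reproduction ends. The .pp paths are the FAQ's for the targeted policy;
# SEMODULE is overridable (an assumption of this example) for testing.

: "${SEMODULE:=semodule}"
BASE_PP=/usr/share/selinux/targeted/base.pp
AUDIT_PP=/usr/share/selinux/targeted/enableaudit.pp

# with_dontaudit_disabled CMD [ARGS...]: load enableaudit.pp, run CMD,
# reload base.pp. The trap covers CMD failing or the shell being
# interrupted; skipping the reload leaves every dontaudit'ed access
# flooding the audit log until someone notices.
with_dontaudit_disabled() {
    "$SEMODULE" -b "$AUDIT_PP" || return 1
    trap '"$SEMODULE" -b "$BASE_PP"' EXIT INT TERM
    "$@"
    rc=$?
    trap - EXIT INT TERM
    "$SEMODULE" -b "$BASE_PP" || rc=1
    return $rc
}

# e.g.  ./this.sh snmpd -v   then read the new AVC messages in the audit log
if [ $# -gt 0 ]; then with_dontaudit_disabled "$@"; fi
```

Run it as root with the failing program and its arguments; afterwards the audit log holds the denials that were silent before, and the base module is already back to normal.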
snmpd -v | cat
system-config-selinux or setsebool on the command line.
setenforce 0 to turn off enforcing mode, and use the command setenforce 1 to re-enable SELinux when you are finished debugging.
yum), what happens with the policy? Is it updated automatically?
make load.
/etc/selinux/targeted/contexts/files/file_contexts.
reboot is not required, but is useful in ensuring every process and program is running in the proper domain. This is highly dependent on the changes in the updated policy.
fixfiles command:
fixfiles relabel
reboot
/.autorelabel mechanism:
touch /.autorelabel
reboot
cpio copy, as the package files are being put on the disk.
/etc/selinux/<policyname>/policy/policy.<version>, and those I compile myself have different sizes and MD5 checksums?
/etc/selinux. The different build environments will make target files that have different sizes and MD5 checksums.
.rpmsave. Use the mailing lists, bugzilla, and IRC to help you work through your problem. If you are able, write or fix policy to resolve your problem.
dmesg -n 1
selinux-policy-policyname and policycoreutils packages. Without the policy source installed, the fixfiles command automates the file system relabeling.
fixfiles relabel is the equivalent of make relabel. During the relabeling, it will delete all of the files in /tmp, cleaning up files which may have old file context labels.
fixfiles check, which checks for mislabeled files, and fixfiles restore, which fixes the mislabeled files but does not delete the files in /tmp. The fixfiles command does not take a list of directories as an argument, because it relabels the entire file system. If you need to relabel a specific directory path, use restorecon.
kdeinit, which limits what can be done with SELinux policy. This is because every KDE application runs in the domain for kdeinit.
/tmp and /var/tmp. There is no good method of determining which file should have which context.
rm -rf /var/tmp/kdecache-<username>
rm -rf /var/tmp/<other_kde_files>
SELINUX=disabled not work for me?
/etc/sysconfig/selinux. The code is very sensitive to white space, even trailing space.
unconfined_t, and SELinux is still preventing my application from running.
unconfined_t domain somewhat. SELinux restricts certain memory protection operations. Following is a list of those denials, as well as possible reasons and solutions for those denials. For more information on these restrictions, see http://people.redhat.com/drepper/selinux-mem.html.
/var/log/messages (or /var/log/audit/audit.log if using the audit daemon) as avc denials. These can also show up when running programs with errors like
error while loading shared libraries: /usr/lib/libavutil.so.49: cannot restore segment prot after reloc: Permission denied
execmod
# /usr/sbin/semanage fcontext -a -t textrel_shlib_t '/usr/lib/libavutil.so.49.0.0'
# /sbin/restorecon -v /usr/lib/libavutil.so.49.0.0
/usr/lib/libavutil.so.49.0.0. Now your application should be able to run. Please report this as a bug in http://bugzilla.redhat.com.
execstack
execstack -c LIBRARY
Now try your application again. If the application now works, the library was mistakenly marked as requiring execstack. Please report this as a bug in http://bugzilla.redhat.com.
execmem, execheap
execstack failure. You can set the Boolean with:
setsebool -P allow_execstack=1
restorecon reset /etc/modprobe.conf context system_u:object_r:etc_runtime_t->system_u:object_r:modules_conf_t
restorecon reset /etc/cups/ppd/homehp.ppd context user_u:object_r:cupsd_etc_t->system_u:object_r:cupsd_rw_etc_t
libsepol.sepol_genbools_array: boolean hidd_disable_trans no longer in policy
semanage command to define additional ports. So say you want httpd to be able to listen on port 8082. You could enter the command.
semanage port -a -p tcp -t http_port_t 8082
/tmp directory, since users tend to use the /tmp directory also. It would be better to create a directory elsewhere which could be owned by the apache process and allow your script to write to it. You should label the directory httpd_sys_script_rw_t, which will allow apache to read and write files to that directory. This directory could be located anywhere that apache can get to (even $HOME/public_html/).
swapfile_t.
chcon -t swapfile_t SWAPFILE
relabelto/relabelfrom permissions?
relabelfrom means "Can domain D relabel a file from (i.e. currently in) type T1?" and relabelto means "Can domain D relabel a file to type T2?", so both checks are applied upon a file relabeling, where T1 is the original type of the file and T2 is the new type specified by the program.
xattr labels in the right security.* namespace. In addition to ext2/ext3/ext4, XFS has recently added support for the necessary labels.