Security-Enhanced Linux

Fedora 10

Security-Enhanced Linux

User Guide

Edition 1.0

Murray McAllister

Red Hat Engineering Content Services

Daniel Walsh

Red Hat Security Engineering

Dominick Grift

Technical editor for the Introduction, SELinux Contexts, Targeted Policy, Working with SELinux, Confining Users, and Troubleshooting chapters. 

Eric Paris

Technical editor for the Mounting File Systems and Raw Audit Messages sections. 
Red Hat Security Engineering

James Morris

Technical editor for the Introduction and Targeted Policy chapters. 
Red Hat Security Engineering

Legal Notice

Copyright © 2008 Red Hat, Inc. This material may only be distributed subject to the terms and conditions set forth in the Open Publication License, V1.0, (the latest version is presently available at http://www.opencontent.org/openpub/).

Fedora and the Fedora Infinity Design logo are trademarks or registered trademarks of Red Hat, Inc., in the U.S. and other countries.

Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat Inc. in the United States and other countries.

All other trademarks and copyrights referred to are the property of their respective owners.

Documentation, as with software itself, may be subject to export control. Read about Fedora Project export controls at http://fedoraproject.org/wiki/Legal/Export.

Abstract

This book is about managing and using Security-Enhanced Linux®.


Preface
1. Document Conventions
1.1. Typographic Conventions
1.2. Pull-quote Conventions
1.3. Notes and Warnings
2. We Need Feedback!
1. Trademark Information
2. Introduction
2.1. Benefits of running SELinux
2.2. Examples
2.3. SELinux Architecture
2.4. SELinux on Other Operating Systems
3. SELinux Contexts
3.1. Domain Transitions
3.2. SELinux Contexts for Processes
3.3. SELinux Contexts for Users
4. Targeted Policy
4.1. Confined Processes
4.2. Unconfined Processes
4.3. Confined and Unconfined Users
5. Working with SELinux
5.1. SELinux Packages
5.2. Which Log File is Used
5.3. Main Configuration File
5.4. Enabling and Disabling SELinux
5.4.1. Enabling SELinux
5.4.2. Disabling SELinux
5.5. SELinux Modes
5.6. Booleans
5.6.1. Listing Booleans
5.6.2. Configuring Booleans
5.6.3. Examples: Booleans for NFS and CIFS
5.7. SELinux Contexts - Labeling Files
5.7.1. Temporary Changes: chcon
5.7.2. Persistent Changes: semanage fcontext
5.8. The file_t and default_t Types
5.9. Mounting File Systems
5.9.1. Context Mounts
5.9.2. Changing the Default Context
5.9.3. Mounting an NFS File System
5.9.4. Multiple NFS Mounts
5.9.5. Making Context Mounts Persistent
5.10. Maintaining SELinux Labels
5.10.1. Copying Files and Directories
5.10.2. Moving Files and Directories
5.10.3. Checking the Default SELinux Context
5.10.4. Archiving Files with tar
5.10.5. Archiving Files with star
6. Confining Users
6.1. Linux and SELinux User Mappings
6.2. Confining New Linux Users: useradd
6.3. Confining Existing Linux Users: semanage login
6.4. Changing the Default Mapping
6.5. xguest: Kiosk Mode
7. Troubleshooting
7.1. What Happens when Access is Denied
7.2. Top Three Causes of Problems
7.2.1. Labeling Problems
7.2.2. How are Confined Services Running?
7.2.3. Evolving Rules and Broken Applications
7.3. Fixing Problems
7.3.1. Linux Permissions
7.3.2. Possible Causes of Silent Denials
7.3.3. Manual Pages for Services
7.3.4. Permissive Domains
7.3.5. Searching For and Viewing Denials
7.3.6. Raw Audit Messages
7.3.7. sealert Messages
7.3.8. Allowing Access: audit2allow
8. Further Information
A. Revision History