Chapter 5. Working with SELinux

Chapter 5. Working with SELinux

5.1. SELinux Packages
5.2. Which Log File is Used
5.3. Main Configuration File
5.4. Enabling and Disabling SELinux
5.4.1. Enabling SELinux
5.4.2. Disabling SELinux
5.5. SELinux Modes
5.6. Booleans
5.6.1. Listing Booleans
5.6.2. Configuring Booleans
5.6.3. Examples: Booleans for NFS and CIFS
5.7. SELinux Contexts - Labeling Files
5.7.1. Temporary Changes: chcon
5.7.2. Persistent Changes: semanage fcontext
5.8. The file_t and default_t Types
5.9. Mounting File Systems
5.9.1. Context Mounts
5.9.2. Changing the Default Context
5.9.3. Mounting an NFS File System
5.9.4. Multiple NFS Mounts
5.9.5. Making Context Mounts Persistent
5.10. Maintaining SELinux Labels
5.10.1. Copying Files and Directories
5.10.2. Moving Files and Directories
5.10.3. Checking the Default SELinux Context
5.10.4. Archiving Files with tar
5.10.5. Archiving Files with star

The following sections give a brief overview of the main SELinux packages in Fedora 10; installing and updating packages; which log files are used; the main SELinux configuration file; enabling and disabling SELinux; SELinux modes; configuring Booleans; temporarily and persistently changing file and directory labels; overriding file system labels with the mount command; mounting NFS file systems; and how to preserve SELinux contexts when copying and archiving files and directories.

5.1. SELinux Packages

In Fedora 10, the SELinux packages are installed by default unless they are manually excluded during installation. By default, SELinux targeted policy is used, and SELinux runs in enforcing mode. The following is a brief description of the main SELinux packages:

policycoreutils: provides utilities, such as semanage, restorecon, audit2allow, semodule, load_policy, and setsebool, for operating and managing SELinux.

policycoreutils-gui: provides system-config-selinux, a graphical tool for managing SELinux.

selinux-policy: provides the SELinux Reference Policy. The SELinux Reference Policy is a complete SELinux policy, and is used as a basis for other policies, such as the SELinux targeted policy. Refer to the Tresys Technology SELinux Reference Policy page for further information. The selinux-policy-devel package provides development tools, such as /usr/share/selinux/devel/policygentool and /usr/share/selinux/devel/policyhelp, as well as example policy files. This package was merged into the selinux-policy package.

selinux-policy-policy: provides SELinux policies. For targeted policy, install selinux-policy-targeted. For MLS, install selinux-policy-mls. In Fedora 8, the strict policy was merged into targeted policy, allowing confined and unconfined users to co-exist on the same system.

setroubleshoot-server: translates denial messages, produced when access is denied by SELinux, into detailed descriptions that are viewed with sealert (which is provided by this package).

setroubleshoot: a graphical user interface for viewing denials that are translated by setroubleshoot-server.

setools, setools-gui, and setools-console: these packages provide the Tresys Technology SETools distribution, a number of tools and libraries for analyzing and querying policy, audit log monitoring and reporting, and file context management[8]. The setools package is a meta-package for SETools. The setools-gui package provides the apol, seaudit, and sediffx tools. The setools-console package provides the seaudit-report, sechecker, sediff, seinfo, sesearch, findcon, replcon, and indexcon command line tools. Refer to the Tresys Technology SETools page for information about these tools.

libselinux-utils: provides the avcstat, getenforce, getsebool, matchpathcon, selinuxconlist, selinuxdefcon, selinuxenabled, setenforce, togglesebool tools.

mcstrans: translates levels, such as s0-s0:c0.c1023, to an easier to read form, such as SystemLow-SystemHigh. This package is not installed by default.

To install packages in Fedora 10, as the Linux root user, run the yum install package-name command. For example, to install the mcstrans package, run the yum install mcstrans command. To upgrade all installed packages in Fedora 10, run the yum update command.

Refer to Managing Software with yum[9] for further information about using yum to manage packages.

Note

In previous versions of Fedora, the selinux-policy-devel package is required when making a local policy module with audit2allow -M.



[8] Brindle, Joshua. "Re: blurb for fedora setools packages" Email to Murray McAllister. 1 November 2008. Any edits or changes in this version were done by Murray McAllister.

[9] Managing Software with yum, written by Stuart Ellis, edited by Paul W. Frields, Rodrigo Menezes, and Hugo Cisneiros.