Diffstat (limited to 'html/selinux/hb-using-states.html')
-rw-r--r-- | html/selinux/hb-using-states.html | 299 |
1 files changed, 0 insertions, 299 deletions
diff --git a/html/selinux/hb-using-states.html b/html/selinux/hb-using-states.html deleted file mode 100644 index bd2398f..0000000 --- a/html/selinux/hb-using-states.html +++ /dev/null 
@@ -1,299 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> -<html lang="en"> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> -<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css"> -<link REL="shortcut icon" HREF="favicon.ico" TYPE="image/x-icon"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives"> -<title>Gentoo Linux Handbook Page --- - </title> -</head> -<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0"> -<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr> -<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr> -<td width="99%" class="content" valign="top" align="left"> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>SELinux States</p> -<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p> -<p> -When SELinux is available, it will generally be in one of three states on your -system: disabled, permissive or enforcing. 
-</p> -<p class="secthead"><a name="doc_chap1_sect1">Disabled</a></p> -<p> -When <span class="code" dir="ltr">getenforce</span> returns "Disabled", then SELinux is not running on your -system. Even though it might be built in your kernel, it is definitely disabled. -Your system will still run with regular discretionary access controls (the usual -permission rules for standard Linux environments) but the mandatory access -controls are not active. -</p> -<p> -When SELinux is disabled, it also means that files, directories, etc that are -modified or created will not get the proper SELinux context assigned to them. -When you later start your system with SELinux enabled (permissive or enforcing), -issues will arise since the SELinux subsystem will not know which label the -files have (it will default the label to one that is not accessible by most -domains). -</p> -<p> -The best way to go forward in such case is to boot in permissive mode and then -relabel the entire file system: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabeling the entire file system</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">rlpkg -a -r</span> -</pre></td></tr> -</table> -<p class="secthead"><a name="doc_chap1_sect1">Permissive</a></p> -<p> -When SELinux is enabled in permissive mode (<span class="code" dir="ltr">getenforce</span> returns -"Permissive"), then SELinux is enabled and it has a policy loaded. Every access -a process makes is checked against the policy rules and, if an access is not -allowed, it will be logged (unless the denial is marked as dontaudit) but it -will <span class="emphasis">not</span> be prohibited. -</p> -<p> -The permissive mode is perfect to get acquainted with SELinux and have the -system made ready for future "enforcing" mode. 
While running in permissive mode, -applications <span class="emphasis">that are not SELinux aware</span> will behave as if SELinux is not -running. This is perfect to validate if a problem is caused by SELinux or not: -if in permissive mode the problem still persists, then it is not caused by -SELinux. -</p> -<p> -There is one caveat though: if the application is <span class="emphasis">SELinux-aware</span> (it knows -that it can run in a SELinux environment and is able to make SELinux-specific -calls) it might still react differently. Although this is often (but not always) -a bad programming practice, some applications check if SELinux is enabled and -base their functional flow on the results, regardless of the state being -permissive or enforcing. -</p> -<p> -To find out if an application is SELinux aware, simply check if it is linked -against libselinux (with <span class="code" dir="ltr">ldd</span> or <span class="code" dir="ltr">scanelf</span> - part of -<span class="path" dir="ltr">app-misc/pax-utils</span>): -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Checking if /bin/ls is SELinux-aware</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">scanelf -n /bin/ls</span> - TYPE NEEDED FILE -ET_DYN libselinux.so.1,librt.so.1,libc.so.6 /bin/ls -</pre></td></tr> -</table> -<p class="secthead"><a name="doc_chap1_sect1">Enforcing</a></p> -<p> -If <span class="code" dir="ltr">getenforce</span> returns "Enforcing", then SELinux is loaded and will act -based on the policy. When a process tries some activity that is not allowed by -the policy, it will be logged (unless a dontaudit is set) and the activity will -not go through. This is the only mode where you can truely say that SELinux is -active, because it is only now that the policy is acted upon. 
-</p> -<p class="secthead"><a name="doc_chap1_sect1">Switching States</a></p> -<p> -Depending on your Linux kernel configuration, you can switch between states -using one of the following methods. The kernel configuration however can be made -so that some of these options are disabled (for instance, a fully hardened -system will not allow disabling SELinux in any way). -</p> -<p> -Using the command <span class="code" dir="ltr">setenforce</span>: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Switching between enforcing and permissive</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -<span class="code-comment">(Switching to permissive mode)</span> -# <span class="code-input">setenforce 0</span> - -<span class="code-comment">(Switching to enforcing mode)</span> -# <span class="code-input">setenforce 1</span> -</pre></td></tr> -</table> -<p> -Using the kernel boot option <span class="code" dir="ltr">enforcing</span>: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Switching between enforcing and permissive through boot options</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -<span class="code-comment">(The following GRUB kernel line would boot in permissive mode)</span> -kernel /kernel-2.6.39-hardened-r8 root=/dev/md3 rootflags=data=journal <span class="code-input">enforcing=0</span> -</pre></td></tr> -</table> -<p> -Using the <span class="path" dir="ltr">/etc/selinux/config</span> <span class="code" dir="ltr">SELINUX</span> variable: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: /etc/selinux/config SELINUX setting</p></td></tr> 
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">cat /etc/selinux/config</span> -# This file controls the state of SELinux on the system on boot. - -# SELINUX can take one of these three values: -# enforcing - SELinux security policy is enforced. -# permissive - SELinux prints warnings instead of enforcing. -# disabled - No SELinux policy is loaded. -<span class="code-input">SELINUX=enforcing</span> - -# SELINUXTYPE can take one of these four values: -# targeted - Only targeted network daemons are protected. -# strict - Full SELinux protection. -# mls - Full SELinux protection with Multi-Level Security -# mcs - Full SELinux protection with Multi-Category Security -# (mls, but only one sensitivity level) -SELINUXTYPE=strict -</pre></td></tr> -</table> -<p> -When you want to switch from permissive to enforcing, it is recommended to do so -in the order given above: -</p> -<ol> - <li> - First boot up in permissive mode, log on, verify that your context is - correct (<span class="code" dir="ltr">id -Z</span>) and then switch to enforcing (<span class="code" dir="ltr">setenforce 1</span>). - You can now test if your system is still working properly. - </li> - <li> - Next, boot with <span class="code" dir="ltr">enforcing=1</span> as kernel parameter. This way, your - system will boot in enforcing mode, but if things go haywire, you can just - reboot, leave out the option and be back in permissive mode - </li> - <li> - Finally, edit <span class="path" dir="ltr">/etc/selinux/config</span> to persist this change. - </li> -</ol> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>SELinux Policy Types</p> -<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p> -<p> -Next to the SELinux state, SELinux also offers different policy types. These -types differentiate themselves in specific SELinux features that are enabled or -disabled. 
Within Gentoo, three are supported (and a fourth is available): -<span class="code" dir="ltr">targeted</span>, <span class="code" dir="ltr">strict</span>, <span class="code" dir="ltr">mcs</span> (and <span class="code" dir="ltr">mls</span>). -</p> -<p> -The type used on a system is declared in <span class="path" dir="ltr">/etc/selinux/config</span>: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: The SELINUXTYPE information in /etc/selinux/config</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">cat /etc/selinux/config</span> -# This file controls the state of SELinux on the system on boot. - -# SELINUX can take one of these three values: -# enforcing - SELinux security policy is enforced. -# permissive - SELinux prints warnings instead of enforcing. -# disabled - No SELinux policy is loaded. -SELINUX=enforcing - -# SELINUXTYPE can take one of these four values: -# targeted - Only targeted network daemons are protected. -# strict - Full SELinux protection. -# mls - Full SELinux protection with Multi-Level Security -# mcs - Full SELinux protection with Multi-Category Security -# (mls, but only one sensitivity level) -<span class="code-input">SELINUXTYPE=strict</span> -</pre></td></tr> -</table> -<p class="secthead"><a name="doc_chap1_sect1">strict (without unconfined domains)</a></p> -<p> -The <span class="code" dir="ltr">strict</span> policy type is the policy type that was described in the -earlier chapters, and coincidentally the type that is the easiest to understand. -With the strict policy type, each and every application runs in a domain that -has limited privileges. Although there are highly privileged domains, they are -never truely unlimited in their privileges. 
-</p> -<p class="secthead"><a name="doc_chap1_sect1">targeted (using unconfined domains)</a></p> -<p> -The <span class="code" dir="ltr">targeted</span> policy type is similar to the strict one, with one major -addition: support for unconfined domains. Applications (or users) that run in an -unconfined domain are almost unlimited in their privileges. The unconfined -domains are usually used for users and user applications, but also the init -system and other domains are marked as "unconfined" domains. -</p> -<p> -The idea behind the targeted policy is that network-facing services are running -in (confined) regular domains whereas the rest uses the standard discretionary -access controls offered by Linux. These other domains are running as -"unconfined". -</p> -<p class="secthead"><a name="doc_chap1_sect1">mcs (using multiple categories)</a></p> -<p> -The introduction of <span class="code" dir="ltr">mls</span> and <span class="code" dir="ltr">mcs</span> offers the ability for -<span class="emphasis">multi-tenancy</span>: multiple instances of the same application should be able -to run, but each instance should be confined with respect to the others (instead -of all these processes running in the same domain and, hence, the same -privileges). -</p> -<p> -A simple example is virtualization: a virtual guest which runs in the -<span class="code" dir="ltr">qemu_t</span> domain needs write privileges on the image file that contains the -guest operating system. However, if you run two guests, you do not want each -guest to write to the other guests' file. With regular domains, you will need to -provide this. With <span class="code" dir="ltr">mcs</span>, you can give each running instance a specific -category (number) and only grant it write privileges to the guest file with the -correct category (number). 
-</p> -<p class="secthead"><a name="doc_chap1_sect1">mls (using multiple security levels)</a></p> -<p> -The <span class="code" dir="ltr">mls</span> policy type is available but not yet supported by Gentoo -Hardened. With this policy type, it is possible to give sensitivity levels on -files and resources as well as domains. Sensitivity levels can best be expressed -in terms of <span class="emphasis">public</span>, <span class="emphasis">private</span>, <span class="emphasis">confidential</span> or <span class="emphasis">strictly -confidential</span>. With MLS, you can mark a file as one (or a set of) -sensitivity level(s) and ensure that only domains with the right sensitivity -level can access it. -</p> -<p class="secthead"><a name="doc_chap1_sect1">Switching Types</a></p> -<p> -It is not recommended to switch between types often. At best, you choose your -policy type at install time and stick with it. But it is not impossible (nor -that hard) to switch between types. -</p> -<p> -First, you need to edit <span class="path" dir="ltr">/etc/selinux/config</span> so that it both -switches the policy type as well as put the mode in <span class="emphasis">permissive</span>. This is -necessary, since at your next reboot, many labels might (or will) be incorrect. -</p> -<p> -Next, edit <span class="path" dir="ltr">/etc/fstab</span> and make sure that the domains you use there -are updated accordingly. 
For instance, the line for <span class="path" dir="ltr">/tmp</span>: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Changing /etc/fstab</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -<span class="code-comment"># Example when switching from strict to mcs</span> -tmpfs /tmp tmpfs defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t<span class="code-input">:c0</span> 0 0 -</pre></td></tr> -</table> -<p> -When this is done, reboot your system. Log on as root, and relabel your entire -file system using <span class="code" dir="ltr">rlpkg -a -r</span>. Finally, reboot again and then validate if -your context (such as when logged on as a user) is correct again. Once you are -confident that the domains and contexts are correct, switch the SELinux policy -mode back to "enforcing". -</p> -</td> -<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> -<tr><td class="topsep" align="center"><p class="alttext">Page updated October 15, 2011</p></td></tr> -<tr lang="en"><td align="center" class="topsep"> -<p class="alttext"><b>Donate</b> to support our development efforts. 
- </p> -<form action="https://www.paypal.com/cgi-bin/webscr" method="post"> -<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo"> -</form> -</td></tr> -<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr> -</table></td> -</tr></table></td></tr> -<tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. -</td></tr> -</table></body> -</html> |
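Review bot: this hunk deletes html/selinux/hb-using-states.html outright with no replacement file and no redirect in the same change, so any sibling handbook page or external link that still points at hb-using-states.html will break; if the content moved elsewhere (the diffstat shows 299 deletions and 0 insertions), state the new location in the commit message or add a redirect stub. The deleted file is clearly a generated render rather than hand-written source (every section anchor is `doc_chap1_sect1`, every listing is `Code Listing1.1`, and the footer carries "Page updated October 15, 2011"), so removing it is reasonable as long as the source document it was built from is retained. Worth confirming the replacement keeps the operationally important guidance this page carried: relabel with `rlpkg -a -r` after running with SELinux disabled, the staged permissive -> `setenforce 1` -> `enforcing=1` -> /etc/selinux/config transition, the note that a fully hardened kernel will not allow disabling SELinux, and the /etc/fstab `rootcontext` change (e.g. `tmp_t:c0`) needed when switching policy types.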