Diffstat (limited to 'html/selinux/hb-using-states.html')
-rw-r--r--html/selinux/hb-using-states.html299
1 files changed, 0 insertions, 299 deletions
diff --git a/html/selinux/hb-using-states.html b/html/selinux/hb-using-states.html
deleted file mode 100644
index bd2398f..0000000
--- a/html/selinux/hb-using-states.html
+++ /dev/null
@@ -1,299 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Handbook Page
---
- </title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>SELinux States</p>
-<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
-<p>
-When SELinux is available, it will generally be in one of three states on your
-system: disabled, permissive or enforcing.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Disabled</a></p>
-<p>
-When <span class="code" dir="ltr">getenforce</span> returns "Disabled", then SELinux is not running on your
-system. Even though it might be built in your kernel, it is definitely disabled.
-Your system will still run with regular discretionary access controls (the usual
-permission rules for standard Linux environments) but the mandatory access
-controls are not active.
-</p>
-<p>
-When SELinux is disabled, it also means that files, directories, etc that are
-modified or created will not get the proper SELinux context assigned to them.
-When you later start your system with SELinux enabled (permissive or enforcing),
-issues will arise since the SELinux subsystem will not know which label the
-files have (it will default the label to one that is not accessible by most
-domains).
-</p>
-<p>
-The best way to go forward in such case is to boot in permissive mode and then
-relabel the entire file system:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabeling the entire file system</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">rlpkg -a -r</span>
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Permissive</a></p>
-<p>
-When SELinux is enabled in permissive mode (<span class="code" dir="ltr">getenforce</span> returns
-"Permissive"), then SELinux is enabled and it has a policy loaded. Every access
-a process makes is checked against the policy rules and, if an access is not
-allowed, it will be logged (unless the denial is marked as dontaudit) but it
-will <span class="emphasis">not</span> be prohibited.
-</p>
-<p>
-The permissive mode is perfect to get acquainted with SELinux and have the
-system made ready for future "enforcing" mode. While running in permissive mode,
-applications <span class="emphasis">that are not SELinux aware</span> will behave as if SELinux is not
-running. This is perfect to validate if a problem is caused by SELinux or not:
-if in permissive mode the problem still persists, then it is not caused by
-SELinux.
-</p>
-<p>
-There is one caveat though: if the application is <span class="emphasis">SELinux-aware</span> (it knows
-that it can run in a SELinux environment and is able to make SELinux-specific
-calls) it might still react differently. Although this is often (but not always)
-a bad programming practice, some applications check if SELinux is enabled and
-base their functional flow on the results, regardless of the state being
-permissive or enforcing.
-</p>
-<p>
-To find out if an application is SELinux aware, simply check if it is linked
-against libselinux (with <span class="code" dir="ltr">ldd</span> or <span class="code" dir="ltr">scanelf</span> - part of
-<span class="path" dir="ltr">app-misc/pax-utils</span>):
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Checking if /bin/ls is SELinux-aware</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">scanelf -n /bin/ls</span>
- TYPE NEEDED FILE
-ET_DYN libselinux.so.1,librt.so.1,libc.so.6 /bin/ls
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Enforcing</a></p>
-<p>
-If <span class="code" dir="ltr">getenforce</span> returns "Enforcing", then SELinux is loaded and will act
-based on the policy. When a process tries some activity that is not allowed by
-the policy, it will be logged (unless a dontaudit is set) and the activity will
-not go through. This is the only mode where you can truely say that SELinux is
-active, because it is only now that the policy is acted upon.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Switching States</a></p>
-<p>
-Depending on your Linux kernel configuration, you can switch between states
-using one of the following methods. The kernel configuration however can be made
-so that some of these options are disabled (for instance, a fully hardened
-system will not allow disabling SELinux in any way).
-</p>
-<p>
-Using the command <span class="code" dir="ltr">setenforce</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Switching between enforcing and permissive</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code-comment">(Switching to permissive mode)</span>
-# <span class="code-input">setenforce 0</span>
-
-<span class="code-comment">(Switching to enforcing mode)</span>
-# <span class="code-input">setenforce 1</span>
-</pre></td></tr>
-</table>
-<p>
-Using the kernel boot option <span class="code" dir="ltr">enforcing</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Switching between enforcing and permissive through boot options</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code-comment">(The following GRUB kernel line would boot in permissive mode)</span>
-kernel /kernel-2.6.39-hardened-r8 root=/dev/md3 rootflags=data=journal <span class="code-input">enforcing=0</span>
-</pre></td></tr>
-</table>
-<p>
-Using the <span class="path" dir="ltr">/etc/selinux/config</span> <span class="code" dir="ltr">SELINUX</span> variable:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: /etc/selinux/config SELINUX setting</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">cat /etc/selinux/config</span>
-# This file controls the state of SELinux on the system on boot.
-
-# SELINUX can take one of these three values:
-# enforcing - SELinux security policy is enforced.
-# permissive - SELinux prints warnings instead of enforcing.
-# disabled - No SELinux policy is loaded.
-<span class="code-input">SELINUX=enforcing</span>
-
-# SELINUXTYPE can take one of these four values:
-# targeted - Only targeted network daemons are protected.
-# strict - Full SELinux protection.
-# mls - Full SELinux protection with Multi-Level Security
-# mcs - Full SELinux protection with Multi-Category Security
-# (mls, but only one sensitivity level)
-SELINUXTYPE=strict
-</pre></td></tr>
-</table>
-<p>
-When you want to switch from permissive to enforcing, it is recommended to do so
-in the order given above:
-</p>
-<ol>
- <li>
- First boot up in permissive mode, log on, verify that your context is
- correct (<span class="code" dir="ltr">id -Z</span>) and then switch to enforcing (<span class="code" dir="ltr">setenforce 1</span>).
- You can now test if your system is still working properly.
- </li>
- <li>
- Next, boot with <span class="code" dir="ltr">enforcing=1</span> as kernel parameter. This way, your
- system will boot in enforcing mode, but if things go haywire, you can just
- reboot, leave out the option and be back in permissive mode
- </li>
- <li>
- Finally, edit <span class="path" dir="ltr">/etc/selinux/config</span> to persist this change.
- </li>
-</ol>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>SELinux Policy Types</p>
-<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
-<p>
-Next to the SELinux state, SELinux also offers different policy types. These
-types differentiate themselves in specific SELinux features that are enabled or
-disabled. Within Gentoo, three are supported (and a fourth is available):
-<span class="code" dir="ltr">targeted</span>, <span class="code" dir="ltr">strict</span>, <span class="code" dir="ltr">mcs</span> (and <span class="code" dir="ltr">mls</span>).
-</p>
-<p>
-The type used on a system is declared in <span class="path" dir="ltr">/etc/selinux/config</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: The SELINUXTYPE information in /etc/selinux/config</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">cat /etc/selinux/config</span>
-# This file controls the state of SELinux on the system on boot.
-
-# SELINUX can take one of these three values:
-# enforcing - SELinux security policy is enforced.
-# permissive - SELinux prints warnings instead of enforcing.
-# disabled - No SELinux policy is loaded.
-SELINUX=enforcing
-
-# SELINUXTYPE can take one of these four values:
-# targeted - Only targeted network daemons are protected.
-# strict - Full SELinux protection.
-# mls - Full SELinux protection with Multi-Level Security
-# mcs - Full SELinux protection with Multi-Category Security
-# (mls, but only one sensitivity level)
-<span class="code-input">SELINUXTYPE=strict</span>
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">strict (without unconfined domains)</a></p>
-<p>
-The <span class="code" dir="ltr">strict</span> policy type is the policy type that was described in the
-earlier chapters, and coincidentally the type that is the easiest to understand.
-With the strict policy type, each and every application runs in a domain that
-has limited privileges. Although there are highly privileged domains, they are
-never truely unlimited in their privileges.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">targeted (using unconfined domains)</a></p>
-<p>
-The <span class="code" dir="ltr">targeted</span> policy type is similar to the strict one, with one major
-addition: support for unconfined domains. Applications (or users) that run in an
-unconfined domain are almost unlimited in their privileges. The unconfined
-domains are usually used for users and user applications, but also the init
-system and other domains are marked as "unconfined" domains.
-</p>
-<p>
-The idea behind the targeted policy is that network-facing services are running
-in (confined) regular domains whereas the rest uses the standard discretionary
-access controls offered by Linux. These other domains are running as
-"unconfined".
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">mcs (using multiple categories)</a></p>
-<p>
-The introduction of <span class="code" dir="ltr">mls</span> and <span class="code" dir="ltr">mcs</span> offers the ability for
-<span class="emphasis">multi-tenancy</span>: multiple instances of the same application should be able
-to run, but each instance should be confined with respect to the others (instead
-of all these processes running in the same domain and, hence, the same
-privileges).
-</p>
-<p>
-A simple example is virtualization: a virtual guest which runs in the
-<span class="code" dir="ltr">qemu_t</span> domain needs write privileges on the image file that contains the
-guest operating system. However, if you run two guests, you do not want each
-guest to write to the other guests' file. With regular domains, you will need to
-provide this. With <span class="code" dir="ltr">mcs</span>, you can give each running instance a specific
-category (number) and only grant it write privileges to the guest file with the
-correct category (number).
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">mls (using multiple security levels)</a></p>
-<p>
-The <span class="code" dir="ltr">mls</span> policy type is available but not yet supported by Gentoo
-Hardened. With this policy type, it is possible to give sensitivity levels on
-files and resources as well as domains. Sensitivity levels can best be expressed
-in terms of <span class="emphasis">public</span>, <span class="emphasis">private</span>, <span class="emphasis">confidential</span> or <span class="emphasis">strictly
-confidential</span>. With MLS, you can mark a file as one (or a set of)
-sensitivity level(s) and ensure that only domains with the right sensitivity
-level can access it.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Switching Types</a></p>
-<p>
-It is not recommended to switch between types often. At best, you choose your
-policy type at install time and stick with it. But it is not impossible (nor
-that hard) to switch between types.
-</p>
-<p>
-First, you need to edit <span class="path" dir="ltr">/etc/selinux/config</span> so that it both
-switches the policy type as well as put the mode in <span class="emphasis">permissive</span>. This is
-necessary, since at your next reboot, many labels might (or will) be incorrect.
-</p>
-<p>
-Next, edit <span class="path" dir="ltr">/etc/fstab</span> and make sure that the domains you use there
-are updated accordingly. For instance, the line for <span class="path" dir="ltr">/tmp</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Changing /etc/fstab</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code-comment"># Example when switching from strict to mcs</span>
-tmpfs /tmp tmpfs defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t<span class="code-input">:c0</span> 0 0
-</pre></td></tr>
-</table>
-<p>
-When this is done, reboot your system. Log on as root, and relabel your entire
-file system using <span class="code" dir="ltr">rlpkg -a -r</span>. Finally, reboot again and then validate if
-your context (such as when logged on as a user) is correct again. Once you are
-confident that the domains and contexts are correct, switch the SELinux policy
-mode back to "enforcing".
-</p>
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Page updated October 15, 2011</p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
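Review bot: this hunk deletes the whole of `html/selinux/hb-using-states.html` (299 lines) without any replacement or cross-reference, so the commit should state where the "SELinux States" and "SELinux Policy Types" content now lives, or that the generated HTML is no longer tracked, and any handbook index or link that still points at `hb-using-states.html` should be updated in the same change. The removed file looks like a stale generated render rather than a hand-maintained source: both chapter headings carry `<span class="chapnum">1.`, every section anchor is `doc_chap1_sect1`, every listing anchor is `doc_chap1_pre1`, and every listing title reads "Code Listing1.1", which breaks in-page linking and is consistent with an incomplete build. If the intent is to stop committing build output, a note to that effect in the commit message (and, if applicable, an ignore rule for `html/`) would make the deletion self-explanatory; if the intent is to drop the content, note that this page was the only place in the diff documenting the `setenforce 0`/`setenforce 1` switch, the `enforcing=0` boot parameter, the `SELINUX=` and `SELINUXTYPE=` settings in `/etc/selinux/config`, the `rlpkg -a -r` relabel after a disabled-to-enabled transition, and the `rootcontext=...:c0` fstab adjustment when moving from `strict` to `mcs`, so that material should be confirmed present elsewhere before this merges.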