<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
<link REL="shortcut icon" HREF="favicon.ico" TYPE="image/x-icon">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
<title>Gentoo Linux Handbook Page</title>
</head>
<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
<td width="99%" class="content" valign="top" align="left">
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>SELinux States</p>
<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
<p>
When SELinux is available, it will generally be in one of three states on your
system: disabled, permissive or enforcing.
</p>
<p class="secthead"><a name="doc_chap1_sect1">Disabled</a></p>
<p>
When <span class="code" dir="ltr">getenforce</span> returns "Disabled", then SELinux is not running on your
system. Even though it might be built into your kernel, it is definitely disabled.
Your system will still run with regular discretionary access controls (the usual
permission rules for standard Linux environments), but the mandatory access
controls are not active.
</p>
<p>
When SELinux is disabled, it also means that files, directories, etc. that are
modified or created will not get the proper SELinux context assigned to them.
When you later start your system with SELinux enabled (permissive or enforcing),
issues will arise since the SELinux subsystem will not know which label the
files have (it will default the label to one that is not accessible by most
domains).
</p>
<p>
The best way forward in such a case is to boot in permissive mode and then
relabel the entire file system:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 1.1: Relabeling the entire file system</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">rlpkg -a -r</span>
</pre></td></tr>
</table>
<p class="secthead"><a name="doc_chap1_sect1">Permissive</a></p>
<p>
When SELinux is enabled in permissive mode (<span class="code" dir="ltr">getenforce</span> returns
"Permissive"), then SELinux is enabled and it has a policy loaded. Every access
a process makes is checked against the policy rules and, if an access is not
allowed, it will be logged (unless the denial is marked as dontaudit) but it
will <span class="emphasis">not</span> be prohibited.
</p>
<p>
The permissive mode is perfect to get acquainted with SELinux and to prepare the
system for a future switch to "enforcing" mode. While running in permissive mode,
applications <span class="emphasis">that are not SELinux aware</span> will behave as if SELinux is not
running. This is perfect to validate whether a problem is caused by SELinux or not:
if the problem still persists in permissive mode, then it is not caused by
SELinux.
</p>
<p>
There is one caveat though: if the application is <span class="emphasis">SELinux-aware</span> (it knows
that it can run in a SELinux environment and is able to make SELinux-specific
calls) it might still react differently. Although this is often (but not always)
a bad programming practice, some applications check if SELinux is enabled and
base their functional flow on the results, regardless of the state being
permissive or enforcing.
</p>
<p>
To find out if an application is SELinux aware, simply check if it is linked
against libselinux (with <span class="code" dir="ltr">ldd</span> or <span class="code" dir="ltr">scanelf</span> - part of
<span class="path" dir="ltr">app-misc/pax-utils</span>):
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 1.2: Checking if /bin/ls is SELinux-aware</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">scanelf -n /bin/ls</span>
 TYPE     NEEDED FILE
ET_DYN   libselinux.so.1,librt.so.1,libc.so.6   /bin/ls
</pre></td></tr>
</table>
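<p>
The listing above relies on <span class="code" dir="ltr">scanelf</span>. The following Python script is an
added example (not part of this handbook, nor of pax-utils) that performs the same check by
reading the ELF file directly: it walks the section headers to the dynamic section, resolves
every <span class="code" dir="ltr">DT_NEEDED</span> entry through the string table that section links to,
and reports whether <span class="path" dir="ltr">libselinux.so</span> is among them. It handles 64-bit
little-endian ELF only. The image it builds when run without arguments is constructed test data
(just a string table, a dynamic section and the section headers, not a loadable program).
</p>

```python
"""Report the shared libraries an ELF binary needs and whether libselinux is one.

Added example, not part of this handbook or of pax-utils: it reproduces what
`scanelf -n` / `ldd` show by walking the ELF64 section headers to the
SHT_DYNAMIC section and resolving each DT_NEEDED entry through the string
table that section links to.  Only 64-bit little-endian ELF is handled.
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_NEEDED = 0, 1

# Elf64_Ehdr, Elf64_Shdr and Elf64_Dyn layouts, little-endian.
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")
SHDR = struct.Struct("<IIQQQQIIQQ")
DYN = struct.Struct("<qQ")


def _cstring(blob, offset):
    """Return the NUL-terminated string starting at `offset` in `blob`."""
    return blob[offset:blob.index(b"\0", offset)].decode("ascii", "replace")


def needed_libraries(data):
    """Return the DT_NEEDED shared-object names of an ELF64 LE image (bytes)."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only ELF64 little-endian images are supported here")
    hdr = EHDR.unpack_from(data, 0)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    sections = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    needed = []
    for sec in sections:
        sh_type, sh_offset, sh_size, sh_link, sh_entsize = sec[1], sec[4], sec[5], sec[6], sec[9]
        if sh_type != SHT_DYNAMIC:
            continue
        strtab = sections[sh_link]          # sh_link of .dynamic names its string table
        if strtab[1] != SHT_STRTAB:
            raise ValueError("dynamic section does not link to a string table")
        strings = data[strtab[4]:strtab[4] + strtab[5]]
        for pos in range(sh_offset, sh_offset + sh_size, sh_entsize or DYN.size):
            tag, val = DYN.unpack_from(data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                needed.append(_cstring(strings, val))
    return needed


def is_selinux_aware(data):
    """True if the image links libselinux (what the handbook calls SELinux-aware)."""
    return any(name.startswith("libselinux.so") for name in needed_libraries(data))


def build_sample_elf(libs):
    """Construct a minimal ELF64 image containing only a .dynstr and a .dynamic section.

    Constructed test data: not a loadable program, just enough structure for
    needed_libraries() to parse.
    """
    strtab, offsets = b"\0", []
    for lib in libs:
        offsets.append(len(strtab))
        strtab += lib.encode() + b"\0"
    dyn = b"".join(DYN.pack(DT_NEEDED, off) for off in offsets) + DYN.pack(DT_NULL, 0)
    strtab_off = EHDR.size
    dyn_off = strtab_off + len(strtab)
    shoff = dyn_off + len(dyn)
    shoff += (-shoff) % 8                   # keep the section header table 8-byte aligned
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    ehdr = EHDR.pack(ident, 3, 0x3E, 1, 0, 0, shoff, 0,
                     EHDR.size, 56, 0, SHDR.size, 3, 0)
    shdrs = (SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)                                   # SHN_UNDEF
             + SHDR.pack(0, SHT_STRTAB, 0, 0, strtab_off, len(strtab), 0, 0, 1, 0)     # .dynstr
             + SHDR.pack(0, SHT_DYNAMIC, 0, 0, dyn_off, len(dyn), 1, 0, 8, DYN.size))  # .dynamic
    body = ehdr + strtab + dyn
    return body + b"\0" * (shoff - len(body)) + shdrs


if __name__ == "__main__":
    if len(sys.argv) > 1:                   # inspect a real binary, e.g. /bin/ls
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:                                   # fall back to the constructed sample image
        image = build_sample_elf(["libselinux.so.1", "librt.so.1", "libc.so.6"])
    print("NEEDED:", ",".join(needed_libraries(image)))
    print("SELinux-aware:", is_selinux_aware(image))
```

<p>
Run it with a path argument to inspect a real binary. A binary that links libselinux is
exactly the kind of program that may change its behaviour based on the SELinux state even
in permissive mode, which is the caveat described above.
</p>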
<p class="secthead"><a name="doc_chap1_sect1">Enforcing</a></p>
<p>
If <span class="code" dir="ltr">getenforce</span> returns "Enforcing", then SELinux is loaded and will act
based on the policy. When a process tries some activity that is not allowed by
the policy, it will be logged (unless a dontaudit is set) and the activity will
not go through. This is the only mode where you can truly say that SELinux is
active, because it is only now that the policy is acted upon.
</p>
<p class="secthead"><a name="doc_chap1_sect1">Switching States</a></p>
<p>
Depending on your Linux kernel configuration, you can switch between states
using one of the following methods. The kernel configuration however can be made
so that some of these options are disabled (for instance, a fully hardened
system will not allow disabling SELinux in any way).
</p>
<p>
Using the command <span class="code" dir="ltr">setenforce</span>:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 1.3: Switching between enforcing and permissive</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
<span class="code-comment">(Switching to permissive mode)</span>
# <span class="code-input">setenforce 0</span>

<span class="code-comment">(Switching to enforcing mode)</span>
# <span class="code-input">setenforce 1</span>
</pre></td></tr>
</table>
<p>
Using the kernel boot option <span class="code" dir="ltr">enforcing</span>:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 1.4: Switching between enforcing and permissive through boot options</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
<span class="code-comment">(The following GRUB kernel line would boot in permissive mode)</span>
kernel /kernel-2.6.39-hardened-r8 root=/dev/md3 rootflags=data=journal <span class="code-input">enforcing=0</span>
</pre></td></tr>
</table>
<p>
Using the <span class="path" dir="ltr">/etc/selinux/config</span> <span class="code" dir="ltr">SELINUX</span> variable:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 1.5: /etc/selinux/config SELINUX setting</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">cat /etc/selinux/config</span>
# This file controls the state of SELinux on the system on boot.

# SELINUX can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
<span class="code-input">SELINUX=enforcing</span>

# SELINUXTYPE can take one of these four values:
#       targeted - Only targeted network daemons are protected.
#       strict   - Full SELinux protection.
#       mls      - Full SELinux protection with Multi-Level Security
#       mcs      - Full SELinux protection with Multi-Category Security 
#                  (mls, but only one sensitivity level)
SELINUXTYPE=strict
</pre></td></tr>
</table>
<p>
When you want to switch from permissive to enforcing, it is recommended to do so
in the order given above:
</p>
<ol>
  <li>
    First boot up in permissive mode, log on, verify that your context is
    correct (<span class="code" dir="ltr">id -Z</span>) and then switch to enforcing (<span class="code" dir="ltr">setenforce 1</span>).
    You can now test if your system is still working properly.
  </li>
  <li>
    Next, boot with <span class="code" dir="ltr">enforcing=1</span> as kernel parameter. This way, your
    system will boot in enforcing mode, but if things go haywire, you can just
    reboot, leave out the option and be back in permissive mode.
  </li>
  <li>
    Finally, edit <span class="path" dir="ltr">/etc/selinux/config</span> to persist this change.
  </li>
</ol>
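<p>
The staged procedure above works because the <span class="code" dir="ltr">enforcing=</span> kernel
parameter takes precedence over the <span class="code" dir="ltr">SELINUX</span> line in
<span class="path" dir="ltr">/etc/selinux/config</span> while the policy is loaded at boot, whereas
<span class="code" dir="ltr">SELINUX=disabled</span> means no policy is loaded at all, so the boot parameter has
nothing to override. The following Python script is an added example (not part of this handbook or of
libselinux) that resolves the mode a system will come up in from those two inputs; the precedence it
encodes is the behaviour of libselinux's policy loading as understood by the editor, and the sample
config and command lines it uses are constructed.
</p>

```python
"""Resolve the SELinux mode a system boots into from /etc/selinux/config and
an `enforcing=` kernel boot parameter.

Added example, not part of this handbook or of libselinux.  Assumed precedence
(the behaviour libselinux applies when init loads the policy): an explicit
`enforcing=0|1` on the kernel command line overrides the config file's
permissive/enforcing choice, while SELINUX=disabled means no policy is loaded
at all, so the boot parameter cannot change that.
"""
import re

VALID_MODES = ("enforcing", "permissive", "disabled")


def parse_selinux_config(text):
    """Parse /etc/selinux/config-style KEY=VALUE lines into a dict.

    Comment and blank lines are skipped, values may be quoted, and the first
    occurrence of a key wins.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings.setdefault(key.strip(), value.strip().strip("\"'"))
    return settings


def kernel_enforcing_param(cmdline):
    """Return 0 or 1 from an `enforcing=` token on the kernel command line, else None."""
    m = re.search(r"(?:^|\s)enforcing=([01])(?:\s|$)", cmdline)
    return int(m.group(1)) if m else None


def effective_boot_mode(config_text, cmdline=""):
    """Return 'enforcing', 'permissive' or 'disabled' for this config and cmdline."""
    settings = parse_selinux_config(config_text)
    mode = settings.get("SELINUX", "").lower()
    if mode not in VALID_MODES:
        raise ValueError(f"SELINUX must be one of {VALID_MODES}, got {mode!r}")
    if mode == "disabled":
        return "disabled"                   # no policy is loaded; enforcing= is irrelevant
    override = kernel_enforcing_param(cmdline)
    if override is None:
        return mode
    return "enforcing" if override == 1 else "permissive"


# Constructed sample: the handbook's config, with the mode the switching
# procedure leaves in place until its final step.
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system on boot.
SELINUX=permissive
SELINUXTYPE=strict
"""

if __name__ == "__main__":
    for cmd in ("root=/dev/md3 rootflags=data=journal",
                "root=/dev/md3 rootflags=data=journal enforcing=1"):
        print(f"{cmd!r:55} -> {effective_boot_mode(SAMPLE_CONFIG, cmd)}")
```

<p>
With the sample config the first command line yields permissive mode and the second enforcing
mode, which is step 2 of the procedure: the persisted setting stays permissive until you commit to
it in step 3, so dropping the boot parameter is all it takes to fall back.
</p>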
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">2.
            </span>SELinux Policy Types</p>
<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
<p>
Next to the SELinux state, SELinux also offers different policy types. These
types differentiate themselves in specific SELinux features that are enabled or
disabled. Within Gentoo, three are supported (and a fourth is available):
<span class="code" dir="ltr">targeted</span>, <span class="code" dir="ltr">strict</span>, <span class="code" dir="ltr">mcs</span> (and <span class="code" dir="ltr">mls</span>).
</p>
<p>
The type used on a system is declared in <span class="path" dir="ltr">/etc/selinux/config</span>:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 2.1: The SELINUXTYPE information in /etc/selinux/config</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">cat /etc/selinux/config</span>
# This file controls the state of SELinux on the system on boot.

# SELINUX can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing

# SELINUXTYPE can take one of these four values:
#       targeted - Only targeted network daemons are protected.
#       strict   - Full SELinux protection.
#       mls      - Full SELinux protection with Multi-Level Security
#       mcs      - Full SELinux protection with Multi-Category Security 
#                  (mls, but only one sensitivity level)
<span class="code-input">SELINUXTYPE=strict</span>
</pre></td></tr>
</table>
<p class="secthead"><a name="doc_chap1_sect1">strict (without unconfined domains)</a></p>
<p>
The <span class="code" dir="ltr">strict</span> policy type is the policy type that was described in the
earlier chapters, and also the type that is the easiest to understand.
With the strict policy type, each and every application runs in a domain that
has limited privileges. Although there are highly privileged domains, they are
never truly unlimited in their privileges.
</p>
<p class="secthead"><a name="doc_chap1_sect1">targeted (using unconfined domains)</a></p>
<p>
The <span class="code" dir="ltr">targeted</span> policy type is similar to the strict one, with one major
addition: support for unconfined domains. Applications (or users) that run in an
unconfined domain are almost unlimited in their privileges. The unconfined
domains are usually used for users and user applications, but also the init
system and other domains are marked as "unconfined" domains.
</p>
<p>
The idea behind the targeted policy is that network-facing services are running
in (confined) regular domains whereas the rest uses the standard discretionary
access controls offered by Linux. These other domains are running as
"unconfined".
</p>
<p class="secthead"><a name="doc_chap1_sect1">mcs (using multiple categories)</a></p>
<p>
The introduction of <span class="code" dir="ltr">mls</span> and <span class="code" dir="ltr">mcs</span> offers the ability for
<span class="emphasis">multi-tenancy</span>: multiple instances of the same application should be able
to run, but each instance should be confined with respect to the others (instead
of all these processes running in the same domain and, hence, the same
privileges).
</p>
<p>
A simple example is virtualization: a virtual guest which runs in the
<span class="code" dir="ltr">qemu_t</span> domain needs write privileges on the image file that contains the
guest operating system. However, if you run two guests, you do not want each
guest to write to the other guest's file. With regular domains alone, both guests
run in the same domain, so you would have to grant both of them write access to
both files. With <span class="code" dir="ltr">mcs</span>, you can give each running instance a specific
category (number) and only grant it write privileges to the guest file with the
correct category (number).
</p>
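<p>
The following Python script is an added example, not Gentoo's or SELinux's own code, that models the
category check behind the two-guest scenario above. It parses security contexts of the form
<span class="code" dir="ltr">user:role:type:level</span> (including the
<span class="code" dir="ltr">rootcontext=...:c0</span> style used later for <span class="path" dir="ltr">/etc/fstab</span>
and the low-high ranges <span class="code" dir="ltr">id -Z</span> prints) and applies a simplified form of the
MCS rule: a domain may write an object only if its category set dominates (is a superset of) the
object's. Sensitivity levels other than <span class="code" dir="ltr">s0</span> are the mls policy's concern and
are not compared here; the <span class="code" dir="ltr">virt_image_t</span> type name in the sample scenario is
illustrative, not something this page defines.
</p>

```python
"""Model of the MCS category check behind the handbook's two-guest qemu example.

Added example, not Gentoo's or SELinux's own code.  It parses security
contexts of the form user:role:type:level and applies a simplified form of the
MCS rule: a domain may write an object only if the domain's category set is a
superset of (dominates) the object's.  Sensitivity levels beyond s0 are the
mls policy's concern and are not compared here.
"""
import re

_CAT = re.compile(r"^c(\d+)(?:\.c(\d+))?$")


def parse_categories(cats):
    """Expand an MCS category string ('c0', 'c0,c5', 'c2.c4') into a set of ints."""
    result = set()
    if not cats:
        return result
    for part in cats.split(","):
        m = _CAT.match(part.strip())
        if not m:
            raise ValueError(f"bad category spec: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"descending category range: {part!r}")
        result.update(range(lo, hi + 1))
    return result


def parse_context(ctx):
    """Split 'user:role:type:level' into a dict.

    `level` is 'sN[:cats]' or a range 'low-high' (as `id -Z` prints for a
    process); for a range the high level is what the dominance check uses.
    """
    try:
        user, role, type_, level = ctx.split(":", 3)
    except ValueError:
        raise ValueError(f"context needs user:role:type:level, got {ctx!r}") from None
    high = level.split("-", 1)[-1]
    sens, _, cats = high.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError(f"bad sensitivity level in {ctx!r}")
    return {"user": user, "role": role, "type": type_,
            "sensitivity": sens, "categories": parse_categories(cats)}


def mcs_dominates(subject_ctx, object_ctx):
    """True if the subject's categories cover the object's (the MCS access rule).

    An object with no categories is reachable from every domain: a plain
    tmp_t without a :cN suffix isolates nothing between instances.
    """
    return parse_context(subject_ctx)["categories"] >= parse_context(object_ctx)["categories"]


def check_guest_writes(guest_contexts, image_contexts):
    """Return {(guest, image): allowed} for every pairing under the MCS rule."""
    return {(g, i): mcs_dominates(g, i) for g in guest_contexts for i in image_contexts}


# Constructed scenario from the handbook: two qemu_t guests, each with its own
# category, and two image files labelled to match.  virt_image_t is an
# illustrative type name here, not something this page defines.
GUESTS = ["system_u:system_r:qemu_t:s0:c0", "system_u:system_r:qemu_t:s0:c1"]
IMAGES = ["system_u:object_r:virt_image_t:s0:c0",
          "system_u:object_r:virt_image_t:s0:c1"]

if __name__ == "__main__":
    for (guest, image), ok in check_guest_writes(GUESTS, IMAGES).items():
        print(f"{guest} -> {image}: {'allowed' if ok else 'denied'}")
```

<p>
The point the model makes visible is that isolation only exists where both sides carry categories:
a file left without a category suffix is reachable from every instance, which is why the fstab
<span class="code" dir="ltr">rootcontext</span> gains a <span class="code" dir="ltr">:c0</span> when switching to mcs.
</p>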
<p class="secthead"><a name="doc_chap1_sect1">mls (using multiple security levels)</a></p>
<p>
The <span class="code" dir="ltr">mls</span> policy type is available but not yet supported by Gentoo
Hardened. With this policy type, it is possible to give sensitivity levels on
files and resources as well as domains. Sensitivity levels can best be expressed
in terms of <span class="emphasis">public</span>, <span class="emphasis">private</span>, <span class="emphasis">confidential</span> or <span class="emphasis">strictly
confidential</span>. With MLS, you can mark a file as one (or a set of)
sensitivity level(s) and ensure that only domains with the right sensitivity
level can access it.
</p>
<p class="secthead"><a name="doc_chap1_sect1">Switching Types</a></p>
<p>
It is not recommended to switch between types often. Ideally, you choose your
policy type at install time and stick with it. But it is not impossible (nor
that hard) to switch between types.
</p>
<p>
First, you need to edit <span class="path" dir="ltr">/etc/selinux/config</span> so that it both
switches the policy type and sets the mode to <span class="emphasis">permissive</span>. This is
necessary, since after the next reboot many labels might (or will) be incorrect.
</p>
<p>
Next, edit <span class="path" dir="ltr">/etc/fstab</span> and make sure that the domains you use there
are updated accordingly. For instance, the line for <span class="path" dir="ltr">/tmp</span>:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 2.2: Changing /etc/fstab</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
<span class="code-comment"># Example when switching from strict to mcs</span>
tmpfs  /tmp  tmpfs  defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t<span class="code-input">:c0</span>  0 0
</pre></td></tr>
</table>
<p>
When this is done, reboot your system. Log on as root, and relabel your entire
file system using <span class="code" dir="ltr">rlpkg -a -r</span>. Finally, reboot again and then verify that
your context (such as when logged on as a user) is correct again. Once you are
confident that the domains and contexts are correct, switch the SELinux policy
mode back to "enforcing".
</p>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="alttext">Page updated October 15, 2011</p></td></tr>
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>