Fedora and Red Hat have led the development of MAC (Mandatory Access Control)
based security originating from the NSA, namely SELinux. BLAG inherits this from
Fedora. The following is meant as a *very brief* introduction for the security
minded who want to use SELinux but don't know where to start.

Red Hat and Fedora provide what are called targeted policies to make life easy
for you. (A target is a policy targeted at a service, such as the web server
Apache, or an MTA such as sendmail, postfix, or exim.) This means that a package
not provided by Fedora (or inherited into BLAG) is automatically "unconfined."
To enable SELinux under BLAG, add a symbolic link /etc/sysconfig/selinux
pointing to /etc/selinux/config, and change SELINUX to "enforcing" in that
file. You will need to add the packages selinux-policy and
selinux-policy-targeted (there is also selinux-policy-mls). The first time you
do this you will get errors, because selinux is not yet enabled. Do not
despair, just reboot (selinux will label your filesystem, so this may take a
minute the first time you reboot). selinux-doc will also be helpful, as will
the _selinux man pages that describe the targets.

Make life easy on yourself and use system-config-selinux. However,
{get,set}sebool, semanage, sesearch (for audit log searching), setroubleshootd
(for the sealert hints logged to /var/log/messages), and {get,set}enforce will
also be helpful.

Some things to understand. First, every file on the system, and every process,
is labeled with a security context (provided by the user_xattr filesystem
option). There are five fields, colon-delimited. For instance, an ls -Z of the
network config file will show:

Code:
-rw-r--r-- root root system_u:object_r:etc_t /etc/sysconfig/network

Field one, ending in _u, is the user: a description of what is requesting the
resource. Field two, ending in _r, is the role (more specifically, in this
example object_r marks a generic file system object used by the system). The
third field, ending in _t, is the pointer to the policy, called the type
enforcement. There are two more fields, S and C (sensitivity and category).
Think of sensitivity as the level of security access (top secret!), and the
category as which office or department gets this access.

With getsebool -a you can view the booleans (similar to sysctl -a) that modify
policy behaviour. To get a full list of the security contexts, type semanage
fcontext -l.

To put this into the real world: if you have an ftp server, you have files
shared with public_content_t and public_content_rw_t (the latter for an
incoming directory, for instance). If you label your /var/ftp files right, the
ftp server (such as vsftpd) has no problem accessing the files. If you run into
problems, disable enforcement for that service with the _trans boolean
(ftpd_disable_trans) by toggling it on (setsebool -P ftpd_disable_trans on),
verifying your server works right, then toggling it off to troubleshoot your
selinux configuration (typically a boolean you didn't set right, or a file
context that isn't set right). To change a security context use chcon with the
option matching the field letter (-u, -r, -t, etc.). If you panic, use
restorecon on the file, and selinux will try to set the context for you
automatically. Finally, if you are running the setroubleshooter (see the
setroubleshoot-server package and the setroubleshoot init script), it will give
you a sealert command in /var/log/messages that will help you figure out why
something isn't working.
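As an added example (not code from the original post), here is a small POSIX shell script that parses contexts in the ls -Z format shown above and reports /var/ftp files whose type is not the one the targeted policy expects, printing the chcon or restorecon fix described above. The sample ls -Z output and the expected type per path (public_content_rw_t under /var/ftp/incoming, public_content_t elsewhere under /var/ftp) are constructed assumptions, so it runs without an SELinux host.

```shell
#!/bin/sh
# Added example, not code from the original post: parse SELinux contexts
# in the `ls -Z` format shown above and report /var/ftp files whose type
# is not what the targeted ftp policy expects. Runs on constructed sample
# output, so no SELinux-enabled host is needed.

# Constructed sample `ls -Z` output (assumed, not from a real host).
SAMPLE_LS_Z='-rw-r--r-- root root system_u:object_r:public_content_t /var/ftp/pub/README
drwxrwxrwx root root system_u:object_r:public_content_rw_t /var/ftp/incoming
-rw-r--r-- root root unconfined_u:object_r:user_home_t /var/ftp/pub/upload.tar.gz'

# context_field CONTEXT N: print field N of a colon-delimited context
# (1 = user, 2 = role, 3 = type, 4 = sensitivity/category level, if present)
context_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# expected_ftp_type PATH: type the policy expects under /var/ftp
# (assumption: incoming/ is writable, everything else is read-only)
expected_ftp_type() {
    case "$1" in
        /var/ftp/incoming|/var/ftp/incoming/*) echo public_content_rw_t ;;
        /var/ftp/*) echo public_content_t ;;
        *) echo "" ;;
    esac
}

# check_ftp_labels: read `ls -Z` lines from $SAMPLE_LS_Z, print one
# MISLABELLED line with a chcon/restorecon hint per bad file, then a count.
check_ftp_labels() {
    bad=0
    while read -r _perm _owner _group ctx path; do
        [ -n "$path" ] || continue
        have=$(context_field "$ctx" 3)
        want=$(expected_ftp_type "$path")
        if [ -n "$want" ] && [ "$have" != "$want" ]; then
            echo "MISLABELLED $path has type $have, expected $want" \
                 "(fix: chcon -t $want $path, or restorecon -v $path)"
            bad=$((bad + 1))
        fi
    done <<EOF
$SAMPLE_LS_Z
EOF
    echo "$bad mislabelled file(s) found"
}

check_ftp_labels
```

On a real host, replace SAMPLE_LS_Z with the output of ls -Z over /var/ftp and compare the hints against semanage fcontext -l before changing anything.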

This document was written for the BLAG forums.
Copyright (c) 2008 D E Evans. Verbatim copying, or modification, etc., under
the GFDL is permitted, as long as this notice is preserved.