[securityguide] Added a section about sepolicy Suite.

Bara Ančincová bancinco at fedoraproject.org
Sun Aug 10 23:00:06 UTC 2014


commit f18f8849b261dd608ae2c95f9bf6dc2ee7046e07
Author: Barbora Ancincova <bancinco at redhat.com>
Date:   Fri Aug 8 16:08:46 2014 +0200

    Added a section about sepolicy Suite.

 en-US/Security_Guide.xml |    3 +-
 en-US/sepolicy_Suite.xml |  354 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 356 insertions(+), 1 deletions(-)
---
diff --git a/en-US/Security_Guide.xml b/en-US/Security_Guide.xml
index f707385..7256d28 100644
--- a/en-US/Security_Guide.xml
+++ b/en-US/Security_Guide.xml
@@ -23,7 +23,8 @@
         	<xi:include href="Introduction.xml" xmlns:xi="http://www.w3.org/2001/XInclude"></xi:include>
         	<xi:include href="Contexts_and_Attributes.xml" xmlns:xi="http://www.w3.org/2001/XInclude"></xi:include>
         	<xi:include href="Targeted_Policy.xml" xmlns:xi="http://www.w3.org/2001/XInclude"></xi:include>
-        	<xi:include href="Working_With_SELinux.xml" xmlns:xi="http://www.w3.org/2001/XInclude"></xi:include>
+		<xi:include href="Working_With_SELinux.xml" xmlns:xi="http://www.w3.org/2001/XInclude"></xi:include>
+		<xi:include href="sepolicy_Suite.xml" xmlns:xi="http://www.w3.org/2001/XInclude"></xi:include>
         	<xi:include href="Managing_Users.xml" xmlns:xi="http://www.w3.org/2001/XInclude"></xi:include>
         	<xi:include href="Troubleshooting.xml" xmlns:xi="http://www.w3.org/2001/XInclude"></xi:include>
         	<xi:include href="Further_Information.xml" xmlns:xi="http://www.w3.org/2001/XInclude"></xi:include>
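Review bot: the unchanged `Working_With_SELinux.xml` include is removed and re-added only to switch its indentation from spaces-plus-tab to tabs, and the new `sepolicy_Suite.xml` include uses that same tab-only indentation, so both lines now differ from every neighbouring include. Suggest leaving the existing `Working_With_SELinux.xml` line untouched and indenting the new `<xi:include href="sepolicy_Suite.xml" .../>` line exactly like the `Managing_Users.xml` line below it, so the hunk contains only the one-line addition.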
diff --git a/en-US/sepolicy_Suite.xml b/en-US/sepolicy_Suite.xml
new file mode 100644
index 0000000..d37a896
--- /dev/null
+++ b/en-US/sepolicy_Suite.xml
@@ -0,0 +1,354 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+
+<section id="chap-Security-Enhanced_Linux-the_sepolicy_Suite">
+        <title>The <systemitem>sepolicy</systemitem> Suite</title>
+        <para>
+		The <systemitem>sepolicy</systemitem> utility provides a suite of features to query the installed SELinux policy. These features are either new or were previously provided by separate utilities, such as <systemitem>sepolgen</systemitem> or <systemitem>setrans</systemitem>. The suite allows you to generate transition reports, man pages, or even new policy modules, thus giving users easier access and better understanding of the SELinux policy.
+        </para>
+        <para>
+                The <package>policycoreutils-devel</package> package provides <systemitem>sepolicy</systemitem>. Run the following command as the root user to install <systemitem>sepolicy</systemitem>:
+        </para>
+<screen><prompt>~]#</prompt>&#160;<command>yum install policycoreutils-devel</command></screen>
+	<para>
+                The <systemitem>sepolicy</systemitem> suite provides the following features that are invoked as command-line parameters:
+        </para>
+        <table id="sepolicy_options">
+                <title>The <systemitem>sepolicy</systemitem> Features</title>
+                <tgroup cols="2">
+                        <colspec colname="c1" colnum="1" colwidth="1*" />
+                        <colspec colname="c2" colnum="2" colwidth="3*" />
+                        <thead>
+                                <row>
+                                        <entry>
+                                                Feature
+                                        </entry>
+                                        <entry>
+                                                Description
+                                        </entry>
+                                </row>
+                        </thead>
+                        <tbody>
+                                <row>
+                                        <entry>
+                                                booleans
+                                        </entry>
+                                        <entry>
+                                                Query the SELinux Policy to see description of Booleans
+                                        </entry>
+                                </row>
+                                <row>
+                                        <entry>
+                                                communicate
+                                        </entry>
+                                        <entry>
+                                                Query the SELinux policy to see if domains can communicate with each other
+                                        </entry>
+                                </row>
+                                <row>
+                                        <entry>
+                                                generate
+                                        </entry>
+                                        <entry>
+                                                Generate an SELinux policy module template
+                                        </entry>
+                                </row>
+                                <row>
+                                        <entry>
+                                                gui
+                                        </entry>
+                                        <entry>
+                                                Graphical User Interface for SELinux Policy
+                                        </entry>
+                                </row>
+                                <row>
+                                        <entry>
+                                                interface
+                                        </entry>
+                                        <entry>
+                                                List SELinux Policy interfaces
+                                        </entry>
+                                </row>
+                                <row>
+                                        <entry>
+                                                manpage
+                                        </entry>
+                                        <entry>
+                                                Generate SELinux man pages
+                                        </entry>
+                                </row>
+                                <row>
+                                        <entry>
+                                                network
+                                        </entry>
+                                        <entry>
+                                                Query SELinux policy network information
+                                        </entry>
+                                </row>
+                                <row>
+                                        <entry>
+                                                transition
+                                        </entry>
+                                        <entry>
+                                                Query SELinux policy and generate a process transition report
+                                        </entry>
+                                </row>
+                        </tbody>
+                </tgroup>
+        </table>
+        <section id="Security-Enhanced_Linux-The-sepolicy-Suite-The_sepolicy_python_bindings">
+                <title>The <systemitem>sepolicy</systemitem> Python Bindings</title>
+                <para>
+			In previous versions of &PRODUCT;, the <package>setools</package> package included the <systemitem>sesearch</systemitem> and <systemitem>seinfo</systemitem> utilities. The <systemitem>sesearch</systemitem> utility is used for searching rules in a SELinux policy while the <systemitem>seinfo</systemitem> utility allows you to query various other components in the policy.
+		</para>
+		<para>		
+			In newer versions of &PRODUCT;, Python bindings for <systemitem>sesearch</systemitem> and <systemitem>seinfo</systemitem> have been added so that you can use the functionality of these utilities via the <systemitem>sepolicy</systemitem> suite. See the example below:
+		</para>
+<screen>
+> python
+>>> import sepolicy
+>>> sepolicy.info(sepolicy.ATTRIBUTE)
+Returns a dictionary of all information about SELinux Attributes
+>>>sepolicy.search([sepolicy.ALLOW])
+Returns a dictionary of all allow rules in the policy.
+</screen>
+		
+	</section>
+	<section id="Security-Enhanced_Linux-The-sepolicy-Suite-sepolicy_generate">
+		<title>Generating SELinux Policy Modules: <command>sepolicy generate</command></title>
+
+                <para>
+                        In previous versions of &PRODUCT;, the <systemitem>sepolgen</systemitem> or <systemitem>selinux-polgengui</systemitem> utilities were used for generating a SELinux policy. These tools have been merged to the <systemitem>sepolicy</systemitem> suite and the <systemitem>sepolicy generate</systemitem> command is used to generate an initial SELinux policy module template. 
+                </para>
+                <para>           
+			Unlike <systemitem>sepolgen</systemitem>, it is not necessary to run <command>sepolicy generate</command> as the root user. This utility also creates an RPM spec file, which can be used to build an RPM package that installs the policy package file (<filename><replaceable>NAME</replaceable>.pp</filename>) and the interface file (<filename><replaceable>NAME</replaceable>.if</filename>) to the correct location, provides installation of the SELinux policy into the kernel, and fixes the labeling. The setup script continues to install SELinux policy and sets up the labeling. In addition, a manual page based on the installed policy is generated using the <command>sepolicy manpage</command> command.<footnote>
+			        <para>
+			                See <xref linkend="Security-Enhanced_Linux-The-sepolicy-Suite-sepolicy_manpage"/> for more information about <systemitem>sepolicy manpage</systemitem>.
+			        </para>
+			</footnote> Finally, <command>sepolicy generate</command> builds and compiles the SELinux policy and the manual page into an RPM package, ready to be installed on other systems.
+		</para>
+
+		<para>
+			When <systemitem>sepolicy generate</systemitem> is executed, the following files are produced:
+		</para>
+
+                        <variablelist>
+                                <varlistentry>
+                                        <term><filename><replaceable>NAME</replaceable>.te</filename> &ndash; type enforcing file</term>
+                                        <listitem>
+                                                <para>
+                                                        This file defines all the types and rules for a particular domain.
+                                                </para>
+                                        </listitem>
+                                </varlistentry>
+                                <varlistentry>
+                                        <term><filename><replaceable>NAME</replaceable>.if</filename> &ndash; interface file</term>
+                                        <listitem>
+                                                <para>
+                                                        This file defines the default file context for the system. It takes the file types created in the <filename>NAME.te</filename> file and associates file paths to the types. Utilities, such as <systemitem>restorecon</systemitem> and <systemitem>rpm</systemitem>, use these paths to write labels.
+                                                </para>
+                                        </listitem>
+                                </varlistentry>
+                                <varlistentry>
+                                        <term><filename><replaceable>NAME</replaceable>_selinux.spec</filename> &ndash; RPM spec file</term>
+                                        <listitem>
+                                                <para>
+                                                        This file is an RPM spec file that installs SELinux policy and sets up the labeling. This file also installs the interface file and a man page describing the policy. You can use the <command>sepolicy manpage -d <replaceable>NAME</replaceable></command> command to generate the man page.
+                                                </para>
+                                        </listitem>
+                                </varlistentry>
+                                <varlistentry>
+                                        <term><filename><replaceable>NAME</replaceable>.sh</filename> &ndash; helper shell script</term>
+                                        <listitem>
+                                                <para>
+                                                        This script helps to compile, install, and fix the labeling on the system. It also generates a man page based on the installed policy, compiles, and builds an RPM package suitable to be installed on other systems.
+                                                </para>
+                                        </listitem>
+                                </varlistentry>
+			</variablelist>
+                <para>
+                        If it is possible to generate an SELinux policy module, <systemitem>sepolicy generate</systemitem> prints out all generated paths from the source domain to the target domain. See the <citerefentry><refentrytitle>sepolicy-generate</refentrytitle><manvolnum>8</manvolnum></citerefentry> manual page for further information about <systemitem>sepolicy generate</systemitem>.
+                </para>
+                
+        </section>
+        <section id="Security-Enhanced_Linux-The-sepolicy-Suite-sepolicy_transition">
+                <title>Understanding Domain Transitions: <command>sepolicy transition</command></title>
+                <para>
+                        Previously, the <systemitem>setrans</systemitem> utility was used to examine if transition between two domain or process types is possible and printed out all intermediary types that are used to transition between these domains or processes. Now, <systemitem>setrans</systemitem> is provided as part of the <systemitem>sepolicy</systemitem> suite and the <systemitem>sepolicy transition</systemitem> command is now used instead.
+                </para>
+                <para>
+                        The <systemitem>sepolicy transition</systemitem> command queries a SELinux policy and creates a process transition report. The <command>sepolicy transition</command> command requires two command-line arguments &ndash; a source domain (specified by the <option>-s</option> option) and a target domain (specified by the <option>-t</option> option). If only the source domain is entered, <systemitem>sepolicy transition</systemitem> lists all possible domains that the source domain can transition to. The following output does not contain all entries. The <quote>@</quote> character means <quote>execute</quote>:
+		</para>
+<screen>
+<prompt>~]$</prompt>&#160;<command>sepolicy transition -s httpd_t</command>
+httpd_t @ httpd_suexec_exec_t --> httpd_suexec_t
+httpd_t @ mailman_cgi_exec_t --> mailman_cgi_t
+httpd_t @ abrt_retrace_worker_exec_t --> abrt_retrace_worker_t
+httpd_t @ dirsrvadmin_unconfined_script_exec_t --> dirsrvadmin_unconfined_script_t
+httpd_t @ httpd_unconfined_script_exec_t --> httpd_unconfined_script_t
+</screen>
+                <para>
+                        If the target domain is specified, <systemitem>sepolicy transition</systemitem> examines SELinux policy for all transition paths from the source domain to the target domain and lists these paths. The output below is not complete:
+		</para>
+
+<screen>
+<prompt>~]$</prompt>&#160;<command>sepolicy transition -s httpd_t -t system_mail_t</command>
+httpd_t @ exim_exec_t --> system_mail_t
+httpd_t @ courier_exec_t --> system_mail_t
+httpd_t @ sendmail_exec_t --> system_mail_t
+httpd_t ... httpd_suexec_t @ sendmail_exec_t --> system_mail_t
+httpd_t ... httpd_suexec_t @ exim_exec_t --> system_mail_t
+httpd_t ... httpd_suexec_t @ courier_exec_t --> system_mail_t
+httpd_t ... httpd_suexec_t ... httpd_mojomojo_script_t @ sendmail_exec_t --> system_mail_t
+</screen>
+                <para>
+                        See the <citerefentry><refentrytitle>sepolicy-transition</refentrytitle><manvolnum>8</manvolnum></citerefentry> manual page for further information about <systemitem>sepolicy transition</systemitem>.
+                </para>
+                               
+        </section>
+        <section id="Security-Enhanced_Linux-The-sepolicy-Suite-sepolicy_manpage">
+                <title>Generating Manual Pages: <command>sepolicy manpage</command></title>
+                <para>
+                        The <systemitem>sepolicy manpage</systemitem> command generates manual pages based on the SELinux policy that document process domains. As a result, such documentation is always up-to-date. Each name of automatically generated manual pages consists of the process domain name and the <literal>_selinux</literal> suffix, for example <literal>httpd_selinux</literal>.
+                </para>
+                <para>
+                        The manual pages include several sections that provide information about various parts of the SELinux policy for confined domains:
+                </para>
+                <itemizedlist>
+                        <listitem>
+                                <para>
+                                        The <literal>Entrypoints</literal> section contains all executable files that need to be executed during a domain transition.
+                                </para>
+                        </listitem>
+                        <listitem>
+                                <para>
+                                        The <literal>Process Types</literal> section lists all process types that begin with the same prefix as the target domain.
+                                </para>
+                        </listitem>
+                        <listitem>
+                                <para>
+                                        The <literal>Booleans</literal> section lists Booleans associated with the domain.
+                                </para>
+                        </listitem>
+                        <listitem>
+                                <para>
+                                        The <literal>Port Types</literal> section contains the port types matching the same prefix as the domain and describes the default port numbers assigned to these port types.
+                                </para>
+                        </listitem>
+                        <listitem>
+                                <para>
+                                       The <literal>Managed Files</literal> section describes the types that the domain is allowed to write to and the default paths associated with these types.
+                                </para>
+                        </listitem>
+
+                        <listitem>
+                                <para>
+                                        The <literal>File Contexts</literal> section contains all file types associated with the domain and describes how to use these file types along with the default path labeling on a system.
+                                </para>
+                        </listitem>
+
+                        <listitem>
+                                <para>
+                                        The <literal>Sharing Files</literal> section explains how to use the domain sharing types, such as <systemitem>public_content_t</systemitem>.
+                                </para>
+                        </listitem>
+                </itemizedlist>
+                <para>
+                       See the <citerefentry><refentrytitle>sepolicy-manpage</refentrytitle><manvolnum>8</manvolnum></citerefentry> manual page for further information about <systemitem>sepolicy manpage</systemitem>. 
+                </para>
+	</section>
+	       <section id="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Management">
+	       <title>Manage SELinux Graphically <command>sepolicy gui</command></title>
+	       <para>
+	       	<remark>WIP</remark>
+	</para>
+	<para>
+		It is possible to manage SELinux graphically using the SELinux GUI interface, which is provided by the <package>policycoreutils-gui</package> package. This package is not installed by default. To install it, run the following command as root:
+	</para>
+	<screen>~]#&#160;<command>yum install policycoreutils-gui</command></screen>
+	<para>
+		To launch the GUI interface either run the <command>sepolicy gui</command> command or navigate through the <guimenu>Applications</guimenu> menu to the <guisubmenu>Other</guisubmenu> submenu and then select <application>SELinux Policy Management Tool</application>.
+	</para>
+	<!--<para>
+		The SELinux GUI consists of three separate utilities:
+	</para>
+	<variablelist>
+		<varlistentry>
+			<term><application>SELinux Management</application> <remark>SELinux Administration</remark></term>
+			<listitem>
+				<para>
+					This utility allows you to manage SELinux, for example: <remark>are these tasks that can be done by semanage?</remark>
+					<itemizedlist>
+						<listitem>
+							<para>
+								Set up SELinux modes and the default SELinux policy type (see <xref linkend="sect-Security-Enhanced_Linux-Introduction-SELinux_Modes" /> and <xref linkend="chap-Security-Enhanced_Linux-Targeted_Policy" />)
+							</para>
+						</listitem>
+						<listitem>
+							<para>
+								Enable or disable Booleans (see <xref linkend="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans" />)
+							</para>
+						</listitem>
+						<listitem>
+							<para>
+								Manage file labels (see <xref linkend="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files" />)
+							</para>
+						</listitem>
+						<listitem>
+							<para>
+								Add, edit, or delete user mappings (see <xref linkend="chap-Security-Enhanced_Linux-Confining_Users" />)
+							</para>
+						</listitem>
+						<listitem>
+							<para>
+								Manage SELinux users (see <xref linkend="chap-Security-Enhanced_Linux-Confining_Users" />)
+							</para>
+						</listitem>
+						<listitem>
+							<para>
+								Maintain network ports for services (see <xref linkend="brid-Security-Enhanced_Linux-How_are_Confined_Services_Running-Port_Numbers" />)
+							</para>
+						</listitem>
+						<listitem>
+							<para>
+								Manage policy modules (see <xref linkend="Security-Enhanced_Linux-The-sepolicy-Suite-sepolicy_generate" />)
+							</para>
+						</listitem>
+						<listitem>
+							<para>
+								List process domains and set SELinux mode for a particular domain to permissive or enforcing (see <remark>what chapter?</remark>)
+							</para>
+						</listitem>
+					</itemizedlist>
+				</para>
+				<para>
+					To launch this utility, navigate through the <guimenu>Applications</guimenu> menu to the <guisubmenu>Other</guisubmenu> submenu and then select <application>SELinux Management</application>. Note that the root password is required to use <application>SELinux Management</application>.
+				</para>
+			</listitem>
+		</varlistentry>
+		<varlistentry>
+			<term><application>SELinux Policy Management Tool</application> <remark>SELinux Configuration</remark></term>
+			<listitem>
+				<para>
+					<remark>TBD</remark>	
+				</para>
+				<para>
+					To launch this utility, navigate through the <guimenu>Applications</guimenu> menu to the <guisubmenu>Other</guisubmenu> submenu and then select <application>SELinux Policy Management Tool</application>. 
+				</para>
+			</listitem>
+		</varlistentry>
+		<varlistentry>
+			<term><application>SELinux Policy Generation Tool</application></term>
+			<listitem>
+				<para>
+					<remark>TBD</remark>
+				</para>
+				<para>
+					To launch this utility, navigate through the <guimenu>Applications</guimenu> menu to the <guisubmenu>System Tools</guisubmenu> submenu and then select <application>SELinux Policy Generation Tool</application>.
+				</para>
+			</listitem>
+		</varlistentry>
+	</variablelist>-->
+       </section>
+</section>
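Review bot: the `NAME.if` entry in the variablelist describes the wrong file: its term says "interface file", but the text `This file defines the default file context for the system. It takes the file types created in the NAME.te file and associates file paths to the types.` describes the file-context file (`NAME.fc`), which `sepolicy generate` also writes but which is missing from the list. Suggest adding a `NAME.fc` entry with that text and rewriting the `NAME.if` entry to say it declares the interfaces other policy modules use to interact with the new domain. The closing paragraph of the generate section (`If it is possible to generate an SELinux policy module, sepolicy generate prints out all generated paths from the source domain to the target domain.`) describes what `sepolicy transition` does, not `sepolicy generate`, and should be dropped or moved to the transition section. Smaller points: the DOCTYPE declares `chapter` while the root element is `<section>` with a `chap-` id; the Python screen uses a `> python` prompt and `>>>sepolicy.search(...)` lacks the space after the prompt, and its "Returns a dictionary ..." lines read as prose rather than interpreter output; the `sepolicy gui` section still carries `<remark>WIP</remark>`, an id (`sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Management`) that does not follow the sibling sections' naming, a title missing the colon the other subsection titles use, and an 80-line commented-out variablelist with `TBD` remarks, so that section should probably be finished or held back before merging.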

