[securityguide] Updated Working with SELinux with new content from RHEL7.

Bara Ančincová bancinco at fedoraproject.org
Sun Aug 10 23:00:01 UTC 2014


commit cc77efa99b67339b28ae24f25e22dabb9ff61d49
Author: Barbora Ancincova <bancinco at redhat.com>
Date:   Fri Aug 8 15:56:45 2014 +0200

    Updated Working with SELinux with new content from RHEL7.

 en-US/Managing_Users.xml                |    6 +-
 en-US/Working_With_SELinux.xml          | 2443 ++++++++++++++++++++-----------
 en-US/images/security-intro-to-mls.png  |  Bin 0 -> 19654 bytes
 en-US/images/security-mls-data-flow.png |  Bin 0 -> 14986 bytes
 4 files changed, 1606 insertions(+), 843 deletions(-)
---
diff --git a/en-US/Managing_Users.xml b/en-US/Managing_Users.xml
index e2b3a9b..66cc315 100644
--- a/en-US/Managing_Users.xml
+++ b/en-US/Managing_Users.xml
@@ -250,9 +250,9 @@ s0-s0:c0.c1023 __default__
 $ /usr/sbin/getenforce
 Enforcing
 </screen>
-				<para>
-					If this is not the case, refer to <xref linkend="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes" /> for information about changing to enforcing mode. It is not possible to log in with this account if SELinux is in permissive mode or disabled.
-				</para>
+<!--	<para>
+					If this is not the case, refer to <xref linkend="" /> for information about changing to enforcing mode. It is not possible to log in with this account if SELinux is in permissive mode or disabled.
+				</para> -->
 			</listitem>
 			<listitem>
 				<para>
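Review bot: the commented-out `<para>` leaves a dangling `<xref linkend="" />` inside the comment and drops the one sentence of this step readers most need, that the account cannot log in when SELinux is permissive or disabled. Either delete the dead comment outright or restore the paragraph with the xref pointed at a valid section id (the old `linkend` was emptied rather than updated), so the mode requirement stays visible to the reader.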
diff --git a/en-US/Working_With_SELinux.xml b/en-US/Working_With_SELinux.xml
index ec7bba1..59fd331 100644
--- a/en-US/Working_With_SELinux.xml
+++ b/en-US/Working_With_SELinux.xml
@@ -3,138 +3,167 @@
 ]>
 
 <section id="sect-Security-Enhanced_Linux-Working_with_SELinux">
-	<title>Working with SELinux</title>
+        <title>Working with SELinux</title>
+        <para>
+	        The following sections give a brief overview of the main SELinux packages in &PRODUCT;; installing and updating packages; which log files are used; the main SELinux configuration file; enabling and disabling SELinux; SELinux modes; configuring Booleans; temporarily and persistently changing file and directory labels; overriding file system labels with the <command>mount</command> command; mounting NFS volumes; and how to preserve SELinux contexts when copying and archiving files and directories.
+        </para>
+
+        <section id="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Packages">
+	        <title>SELinux Packages</title>
+	        <para>
+		        In &PRODUCT; full installation, the SELinux packages are installed by default unless they are manually excluded during installation. If performing a minimal installation in text mode, the <package>policycoreutils-python</package> and the <package>policycoreutils-gui</package> package are not installed by default. Also, by default, SELinux runs in enforcing mode and the SELinux targeted policy is used. The following SELinux packages are installed on your system by default:
+	        </para>
+	        <itemizedlist>
+		        <listitem>
+			        <para>
+				        <package>policycoreutils</package> provides utilities such as <systemitem>restorecon</systemitem>, <systemitem>secon</systemitem>, <systemitem>setfiles</systemitem>, <systemitem>semodule</systemitem>, <systemitem>load_policy</systemitem>, and <systemitem>setsebool</systemitem>, for operating and managing SELinux.
+			        </para>
+		</listitem>
+		<listitem>
+			<para>
+                                <package>selinux-policy</package> provides configuration for the SELinux Reference policy. The SELinux Reference Policy is a complete SELinux policy, and is used as a basis for other policies, such as the SELinux targeted policy; refer to the Tresys Technology <ulink url="http://oss.tresys.com/projects/refpolicy">SELinux Reference Policy</ulink> page for further information. This package contains the <filename>selinux-policy.conf</filename> file and RPM macros.
+                        </para>
+                </listitem>
+                <listitem>
+			<para>
+				<package>selinux-policy-targeted</package> provides the SELinux targeted policy.
+			</para>
+		</listitem>
+		<listitem>
+			  <para>
+				<package>libselinux</package> &ndash; provides an API for SELinux applications.
+			  </para>
+		</listitem>
+		<listitem>
+			  <para>
+                                  <package>libselinux-utils</package> provides the <systemitem>avcstat</systemitem>, <systemitem>getenforce</systemitem>, <systemitem>getsebool</systemitem>, <systemitem>matchpathcon</systemitem>, <systemitem>selinuxconlist</systemitem>, <systemitem>selinuxdefcon</systemitem>, <systemitem>selinuxenabled</systemitem>, and <systemitem>setenforce</systemitem> utilities.
+	</para>
+		</listitem>
+		<listitem>
+			  <para>
+				<package>libselinux-python</package> provides Python bindings for developing SELinux applications.
+			  </para>
+		</listitem>
+	</itemizedlist>
+
 	<para>
-		The following sections give a brief overview of the main SELinux packages in &PRODUCT;, installing and updating packages, which log files are used, the main SELinux configuration file, enabling and disabling SELinux, SELinux modes, configuring Booleans, temporarily and persistently changing file and directory labels, overriding file system labels with the <command>mount</command> command, mounting NFS file systems, and how to preserve SELinux contexts when copying and archiving files and directories.
+	 	 The following packages are not installed by default but can be optionally installed by running the <command>yum&#160;install&#160;<replaceable>&lt;package-name&gt;</replaceable></command> command:
 	</para>
-	<section id="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Packages">
-		<title>SELinux Packages</title>
-		<para>
-			In &PRODUCT;, the SELinux packages are installed by default in a full installation, unless they are manually excluded during installation. If performing a minimal installation in text mode, the <package>policycoreutils-python</package> package will not be installed by default. Also, by default, SELinux targeted policy is used, and SELinux runs in enforcing mode. The following is a brief description of the main SELinux packages:
-		</para>
-		<para>
-			<package>policycoreutils-python</package>: provides utilities such as <command>semanage</command>, <command>audit2allow</command>, <command>audit2why</command> and <command>chcat</command>, for operating and managing SELinux.
-		</para>
-		<para>
-			<package>policycoreutils</package>: provides utilities such as <command>restorecon</command>, <command>secon</command>, <command>setfiles</command>, <command>semodule</command>, <command>load_policy</command>, and <command>setsebool</command>, for operating and managing SELinux.
-		</para>
-		<para>
-			<package>policycoreutils-gui</package>: provides <command>system-config-selinux</command>, a graphical tool for managing SELinux.
-		</para>
-		<para>
-			<package>selinux-policy</package>: provides the SELinux Reference Policy. The SELinux Reference Policy is a complete SELinux policy, and is used as a basis for other policies, such as the SELinux targeted policy. Refer to the Tresys Technology <ulink url="http://oss.tresys.com/projects/refpolicy">SELinux Reference Policy</ulink> page for further information. The <package>selinux-policy-devel</package> package provides development tools, such as <command>/usr/share/selinux/devel/policygentool</command> and <command>/usr/share/selinux/devel/policyhelp</command>, as well as example policy files. This package was merged into the <package>selinux-policy</package> package.
-		</para>
-		<para>
-			<package>selinux-policy-<replaceable>policy</replaceable></package>: provides SELinux policies. For targeted policy, install <package>selinux-policy-targeted</package>. For MLS, install <package>selinux-policy-mls</package>. 
-		</para>
-		<para>
-			<package>setroubleshoot-server</package>: translates denial messages, produced when access is denied by SELinux, into detailed descriptions that are viewed with <command>sealert</command> (which is provided by this package).
-		</para>
-		<para>
-			<package>setools</package>, <package>setools-gui</package>, and <package>setools-console</package>: these packages provide the <ulink url="http://oss.tresys.com/projects/setools">Tresys Technology SETools distribution</ulink>, a number of tools and libraries for analyzing and querying policy, audit log monitoring and reporting, and file context management<footnote>
-			<para>
-				Brindle, Joshua. "Re: blurb for fedora setools packages" Email to Murray McAllister. 1 November 2008. Any edits or changes in this version were done by Murray McAllister.
-			</para>
-			</footnote>. The <package>setools</package> package is a meta-package for SETools. The <package>setools-gui</package> package provides the <command>apol</command>, <command>seaudit</command>, and <command>sediffx</command> tools. The <package>setools-console</package> package provides the <command>seaudit-report</command>, <command>sechecker</command>, <command>sediff</command>, <command>seinfo</command>, <command>sesearch</command>, <command>findcon</command>, <command>replcon</command>, and <command>indexcon</command> command line tools. Refer to the <ulink url="http://oss.tresys.com/projects/setools">Tresys Technology SETools</ulink> page for information about these tools.
-		</para>
-		<para>
-			<package>libselinux-utils</package>: provides the <command>avcstat</command>, <command>getenforce</command>, <command>getsebool</command>, <command>matchpathcon</command>, <command>selinuxconlist</command>, <command>selinuxdefcon</command>, <command>selinuxenabled</command>, <command>setenforce</command>, <command>togglesebool</command> tools.
-		</para>
-		<para>
-			<package>mcstrans</package>: translates levels, such as <computeroutput>s0-s0:c0.c1023</computeroutput>, to an easier to read form, such as <computeroutput>SystemLow-SystemHigh</computeroutput>. This package is not installed by default.
-		</para>
-		<para>
-			To install packages in &PRODUCT;, as the Linux root user, run the <command>yum install <replaceable>package-name</replaceable></command> command. For example, to install the <package>mcstrans</package> package, run the <command>yum install mcstrans</command> command. To upgrade all installed packages in &PRODUCT;, run the <command>yum update</command> command.
-		</para>
-		<para>
-			Refer to <ulink url="http://docs.fedoraproject.org/yum/en/">Managing Software with yum</ulink><footnote>
-			<para>
-				Managing Software with yum, written by Stuart Ellis, edited by Paul W. Frields, Rodrigo Menezes, and Hugo Cisneiros.
-			</para>
-			</footnote> for further information about using <command>yum</command> to manage packages.
-		</para>
-		<note>
-			<para>
-				In previous versions of &PRODUCT;, the <package>selinux-policy-devel</package> package is required when making a local policy module with <command>audit2allow -M</command>.
-			</para>
-		</note>
-	</section>
-	
-	<section id="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used">
-		<title>Which Log File is Used</title>
-		<para>
-			In &PRODUCT;&nbsp;&PRODVER;, the <package>dbus</package>, <package>setroubleshoot-server</package> and <package>audit</package> packages are installed if packages are not removed from the default package selection.
-		</para>
-		<para>
-			SELinux denial messages, such as the following, are written to <filename>/var/log/audit/audit.log</filename> by default:
-		</para>
-		
-<screen>type=AVC msg=audit(1223024155.684:49): avc:  denied  { getattr } for  pid=2000 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=399185 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file
-</screen>
-		<para>
-			Also, if <systemitem class="daemon">setroubleshootd</systemitem> is running, denial messages from <filename>/var/log/audit/audit.log</filename> are translated to an easier-to-read form and sent to <filename>/var/log/messages</filename>:
-		</para>
-		
-<screen>May  7 18:55:56 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l de7e30d6-5488-466d-a606-92c9f40d316d
-</screen>
-		<para>
-			In &PRODUCT;&nbsp;&PRODVER;, <systemitem class="daemon">setroubleshootd</systemitem> no longer constantly runs as a service, however it is still used to analyze the AVC messages. Two new programs act as a method to start setroubleshoot when needed: <systemitem class="daemon">sedispatch</systemitem> and <systemitem class="daemon">seapplet</systemitem>. <systemitem class="daemon">sedispatch</systemitem> runs as part of the audit subsystem, and via <systemitem class="daemon">dbus</systemitem>, sends a message when an AVC denial occurs, which will go straight to <systemitem class="daemon">setroubleshootd</systemitem> if it is already running, or it will start <systemitem class="daemon">setroubleshootd</systemitem> if it is not running. <systemitem class="daemon">seapplet</systemitem> is a tool which runs in the system's toolbar, waiting for dbus messages in <systemitem class="daemon">setroubleshootd</systemitem>, and will launch the notification bubble, allowing the user to r
 eview the denial.
-		</para>
-		<para>
-			Denial messages are sent to a different location, depending on which daemons are running:
-		</para>
-		<segmentedlist>
-			<segtitle>Daemon</segtitle>
-			<segtitle>Log Location</segtitle>
-			<seglistitem>
-				<seg>auditd on</seg>
-				<seg><filename>/var/log/audit/audit.log</filename></seg>
-			</seglistitem>
-			<seglistitem>
-				<seg>auditd off; rsyslogd on</seg>
-				<seg><filename>/var/log/messages</filename></seg>
-			</seglistitem>
-			<seglistitem>
-				<seg>rsyslogd and auditd on</seg>
-				<seg><filename>/var/log/audit/audit.log</filename>. Easier-to-read denial messages also sent to <filename>/var/log/messages</filename></seg>
-			</seglistitem>
-		</segmentedlist>
-		<formalpara id="form-Security-Enhanced_Linux-Which_Log_File_is_Used-Starting_Daemons_Automatically">
-			<title>Starting Daemons Automatically</title>
-			<para>
-				To configure the <systemitem class="daemon">auditd</systemitem>, <systemitem class="daemon">rsyslogd</systemitem>, and <systemitem class="daemon">setroubleshootd</systemitem> daemons to automatically start at boot, run the following commands as the Linux root user:
-			</para>
-		</formalpara>
-<screen>/sbin/chkconfig --levels 2345 auditd on
-</screen>
-		
-<screen>/sbin/chkconfig --levels 2345 rsyslog on
-</screen>
-		<para>
-			Use the <command>service <replaceable>service-name</replaceable> status</command> command to check if these services are running, for example:
-		</para>
-		
+
+        <itemizedlist>
+                <listitem>
+                        <para>
+                                <package>selinux-policy-devel</package> provides utilities for creating a custom SELinux policy and policy modules. It also contains manual pages that describe how to configure SELinux altogether with various services.
+                        </para>
+                </listitem>
+	        <listitem>
+		        <para>
+	      		        <package>selinux-policy-mls</package> provides the MLS (Multi-Level Security) SELinux policy.
+		        </para>
+	        </listitem>
+	        <listitem>
+		        <para>
+	  		        <package>setroubleshoot-server</package> translates denial messages, produced when access is denied by SELinux, into detailed descriptions that can be viewed with the <command>sealert</command> utility, also provided in this package.
+		        </para>
+	        </listitem>
+	        <listitem>
+	    	        <para>
+			        <package>setools-console</package> provides the <ulink url="http://oss.tresys.com/projects/setools">Tresys Technology SETools distribution</ulink>, a number of utilities and libraries for analyzing and querying policy, audit log monitoring and reporting, and file context management.
+			
+			<!-- <footnote>
+	  			<para>
+					Brindle, Joshua. "Re: blurb for fedora setools packages" Email to Murray McAllister. 1 November 2008. Any edits or changes in this version were done by Murray McAllister.
+				</para>
+			</footnote> -->
+
+			        The <package>setools</package> package is a meta-package for SETools. The <package>setools-gui</package> package provides the <systemitem>apol</systemitem> and <systemitem>seaudit</systemitem> utilities. The <package>setools-console</package> package provides the <systemitem>sechecker</systemitem>, <systemitem>sediff</systemitem>, <systemitem>seinfo</systemitem>, <systemitem>sesearch</systemitem>, and <systemitem>findcon</systemitem> command-line utilities. Refer to the <ulink url="http://oss.tresys.com/projects/setools">Tresys Technology SETools</ulink> page for information about these utilities. Note that <package>setools</package> and <package>setools-gui</package> packages are available only when the Red&nbsp;Hat Network Optional channel is enabled. For further information, see <ulink url="https://access.redhat.com/site/support/offerings/production/scope_moredetail">Scope of Coverage Details</ulink>.
+		        </para>
+	        </listitem>
+	        <listitem>
+		        <para>
+		                <package>mcstrans</package> translates levels, such as <systemitem>s0-s0:c0.c1023</systemitem>, to a form that is easier to read, such as <computeroutput>SystemLow-SystemHigh</computeroutput>.
+		        </para>
+	        </listitem>
+	        <listitem>
+		        <para>
+		                <package>policycoreutils-python</package> provides utilities such as <command>semanage</command>, <command>audit2allow</command>, <command>audit2why</command>, and <command>chcat</command>, for operating and managing SELinux.
+		        </para>
+	        </listitem>
+	        <listitem>
+	  	        <para>
+		                <package>policycoreutils-gui</package> provides <command>system-config-selinux</command>, a graphical utility for managing SELinux.
+		        </para>
+	        </listitem>
+	        </itemizedlist>
+        </section>
+
+        <section id="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used">
+	        <title>Which Log File is Used</title>
+	        <para>
+		        In &PRODUCT;, the <package>dbus</package> and <package>audit</package> packages are installed by default, unless they are removed from the default package selection. The <package>setroubleshoot-server</package> must be installed via Yum (use the <command>yum&#160;install&#160;setroubleshoot</command> command).
+	        </para>
+	        <para>
+		        If the <systemitem class="daemon">auditd</systemitem> daemon is running, an SELinux denial message, such as the following, is written to <filename>/var/log/audit/audit.log</filename> by default:
+	        </para>
 <screen>
-$ /sbin/service auditd status
-auditd (pid  <replaceable>1318</replaceable>) is running...
+type=AVC msg=audit(1223024155.684:49): avc:  denied  { getattr } for  pid=2000 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=399185 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file
 </screen>
-		<para>
-			If the above services are not running (<computeroutput><replaceable>service-name</replaceable> is stopped</computeroutput>), use the <command>service <replaceable>service-name</replaceable> start</command> command as the Linux root user to start them. For example:
-		</para>
-		
+                <para>
+                        In addition, a message similar to the one below is written to the <filename>/var/log/message</filename> file:
+                </para>
 <screen>
-# /sbin/service auditd start
-Starting auditd:                                  [  OK  ]
-</screen>
-	</section>
-	
+May 7 18:55:56 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l de7e30d6-5488-466d-a606-92c9f40d316d
+</screen>
+	        <para>
+                        In &PRODUCT; &PRODVER;, <systemitem class="daemon">setroubleshootd</systemitem> no longer constantly runs as a service. However, it is still used to analyze the AVC messages. Two new programs act as a method to start <systemitem>setroubleshoot</systemitem> when needed:
+                <itemizedlist>
+                        <listitem>
+                                <para>
+                                        The <systemitem>sedispatch</systemitem> utility runs as a part of the <systemitem>audit</systemitem> subsystem. When an AVC denial message is returned, <systemitem>sedispatch</systemitem> sends a message using <systemitem>dbus</systemitem>. These messages go straight to <systemitem class="daemon">setroubleshootd</systemitem> if it is already running. If it is not running, <systemitem>sedispatch</systemitem> starts it automatically.
+                                </para>
+                        </listitem>
+                        <listitem>
+                                <para>
+                                        The <systemitem>seapplet</systemitem> utility runs in the system toolbar, waiting for dbus messages in <systemitem class="daemon">setroubleshootd</systemitem>. It launches the notification bubble, allowing the user to review AVC messages.
+                                </para>
+                        </listitem>
+                </itemizedlist>
+	        </para>
+                <procedure id="proc-Security-Enhanced_Linux-Which_Log_File_is_Used-Starting_Daemons_Automatically">
+                        <title>Starting Daemons Automatically</title>
+                        <para>
+                                To configure the <systemitem class="daemon">auditd</systemitem> and <systemitem class="daemon">rsyslogd</systemitem> daemons to automatically start at boot, run the following commands as the root user:
+                        </para>
+                        <step>
+<screen><prompt>~]#</prompt>&#160;<command>chkconfig --levels 2345 auditd on</command></screen>
+<screen><prompt>~]#</prompt>&#160;<command>chkconfig --levels 2345 rsyslog on</command></screen>
+                        </step>
+                        <step>
+                                <para>
+			                Use the <command>systemctl status <replaceable>service-name</replaceable>.service</command> command to check if these services are running, for example:
+		                </para>
+<screen>
+<prompt>~]#</prompt>&#160;<command>systemctl status auditd.service</command>
+auditd.service - Security Auditing Service
+   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled)
+   Active: active (running) since Thu 2013-08-15 09:10:37 CEST; 23min ago
+</screen>    
+                        </step>
+                        <step>
+                                <para>
+			                If the above services are not running (<computeroutput>Active: inactive (dead)</computeroutput>), use the <command>systemctl start <replaceable>service-name</replaceable>.service</command> command as root to start them. For example:
+		                </para>
+<screen><prompt>~]#</prompt>&#160;<command>systemctl start auditd.service</command></screen>
+                        </step>
+                </procedure>
+        </section>
 	<section id="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File">
 		<title>Main Configuration File</title>
 		<para>
 			The <filename>/etc/selinux/config</filename> file is the main SELinux configuration file. It controls the SELinux mode and the SELinux policy to use:
 		</para>
-		
-<screen># This file controls the state of SELinux on the system.
+<screen>
+# This file controls the state of SELinux on the system.
 # SELINUX= can take one of these three values:
 #       enforcing - SELinux security policy is enforced.
 #       permissive - SELinux prints warnings instead of enforcing.
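Review bot: the new "Which Log File is Used" text has two factual slips and one inconsistency. The file name `/var/log/message` should be `/var/log/messages`, and the install hint `yum install setroubleshoot` names a different package than the `setroubleshoot-server` package the sentence is about. In the "Starting Daemons Automatically" procedure, step 1 still uses `chkconfig --levels 2345 ... on` while steps 2 and 3 use `systemctl status` and `systemctl start`; on a systemd-based RHEL 7 system the matching command is `systemctl enable auditd.service` (and likewise for rsyslog). Also note that the removed `<segmentedlist>` mapping which daemon is running to where denials land has no replacement, so the new text only covers the auditd-running case; and the `libselinux` item reads `<package>libselinux</package> &ndash; provides ...` while every other item omits the dash.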
@@ -158,14 +187,14 @@ SELINUXTYPE=targeted
 				<term><computeroutput>SELINUXTYPE=targeted</computeroutput></term>
 				<listitem>
 					<para>
-						The <option>SELINUXTYPE</option> option sets the SELinux policy to use. Targeted policy is the default policy. Only change this option if you want to use the MLS policy. To use the MLS policy, install the <package>selinux-policy-mls</package> package; configure <option>SELINUXTYPE=mls</option> in <filename>/etc/selinux/config</filename>; and reboot your system.
+						The <option>SELINUXTYPE</option> option sets the SELinux policy to use. Targeted policy is the default policy. Only change this option if you want to use the MLS policy. For information on how to enable the MLS policy, refer to <xref linkend="enabling-mls-in-selinux"/>.
 					</para>
 				</listitem>
 			</varlistentry>
 		</variablelist>
 		<important>
 			<para>
-				When systems run with SELinux in permissive or disabled mode, users have permission to label files incorrectly. Also, files created while SELinux is disabled are not labeled. This causes problems when changing to enforcing mode. To prevent incorrectly labeled and unlabeled files from causing problems, file systems are automatically relabeled when changing from disabled mode to permissive or enforcing mode.
+				When systems run with SELinux in permissive or disabled mode, users have permission to label fies incorrectly. Also, files created while SELinux is disabled are not labeled. This causes problems when changing to enforcing mode. To prevent incorrectly labeled and unlabeled files from causing problems, file systems are automatically relabeled when changing from disabled mode to permissive or enforcing mode.
 			</para>
 		</important>
 	</section>
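Review bot: the only change to the `<important>` paragraph is a typo, "label fies incorrectly" in place of "label files incorrectly"; revert that line to the original wording.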
@@ -173,37 +202,35 @@ SELINUXTYPE=targeted
 	<section id="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux">
 		<title>Enabling and Disabling SELinux</title>
 		<para>
-			Use the <command>/usr/sbin/getenforce</command> or <command>/usr/sbin/sestatus</command> commands to check the status of SELinux. The <command>getenforce</command> command returns <computeroutput>Enforcing</computeroutput>, <computeroutput>Permissive</computeroutput>, or <computeroutput>Disabled</computeroutput>. The <command>getenforce</command> command returns <computeroutput>Enforcing</computeroutput> when SELinux is enabled (SELinux policy rules are enforced):
-		</para>
-		
-<screen>$ /usr/sbin/getenforce
-Enforcing
-</screen>
-		<para>
-			The <command>getenforce</command> command returns <computeroutput>Permissive</computeroutput> when SELinux is enabled, but SELinux policy rules are not enforced, and only DAC rules are used. The <command>getenforce</command> command returns <computeroutput>Disabled</computeroutput> if SELinux is disabled.
+			Use the <command>getenforce</command> or <command>sestatus</command> commands to check the status of SELinux. The <command>getenforce</command> command returns <computeroutput>Enforcing</computeroutput>, <computeroutput>Permissive</computeroutput>, or <computeroutput>Disabled</computeroutput>. 
 		</para>
 		<para>
 			The <command>sestatus</command> command returns the SELinux status and the SELinux policy being used:
 		</para>
-		
-<screen>$ /usr/sbin/sestatus
+<screen>
+<prompt>~]$</prompt>&#160;<command>sestatus</command>
 SELinux status:                 enabled
 SELinuxfs mount:                /selinux
 Current mode:                   enforcing
 Mode from config file:          enforcing
-Policy version:                 23
+Policy version:                 24
 Policy from config file:        targeted
 </screen>
-		<para>
-			<computeroutput>SELinux status: enabled</computeroutput> is returned when SELinux is enabled. <computeroutput>Current mode: enforcing</computeroutput> is returned when SELinux is running in enforcing mode. <computeroutput>Policy from config file: targeted</computeroutput> is returned when the SELinux targeted policy is used.
-		</para>
 		<section id="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Enabling_SELinux">
 			<title>Enabling SELinux</title>
+
+			<important> <!-- 832337 --> 
+				<para>
+					If the system was initially installed without SELinux, particularly the <package>selinux-policy</package> package, which was added to the system later, one additional step is necessary to enable SELinux. To make sure SELinux is initialized during system startup, the <systemitem>dracut</systemitem> utility has to be run to put SELinux awareness into the initramfs file system. Failing to do so causes SELinux not to start during system startup.
+				</para>
+			</important>
+
 			<para>
 				On systems with SELinux disabled, the <computeroutput>SELINUX=disabled</computeroutput> option is configured in <filename>/etc/selinux/config</filename>:
 			</para>
 			
-<screen># This file controls the state of SELinux on the system.
+<screen>
+# This file controls the state of SELinux on the system.
 # SELINUX= can take one of these three values:
 #       enforcing - SELinux security policy is enforced.
 #       permissive - SELinux prints warnings instead of enforcing.
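Review bot: in the `sestatus` screen only the `Policy version` line was edited, so the block is a hand-modified RHEL 6 capture; the unchanged `SELinuxfs mount: /selinux` line is wrong for RHEL 7, where selinuxfs is mounted at `/sys/fs/selinux`, and the field set `sestatus` prints there differs as well. Replace the block with output captured on a RHEL 7 system rather than editing single lines. The removed paragraph explaining what `SELinux status: enabled`, `Current mode: enforcing` and `Policy from config file: targeted` mean is worth keeping, since it is what lets a reader verify the state. In the new `<important>` note, "If the system was initially installed without SELinux, particularly the selinux-policy package, which was added to the system later" is hard to parse; something like "If selinux-policy was not part of the initial installation and was added later" reads better, and since the note says dracut "has to be run", show the command so the reader does not have to guess it.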
@@ -218,24 +245,125 @@ SELINUXTYPE=targeted
 				Also, the <command>getenforce</command> command returns <computeroutput>Disabled</computeroutput>:
 			</para>
 			
-<screen>$ /usr/sbin/getenforce
+<screen>
+<prompt>~]$</prompt>&#160;<command>getenforce</command>
 Disabled
 </screen>
 			<para>
-				To enable SELinux:
-			</para>
-			<orderedlist>
-				<listitem>
-					<para>
-						Use the <command>rpm -qa | grep selinux</command>, <command>rpm -q policycoreutils</command>, and <command>rpm -qa | grep setroubleshoot</command> commands to confirm that the SELinux packages are installed. This guide assumes the following packages are installed: <package>selinux-policy-targeted</package>, <package>selinux-policy</package>, <package>libselinux</package>, <package>libselinux-python</package>, <package>libselinux-utils</package>, <package>policycoreutils</package>, <package>setroubleshoot</package>, <package>setroubleshoot-server</package>, <package>setroubleshoot-plugins</package>. If these packages are not installed, as the Linux root user, install them via the <command>yum install <replaceable>package-name</replaceable></command> command. The following packages are optional: <package>policycoreutils-gui</package>, <package>setroubleshoot</package>, <package>selinux-policy-devel</package>, and <package>mcstrans</package>.
-					</para>
-				</listitem>
-				<listitem>
-					<para>
-						Before SELinux is enabled, each file on the file system must be labeled with an SELinux context. Before this happens, confined domains may be denied access, preventing your system from booting correctly. To prevent this, configure <computeroutput>SELINUX=permissive</computeroutput> in <filename>/etc/selinux/config</filename>:
+                                Following procedure shows how to enable SELinux:
+                        </para>
+                        <procedure id="proc-Working_with-SELinux-Enabling_SELinux">
+                                <title>Enabling SELinux</title>
+                                <step>
+                                        <para>
+                                                This guide assumes that the following packages are installed:
+                                        </para>
+                                        <itemizedlist>
+                                                <listitem>
+                                                        <para>
+                                                                <package>selinux-policy-targeted</package>
+                                                        </para>
+                                                </listitem>
+                                                <listitem>
+                                                        <para>
+                                                                <package>selinux-policy</package>
+                                                        </para>
+                                                </listitem>
+                                                <listitem>
+                                                        <para>
+                                                                <package>libselinux</package>
+                                                        </para>
+                                                </listitem>
+                                                <listitem>
+                                                        <para>
+                                                                <package>libselinux-python</package>
+                                                        </para>
+                                                </listitem>
+                                                <listitem>
+                                                        <para>
+                                                                <package>libselinux-utils</package>
+                                                        </para>
+                                                </listitem>
+                                                <listitem>
+                                                        <para>
+                                                                <package>policycoreutils</package>
+                                                        </para>
+                                                </listitem>
+                                                <listitem>
+                                                        <para>
+                                                                <package>policycoreutils-python</package>
+                                                        </para>
+                                                </listitem>
+                                                <listitem>
+                                                        <para>
+                                                                <package>setroubleshoot</package>
+                                                        </para>
+                                                </listitem>
+                                                <listitem>
+                                                        <para>
+                                                                <package>setroubleshoot-server</package>
+                                                        </para>
+                                                </listitem>
+                                                <listitem>
+                                                        <para>
+                                                                <package>setroubleshoot-plugins</package>
+                                                        </para>
+                                                </listitem>
+                                        </itemizedlist>
+                                        <para>
+                                                To confirm that the aforementioned packages are installed, use the <systemitem>rpm</systemitem> utility: 
+                                        </para>
+<screen>
+<prompt>~]$</prompt>&#160;<command>rpm -qa | grep selinux</command>
+selinux-policy-3.12.1-136.el7.noarch
+libselinux-2.2.2-4.el7.x86_64
+selinux-policy-targeted-3.12.1-136.el7.noarch
+libselinux-utils-2.2.2-4.el7.x86_64
+libselinux-python-2.2.2-4.el7.x86_64
+</screen>
+<screen>
+<prompt>~]$</prompt>&#160;<command>rpm -qa | grep policycoreutils</command>
+policycoreutils-2.2.5-6.el7.x86_64
+policycoreutils-python-2.2.5-6.el7.x86_64
+</screen>
+<screen>
+<prompt>~]$</prompt>&#160;<command>rpm -qa | grep setroubleshoot</command>
+setroubleshoot-server-3.2.17-2.el7.x86_64
+setroubleshoot-3.2.17-2.el7.x86_64
+setroubleshoot-plugins-3.0.58-2.el7.noarch
+</screen>
+                                        <para>        
+                                                If they are not installed, use the <systemitem>yum</systemitem> utility as root to install them:
+                                        </para>
+<screen><prompt>~]#</prompt>&#160;<command>yum install <replaceable>package_name</replaceable></command></screen>
+                                        <para>
+                                                The following packages are optional:
+                                        </para>
+                                        <itemizedlist>
+                                                <listitem>
+                                                        <para>
+                                                                <package>policycoreutils-gui</package>
+                                                        </para>
+                                                </listitem>
+                                                <listitem>
+                                                        <para>
+                                                                <package>setroubleshoot</package>
+                                                        </para>
+                                                </listitem>
+                                                <listitem>
+                                                        <para>
+                                                                <package>mcstrans</package>
+                                                        </para>
+                                                </listitem>
+                                        </itemizedlist>
+				</step>
+				<step>
+					<para>
+						Before SELinux is enabled, each file on the file system must be labeled with an SELinux context. Before this happens, confined domains may be denied access, preventing your system from booting correctly. To prevent this, configure <computeroutput>SELINUX=permissive</computeroutput> in the <filename>/etc/selinux/config</filename> file:
 					</para>
 					
-<screen># This file controls the state of SELinux on the system.
+<screen>
+# This file controls the state of SELinux on the system.
 # SELINUX= can take one of these three values:
 #       enforcing - SELinux security policy is enforced.
 #       permissive - SELinux prints warnings instead of enforcing.
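Review bot: the optional-package list at the end of this step still names setroubleshoot, which the required list a few lines above already includes, so the step contradicts itself; drop it from the optional list (the original paragraph had the same overlap, and this rewrite is the place to fix it). The rewrite also silently drops selinux-policy-devel from the optional list, so either keep it or say why it went. The sample rpm output (`selinux-policy-3.12.1-136.el7.noarch`, `policycoreutils-2.2.5-6.el7.x86_64`, `setroubleshoot-server-3.2.17-2.el7.x86_64`) carries RHEL 7 release tags that a reader of the &PRODUCT; guide will never see on their own system; replace it with output captured on &PRODUCT; or use generic placeholders. Minor: "Following procedure shows" needs "The following procedure shows", and the `<para>` opening tags before "To confirm that" and "If they are not installed" carry trailing whitespace.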
@@ -246,32 +374,35 @@ SELINUX=permissive
 #       mls - Multi Level Security protection.
 SELINUXTYPE=targeted
 </screen>
-				</listitem>
-				<listitem>
+				</step>
+				<step>
 					<para>
-						As the Linux root user, run the <command>reboot</command> command to restart the system. During the next boot, file systems are labeled. The label process labels all files with an SELinux context:
+						As root, restart the system. During the next boot, file systems are labeled. The label process labels all files with an SELinux context:
 					</para>
-					
-<screen>*** Warning -- SELinux targeted policy relabel is required.
+<screen><prompt>~]#</prompt>&#160;<command>reboot</command></screen>					
+<screen>
+*** Warning -- SELinux targeted policy relabel is required.
 *** Relabeling could take a very long time, depending on file
 *** system size and speed of hard drives.
 ****
 </screen>
 					<para>
-						Each <computeroutput>*</computeroutput> character on the bottom line represents 1000 files that have been labeled. In the above example, four <computeroutput>*</computeroutput> characters represent 4000 files have been labeled. The time it takes to label all files depends upon the number of files on the system, and the speed of the hard disk drives. On modern systems, this process can take as little as 10 minutes.
+						Each <computeroutput>*</computeroutput> (asterisk) character on the bottom line represents 1000 files that have been labeled. In the above example, four <computeroutput>*</computeroutput> characters represent 4000 files have been labeled. The time it takes to label all files depends upon the number of files on the system, and the speed of the hard disk drives. On modern systems, this process can take as little as 10 minutes.
 					</para>
-				</listitem>
-				<listitem>
+				</step>
+				<step>
 					<para>
-						In permissive mode, SELinux policy is not enforced, but denials are still logged for actions that would have been denied if running in enforcing mode. Before changing to enforcing mode, as the Linux root user, run the <command>grep "SELinux is preventing" /var/log/messages</command> command as the Linux root user to confirm that SELinux did not deny actions during the last boot. If SELinux did not deny actions during the last boot, this command does not return any output. Refer to <xref linkend="sect-Security-Enhanced_Linux-Troubleshooting" /> for troubleshooting information if SELinux denied access during boot.
+						In permissive mode, SELinux policy is not enforced, but denials are still logged for actions that would have been denied if running in enforcing mode. Before changing to enforcing mode, as root, run the following command to confirm that SELinux did not deny actions during the last boot. If SELinux did not deny actions during the last boot, this command does not return any output. Refer to <xref linkend="sect-Security-Enhanced_Linux-Troubleshooting" /> for troubleshooting information if SELinux denied access during boot.
 					</para>
-				</listitem>
-				<listitem>
+<screen><prompt>~]#</prompt>&#160;<command>grep "SELinux is preventing" /var/log/messages</command></screen>
+                                </step>
+				<step>
 					<para>
-						If there were no denial messages in <filename>/var/log/messages</filename>, configure <computeroutput>SELINUX=enforcing</computeroutput> in <filename>/etc/selinux/config</filename>:
+						If there were no denial messages in the <filename>/var/log/messages</filename> file, configure <computeroutput>SELINUX=enforcing</computeroutput> in <filename>/etc/selinux/config</filename>:
 					</para>
 					
-<screen># This file controls the state of SELinux on the system.
+<screen>
+# This file controls the state of SELinux on the system.
 # SELINUX= can take one of these three values:
 #       enforcing - SELinux security policy is enforced.
 #       permissive - SELinux prints warnings instead of enforcing.
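Review bot: the denial check in the last step is incomplete: `grep "SELinux is preventing" /var/log/messages` only finds messages that setroubleshootd has already processed, so raw AVC denials written to /var/log/audit/audit.log (including any from early boot, before setroubleshoot was running) are missed and the step can report a clean boot that was not clean. Pair it with `ausearch -m avc -ts today` or `grep avc /var/log/audit/audit.log`, and adjust the next step's "If there were no denial messages in the /var/log/messages file" to match. On a systemd host /var/log/messages also only exists when rsyslog is installed; `journalctl -b | grep "SELinux is preventing"` has no such dependency. Grammar: "four * characters represent 4000 files have been labeled" needs "represent that 4000 files have been labeled". The `</screen>` after the `reboot` command carries trailing tabs.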
@@ -282,69 +413,62 @@ SELINUX=enforcing
 #       mls - Multi Level Security protection.
 SELINUXTYPE=targeted
 </screen>
-				</listitem>
-				<listitem>
+				</step>
+				<step>
 					<para>
-						Reboot your system. After reboot, confirm that the <command>getenforce</command> command returns <computeroutput>Enforcing</computeroutput>:
+						Reboot your system. After reboot, confirm that <command>getenforce</command> returns <computeroutput>Enforcing</computeroutput>:
 					</para>
-					
-<screen>$ /usr/sbin/getenforce
+<screen>
+<prompt>~]$</prompt>&#160;<command>getenforce</command>
 Enforcing
 </screen>
-				</listitem>
-				<listitem>
+				</step>
+				<step>
 					<para>
-						As the Linux root user, run the <command>/usr/sbin/semanage login -l</command> command to view the mapping between SELinux and Linux users. The output should be as follows:
+						As root, run the following command to view the mapping between SELinux and Linux users. The output should be as follows:
 					</para>
-					
-<screen>Login Name                SELinux User              MLS/MCS Range
+<screen>
+<prompt>~]#</prompt>&#160;<command>semanage login -l</command>
+
+Login Name           SELinux User         MLS/MCS Range        Service
 
-__default__               unconfined_u              s0-s0:c0.c1023
-root                      unconfined_u              s0-s0:c0.c1023
-system_u                  system_u                  s0-s0:c0.c1023
+__default__          unconfined_u         s0-s0:c0.c1023       *
+root                 unconfined_u         s0-s0:c0.c1023       *
+system_u             system_u             s0-s0:c0.c1023       *
 </screen>
-				</listitem>
-			</orderedlist>
+				</step>
+			</procedure>
 			<para>
-				If this is not the case, run the following commands as the Linux root user to fix the user mappings. It is safe to ignore the <computeroutput>SELinux-user<replaceable> username</replaceable> is already defined</computeroutput> warnings if they occur, where <replaceable>username</replaceable> can be <computeroutput>unconfined_u</computeroutput>, <computeroutput>guest_u</computeroutput>, or <computeroutput>xguest_u</computeroutput>:
+				If this is not the case, run the following commands as root to fix the user mappings. It is safe to ignore the <computeroutput>SELinux-user<replaceable> username</replaceable> is already defined</computeroutput> warnings if they occur, where <replaceable>username</replaceable> can be <systemitem>unconfined_u</systemitem>, <systemitem>guest_u</systemitem>, or <systemitem>xguest_u</systemitem>:
 			</para>
-			<orderedlist>
-				<listitem>
-
-						
-<screen>/usr/sbin/semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
-</screen>
-
-				</listitem>
-				<listitem>
-
-						
-<screen>/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__
-</screen>
-
-				</listitem>
-				<listitem>
-
-						
-<screen>/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root
-</screen>
-
-				</listitem>
-				<listitem>
-
-						
-<screen>/usr/sbin/semanage user -a -S targeted -P user -R guest_r guest_u
-</screen>
-
-				</listitem>
-				<listitem>
-
-						
-<screen>/usr/sbin/semanage user -a -S targeted  -P user -R xguest_r xguest_u
-</screen>
-
-				</listitem>
-			</orderedlist>
+                        <procedure id="proc-Working_with_SELinux-Fixing-user-mappings">
+                                <title>Fixing User Mappings</title>
+				<step>
+					<para>
+<screen><prompt>~]#</prompt>&#160;<command>semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u</command></screen>						
+					</para>
+				</step>
+				<step>
+					<para>
+<screen><prompt>~]#</prompt>&#160;<command>semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__</command></screen>
+					</para>
+				</step>
+				<step>
+					<para>
+<screen><prompt>~]#</prompt>&#160;<command>semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root</command></screen>					
+					</para>
+				</step>
+				<step>
+					<para>
+<screen><prompt>~]#</prompt>&#160;<command>semanage user -a -S targeted -P user -R guest_r guest_u</command></screen>						
+					</para>
+				</step>
+				<step>
+					<para>
+<screen><prompt>~]#</prompt>&#160;<command>semanage user -a -S targeted  -P user -R xguest_r xguest_u</command></screen>						
+					</para>
+				</step>
+			</procedure>
 			<important>
 				<para>
 					When systems run with SELinux in permissive or disabled mode, users have permission to label files incorrectly. Also, files created while SELinux is disabled are not labeled. This causes problems when changing to enforcing mode. To prevent incorrectly labeled and unlabeled files from causing problems, file systems are automatically relabeled when changing from disabled mode to permissive or enforcing mode.
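Review bot: each step of the new Fixing User Mappings procedure is a bare `<screen>` inside an otherwise empty `<para>`, so the reader gets five semanage invocations with no statement of what each does or why the order matters; add a sentence per step (the first defines the unconfined_u SELinux user with the unconfined_r and system_r roles and the s0-s0:c0.c1023 range, the next two re-map the __default__ and root logins onto it, the last two define guest_u and xguest_u with their single roles) and put the `<screen>` outside the `<para>`, matching the layout of the Enabling SELinux procedure above. Several `</screen>` tags in this block carry trailing tabs, and the `~]#` prompt on `semanage login -l` is followed by a blank line before the header row that should be checked against a live run before it is kept.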
@@ -355,10 +479,11 @@ system_u                  system_u                  s0-s0:c0.c1023
 		<section id="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux">
 			<title>Disabling SELinux</title>
 			<para>
-				To disable SELinux, configure <option>SELINUX=disabled</option> in <filename>/etc/selinux/config</filename>:
+				To disable SELinux, configure <option>SELINUX=disabled</option> in the <filename>/etc/selinux/config</filename> file:
 			</para>
 			
-<screen># This file controls the state of SELinux on the system.
+<screen>
+# This file controls the state of SELinux on the system.
 # SELINUX= can take one of these three values:
 #       enforcing - SELinux security policy is enforced.
 #       permissive - SELinux prints warnings instead of enforcing.
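Review bot: the Disabling SELinux section gives the procedure with no caution at all, although the `<important>` admonition at the end of the preceding section already states that files created while SELinux is disabled are unlabeled and that a full relabel is forced when switching back. Add a short `<warning>` here (or an xref to that admonition) saying that disabled mode leaves only DAC in force, that permissive mode is the right choice when debugging policy problems, and that re-enabling triggers the relabel described above. The wording change itself ("in the /etc/selinux/config file") is fine.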
@@ -373,236 +498,239 @@ SELINUXTYPE=targeted
 				Reboot your system. After reboot, confirm that the <command>getenforce</command> command returns <computeroutput>Disabled</computeroutput>:
 			</para>
 			
-<screen>$ /usr/sbin/getenforce
+<screen>
+<prompt>~]$</prompt>&#160;<command>getenforce</command>
 Disabled
 </screen>
 		</section>
 
 	</section>
-	
-	<section id="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes">
-		<title>SELinux Modes</title>
-		<para>
-			SELinux has three modes:
-		</para>
-		<itemizedlist>
-			<listitem>
-				<para>
-					Enforcing: SELinux policy is enforced. SELinux denies access based on SELinux policy rules.
-				</para>
-			</listitem>
-			<listitem>
-				<para>
-					Permissive: SELinux policy is not enforced. SELinux does not deny access, but denials are logged for actions that would have been denied if running in enforcing mode.
-				</para>
-			</listitem>
-			<listitem>
-				<para>
-					Disabled: SELinux is disabled. Only DAC rules are used.
-				</para>
-			</listitem>
-		</itemizedlist>
-		<para>
-			Use the <command>/usr/sbin/setenforce</command> command to change between enforcing and permissive mode. Changes made with <command>/usr/sbin/setenforce</command> do not persist across reboots. To change to enforcing mode, as the Linux root user, run the <command>/usr/sbin/setenforce 1</command> command. To change to permissive mode, run the <command>/usr/sbin/setenforce 0</command> command. Use the <command>/usr/sbin/getenforce</command> command to view the current SELinux mode.
-		</para>
-		<para>
-			Persistent mode changes are covered in <xref linkend="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux" />.
-		</para>
-	</section>
-	
 	<section id="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans">
 		<title>Booleans</title>
 		<para>
-			Booleans allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. This allows changes, such as allowing services access to NFS file systems, without reloading or recompiling SELinux policy.
+			Booleans allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. This allows changes, such as allowing services access to NFS volumes, without reloading or recompiling SELinux policy.
 		</para>
 		<section id="sect-Security-Enhanced_Linux-Booleans-Listing_Booleans">
 			<title>Listing Booleans</title>
 			<para>
-				For a list of Booleans, an explanation of what each one is, and whether they are on or off, run the <command>semanage boolean -l</command> command as the Linux root user. The following example does not list all Booleans:
+				For a list of Booleans, an explanation of what each one is, and whether they are on or off, run the <command>semanage boolean -l</command> command as the Linux root user. The following example does not list all Booleans and the output is shortened for brevity:
 			</para>
-			
-<screen># /usr/sbin/semanage boolean -l
-SELinux boolean                          Description
 
-ftp_home_dir                   -&gt; off   Allow ftp to read and write files in the user home directories
-xen_use_nfs                    -&gt; off   Allow xen to manage nfs files
-xguest_connect_network         -&gt; on    Allow xguest to configure Network Manager
+<screen><prompt>~]#</prompt>&#160;<command>semanage boolean -l</command>
+SELinux boolean                State  Default Description
+
+ftp_home_dir                   (off  ,  off)  Determine whether ftpd can read...
+smartmon_3ware                 (off  ,  off)  Determine whether smartmon can...
+mpd_enable_homedirs            (off  ,  off)  Determine whether mpd can traverse...
 </screen>
 			<para>
 				The <computeroutput>SELinux boolean</computeroutput> column lists Boolean names. The <computeroutput>Description</computeroutput> column lists whether the Booleans are on or off, and what they do.
 			</para>
 			<para>
-				In the following example, the <computeroutput>ftp_home_dir</computeroutput> Boolean is off, preventing the FTP daemon (<systemitem class="daemon">vsftpd</systemitem>) from reading and writing to files in user home directories:
+				In the following example, the <systemitem>ftp_home_dir</systemitem> Boolean is off, preventing the FTP daemon (<systemitem class="daemon">vsftpd</systemitem>) from reading and writing to files in user home directories:
 			</para>
 			
-<screen>ftp_home_dir                   -&gt; off   Allow ftp to read and write files in the user home directories
+<screen>ftp_home_dir                   (off  ,  off)  Determine whether ftpd can read...
 </screen>
 			<para>
 				The <command>getsebool -a</command> command lists Booleans, whether they are on or off, but does not give a description of each one. The following example does not list all Booleans:
 			</para>
 			
-<screen>$ /usr/sbin/getsebool -a
-allow_console_login --&gt; off
-allow_cvs_read_shadow --&gt; off
-allow_daemons_dump_core --&gt; on
+<screen><prompt>~]$</prompt>&#160;<command>getsebool -a</command>
+cvs_read_shadow --&gt; off
+daemons_dump_core --&gt; on
+ftp_home_dir --&gt; off
 </screen>
 			<para>
 				Run the <command>getsebool <replaceable>boolean-name</replaceable></command> command to only list the status of the <replaceable>boolean-name</replaceable> Boolean:
 			</para>
 			
-<screen>$ /usr/sbin/getsebool allow_console_login
-allow_console_login --&gt; off
+<screen><prompt>~]$</prompt>&#160;<command>getsebool cvs_read_shadow</command>
+cvs_read_shadow --&gt; off
 </screen>
 			<para>
 				Use a space-separated list to list multiple Booleans:
 			</para>
 			
-<screen>$ getsebool allow_console_login allow_cvs_read_shadow allow_daemons_dump_core
-allow_console_login --&gt; off
-allow_cvs_read_shadow --&gt; off
-allow_daemons_dump_core --&gt; on
+<screen><prompt>~]$</prompt>&#160;<command>getsebool cvs_read_shadow daemons_dump_core ftp_home_dir</command>
+cvs_read_shadow --&gt; off
+daemons_dump_core --&gt; on
+ftp_home_dir --&gt; off
 </screen>
 		</section>
 		
 		<section id="sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans">
 			<title>Configuring Booleans</title>
 			<para>
-				The <command>setsebool <replaceable>boolean-name</replaceable> <replaceable>x</replaceable></command> command turns Booleans on or off, where <replaceable>boolean-name</replaceable> is a Boolean name, and <replaceable>x</replaceable> is either <option>on</option> to turn the Boolean on, or <option>off</option> to turn it off.
-			</para>
-			<para>
-				The following example demonstrates configuring the <computeroutput>httpd_can_network_connect_db</computeroutput> Boolean:
-			</para>
-			<orderedlist>
-				<listitem>
+				Run the <systemitem>setsebool</systemitem> utility in the <command>setsebool <replaceable>boolean_name</replaceable> on/off</command> form to enable or disable Booleans.
+                        </para>
+                        <para>
+		                The following example demonstrates configuring the <systemitem>httpd_can_network_connect_db</systemitem> Boolean:
+                        </para>
+                        <procedure id="proc-configuring-booleans">
+                                <title>Configuring Booleans</title>
+				<step>
 					<para>
-						By default, the <computeroutput>httpd_can_network_connect_db</computeroutput> Boolean is off, preventing Apache HTTP Server scripts and modules from connecting to database servers:
+						By default, the <systemitem>httpd_can_network_connect_db</systemitem> Boolean is off, preventing Apache HTTP Server scripts and modules from connecting to database servers:
 					</para>
-					
-<screen>$ /usr/sbin/getsebool httpd_can_network_connect_db
+<screen>
+<prompt>~]$</prompt>&#160;<command>getsebool httpd_can_network_connect_db</command>
 httpd_can_network_connect_db --&gt; off
 </screen>
-				</listitem>
-				<listitem>
+				</step>
+				<step>
 					<para>
-						To temporarily enable Apache HTTP Server scripts and modules to connect to database servers, run the <command>setsebool httpd_can_network_connect_db on</command> command as the Linux root user.
-					</para>
-				</listitem>
-				<listitem>
+						To temporarily enable Apache HTTP Server scripts and modules to connect to database servers, run the following command as root:
+                                        </para>
+<screen><prompt>~]#</prompt>&#160;<command>setsebool httpd_can_network_connect_db on</command></screen>
+				</step>
+				<step>
 					<para>
-						Use the <command>getsebool httpd_can_network_connect_db</command> command to verify the Boolean is turned on:
+						Use the <systemitem>getsebool</systemitem> utility to verify the Boolean has been enabled:
 					</para>
-					
-<screen>$ /usr/sbin/getsebool httpd_can_network_connect_db
+<screen>
+<prompt>~]$</prompt>&#160;<command>getsebool httpd_can_network_connect_db</command>
 httpd_can_network_connect_db --&gt; on
 </screen>
 					<para>
 						This allows Apache HTTP Server scripts and modules to connect to database servers.
 					</para>
-				</listitem>
-				<listitem>
-					<para>
-						This change is not persistent across reboots. To make changes persistent across reboots, run the <command>setsebool -P <replaceable>boolean-name</replaceable> on</command> command as the Linux root user:
-					</para>
-					
-<screen># /usr/sbin/setsebool -P httpd_can_network_connect_db on
-</screen>
-				</listitem>
-				<listitem>
-					<para>
-						To temporarily revert to the default behavior, as the Linux root user, run the <command>setsebool httpd_can_network_connect_db off</command> command. For changes that persist across reboots, run the <command>setsebool -P httpd_can_network_connect_db off</command> command.
-					</para>
-				</listitem>
-			</orderedlist>
-		</section>
+				</step>
+				<step>
+					<para>
+					        This change is not persistent across reboots. To make changes persistent across reboots, run the <command>setsebool -P <replaceable>boolean-name</replaceable> on</command> command as root:<footnote><para>To temporarily revert to the default behavior, as the Linux root user, run the <command>setsebool httpd_can_network_connect_db off</command> command. For changes that persist across reboots, run the <command>setsebool -P httpd_can_network_connect_db off</command> command.</para></footnote>
+					</para>
+<screen><prompt>~]#</prompt>&#160;<command>setsebool -P httpd_can_network_connect_db on</command>
+					</screen>
+				</step>
+			</procedure>
+                </section>
+                <section id="sect-Security-Enhanced_Linux-Booleans-Shell_Auto-Completion">
+                        <title>Shell Auto-Completion</title>
+                        <para>
+                                It is possible to use shell auto-completion with the <systemitem>getsebool</systemitem>, <systemitem>setsebool</systemitem>, and <systemitem>semanage</systemitem> utilities. Use the auto-completion with <systemitem>getsebool</systemitem> and <systemitem>setsebool</systemitem> to complete both command-line parameters and Booleans. To list only the command-line parameters, add the hyphen character ("-") after the command name and hit the <keycap>Tab</keycap> key:
+                        </para>
+			<!--    <screen><prompt>~]$</prompt>&#160;getsebool -[Tab] 
+-a
+			</screen>-->
+                        <screen><prompt>~]#</prompt>&#160;setsebool -[Tab]
+-P
+</screen>
+			<para>
+        			To complete a Boolean, start writing the Boolean name and then hit <keycap>Tab</keycap>: 
+			</para>
+<screen><prompt>~]$</prompt>&#160;getsebool samba_[Tab]
+samba_create_home_dirs   samba_export_all_ro      samba_run_unconfined     
+samba_domain_controller  samba_export_all_rw      samba_share_fusefs       
+samba_enable_home_dirs   samba_portmapper         samba_share_nfs
+</screen>
+<screen><prompt>~]#</prompt>&#160;setsebool -P virt_use_[Tab]
+virt_use_comm     virt_use_nfs      virt_use_sanlock  
+virt_use_execmem  virt_use_rawip    virt_use_usb      
+virt_use_fusefs   virt_use_samba    virt_use_xserver
+</screen>
+                        <para>
+                                The <systemitem>semanage</systemitem> utility is used with several command-line arguments that are completed one by one. The first argument of a <command>semanage</command> command is an option, which specifies what part of SELinux policy is managed:
+                        </para>
+                        <screen><prompt>~]#</prompt>&#160;semanage [Tab]
+boolean     export      import      login       node        port
+dontaudit   fcontext    interface   module      permissive  user
+</screen>
+                        <para>
+                                Then, one or more command-line parameters follow:
+                        </para>
+<screen><prompt>~]#</prompt>&#160;semanage fcontext -[Tab]
+-a           -D           --equal      --help       -m           -o
+--add        --delete     -f           -l           --modify     -S
+-C           --deleteall  --ftype      --list       -n           -t
+-d           -e           -h           --locallist  --noheading  --type
+</screen>
+                        <para>
+                                Finally, complete the name of a particular SELinux entry, such as a Boolean, SELinux user, domain, or another. Start typing the entry and hit <keycap>Tab</keycap>:
+                        </para>
+                        <screen><prompt>~]#</prompt>&#160;<command></command>semanage fcontext -a -t samba&lt;tab&gt;
+samba_etc_t                     samba_secrets_t
+sambagui_exec_t                 samba_share_t
+samba_initrc_exec_t             samba_unconfined_script_exec_t
+samba_log_t                     samba_unit_file_t
+samba_net_exec_t
+                        </screen>
+                        <para>
+                                Command-line parameters can be chained in a command:
+<screen><prompt>~]#</prompt>&#160;semanage port -a -t http_port_t -p tcp 81</screen>
+                        </para>
+                </section>
 		
-		<section id="sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS">
+                <!--<section id="sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS">
 			<title>Booleans for NFS and CIFS</title>
 			<para>
-				By default, NFS mounts on the client side are labeled with a default context defined by policy for NFS file systems. In common policies, this default context uses the <computeroutput>nfs_t</computeroutput> type. Also, by default, Samba shares mounted on the client side are labeled with a default context defined by policy. In common policies, this default context uses the <computeroutput>cifs_t</computeroutput> type.
+				By default, NFS mounts on the client side are labeled with a default context defined by policy for NFS volumes. In common policies, this default context uses the <systemitem>nfs_t</systemitem> type. Also, by default, Samba shares mounted on the client side are labeled with a default context defined by policy. In common policies, this default context uses the <systemitem>cifs_t</systemitem> type.
 			</para>
 			<para>
-				Depending on policy configuration, services may not be able to read files labeled with the <computeroutput>nfs_t</computeroutput> or <computeroutput>cifs_t</computeroutput> types. This may prevent file systems labeled with these types from being mounted and then read or exported by other services. Booleans can be turned on or off to control which services are allowed to access the <computeroutput>nfs_t</computeroutput> and <computeroutput>cifs_t</computeroutput> types.
+				Depending on policy configuration, services may not be able to read files labeled with the <systemitem>nfs_t</systemitem> or <systemitem>cifs_t</systemitem> types. This may prevent file systems labeled with these types from being mounted and then read or exported by other services. Booleans can be enabled or disabled to control which services are allowed to access the <systemitem>nfs_t</systemitem> and <systemitem>cifs_t</systemitem> types.
 			</para>
 			<para>
-				The <command>setsebool</command> and <command>semanage</command> commands must be run as the Linux root user. The <command>setsebool -P</command> command makes persistent changes. Do not use the <option>-P</option> option if you do not want changes to persist across reboots:
-			</para>
-			<formalpara id="form-Security-Enhanced_Linux-Booleans_for_NFS_and_CIFS-Apache_HTTP_Server">
-				<title>Apache HTTP Server</title>
+				The <command>setsebool</command> and <command>semanage</command> commands must be run as the Linux root user. The <command>setsebool -P</command> command makes persistent changes. Do not use the <option>-P</option> option if you do not want changes to persist across reboots.
+                        </para>
+                        <bridgehead renderas="sect2" id="brid-Security-Enhanced_Linux-Booleans_for_NFS_and_CIFS-Apache_HTTP_Server">Apache HTTP Server</bridgehead>
 				<para>
-					To allow access to NFS file systems (files labeled with the <computeroutput>nfs_t</computeroutput> type):
+					To allow access to NFS volumes (files labeled with the <systemitem>nfs_t</systemitem> type):
 				</para>
-			</formalpara>
-			<para>
-				<command>/usr/sbin/setsebool -P httpd_use_nfs on</command>
-			</para>
+			<screen>~]#&#160;<command>setsebool -P httpd_use_nfs on</command>
+			</screen>
 			<para>
-				To allow access to Samba file systems (files labeled with the <computeroutput>cifs_t</computeroutput> type):
+				To allow access to Samba file systems (files labeled with the <systemitem>cifs_t</systemitem> type):
 			</para>
-			<para>
-				<command>/usr/sbin/setsebool -P httpd_use_cifs on</command>
-			</para>
-			<formalpara id="form-Security-Enhanced_Linux-Booleans_for_NFS_and_CIFS-Samba">
-				<title>Samba</title>
+			<screen>~]#&#160;<command>setsebool -P httpd_use_cifs on</command>
+                        </screen>
+                        <bridgehead renderas="sect2" id="brid-Security-Enhanced_Linux-Booleans_for_NFS_and_CIFS-Samba">Samba</bridgehead>
 				<para>
-					To export NFS file systems:
+					To export NFS volumes:
 				</para>
-			</formalpara>
-			<para>
-				<command>/usr/sbin/setsebool -P samba_share_nfs on</command>
-			</para>
-			<formalpara id="form-Security-Enhanced_Linux-Booleans_for_NFS_and_CIFS-FTP_vsftpd">
-				<title>FTP (<systemitem class="daemon">vsftpd</systemitem>)</title>
+			<screen>~]#&#160;<command>setsebool -P samba_share_nfs on</command>
+                        </screen>
+                        <bridgehead renderas="sect2" id="brid-Security-Enhanced_Linux-Booleans_for_NFS_and_CIFS-FTP_vsftpd">FTP (<systemitem class="daemon">vsftpd</systemitem>)</bridgehead>
 				<para>
-					To allow access to NFS file systems:
+					To allow access to NFS volumes:
 				</para>
-			</formalpara>
-			<para>
-				<command>/usr/sbin/setsebool -P allow_ftpd_use_nfs on</command>
-			</para>
+			<screen>~]#&#160;<command>setsebool -P ftpd_use_nfs on</command>
+			</screen>
 			<para>
 				To allow access to Samba file systems:
 			</para>
-			<para>
-				<command>/usr/sbin/setsebool -P allow_ftpd_use_cifs on</command>
-			</para>
-			<formalpara id="form-Security-Enhanced_Linux-Booleans_for_NFS_and_CIFS-Other_Services">
-				<title>Other Services</title>
+			<screen>~]#&#160;<command>setsebool -P ftpd_use_cifs on</command>
+                        </screen>
+                        <bridgehead renderas="sect2" id="brid-Security-Enhanced_Linux-Booleans_for_NFS_and_CIFS-Other_Services">Other Services</bridgehead>
 				<para>
 					For a list of NFS related Booleans for other services:
 				</para>
-			</formalpara>
-			<para>
-				<command>/usr/sbin/semanage boolean -l | grep nfs</command>
-			</para>
+			<screen>~]#&#160;<command>semanage boolean -l | grep nfs</command>
+			</screen>
 			<para>
 				For a list of Samba related Booleans for other services:
 			</para>
-			<para>
-				<command>/usr/sbin/semanage boolean -l | grep cifs</command>
-			</para>
+			<screen>~]#&#160;<command>semanage boolean -l | grep cifs</command>
+			</screen>
 			<note>
 				<para>
-					These Booleans exist in SELinux policy as shipped with &PRODUCT;&nbsp;&PRODVER;. They may not exist in policy shipped with other versions of &PRODUCT; or other operating systems.
+					These Booleans exist in SELinux policy as shipped with &PRODUCT; &PRODVER;. They may not exist in policy shipped with other versions of &PRODUCT; or other operating systems.
 				</para>
 			</note>
-				<para> 
-					Refer to the SELinux Managing Confined Services Guide at <ulink url="http://docs.fedoraproject.org"></ulink> for more information regarding SELinux Booleans.
-				</para>
-		</section>
+                </section>-->
 
 	</section>
 	
 	<section id="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files">
-		<title>SELinux Contexts - Labeling Files</title>
+		<title>SELinux Contexts &ndash; Labeling Files</title>
 		<para>
 			On systems running SELinux, all processes and files are labeled in a way that represents security-relevant information. This information is called the SELinux context. For files, this is viewed using the <command>ls -Z</command> command:
 		</para>
 		
-<screen>$ ls -Z file1
+<screen><prompt>~]$</prompt>&#160;<command>ls -Z file1</command>
 -rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
 </screen>
 		<para>
-			In this example, SELinux provides a user (<computeroutput>unconfined_u</computeroutput>), a role (<computeroutput>object_r</computeroutput>), a type (<computeroutput>user_home_t</computeroutput>), and a level (<computeroutput>s0</computeroutput>). This information is used to make access control decisions. On DAC systems, access is controlled based on Linux user and group IDs. SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first.
+			In this example, SELinux provides a user (<systemitem>unconfined_u</systemitem>), a role (<systemitem>object_r</systemitem>), a type (<systemitem>user_home_t</systemitem>), and a level (<systemitem>s0</systemitem>). This information is used to make access control decisions. On DAC systems, access is controlled based on Linux user and group IDs. SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first.
 		</para>
 		<para>
 			There are multiple commands for managing the SELinux context for files, such as <command>chcon</command>, <command>semanage fcontext</command>, and <command>restorecon</command>.
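Review bot: commenting out the whole "Booleans for NFS and CIFS" section also comments out its `id="sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS"`, so any `<xref linkend="..."/>` elsewhere in the guide that still points at it will fail validation; grep the book for that linkend before merging, and either remove the section outright or leave a stub that keeps the id. If the section is meant to come back later, note that the text inside the comment was still revised (the `allow_ftpd_use_nfs`/`allow_ftpd_use_cifs` Booleans are correctly renamed to `ftpd_use_nfs`/`ftpd_use_cifs` for the newer policy), but its `<screen>~]#&#160;<command>...` lines omit the `<prompt>` wrapper that the rest of this patch uses, e.g. `<screen><prompt>~]$</prompt>&#160;<command>ls -Z file1</command>`.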
@@ -610,121 +738,122 @@ httpd_can_network_connect_db --&gt; on
 		<section id="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Temporary_Changes_chcon">
 			<title>Temporary Changes: chcon</title>
 			<para>
-				The <command>chcon</command> command changes the SELinux context for files. However, changes made with the <command>chcon</command> command do not survive a file system relabel, or the execution of the <command>/sbin/restorecon</command> command. SELinux policy controls whether users are able to modify the SELinux context for any given file. When using <command>chcon</command>, users provide all or part of the SELinux context to change. An incorrect file type is a common cause of SELinux denying access.
-			</para>
-			<formalpara id="form-Security-Enhanced_Linux-Temporary_Changes_chcon-Quick_Reference">
-				<title>Quick Reference</title>
+				The <command>chcon</command> command changes the SELinux context for files. However, changes made with the <command>chcon</command> command do not survive a file system relabel, or the execution of the <command>restorecon</command> command. SELinux policy controls whether users are able to modify the SELinux context for any given file. When using <command>chcon</command>, users provide all or part of the SELinux context to change. An incorrect file type is a common cause of SELinux denying access.
+                        </para>
+                        <bridgehead renderas="sect2" id="brid-Security-Enhanced_Linux-Temporary_Changes_chcon-Quick_Reference">Quick Reference</bridgehead>
 				<para>
 					<itemizedlist>
 						<listitem>
 							<para>
-								Run the <command>chcon -t <replaceable>type</replaceable> <replaceable>file-name</replaceable></command> command to change the file type, where <replaceable>type</replaceable> is a type, such as <computeroutput>httpd_sys_content_t</computeroutput>, and <replaceable>file-name</replaceable> is a file or directory name.
-							</para>
+								Run the <command>chcon -t <replaceable>type</replaceable> <replaceable>file-name</replaceable></command> command to change the file type, where <replaceable>type</replaceable> is an SELinux type, such as <systemitem>httpd_sys_content_t</systemitem>, and <replaceable>file-name</replaceable> is a file or directory name:
+                                                        </para>
+<screen><prompt>~]$</prompt>&#160;<command>chcon -t httpd_sys_content_t <replaceable>file-name</replaceable></command></screen>
 						</listitem>
 						<listitem>
 							<para>
-								Run the <command>chcon -R -t <replaceable>type</replaceable> <replaceable>directory-name</replaceable></command> command to change the type of the directory and its contents, where <replaceable>type</replaceable> is a type, such as <computeroutput>httpd_sys_content_t</computeroutput>, and <replaceable>directory-name</replaceable> is a directory name.
-							</para>
+								Run the <command>chcon -R -t <replaceable>type</replaceable> <replaceable>directory-name</replaceable></command> command to change the type of the directory and its contents, where <replaceable>type</replaceable> is an SELinux type, such as <systemitem>httpd_sys_content_t</systemitem>, and <replaceable>directory-name</replaceable> is a directory name:
+                                                        </para>
+<screen><prompt>~]$</prompt>&#160;<command>chcon -R -t httpd_sys_content_t <replaceable>directory-name</replaceable></command></screen>
 						</listitem>
 					</itemizedlist>
 				</para>
-			</formalpara>
-			<formalpara id="form-Security-Enhanced_Linux-Temporary_Changes_chcon-Changing_a_Files_or_Directorys_Type">
-				<title>Changing a File&#39;s or Directory&#39;s Type</title>
-				<para>
-					The following example demonstrates changing the type, and no other attributes of the SELinux context:
-				</para>
-			</formalpara>
-			<orderedlist>
-				<listitem>
+
+                        <procedure id="proc-Security-Enhanced_Linux-Temporary_Changes_chcon-Changing_a_Files_or_Directorys_Type">
+                                <title>Changing a File&#39;s or Directory&#39;s Type</title>
+                                <para>
+                                        The following procedure demonstrates changing the type, and no other attributes of the SELinux context. The example in this section works the same for directories, for example, if <filename>file1</filename> was a directory.
+                               </para>
+				<step>
 					<para>
-						Run the <command>cd</command> command without arguments to change into your home directory.
-					</para>
-				</listitem>
-				<listitem>
+                                                Change into your home directory.
+                                        </para>
+				</step>
+				<step>
 					<para>
-						Run the <command>touch file1</command> command to create a new file. Use the <command>ls -Z file1</command> command to view the SELinux context for <filename>file1</filename>:
+                                                Create a new file and view its SELinux context:
 					</para>
-					
-<screen>$ ls -Z file1
+<screen><prompt>~]$</prompt>&#160;<command>touch file1</command></screen>
+<screen>
+<prompt>~]$</prompt>&#160;<command>ls -Z file1</command>
 -rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
 </screen>
 					<para>
-						In this example, the SELinux context for <filename>file1</filename> includes the SELinux <computeroutput>unconfined_u</computeroutput> user, <computeroutput>object_r</computeroutput> role, <computeroutput>user_home_t</computeroutput> type, and the <computeroutput>s0</computeroutput> level. For a description of each part of the SELinux context, refer to <xref linkend="sect-Security-Enhanced_Linux-SELinux_Contexts" />.
+						In this example, the SELinux context for <filename>file1</filename> includes the SELinux <systemitem>unconfined_u</systemitem> user, <systemitem>object_r</systemitem> role, <systemitem>user_home_t</systemitem> type, and the <systemitem>s0</systemitem> level. For a description of each part of the SELinux context, see <xref linkend="sect-Security-Enhanced_Linux-SELinux_Contexts" />.
 					</para>
-				</listitem>
-				<listitem>
+				</step>
+				<step>
 					<para>
-						Run the <command>chcon -t samba_share_t file1</command> command to change the type to <computeroutput>samba_share_t</computeroutput>. The <option>-t</option> option only changes the type. View the change with <command>ls -Z file1</command>:
+                                                Run the following command to change the type to <systemitem>samba_share_t</systemitem>. The <option>-t</option> option only changes the type. Then view the change:
 					</para>
-					
-<screen>$ ls -Z file1 
+<screen><prompt>~]$</prompt>&#160;<command>chcon -t samba_share_t file1</command></screen>					
+<screen>
+<prompt>~]$</prompt>&#160;<command>ls -Z file1 </command>
 -rw-rw-r--  user1 group1 unconfined_u:object_r:samba_share_t:s0 file1
 </screen>
-				</listitem>
-				<listitem>
+				</step>
+				<step>
 					<para>
-						Use the <command>/sbin/restorecon -v file1</command> command to restore the SELinux context for the <filename>file1</filename> file. Use the <option>-v</option> option to view what changes:
+						Use the following command to restore the SELinux context for the <filename>file1</filename> file. Use the <option>-v</option> option to view what changes:
 					</para>
-					
-<screen>$ /sbin/restorecon -v file1
+<screen><prompt>~]$</prompt>&#160;<command>restorecon -v file1</command>
 restorecon reset file1 context unconfined_u:object_r:samba_share_t:s0-&gt;system_u:object_r:user_home_t:s0
 </screen>
 					<para>
-						In this example, the previous type, <computeroutput>samba_share_t</computeroutput>, is restored to the correct, <computeroutput>user_home_t</computeroutput> type. When using targeted policy (the default SELinux policy in &PRODUCT; &PRODVER;), the <command>/sbin/restorecon</command> command reads the files in the <filename>/etc/selinux/targeted/contexts/files/</filename> directory, to see which SELinux context files should have.
+						In this example, the previous type, <systemitem>samba_share_t</systemitem>, is restored to the correct, <systemitem>user_home_t</systemitem> type. When using targeted policy (the default SELinux policy in &PRODUCT;), the <command>restorecon</command> command reads the files in the <filename>/etc/selinux/targeted/contexts/files/</filename> directory, to see which SELinux context files should have.
 					</para>
-				</listitem>
-			</orderedlist>
-			<para>
-				The example in this section works the same for directories, for example, if <filename>file1</filename> was a directory.
-			</para>
-			<formalpara id="form-Security-Enhanced_Linux-Temporary_Changes_chcon-Changing_a_Directory_and_its_Contents_Types">
-				<title>Changing a Directory and its Contents Types</title>
-				<para>
-					The following example demonstrates creating a new directory, and changing the directory&#39;s file type (along with its contents) to a type used by the Apache HTTP Server. The configuration in this example is used if you want Apache HTTP Server to use a different document root (instead of <filename>/var/www/html/</filename>):
-				</para>
-			</formalpara>
-			<orderedlist>
-				<listitem>
+                                </step>
+			</procedure>
+			
+                        <procedure id="proc-Security-Enhanced_Linux-Temporary_Changes_chcon-Changing_a_Directory_and_its_Contents_Types">
+                                <title>Changing a Directory and its Contents Types</title>
+                                <para>
+                                        The following example demonstrates creating a new directory, and changing the directory&#39;s file type (along with its contents) to a type used by the Apache HTTP Server. The configuration in this example is used if you want Apache HTTP Server to use a different document root (instead of <filename>/var/www/html/</filename>):
+                                </para>
+				<step>
 					<para>
-						As the Linux root user, run the <command>mkdir /web</command> command to create a new directory, and then the <command>touch /web/file{1,2,3}</command> command to create 3 empty files (<filename>file1</filename>, <filename>file2</filename>, and <filename>file3</filename>). The <filename>/web/</filename> directory and files in it are labeled with the <computeroutput>default_t</computeroutput> type:
+                                                As the root user, create a new <filename class="directory">/mkdir/</filename>directory and then 3 empty files (<filename>file1</filename>, <filename>file2</filename>, and <filename>file3</filename>) within this directory. The <filename class="directory">/web/</filename> directory and files in it are labeled with the <systemitem>default_t</systemitem> type:
 					</para>
-					
-<screen># ls -dZ /web
+<screen><prompt>~]#</prompt>&#160;<command>mkdir /web</command></screen>
+<screen><prompt>~]#</prompt>&#160;<command>touch /web/file{1,2,3}</command></screen>
+<screen>
+<prompt>~]#</prompt>&#160;<command>ls -dZ /web</command>
 drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web
-# ls -lZ /web
+</screen>
+<screen>
+<prompt>~]#</prompt>&#160;<command>ls -lZ /web</command>
 -rw-r--r--  root root unconfined_u:object_r:default_t:s0 file1
 -rw-r--r--  root root unconfined_u:object_r:default_t:s0 file2
 -rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3
 </screen>
-				</listitem>
-				<listitem>
+				</step>
+				<step>
 					<para>
-						As the Linux root user, run the <command>chcon -R -t httpd_sys_content_t /web/</command> command to change the type of the <filename>/web/</filename> directory (and its contents) to <computeroutput>httpd_sys_content_t</computeroutput>:
+						As root, run the following command to change the type of the <filename class="directory">/web/</filename> directory (and its contents) to <systemitem>httpd_sys_content_t</systemitem>:
 					</para>
 					
-<screen># chcon -R -t httpd_sys_content_t /web/
-# ls -dZ /web/
+<screen><prompt>~]#</prompt>&#160;<command>chcon -R -t httpd_sys_content_t /web/</command></screen>
+<screen><prompt>~]#</prompt>&#160;<command>ls -dZ /web/</command>
 drwxr-xr-x  root root unconfined_u:object_r:httpd_sys_content_t:s0 /web/
-# ls -lZ /web/
+</screen>
+<screen>
+<prompt>~]#</prompt>&#160;<command>ls -lZ /web/</command>
 -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
 -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
 -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
 </screen>
-				</listitem>
-				<listitem>
+				</step>
+				<step>
 					<para>
-						As the Linux root user, run the <command>/sbin/restorecon -R -v /web/</command> command to restore the default SELinux contexts:
+						To restore the default SELinux contexts, use the <systemitem>restorecon</systemitem> utility as root:
 					</para>
-					
-<screen># /sbin/restorecon -R -v /web/
+<screen><prompt>~]#</prompt>&#160;<command>restorecon -R -v /web/</command>
 restorecon reset /web context unconfined_u:object_r:httpd_sys_content_t:s0-&gt;system_u:object_r:default_t:s0
 restorecon reset /web/file2 context unconfined_u:object_r:httpd_sys_content_t:s0-&gt;system_u:object_r:default_t:s0
 restorecon reset /web/file3 context unconfined_u:object_r:httpd_sys_content_t:s0-&gt;system_u:object_r:default_t:s0
 restorecon reset /web/file1 context unconfined_u:object_r:httpd_sys_content_t:s0-&gt;system_u:object_r:default_t:s0
 </screen>
-				</listitem>
-			</orderedlist>
+				</step>
+			</procedure>
 			<para>
 				Refer to the <citerefentry><refentrytitle>chcon</refentrytitle><manvolnum>1</manvolnum></citerefentry> manual page for further information about <command>chcon</command>.
 			</para>
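Review bot: the first step of "Changing a Directory and its Contents Types" now reads "create a new `<filename class="directory">/mkdir/</filename>directory", which names the wrong path and is missing the space before "directory"; the commands and `ls -dZ` output that follow all use `/web`, so this should be `create a new <filename class="directory">/web/</filename> directory`. Minor: the last step tags `restorecon` as `<systemitem>` while the section intro tags it `<command>restorecon</command>`; pick one. There are also trailing tab characters after `</screen>` on the `chcon -t samba_share_t file1` line.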
@@ -738,243 +867,288 @@ restorecon reset /web/file1 context unconfined_u:object_r:httpd_sys_content_t:s0
 		<section id="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext">
 			<title>Persistent Changes: semanage fcontext</title>
 			<para>
-				The <command>/usr/sbin/semanage fcontext</command> command changes the SELinux context for files. When using targeted policy, changes made with this command are added to the <filename>/etc/selinux/targeted/contexts/files/file_contexts</filename> file if the changes are to files that exists in <filename>file_contexts</filename>, or are added to <filename>file_contexts.local</filename> for new files and directories, such as creating a <filename>/web/</filename> directory. <command>setfiles</command>, which is used when a file system is relabeled, and <command>/sbin/restorecon</command>, which restores the default SELinux contexts, read these files. This means that changes made by <command>/usr/sbin/semanage fcontext</command> are persistent, even if the file system is relabeled. SELinux policy controls whether users are able to modify the SELinux context for any given file.
-			</para>
-			<formalpara id="form-Security-Enhanced_Linux-Persistent_Changes_semanage_fcontext-Quick_Reference">
-				<title>Quick Reference</title>
-				<para>
-					To make SELinux context changes that survive a file system relabel:
-				</para>
-			</formalpara>
-			<orderedlist>
-				<listitem>
-					<para>
-						Run the <command>/usr/sbin/semanage fcontext -a <replaceable>options</replaceable> <replaceable>file-name</replaceable>|<replaceable>directory-name</replaceable></command> command, remembering to use the full path to the file or directory.
-					</para>
-				</listitem>
-				<listitem>
-					<para>
-						Run the <command>/sbin/restorecon -v <replaceable>file-name</replaceable>|<replaceable>directory-name</replaceable></command> command to apply the context changes.
-					</para>
-				</listitem>
-			</orderedlist>
-			<formalpara id="form-Security-Enhanced_Linux-Persistent_Changes_semanage_fcontext-Changing_a_Files_Type">
-				<title>Changing a File&#39;s Type</title>
-				<para>
-					The following example demonstrates changing a file&#39;s type, and no other attributes of the SELinux context:
-				</para>
-			</formalpara>
-			<orderedlist>
-				<listitem>
-					<para>
-						As the Linux root user, run the <command>touch /etc/file1</command> command to create a new file. By default, newly-created files in the <filename>/etc/</filename> directory are labeled with the <computeroutput>etc_t</computeroutput> type:
-					</para>
-					
-<screen># ls -Z /etc/file1
+                                The <command>semanage fcontext</command> command is used to change the SELinux context of files. When using targeted policy, changes are written to files located in the <filename class="directory">/etc/selinux/targeted/contexts/files/</filename> directory:
+                        </para>
+                        <itemizedlist>
+                                <listitem>
+                                        <para>
+						The <filename>file_contexts</filename> file specifies default contexts for many files, as well as contexts updated via <command>semanage fcontext</command>.
+		                        </para>
+                                        <para>
+                                                <remark>Does file_contexts come with the SELinux policy?</remark>
+                                        </para>
+                                </listitem>
+                                <listitem>
+                                        <para>
+						The <filename>file_contexts.local</filename> file stores contexts to newly created files and directories not found in <filename>file_contexts</filename>.
+                                        </para>
+                                </listitem>
+                        </itemizedlist>
+                        <para>
+                              Two utilities read these files. The <systemitem>setfiles</systemitem> utility is used when a file system is relabeled and the <systemitem>restorecon</systemitem> utility restores the default SELinux contexts. This means that changes made by <command>semanage fcontext</command> are persistent, even if the file system is relabeled. SELinux policy controls whether users are able to modify the SELinux context for any given file.
+			</para>
+                        <bridgehead renderas="sect2" id="brid-Security-Enhanced_Linux-Persistent_Changes_semanage_fcontext-Quick_Reference">Quick Reference</bridgehead>
+                        <para>
+                                To make SELinux context changes that survive a file system relabel:
+                        </para>
+                        <para>
+                                <orderedlist>
+                                        <listitem>
+                                                <para>
+                                                        Run the following command, remembering to use the full path to the file or directory:
+                                                </para>
+<screen><prompt>~]#</prompt>&#160;<command>semanage fcontext -a <replaceable>options</replaceable> <replaceable>file-name</replaceable>|<replaceable>directory-name</replaceable></command></screen>
+                                        </listitem>
+                                        <listitem>
+                                                <para>
+                                                       Use the <systemitem>restorecon</systemitem> utility to apply the context changes: 
+                                               </para>
+<screen><prompt>~]#</prompt>&#160;<command>restorecon -v <replaceable>file-name</replaceable>|<replaceable>directory-name</replaceable></command></screen>
+                                        </listitem>
+                                </orderedlist>
+                        </para>
+                        <procedure id="proc-Security-Enhanced_Linux-Persistent_Changes_semanage_fcontext-Changing_a_Files_Type">
+                                <title>Changing a File&#39;s or Directory &#39;s Type</title>
+                                <para>
+                                      The following example demonstrates changing a file&#39;s type, and no other attributes of the SELinux context. This example works the same for directories, for instance if <filename>file1</filename> was a directory.
+                                </para>
+				<step>
+					<para>
+                                                As the root user, create a new file in the <filename class="directory">/etc/</filename> directory. By default, newly-created files in <filename class="directory">/etc/</filename> are labeled with the <systemitem>etc_t</systemitem> type:
+					</para>
+<screen><prompt>~]#</prompt>&#160;<command>touch /etc/file1</command></screen>					
+<screen>
+<prompt>~]$</prompt>&#160;<command>ls -Z /etc/file1</command>
 -rw-r--r--  root root unconfined_u:object_r:etc_t:s0       /etc/file1
 </screen>
-				</listitem>
-				<listitem>
+                                        <para>
+                                                To list information about a directory, use the following command:
+                                        </para>
+<screen><prompt>~]$</prompt>&#160;<command>ls -dZ <replaceable>directory_name</replaceable></command></screen>
+				</step>
+				<step>
 					<para>
-						As the Linux root user, run the <command>/usr/sbin/semanage fcontext -a -t samba_share_t /etc/file1</command> command to change the <filename>file1</filename> type to <computeroutput>samba_share_t</computeroutput>. The <option>-a</option> option adds a new record, and the <option>-t</option> option defines a type (<computeroutput>samba_share_t</computeroutput>). Note: running this command does not directly change the type - <filename>file1</filename> is still labeled with the <computeroutput>etc_t</computeroutput> type:
+						As root, run the following command to change the <filename>file1</filename> type to <systemitem>samba_share_t</systemitem>. The <option>-a</option> option adds a new record, and the <option>-t</option> option defines a type (<systemitem>samba_share_t</systemitem>). Note that running this command does not directly change the type; <filename>file1</filename> is still labeled with the <systemitem>etc_t</systemitem> type:
 					</para>
-					
-<screen># /usr/sbin/semanage fcontext -a -t samba_share_t /etc/file1
-# ls -Z /etc/file1
+<screen><prompt>~]#</prompt>&#160;<command>semanage fcontext -a -t samba_share_t /etc/file1</command></screen>
+<screen>
+<prompt>~]#</prompt>&#160;<command>ls -Z /etc/file1</command> 
 -rw-r--r--  root root unconfined_u:object_r:etc_t:s0       /etc/file1
 </screen>
 					<para>
-						The <command>/usr/sbin/semanage fcontext -a -t samba_share_t /etc/file1</command> command adds the following entry to <filename>/etc/selinux/targeted/contexts/files/file_contexts.local</filename>:
+						The <command>semanage fcontext -a -t samba_share_t /etc/file1</command> command adds the following entry to <filename>/etc/selinux/targeted/contexts/files/file_contexts.local</filename>:
 					</para>
-					
 <screen>/etc/file1    unconfined_u:object_r:samba_share_t:s0
 </screen>
-				</listitem>
-				<listitem>
+				</step>
+				<step>
 					<para>
-						As the Linux root user, run the <command>/sbin/restorecon -v /etc/file1</command> command to change the type. Since the <command>semanage</command> command added an entry to <filename>file.contexts.local</filename> for <filename>/etc/file1</filename>, the <command>/sbin/restorecon</command> command changes the type to <computeroutput>samba_share_t</computeroutput>:
+                                                As root, use the <systemitem>restorecon</systemitem> utility to change the type. Because <systemitem>semanage</systemitem> added an entry to <filename>file.contexts.local</filename> for <filename>/etc/file1</filename>, <systemitem>restorecon</systemitem> changes the type to <systemitem>samba_share_t</systemitem>:
 					</para>
-					
-<screen># /sbin/restorecon -v /etc/file1
+<screen>
+<prompt>~]#</prompt>&#160;<command>restorecon -v /etc/file1</command>
 restorecon reset /etc/file1 context unconfined_u:object_r:etc_t:s0-&gt;system_u:object_r:samba_share_t:s0
 </screen>
-				</listitem>
-				<listitem>
+				</step>
+                                <!-- as per RT#122301
+                                <step>
 					<para>
 						As the Linux root user, run the <command>rm -i /etc/file1</command> command to remove <filename>file1</filename>.
-					</para>
-				</listitem>
-				<listitem>
+					</para>
+				</step>
+				<step>
 					<para>
-						As the Linux root user, run the <command>/usr/sbin/semanage fcontext -d /etc/file1</command> command to remove the context added for <filename>/etc/file1</filename>. When the context is removed, running <command>restorecon</command> changes the type to <computeroutput>etc_t</computeroutput>, rather than <computeroutput>samba_share_t</computeroutput>.
+						As the Linux root user, run the <command>semanage fcontext -d /etc/file1</command> command to remove the context added for <filename>/etc/file1</filename>.
 					</para>
-				</listitem>
-			</orderedlist>
-			<formalpara id="form-Security-Enhanced_Linux-Persistent_Changes_semanage_fcontext-Changing_a_Directorys_Type">
-				<title>Changing a Directory&#39;s Type</title>
-				<para>
-					The following example demonstrates creating a new directory and changing that directory&#39;s file type, to a type used by Apache HTTP Server:
-				</para>
-			</formalpara>
-			<orderedlist>
-				<listitem>
+                                </step>-->
+			</procedure>
+			
+                        <!-- as per RT#122301 
+                        <procedure id="proc-Security-Enhanced_Linux-Persistent_Changes_semanage_fcontext-Changing_a_Directorys_Type">
+                                <title>Changing a Directory&#39;s Type</title>
+                                <para>
+                                        The following example demonstrates creating a new directory and changing that directory&#39;s file type, to a type used by Apache HTTP Server:
+                                </para>
+				<step>
 					<para>
-						As the Linux root user, run the <command>mkdir /web</command> command to create a new directory. This directory is labeled with the <computeroutput>default_t</computeroutput> type:
+						As the Linux root user, run the <command>mkdir /web</command> command to create a new directory. This directory is labeled with the <systemitem>default_t</systemitem> type:
 					</para>
 					
-<screen># ls -dZ /web
+<screen>~]#&#160;<command>ls -dZ /web</command>
 drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web
 </screen>
 					<para>
 						The <command>ls</command> <option>-d</option> option makes <command>ls</command> list information about a directory, rather than its contents, and the <option>-Z</option> option makes <command>ls</command> display the SELinux context (in this example, <computeroutput>unconfined_u:object_r:default_t:s0</computeroutput>).
 					</para>
-				</listitem>
-				<listitem>
+				</step>
+				<step>
 					<para>
-						As the Linux root user, run the <command>/usr/sbin/semanage fcontext -a -t httpd_sys_content_t /web</command> command to change the <filename>/web/</filename> type to <computeroutput>httpd_sys_content_t</computeroutput>. The <option>-a</option> option adds a new record, and the <option>-t</option> option defines a type (<computeroutput>httpd_sys_content_t</computeroutput>). Note: running this command does not directly change the type - <filename>/web/</filename> is still labeled with the <computeroutput>default_t</computeroutput> type:
+						As the Linux root user, run the <command>semanage fcontext -a -t httpd_sys_content_t /web</command> command to change the <filename>/web/</filename> type to <systemitem>httpd_sys_content_t</systemitem>. The <option>-a</option> option adds a new record, and the <option>-t</option> option defines a type (<systemitem>httpd_sys_content_t</systemitem>). Note that running this command does not directly change the type; <filename>/web/</filename> is still labeled with the <systemitem>default_t</systemitem> type:
 					</para>
 					
-<screen># /usr/sbin/semanage fcontext -a -t httpd_sys_content_t /web
-# ls -dZ /web
+<screen>~]#&#160;<command>semanage fcontext -a -t httpd_sys_content_t /web</command>
+~]#&#160;<command>ls -dZ /web</command> 
 drwxr-xr-x  root root unconfined_u:object_r:default_t:s0   /web
 </screen>
 					<para>
-						The <command>/usr/sbin/semanage fcontext -a -t httpd_sys_content_t /web</command> command adds the following entry to <command>/etc/selinux/targeted/contexts/files/file_contexts.local</command>:
+						The <command>semanage fcontext -a -t httpd_sys_content_t /web</command> command adds the following entry to <command>/etc/selinux/targeted/contexts/files/file_contexts.local</command>:
 					</para>
 					
 <screen>/web    unconfined_u:object_r:httpd_sys_content_t:s0
 </screen>
-				</listitem>
-				<listitem>
+				</step>
+				<step>
 					<para>
-						As the Linux root user, run the <command>/sbin/restorecon -v /web</command> command to change the type. Since the <command>semanage</command> command added an entry to <filename>file.contexts.local</filename> for <filename>/web</filename>, the <command>/sbin/restorecon</command> command changes the type to <computeroutput>httpd_sys_content_t</computeroutput>:
+						As the Linux root user, run the <command>restorecon -v /web</command> command to change the type. Since the <command>semanage</command> command added an entry to <filename>file.contexts.local</filename> for <filename>/web</filename>, the <command>restorecon</command> command changes the type to <systemitem>httpd_sys_content_t</systemitem>:
 					</para>
 					
-<screen># /sbin/restorecon -v /web
+<screen>~]#&#160;<command>restorecon -v /web</command>
 restorecon reset /web context unconfined_u:object_r:default_t:s0-&gt;system_u:object_r:httpd_sys_content_t:s0
 </screen>
 					<para>
-						By default, newly-created files and directories inherit the SELinux type of their parent folders. When using this example, and before removing the SELinux context added for <filename>/web/</filename>, files and directories created in the <filename>/web/</filename> directory are labeled with the <computeroutput>httpd_sys_content_t</computeroutput> type.
-					</para>
-				</listitem>
-				<listitem>
-					<para>
-						As the Linux root user, run the <command>/usr/sbin/semanage fcontext -d /web</command> command to remove the context added for <filename>/web/</filename>.
+						By default, newly-created files and directories inherit the SELinux type of their parent folders. When using this example, and before removing the SELinux context added for <filename>/web/</filename>, files and directories created in the <filename>/web/</filename> directory are labeled with the <systemitem>httpd_sys_content_t</systemitem> type.
 					</para>
-				</listitem>
-				<listitem>
+				</step>
+				<step>
 					<para>
-						As the Linux root user, run the <command>/sbin/restorecon -v /web</command> command to restore the default SELinux context.
+						As the Linux root user, run the <command>semanage fcontext -d /web</command> command to remove the context added for <filename>/web/</filename>.
 					</para>
-				</listitem>
-			</orderedlist>
-			<formalpara id="form-Security-Enhanced_Linux-Persistent_Changes_semanage_fcontext-Changing_a_Directory_and_its_Contents_Types">
-				<title>Changing a Directory and its Contents Types</title>
-				<para>
-					The following example demonstrates creating a new directory, and changing the directory&#39;s file type (along with its contents) to a type used by Apache HTTP Server. The configuration in this example is used if you want Apache HTTP Server to use a different document root (instead of <filename>/var/www/html/</filename>):
-				</para>
-			</formalpara>
-			<orderedlist>
-				<listitem>
+				</step>
+				<step>
 					<para>
-						As the Linux root user, run the <command>mkdir /web</command> command to create a new directory, and then the <command>touch /web/file{1,2,3}</command> command to create 3 empty files (<filename>file1</filename>, <filename>file2</filename>, and <filename>file3</filename>). The <filename>/web/</filename> directory and files in it are labeled with the <computeroutput>default_t</computeroutput> type:
+						As the Linux root user, run the <command>restorecon -v /web</command> command to restore the default SELinux context.
 					</para>
-					
-<screen># ls -dZ /web
+				</step>
+                        </procedure>-->
+			
+                        <procedure id="proc-Security-Enhanced_Linux-Persistent_Changes_semanage_fcontext-Changing_a_Directory_and_its_Contents_Types">
+                                <title>Changing a Directory and its Contents Types</title>
+                                <para>
+                                        The following example demonstrates creating a new directory, and changing the directory&#39;s file type (along with its contents) to a type used by Apache HTTP Server. The configuration in this example is used if you want Apache HTTP Server to use a different document root (instead of <filename class="directory">/var/www/html/</filename>):
+                                </para>
+                                <step>
+                                        <para>
+                                                As the root user, create a new <filename class="directory">/mkdir/</filename>directory and then 3 empty files (<filename>file1</filename>, <filename>file2</filename>, and <filename>file3</filename>) within this directory. The <filename class="directory">/web/</filename> directory and files in it are labeled with the <systemitem>default_t</systemitem> type:
+					</para>
+<screen><prompt>~]#</prompt>&#160;<command>mkdir /web</command></screen>
+<screen><prompt>~]#</prompt>&#160;<command>touch /web/file{1,2,3}</command></screen>
+<screen>
+<prompt>~]#</prompt>&#160;<command>ls -dZ /web</command>
 drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web
-# ls -lZ /web
+</screen>
+<screen>
+<prompt>~]#</prompt>&#160;<command>ls -lZ /web</command>
 -rw-r--r--  root root unconfined_u:object_r:default_t:s0 file1
 -rw-r--r--  root root unconfined_u:object_r:default_t:s0 file2
 -rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3
 </screen>
-				</listitem>
-				<listitem>
+				</step>
+				<step>
 					<para>
-						As the Linux root user, run the <command>/usr/sbin/semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"</command> command to change the type of the <filename>/web/</filename> directory and the files in it, to <computeroutput>httpd_sys_content_t</computeroutput>. The <option>-a</option> option adds a new record, and the <option>-t</option> option defines a type (httpd_sys_content_t). The <computeroutput>"/web(/.*)?"</computeroutput> regular expression causes the <command>semanage</command> command to apply changes to the <filename>/web/</filename> directory, as well as the files in it. Note: running this command does not directly change the type - <filename>/web/</filename> and files in it are still labeled with the <computeroutput>default_t</computeroutput> type:
+                                                As root, run the following command to change the type of the <filename class="directory">/web/</filename> directory and the files in it, to <systemitem>httpd_sys_content_t</systemitem>. The <option>-a</option> option adds a new record, and the <option>-t</option> option defines a type (httpd_sys_content_t). The <computeroutput>"/web(/.*)?"</computeroutput> regular expression causes <systemitem>semanage</systemitem> to apply changes to <filename class="directory">/web/</filename>, as well as the files in it. Note that running this command does not directly change the type; <filename class="directory">/web/</filename> and files in it are still labeled with the <systemitem>default_t</systemitem> type:
 					</para>
-					
-<screen># ls -dZ /web
+<screen><prompt>~]#</prompt>&#160;<command>semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"</command></screen>					
+<screen>
+<prompt>~]$</prompt>&#160;<command>ls -dZ /web</command>
 drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web
-# ls -lZ /web
+</screen>
+<screen>
+<prompt>~]$</prompt>&#160;<command>ls -lZ /web</command> 
 -rw-r--r--  root root unconfined_u:object_r:default_t:s0 file1
 -rw-r--r--  root root unconfined_u:object_r:default_t:s0 file2
 -rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3
 </screen>
 					<para>
-						The <command>/usr/sbin/semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"</command> command adds the following entry to <filename>/etc/selinux/targeted/contexts/files/file_contexts.local</filename>:
+						The <command>semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"</command> command adds the following entry to <filename>/etc/selinux/targeted/contexts/files/file_contexts.local</filename>:
 					</para>
-					
-<screen>/web(/.*)?    system_u:object_r:httpd_sys_content_t:s0
+<screen>
+/web(/.*)?    system_u:object_r:httpd_sys_content_t:s0
 </screen>
-				</listitem>
-				<listitem>
+				</step>
+				<step>
 					<para>
-						As the Linux root user, run the <command>/sbin/restorecon -R -v /web</command> command to change the type of the <filename>/web/</filename> directory, as well as all files in it. The <option>-R</option> is for recursive, which means all files and directories under the <filename>/web/</filename> directory are labeled with the <computeroutput>httpd_sys_content_t</computeroutput> type. Since the <command>semanage</command> command added an entry to <filename>file.contexts.local</filename> for <computeroutput>/web(/.*)?</computeroutput>, the <command>/sbin/restorecon</command> command changes the types to <computeroutput>httpd_sys_content_t</computeroutput>:
+                                                As root, use the <systemitem>restorecon</systemitem> utility to change the type of <filename class="directory">/web/</filename>, as well as all files in it. The <option>-R</option> is for recursive, which means all files and directories under <filename class="directory">/web/</filename> are labeled with the <systemitem>httpd_sys_content_t</systemitem> type. Since <systemitem>semanage</systemitem> added an entry to <filename>file.contexts.local</filename> for <computeroutput>/web(/.*)?</computeroutput>, <systemitem>restorecon</systemitem> changes the types to <systemitem>httpd_sys_content_t</systemitem>:
 					</para>
-					
-<screen># /sbin/restorecon -R -v /web
+<screen>
+<prompt>~]#</prompt>&#160;<command>restorecon -R -v /web</command>
 restorecon reset /web context unconfined_u:object_r:default_t:s0-&gt;system_u:object_r:httpd_sys_content_t:s0
 restorecon reset /web/file2 context unconfined_u:object_r:default_t:s0-&gt;system_u:object_r:httpd_sys_content_t:s0
 restorecon reset /web/file3 context unconfined_u:object_r:default_t:s0-&gt;system_u:object_r:httpd_sys_content_t:s0
 restorecon reset /web/file1 context unconfined_u:object_r:default_t:s0-&gt;system_u:object_r:httpd_sys_content_t:s0
 </screen>
+
+					<note>
+						<para>
+							By default, newly-created files and directories inherit the SELinux type of their parent directories. For example, when creating a new file in the <filename class="directory">/etc/</filename> directory that is labeled with the <systemitem>etc_t</systemitem> type, the new file inherits the same type:
+						</para>
+<screen>
+~]$&#160;<command>ls -dZ - /etc/</command>
+drwxr-xr-x. root root system_u:object_r:<emphasis>etc_t</emphasis>:s0       /etc
+</screen>
+<screen>~]#&#160;<command>touch /etc/file1</command></screen>
+<screen>
+~]#&#160;<command>ls -lZ /etc/file1</command>
+-rw-r--r--. root root unconfined_u:object_r:<emphasis>etc_t</emphasis>:s0   /etc/file1
+</screen>
+					</note>
+				</step>
+                                <!-- as per RT#122301
+                                <step>
 					<para>
-						By default, newly-created files and directories inherit the SELinux type of their parents. In this example, files and directories created in the <filename>/web/</filename> directory will be labeled with the <computeroutput>httpd_sys_content_t</computeroutput> type.
-					</para>
-				</listitem>
-				<listitem>
-					<para>
-						As the Linux root user, run the <command>/usr/sbin/semanage fcontext -d "/web(/.*)?"</command> command to remove the context added for <computeroutput>"/web(/.*)?"</computeroutput>.
+						As the Linux root user, run the <command>semanage fcontext -d "/web(/.*)?"</command> command to remove the context added for <computeroutput>"/web(/.*)?"</computeroutput>.
 					</para>
-				</listitem>
-				<listitem>
+				</step>
+				<step>
 					<para>
-						As the Linux root user, run the <command>/sbin/restorecon -R -v /web</command> command to restore the default SELinux contexts.
+						As the Linux root user, run the <command>restorecon -R -v /web</command> command to restore the default SELinux contexts.
 					</para>
-				</listitem>
-			</orderedlist>
-			<formalpara id="form-Security-Enhanced_Linux-Persistent_Changes_semanage_fcontext-Deleting_an_added_Context">
-				<title>Deleting an added Context</title>
-				<para>
-					The following example demonstrates adding and removing an SELinux context:
-				</para>
-			</formalpara>
-			<orderedlist>
-				<listitem>
-					<para>
-						As the Linux root user, run the <command>/usr/sbin/semanage fcontext -a -t httpd_sys_content_t /test</command> command. The <filename>/test/</filename> directory does not have to exist. This command adds the following context to <filename>/etc/selinux/targeted/contexts/files/file_contexts.local</filename>:
+                                </step>-->
+			</procedure>
+			
+                        <procedure id="proc-Security-Enhanced_Linux-Persistent_Changes_semanage_fcontext-Deleting_an_added_Context">
+                                <title>Deleting an added Context</title>
+                                <para>
+                                        The following example demonstrates adding and removing an SELinux context. If the context is part of a regular expression, for example, <computeroutput>/web(/.*)?</computeroutput>, use quotation marks around the regular expression:
+                                </para>
+<screen><prompt>~]#</prompt>&#160;<command>semanage fcontext -d "/web(/.*)?"</command>
+			        </screen>
+                                <!-- as per RT#122301
+                                <step>
+                                        <para>
+						As the Linux root user, run the <command>semanage fcontext -a -t httpd_sys_content_t /test</command> command. The <filename>/test/</filename> directory does not have to exist. This command adds the following context to <filename>/etc/selinux/targeted/contexts/files/file_contexts.local</filename>:
 					</para>
 					
 <screen>/test    system_u:object_r:httpd_sys_content_t:s0
 </screen>
-				</listitem>
-				<listitem>
+                                </step>-->
+				<step>
 					<para>
-						To remove the context, as the Linux root user, run the <command>/usr/sbin/semanage fcontext -d <replaceable>file-name</replaceable>|<replaceable>directory-name</replaceable></command> command, where <replaceable>file-name</replaceable>|<replaceable>directory-name</replaceable> is the first part in <filename>file_contexts.local</filename>. The following is an example of a context in <filename>file_contexts.local</filename>:
+                                                To remove the context, as root, run the following command, where <replaceable>file-name</replaceable>|<replaceable>directory-name</replaceable> is the first part in <filename>file_contexts.local</filename>:
+                                        </para>
+<screen><prompt>~]#</prompt>&#160;<command>semanage fcontext -d <replaceable>file-name</replaceable>|<replaceable>directory-name</replaceable></command></screen>
+                                        <para>
+                                                The following is an example of a context in <filename>file_contexts.local</filename>:
 					</para>
-					
-<screen>/test    system_u:object_r:httpd_sys_content_t:s0
+<screen>
+/test    system_u:object_r:httpd_sys_content_t:s0
 </screen>
 					<para>
-						With the first part being <computeroutput>/test</computeroutput>. To prevent the <filename>/test/</filename> directory from being labeled with the <computeroutput>httpd_sys_content_t</computeroutput> after running <command>/sbin/restorecon</command>, or after a file system relabel, run the following command as the Linux root user to delete the context from <filename>file_contexts.local</filename>:
-					</para>
-					<para>
-						<command>/usr/sbin/semanage fcontext -d /test</command>
+						With the first part being <computeroutput>/test</computeroutput>. To prevent the <filename class="directory">/test/</filename> directory from being labeled with the <systemitem>httpd_sys_content_t</systemitem> after running <command>restorecon</command>, or after a file system relabel, run the following command as root to delete the context from <filename>file_contexts.local</filename>:
 					</para>
-				</listitem>
-			</orderedlist>
+<screen><prompt>~]#</prompt>&#160;<command>semanage fcontext -d /test</command></screen>
+                                </step>
+                                <step>
+                                        <para>
+                                                As root, use the <systemitem>restorecon</systemitem> utility to restore the default SELinux context.
+                                        </para>
+                                </step>
+			</procedure>
 			<para>
-				If the context is part of a regular expression, for example, <computeroutput>/web(/.*)?</computeroutput>, use quotation marks around the regular expression:
-			</para>
-			<para>
-				<command>/usr/sbin/semanage fcontext -d "/web(/.*)?"</command>
-			</para>
-			<para>
-				Refer to the <citerefentry><refentrytitle>semanage</refentrytitle><manvolnum>8</manvolnum></citerefentry> manual page for further information about <command>/usr/sbin/semanage</command>.
+				See the <citerefentry><refentrytitle>semanage</refentrytitle><manvolnum>8</manvolnum></citerefentry> manual page for further information about <command>semanage</command>.
 			</para>
 			<important>
 				<para>
-					When changing the SELinux context with <command>/usr/sbin/semanage fcontext -a</command>, use the full path to the file or directory to avoid files being mislabeled after a file system relabel, or after the <command>/sbin/restorecon</command> command is run.
+					When changing the SELinux context with <command>semanage fcontext -a</command>, use the full path to the file or directory to avoid files being mislabeled after a file system relabel, or after the <command>restorecon</command> command is run.
 				</para>
 			</important>
 		</section>
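Review bot: the first step of the "Changing a Directory and its Contents Types" procedure names the wrong directory and is missing a space: "create a new <filename class="directory">/mkdir/</filename>directory" should read "create a new <filename class="directory">/web/</filename> directory", since the command shown right after it is `mkdir /web` and every later step refers to `/web/`. Other points in this hunk: the added sentences in the `restorecon -v /etc/file1` step and in the `restorecon -R -v /web` step still cite `<filename>file.contexts.local</filename>`, whereas the semanage steps correctly name the file `file_contexts.local`; the `ls -dZ /web` and `ls -lZ /web` screens that follow `semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"` switch to a `~]$` prompt although the step says "As root" and the neighbouring screens use `<prompt>~]#</prompt>`, and the prompts in the new inheritance `<note>` (`~]$` for `ls`, `~]#` for `touch` and `ls -lZ`) are neither consistent with each other nor wrapped in `<prompt>`; the note's command `ls -dZ - /etc/` has a stray `-` argument, which makes `ls` look for a file literally named `-`, so it should be `ls -dZ /etc/`. The "Deleting an added Context" procedure now states that it "demonstrates adding and removing an SELinux context", but the step that adds the `/test` context is commented out per RT#122301, so the remaining step deletes a context the reader never added; either reword the intro to cover removal only or keep the add step. Finally, `<screen>` is verbatim, so the tab run before the `</screen>` that closes `semanage fcontext -d "/web(/.*)?"` and the trailing tabs after the `</screen>` closing the `"/web(/.*)?"` add command will render as stray whitespace.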
@@ -983,15 +1157,15 @@ restorecon reset /web/file1 context unconfined_u:object_r:default_t:s0-&gt;syste
 	
 	<section id="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types">
 		<title>The file_t and default_t Types</title>
-		<para>
-			For file systems that support extended attributes, when a file that lacks an SELinux context on disk is accessed, it is treated as if it had a default context as defined by SELinux policy. In common policies, this default context uses the <computeroutput>file_t</computeroutput> type. This should be the only use of this type, so that files without a context on disk can be distinguished in policy, and generally kept inaccessible to confined domains. The <computeroutput>file_t</computeroutput> type should not exist on correctly-labeled file systems, because all files on a system running SELinux should have an SELinux context, and the <computeroutput>file_t</computeroutput> type is never used in file-context configuration<footnote>
+                <para>
+                        When using a file system that supports extended attributes (EA), the <systemitem>file_t</systemitem> type is the default type of a file that has not yet been assigned <acronym>EA</acronym> value. This type is only used for this purpose and does not exist on correctly-labeled file systems, because all files on a system running SELinux should have a proper SELinux context, and the <systemitem>file_t</systemitem> type is never used in file-context configuration<footnote>
 			<para>
-				Files in <filename>/etc/selinux/targeted/contexts/files/</filename> define contexts for files and directories. Files in this directory are read by <command>restorecon</command> and <command>setfiles</command> to restore files and directories to their default contexts.
+				Files in the <filename class="directory">/etc/selinux/targeted/contexts/files/</filename> directory define contexts for files and directories. Files in this directory are read by the <systemitem>restorecon</systemitem> and <systemitem>setfiles</systemitem> utilities to restore files and directories to their default contexts.
 			</para>
 			</footnote>.
 		</para>
 		<para>
-			The <computeroutput>default_t</computeroutput> type is used on files that do not match any other pattern in file-context configuration, so that such files can be distinguished from files that do not have a context on disk, and generally kept inaccessible to confined domains. If you create a new top-level directory, such as <filename>/mydirectory/</filename>, this directory may be labeled with the <computeroutput>default_t</computeroutput> type. If services need access to such a directory, update the file-contexts configuration for this location. Refer to <xref linkend="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext" /> for details on adding a context to the file-context configuration.
+                        The <systemitem>default_t</systemitem> type is used on files that do not match any pattern in file-context configuration, so that such files can be distinguished from files that do not have a context on disk, and generally are kept inaccessible to confined domains. For example, if you create a new top-level directory, such as <filename class="directory">/mydirectory/</filename>, this directory may be labeled with the default_t type. If services need access to this directory, you need to update the file-contexts configuration for this location. See <xref linkend="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext" /> for details on adding a context to the file-context configuration. 
 		</para>
 	</section>
 	
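Review bot: the rewritten file_t paragraph removes the statement that a file lacking an on-disk context is treated, when accessed, as if it had the policy's default context, yet the "Changing the Default Context" section later in this patch still opens with "As mentioned in <xref linkend="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types" />, ... when a file that lacks an SELinux context on disk is accessed, it is treated as if it had a default context"; after this change the cross-reference no longer points at text that says so, so either keep that sentence here or adjust the later section. Smaller issues in the same hunk: "has not yet been assigned EA value" needs an article ("an EA value"), the `<acronym>` markup belongs on the first mention where "(EA)" is introduced rather than only on the second, and in the default_t paragraph "labeled with the default_t type" leaves `default_t` unmarked while the same sentence uses `<systemitem>default_t</systemitem>` a few words earlier (the line also carries trailing whitespace).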
@@ -1001,7 +1175,7 @@ restorecon reset /web/file1 context unconfined_u:object_r:default_t:s0-&gt;syste
 			By default, when a file system that supports extended attributes is mounted, the security context for each file is obtained from the <emphasis>security.selinux</emphasis> extended attribute of the file. Files in file systems that do not support extended attributes are assigned a single, default security context from the policy configuration, based on file system type.
 		</para>
 		<para>
-			Use the <command>mount -o context</command> command to override existing extended attributes, or to specify a different, default context for file systems that do not support extended attributes. This is useful if you do not trust a file system to supply the correct attributes, for example, removable media used in multiple systems. The <command>mount -o context</command> command can also be used to support labeling for file systems that do not support extended attributes, such as File Allocation Table (FAT) or NFS file systems. The context specified with the <option>context</option> is not written to disk: the original contexts are preserved, and are seen when mounting without a <option>context</option> option (if the file system had extended attributes in the first place).
+			Use the <command>mount -o context</command> command to override existing extended attributes, or to specify a different, default context for file systems that do not support extended attributes. This is useful if you do not trust a file system to supply the correct attributes, for example, removable media used in multiple systems. The <command>mount -o context</command> command can also be used to support labeling for file systems that do not support extended attributes, such as File Allocation Table (FAT) or NFS volumes. The context specified with the <option>context</option> option is not written to disk: the original contexts are preserved, and are seen when mounting without <option>context</option> (if the file system had extended attributes in the first place).
 		</para>
 		<para>
 			For further information about file system labeling, refer to James Morris&#39;s "Filesystem Labeling in SELinux" article: <ulink url="http://www.linuxjournal.com/article/7426"></ulink>.
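Review bot: style: this patch changes "Refer to" into "See" in the semanage and default_t paragraphs, but the unchanged "refer to James Morris's ... article" sentence in this hunk keeps the old wording; if the intent is to standardise on "See", this line should be updated in the same pass. The "NFS file systems" to "NFS volumes" change is consistent with the Context Mounts hunk, so that part reads fine.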
@@ -1009,23 +1183,19 @@ restorecon reset /web/file1 context unconfined_u:object_r:default_t:s0-&gt;syste
 		<section id="sect-Security-Enhanced_Linux-Mounting_File_Systems-Context_Mounts">
 			<title>Context Mounts</title>
 			<para>
-				To mount a file system with the specified context, overriding existing contexts if they exist, or to specify a different, default context for a file system that does not support extended attributes, as the Linux root user, use the <command>mount -o context=<replaceable>SELinux_user:role:type:level</replaceable></command> command when mounting the desired file system. Context changes are not written to disk. By default, NFS mounts on the client side are labeled with a default context defined by policy for NFS file systems. In common policies, this default context uses the <computeroutput>nfs_t</computeroutput> type. Without additional mount options, this may prevent sharing NFS file systems via other services, such as the Apache HTTP Server. The following example mounts an NFS file system so that it can be shared via the Apache HTTP Server:
+				To mount a file system with the specified context, overriding existing contexts if they exist, or to specify a different, default context for a file system that does not support extended attributes, as the root user, use the <command>mount -o context=<replaceable>SELinux_user:role:type:level</replaceable></command> command when mounting the desired file system. Context changes are not written to disk. By default, NFS mounts on the client side are labeled with a default context defined by policy for NFS volumes. In common policies, this default context uses the <systemitem>nfs_t</systemitem> type. Without additional mount options, this may prevent sharing NFS volumes using other services, such as the Apache HTTP Server. The following example mounts an NFS volume so that it can be shared via the Apache HTTP Server:
 			</para>
-
-				
-<screen># mount server:/export /local/mount/point -o\
-context="system_u:object_r:httpd_sys_content_t:s0"
-</screen>
-
+<screen><prompt>~]#</prompt>&#160;<command>mount server:/export /local/mount/point -o \
+context="system_u:object_r:httpd_sys_content_t:s0"</command></screen>
 			<para>
-				Newly-created files and directories on this file system appear to have the SELinux context specified with <option>-o context</option>; however, since context changes are not written to disk for these situations, the context specified with the <option>context</option> option is only retained if the <option>context</option> option is used on the next mount, and if the same context is specified.
+				Newly-created files and directories on this file system appear to have the SELinux context specified with <option>-o context</option>. However, since these changes are not written to disk, the context specified with this option does not persist between mounts. Therefore, this option must be used with the same context specified during every mount to retain the desired context. For information about making context mount persistent, refer to <xref linkend="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent" />.
 			</para>
 			<para>
-				Type Enforcement is the main permission control used in SELinux targeted policy. For the most part, SELinux users and roles can be ignored, so, when overriding the SELinux context with <option>-o context</option>, use the SELinux <computeroutput>system_u</computeroutput> user and <computeroutput>object_r</computeroutput> role, and concentrate on the type. If you are not using the MLS policy or multi-category security, use the <computeroutput>s0</computeroutput> level.
+				Type Enforcement is the main permission control used in SELinux targeted policy. For the most part, SELinux users and roles can be ignored, so, when overriding the SELinux context with <option>-o context</option>, use the SELinux <systemitem>system_u</systemitem> user and <systemitem>object_r</systemitem> role, and concentrate on the type. If you are not using the MLS policy or multi-category security, use the <systemitem>s0</systemitem> level.
 			</para>
 			<note>
 				<para>
-					When a file system is mounted with a <option>context</option> option, context changes (by users and processes) are prohibited. For example, running <command>chcon</command> on a file system mounted with a <option>context</option> option results in a <computeroutput>Operation not supported</computeroutput> error.
+					When a file system is mounted with a <option>context</option> option, context changes (by users and processes) are prohibited. For example, running the <command>chcon</command> command on a file system mounted with a <option>context</option> option results in a <computeroutput>Operation not supported</computeroutput> error.
 				</para>
 			</note>
 		</section>
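Review bot: in the rewritten paragraph after the mount command, "making context mount persistent" should read "making context mounts persistent", matching the title of the section the xref points at. The same paragraph's mount command keeps a `\` line continuation inside `<command>`, while the identical command in the NFS section of this patch is collapsed onto one line; pick one form so the two rendered screens match.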
@@ -1033,14 +1203,12 @@ context="system_u:object_r:httpd_sys_content_t:s0"
 		<section id="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context">
 			<title>Changing the Default Context</title>
 			<para>
-				As mentioned in <xref linkend="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types" />, on file systems that support extended attributes, when a file that lacks an SELinux context on disk is accessed, it is treated as if it had a default context as defined by SELinux policy. In common policies, this default context uses the <computeroutput>file_t</computeroutput> type. If it is desirable to use a different default context, mount the file system with the <option>defcontext</option> option.
+				As mentioned in <xref linkend="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types" />, on file systems that support extended attributes, when a file that lacks an SELinux context on disk is accessed, it is treated as if it had a default context as defined by SELinux policy. In common policies, this default context uses the <systemitem>file_t</systemitem> type. If it is desirable to use a different default context, mount the file system with the <option>defcontext</option> option.
 			</para>
 			<para>
-				The following example mounts a newly-created file system (on <filename>/dev/sda2</filename>) to the newly-created <filename>/test/</filename> directory. It assumes that there are no rules in <filename>/etc/selinux/targeted/contexts/files/</filename> that define a context for the <filename>/test/</filename> directory:
+				The following example mounts a newly-created file system (on <filename>/dev/sda2</filename>) to the newly-created <filename class="directory">/test/</filename> directory. It assumes that there are no rules in <filename class="directory">/etc/selinux/targeted/contexts/files/</filename> that define a context for the <filename>/test/</filename> directory:
 			</para>
-			
-<screen>
-# mount /dev/sda2 /test/ -o defcontext="system_u:object_r:samba_share_t:s0"
+<screen><prompt>~]#</prompt>&#160;<command>mount /dev/sda2 /test/ -o defcontext="system_u:object_r:samba_share_t:s0"</command>
 </screen>
 			<para>
 				In this example:
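Review bot: the third `/test/` in the paragraph introducing the `defcontext` example is left as a plain `<filename>` while the first two occurrences in the same sentence were changed to `<filename class="directory">`; mark it the same way, since one directory should not render in two styles within a single sentence.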
@@ -1057,50 +1225,43 @@ context="system_u:object_r:httpd_sys_content_t:s0"
 				</listitem>
 				<listitem>
 					<para>
-						when mounted, the root directory (<filename>/test/</filename>) of the file system is treated as if it is labeled with the context specified by <option>defcontext</option> (this label is not stored on disk). This affects the labeling for files created under <filename>/test/</filename>: new files inherit the <computeroutput>samba_share_t</computeroutput> type, and these labels are stored on disk.
+						when mounted, the root directory (<filename class="directory">/test/</filename>) of the file system is treated as if it is labeled with the context specified by <option>defcontext</option> (this label is not stored on disk). This affects the labeling for files created under <filename class="directory">/test/</filename>: new files inherit the <systemitem>samba_share_t</systemitem> type, and these labels are stored on disk.
 					</para>
 				</listitem>
 				<listitem>
 					<para>
-						files created under <filename>/test/</filename> while the file system was mounted with a <option>defcontext</option> option retain their labels.
+						files created under <filename class="directory">/test/</filename> while the file system was mounted with a <option>defcontext</option> option retain their labels.
 					</para>
 				</listitem>
 			</itemizedlist>
 		</section>
 		
 		<section id="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System">
-			<title>Mounting an NFS File System</title>
+			<title>Mounting an NFS Volume</title>
 			<para>
-				By default, NFS mounts on the client side are labeled with a default context defined by policy for NFS file systems. In common policies, this default context uses the <computeroutput>nfs_t</computeroutput> type. Depending on policy configuration, services, such as Apache HTTP Server and MySQL, may not be able to read files labeled with the <computeroutput>nfs_t</computeroutput> type. This may prevent file systems labeled with this type from being mounted and then read or exported by other services.
+				By default, NFS mounts on the client side are labeled with a default context defined by policy for NFS volumes. In common policies, this default context uses the <systemitem>nfs_t</systemitem> type. Depending on policy configuration, services, such as Apache HTTP Server and MariaDB, may not be able to read files labeled with the <systemitem>nfs_t</systemitem> type. This may prevent file systems labeled with this type from being mounted and then read or exported by other services.
 			</para>
 			<para>
-				If you would like to mount an NFS file system and read or export that file system with another service, use the <option>context</option> option when mounting to override the <computeroutput>nfs_t</computeroutput> type. Use the following context option to mount NFS file systems so that they can be shared via the Apache HTTP Server:
+				If you would like to mount an NFS volume and read or export that file system with another service, use the <option>context</option> option when mounting to override the <systemitem>nfs_t</systemitem> type. Use the following context option to mount NFS volumes so that they can be shared via the Apache HTTP Server:
 			</para>
 			
-<screen>mount server:/export /local/mount/point -o\
-context="system_u:object_r:httpd_sys_content_t:s0"
-</screen>
+<screen><prompt>~]#</prompt>&#160;<command>mount server:/export /local/mount/point -o context="system_u:object_r:httpd_sys_content_t:s0"</command></screen>
 			<para>
-				Since context changes are not written to disk for these situations, the context specified with the <option>context</option> option is only retained if the <option>context</option> option is used on the next mount, and if the same context is specified.
+				Since these changes are not written to disk, the context specified with this option does not persist between mounts. Therefore, this option must be used with the same context specified during every mount to retain the desired context. For information about making context mount persistent, refer to <xref linkend="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent" />.
 			</para>
 			<para>
-				As an alternative to mounting file systems with <option>context</option> options, Booleans can be turned on to allow services access to file systems labeled with the <computeroutput>nfs_t</computeroutput> type. Refer to <xref linkend="sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS" /> for instructions on configuring Booleans to allow services access to the <computeroutput>nfs_t</computeroutput> type.
+				As an alternative to mounting file systems with <option>context</option> options, Booleans can be enabled to allow services access to file systems labeled with the <systemitem>nfs_t</systemitem> type. <!--Refer to <xref linkend="Managing_Confined_Services.xml" /> --> for instructions on configuring Booleans to allow services access to the <systemitem>nfs_t</systemitem> type.
 			</para>
 		</section>
 		
 		<section id="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts">
 			<title>Multiple NFS Mounts</title>
 			<para>
-				When mounting multiple mounts from the same NFS export, attempting to override the SELinux context of each mount with a different context, results in subsequent mount commands failing. In the following example, the NFS server has a single export, <filename>/export</filename>, which has two subdirectories, <filename>web/</filename> and <filename>database/</filename>. The following commands attempt two mounts from a single NFS export, and try to override the context for each one:
+                                When mounting multiple mounts from the same NFS export, attempting to override the SELinux context of each mount with a different context, results in subsequent mount commands failing. In the following example, the NFS server has a single export, <filename class="directory">/export/</filename>, which has two subdirectories, <filename class="directory">/web/</filename> and <filename class="directory">/database/</filename>. The following commands attempt two mounts from a single NFS export, and try to override the context for each one:
 			</para>
-			
-<screen>
-# mount server:/export/web /local/web -o\
-context="system_u:object_r:httpd_sys_content_t:s0"
+<screen><prompt>~]#</prompt>&#160;<command>mount server:/export/web /local/web -o context="system_u:object_r:httpd_sys_content_t:s0"</command></screen>
 
-# mount server:/export/database /local/database -o\
-context="system_u:object_r:mysqld_db_t:s0"
-</screen>
+<screen><prompt>~]#</prompt>&#160;<command>mount server:/export/database /local/database -o context="system_u:object_r:mysqld_db_t:s0"</command></screen>
 			<para>
 				The second mount command fails, and the following is logged to <filename>/var/log/messages</filename>:
 			</para>
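Review bot: commenting out only the `<xref>` in the Booleans paragraph leaves a dangling fragment; the sentence now renders as "type.  for instructions on configuring Booleans to allow services access to the nfs_t type." Either comment out the whole sentence or reword it to stand alone until the replacement link exists (note that `linkend="Managing_Confined_Services.xml"` would not resolve anyway, since linkend takes an element id, not a file name). In the Multiple NFS Mounts paragraph, the subdirectories of `/export/` are now written as `/web/` and `/database/`, which reads as two top-level directories; `web/` and `database/` (or `/export/web/` and `/export/database/`) matches the mount commands that follow.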
@@ -1111,20 +1272,16 @@ kernel: SELinux: mount invalid.  Same superblock, different security settings fo
 			<para>
 				To mount multiple mounts from a single NFS export, with each mount having a different context, use the <option>-o nosharecache,context</option> options. The following example mounts multiple mounts from a single NFS export, with a different context for each mount (allowing a single service access to each one):
 			</para>
-			
-<screen>
-# mount server:/export/web /local/web -o\
-nosharecache,context="system_u:object_r:httpd_sys_content_t:s0"
-
-# mount server:/export/database /local/database -o\
-nosharecache,context="system_u:object_r:mysqld_db_t:s0"
-</screen>
+		
+<screen><prompt>~]#</prompt>&#160;<command>mount server:/export/web /local/web -o nosharecache,context="system_u:object_r:httpd_sys_content_t:s0"</command></screen>
+<screen><prompt>~]#</prompt>&#160;<command>mount server:/export/database /local/database -o \
+nosharecache,context="system_u:object_r:mysqld_db_t:s0"</command></screen>
 			<para>
-				In this example, <computeroutput>server:/export/web</computeroutput> is mounted locally to <filename>/local/web/</filename>, with all files being labeled with the <computeroutput>httpd_sys_content_t</computeroutput> type, allowing Apache HTTP Server access. <computeroutput>server:/export/database</computeroutput> is mounted locally to <filename>/local/database</filename>, with all files being labeled with the <computeroutput>mysqld_db_t</computeroutput> type, allowing MySQL access. These type changes are not written to disk.
+                                In this example, <computeroutput>server:/export/web</computeroutput> is mounted locally to the <filename class="directory">/local/web/</filename> directory, with all files being labeled with the <systemitem>httpd_sys_content_t</systemitem> type, allowing Apache HTTP Server access. <computeroutput>server:/export/database</computeroutput> is mounted locally to <filename class="directory">/local/database/</filename>, with all files being labeled with the <systemitem>mysqld_db_t</systemitem> type, allowing MariaDB access. These type changes are not written to disk.
 			</para>
 			<important>
 				<para>
-					The <option>nosharecache</option> options allows you to mount the same subdirectory of an export multiple times with different contexts (for example, mounting <filename>/export/web</filename> multiple times). Do not mount the same subdirectory from an export multiple times with different contexts, as this creates an overlapping mount, where files are accessible under two different contexts.
+                                        The <option>nosharecache</option> options allows you to mount the same subdirectory of an export multiple times with different contexts (for example, mounting <filename class="directory">/export/web/</filename> multiple times). Do not mount the same subdirectory from an export multiple times with different contexts, as this creates an overlapping mount, where files are accessible under two different contexts.
 				</para>
 			</important>
 		</section>
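Review bot: the `<important>` paragraph is edited here but still says "The nosharecache options allows you"; fix to "option allows" while touching the line. The two mount commands in this hunk are also wrapped differently (the first on one line, the second with a `\` continuation inside `<command>`), and the replacement adds a whitespace-only line before the first `<screen>`; make the two screens match and drop the stray line.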
@@ -1132,131 +1289,197 @@ nosharecache,context="system_u:object_r:mysqld_db_t:s0"
 		<section id="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent">
 			<title>Making Context Mounts Persistent</title>
 			<para>
-				To make context mounts persistent across remounting and reboots, add entries for the file systems in <filename>/etc/fstab</filename> or an automounter map, and use the desired context as a mount option. The following example adds an entry to <filename>/etc/fstab</filename> for an NFS context mount:
+				To make context mounts persistent across remounting and reboots, add entries for the file systems in the <filename>/etc/fstab</filename> file or an automounter map, and use the desired context as a mount option. The following example adds an entry to <filename>/etc/fstab</filename> for an NFS context mount:
 			</para>
 			
 <screen>
 server:/export /local/mount/ nfs context="system_u:object_r:httpd_sys_content_t:s0" 0 0
 </screen>
-			<para>
-				Refer to the <ulink url="http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/s1-nfs-client-config.html">Red Hat Enterprise Linux 5 Deployment Guide, Section 19.2. "NFS Client Configuration"</ulink> for information about mounting NFS file systems.
-			</para>
 		</section>
 
 	</section>
 	
 	<section id="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_">
-		<title>Maintaining SELinux Labels </title>
+		<title>Maintaining SELinux Labels</title>
 		<para>
 			These sections describe what happens to SELinux contexts when copying, moving, and archiving files and directories. Also, it explains how to preserve contexts when copying and archiving.
 		</para>
 		<section id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Copying_Files_and_Directories">
 			<title>Copying Files and Directories</title>
 			<para>
-				When a file or directory is copied, a new file or directory is created if it does not exist. That new file or directory&#39;s context is based on default-labeling rules, not the original file or directory&#39;s context (unless options were used to preserve the original context). For example, files created in user home directories are labeled with the <computeroutput>user_home_t</computeroutput> type:
+				When a file or directory is copied, a new file or directory is created if it does not exist. That new file or directory&#39;s context is based on default-labeling rules, not the original file or directory&#39;s context (unless options were used to preserve the original context). For example, files created in user home directories are labeled with the <systemitem>user_home_t</systemitem> type:
 			</para>
 			
+<screen><prompt>~]$</prompt>&#160;<command>touch file1</command></screen>
 <screen>
-$ touch file1
-$ ls -Z file1 
+<prompt>~]$</prompt>&#160;<command>ls -Z file1</command>
 -rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
 </screen>
 			<para>
-				If such a file is copied to another directory, such as <filename>/etc/</filename>, the new file is created in accordance to default-labeling rules for the <filename>/etc/</filename> directory. Copying a file (without additional options) may not preserve the original context:
+				If such a file is copied to another directory, such as <filename class="directory">/etc/</filename>, the new file is created in accordance to default-labeling rules for <filename class="directory">/etc/</filename>. Copying a file (without additional options) may not preserve the original context:
 			</para>
 			
 <screen>
-$ ls -Z file1 
+<prompt>~]$</prompt>&#160;<command>ls -Z file1</command>
 -rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
-# cp file1 /etc/
-$ ls -Z /etc/file1
+</screen>
+<screen><prompt>~]#</prompt>&#160;<command>cp file1 /etc/</command></screen>
+<screen>
+<prompt>~]$</prompt>&#160;<command>ls -Z /etc/file1</command> 
 -rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1
 </screen>
 			<para>
-				When <filename>file1</filename> is copied to <filename>/etc/</filename>, if <filename>/etc/file1</filename> does not exist, <filename>/etc/file1</filename> is created as a new file. As shown in the example above, <filename>/etc/file1</filename> is labeled with the <computeroutput>etc_t</computeroutput> type, in accordance to default-labeling rules.
+				When <filename>file1</filename> is copied to <filename class="directory">/etc/</filename>, if <filename>/etc/file1</filename> does not exist, <filename>/etc/file1</filename> is created as a new file. As shown in the example above, <filename>/etc/file1</filename> is labeled with the <systemitem>etc_t</systemitem> type, in accordance to default-labeling rules.
 			</para>
 			<para>
 				When a file is copied over an existing file, the existing file&#39;s context is preserved, unless the user specified <command>cp</command> options to preserve the context of the original file, such as <option>--preserve=context</option>. SELinux policy may prevent contexts from being preserved during copies.
-			</para>
-			<formalpara id="form-Security-Enhanced_Linux-Copying_Files_and_Directories-Copying_Without_Preserving_SELinux_Contexts">
-				<title>Copying Without Preserving SELinux Contexts</title>
-				<para>
-					When copying a file with the <command>cp</command> command, if no options are given, the type is inherited from the targeted, parent directory:
-				</para>
-			</formalpara>
-			
+                        </para>
+                        <procedure id="proc-Security-Enhanced_Linux-Copying_Files_and_Directories-Copying_Without_Preserving_SELinux_Contexts">
+                                <title>Copying Without Preserving SELinux Contexts</title>
+                                <para>
+                                        This procedure shows that when copying a file with the <command>cp</command> command, if no options are given, the type is inherited from the targeted, parent directory.
+                                </para>
+                                <step>
+                                        <para>
+                                                Create a file in a user&#39;s home directory. The file is labeled with the <systemitem>user_home_t</systemitem> type:             
+                                        </para>
+<screen><prompt>~]$</prompt>&#160;<command>touch file1</command></screen>
 <screen>
-$ touch file1
-$ ls -Z file1
+<prompt>~]$</prompt>&#160;<command>ls -Z file1</command>
 -rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
-$ ls -dZ /var/www/html/
+</screen>
+                                </step>
+                                <step>
+                                        <para>
+                                               The <filename class="directory">/var/www/html/</filename> directory is labeled with the <systemitem>httpd_sys_content_t</systemitem> type, as shown with the following command:
+                                       </para>
+<screen>
+<prompt>~]$</prompt>&#160;<command>ls -dZ /var/www/html/</command>
 drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
-# cp file1 /var/www/html/
-$ ls -Z /var/www/html/file1
+</screen>
+                                </step>
+                                <step>
+                                        <para>
+                                                When <filename>file1</filename> is copied to <filename class="directory">/var/www/html/</filename>, it inherits the <systemitem>httpd_sys_content_t</systemitem> type:
+                                        </para>
+<screen><prompt>~]#</prompt>&#160;<command>cp file1 /var/www/html/</command></screen>
+<screen>
+<prompt>~]$</prompt>&#160;<command>ls -Z /var/www/html/file1</command>
 -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1
 </screen>
-			<para>
-				In this example, <filename>file1</filename> is created in a user&#39;s home directory, and is labeled with the <computeroutput>user_home_t</computeroutput> type. The <filename>/var/www/html/</filename> directory is labeled with the <computeroutput>httpd_sys_content_t</computeroutput> type, as shown with the <command>ls -dZ /var/www/html/</command> command. When <filename>file1</filename> is copied to <filename>/var/www/html/</filename>, it inherits the <computeroutput>httpd_sys_content_t</computeroutput> type, as shown with the <command>ls -Z /var/www/html/file1</command> command.
-			</para>
-			<formalpara id="form-Security-Enhanced_Linux-Copying_Files_and_Directories-Preserving_SELinux_Contexts_When_Copying">
-				<title>Preserving SELinux Contexts When Copying</title>
-				<para>
-					Use the <command>cp --preserve=context</command> command to preserve contexts when copying:
-				</para>
-			</formalpara>
-			
+                                </step>
+                                
+                        </procedure>
+                        <procedure id="proc-Security-Enhanced_Linux-Copying_Files_and_Directories-Preserving_SELinux_Contexts_When_Copying">
+                                <title>Preserving SELinux Contexts When Copying</title>
+                                <para>
+                                        This procedure shows how to use the <option>--preserve=context</option> option to preserve contexts when copying.
+                                </para>
+                                <step>
+                                        <para>
+                                                Create a file in a user&#39;s home directory. The file is labeled with the <systemitem>user_home_t</systemitem> type:             
+                                        </para>
+<screen><prompt>~]$</prompt>&#160;<command>touch file1</command></screen>
 <screen>
-$ touch file1
-$ ls -Z file1
+<prompt>~]$</prompt>&#160;<command>ls -Z file1</command>
 -rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
-$ ls -dZ /var/www/html/
+</screen>
+                                </step>
+                                <step>
+                                        <para>
+                                               The <filename class="directory">/var/www/html/</filename> directory is labeled with the <systemitem>httpd_sys_content_t</systemitem> type, as shown with the following command:
+                                       </para>
+<screen>
+<prompt>~]$</prompt>&#160;<command>ls -dZ /var/www/html/</command>
 drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
-# cp --preserve=context file1 /var/www/html/
-$ ls -Z /var/www/html/file1
--rw-r--r--  root root unconfined_u:object_r:user_home_t:s0 /var/www/html/file1
 </screen>
-			<para>
-				In this example, <filename>file1</filename> is created in a user&#39;s home directory, and is labeled with the <computeroutput>user_home_t</computeroutput> type. The <filename>/var/www/html/</filename> directory is labeled with the <computeroutput>httpd_sys_content_t</computeroutput> type, as shown with the <command>ls -dZ /var/www/html/</command> command. Using the <option>--preserve=context</option> option preserves SELinux contexts during copy operations. As shown with the <command>ls -Z /var/www/html/file1</command> command, the <filename>file1</filename> <computeroutput>user_home_t</computeroutput> type was preserved when the file was copied to <filename>/var/www/html/</filename>.
-			</para>
-			<formalpara id="form-Security-Enhanced_Linux-Copying_Files_and_Directories-Copying_and_Changing_the_Context">
-				<title>Copying and Changing the Context</title>
+                                </step>
+                                <step>
+                                        <para>
+                                                Using the <option>--preserve=context</option> option preserves SELinux contexts during copy operations. As shown below, the <systemitem>user_home_t</systemitem> type of <filename>file1</filename> was preserved when the file was copied to <filename class="directory">/var/www/html/</filename>:
+                                        </para>
+<screen><prompt>~]#</prompt>&#160;<command>cp --preserve=context file1 /var/www/html/</command></screen>
+<screen>
+<prompt>~]$</prompt>&#160;<command>ls -Z /var/www/html/file1</command>
+-rw-r--r--  root root unconfined_u:object_r:user_home_t:s0 /var/www/html/file1
+</screen>                                         
+                                </step>
+                        </procedure>
+                        <procedure id="proc-Security-Enhanced_Linux-Copying_Files_and_Directories-Copying_and_Changing_the_Context">
+                                <title>Copying and Changing the Context</title>
 				<para>
-					Use the <command>cp -Z</command> command to change the destination copy&#39;s context. The following example was performed in the user&#39;s home directory:
-				</para>
-			</formalpara>
-			
+                                        This procedure show how to use the <option>--context</option> option to change the destination copy&#39;s context. The following example is performed in the user&#39;s home directory:
+                                </para>
+                                <step>
+                                        <para>
+                                                Create a file in a user&#39;s home directory. The file is labeled with the <systemitem>user_home_t</systemitem> type:             
+                                        </para>
+<screen><prompt>~]$</prompt>&#160;<command>touch file1</command></screen>
+<screen>
+<prompt>~]$</prompt>&#160;<command>ls -Z file1</command>
+-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
+</screen>
+                                </step>
+                                <step>
+                                        <para>
+                                                Use the <option>--context</option> option to define the SELinux context:
+                                        </para>
+<screen><prompt>~]$</prompt>&#160;<command>cp --context=system_u:object_r:samba_share_t:s0 file1 file2</command></screen>
+                                </step>
+                                <step>
+                                        <para>
+                                                Without <option>--context</option>, <filename>file2</filename> would be labeled with the <computeroutput>unconfined_u:object_r:user_home_t</computeroutput> context:
+                                        </para>
 <screen>
-$ touch file1
-$ cp -Z system_u:object_r:samba_share_t:s0 file1 file2
-$ ls -Z file1 file2
+<prompt>~]$</prompt>&#160;<command>ls -Z file1 file2</command>
 -rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
 -rw-rw-r--  user1 group1 system_u:object_r:samba_share_t:s0 file2
-$ rm file1 file2
 </screen>
-			<para>
-				In this example, the context is defined with the <option>-Z</option> option. Without the <option>-Z</option> option, <filename>file2</filename> would be labeled with the <computeroutput>unconfined_u:object_r:user_home_t</computeroutput> context.
-			</para>
-			<formalpara id="form-Security-Enhanced_Linux-Copying_Files_and_Directories-Copying_a_File_Over_an_Existing_File">
-				<title>Copying a File Over an Existing File</title>
-				<para>
-					When a file is copied over an existing file, the existing file&#39;s context is preserved (unless an option is used to preserve contexts). For example:
-				</para>
-			</formalpara>
-			
+                                </step>
+                                
+                        </procedure>
+                        <procedure id="proc-Security-Enhanced_Linux-Copying_Files_and_Directories-Copying_a_File_Over_an_Existing_File">
+                                <title>Copying a File Over an Existing File</title>
+                                <para>
+                                        This procedure shows that when a file is copied over an existing file, the existing file&#39;s context is preserved (unless an option is used to preserve contexts).
+                                </para>
+                                <step>
+                                        <para>
+                                                As root, create a new file, <filename>file1</filename> in the <filename class="directory">/etc/</filename> directory. As shown below, the file is labeled with the <systemitem>etc_t</systemitem> type:
+                                        </para>
+<screen><prompt>~]#</prompt>&#160;<command>touch /etc/file1</command></screen>
 <screen>
-# touch /etc/file1
-# ls -Z /etc/file1
+<prompt>~]$</prompt>&#160;<command>ls -Z /etc/file1</command>
 -rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1
-# touch /tmp/file2
-# ls -Z /tmp/file2
+</screen>                                
+                                </step>
+                                <step>
+                                        <para>
+                                                Create another file, <filename>file2</filename>, in the <filename class="directory">/tmp/</filename> directory. As shown below, the file is labeled with the <systemitem>user_tmp_t</systemitem> type:
+                                        </para>
+<screen><prompt>~]$</prompt>&#160;<command>touch /tmp/file2</command></screen>
+<screen>
+<prompt>~$</prompt>&#160;<command>ls -Z /tmp/file2</command>
 -rw-r--r--  root root unconfined_u:object_r:user_tmp_t:s0 /tmp/file2
-# cp /tmp/file2 /etc/file1
-# ls -Z /etc/file1
+</screen>
+                                </step>
+                                <step>
+                                        <para>
+                                                Overwrite <filename>file1</filename> with <filename>file2</filename>:
+                                        </para>
+<screen><prompt>~]#</prompt>&#160;<command>cp /tmp/file2 /etc/file1</command></screen>                                        
+                                </step>
+                                <step>
+                                        <para>
+                                                After copying, the following command shows <filename>file1</filename> labeled with the <systemitem>etc_t</systemitem> type, not the <systemitem>user_tmp_t</systemitem> type from <filename>/tmp/file2</filename> that replaced <filename>/etc/file1</filename>:
+                                        </para>
+<screen>
+<prompt>~]$</prompt>&#160;<command>ls -Z /etc/file1</command>
 -rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1
 </screen>
-			<para>
-				In this example, two files are created: <filename>/etc/file1</filename>, labeled with the <computeroutput>etc_t</computeroutput> type, and <filename>/tmp/file2</filename>, labeled with the <computeroutput>user_tmp_t</computeroutput> type. The <command>cp /tmp/file2 /etc/file1</command> command overwrites <filename>file1</filename> with <filename>file2</filename>. After copying, the <command>ls -Z /etc/file1</command> command shows <filename>file1</filename> labeled with the <computeroutput>etc_t</computeroutput> type, not the <computeroutput>user_tmp_t</computeroutput> type from <filename>/tmp/file2</filename> that replaced <filename>/etc/file1</filename>.
-			</para>
+                                </step>
+                                
+                        </procedure>
 			<important>
 				<para>
 					Copy files and directories, rather than moving them. This helps ensure they are labeled with the correct SELinux contexts. Incorrect SELinux contexts can prevent processes from accessing such files and directories.
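Review bot: the prompt in the `ls -Z /tmp/file2` screen reads `<prompt>~$</prompt>`, while every other screen in this hunk uses `<prompt>~]$</prompt>` or `<prompt>~]#</prompt>`; change it to `~]$` so the rendered prompts stay uniform. The same screen shows `/tmp/file2` owned by `root root` although the preceding `touch /tmp/file2` step runs at an unprivileged `~]$` prompt; either run the touch as root (`~]#`) or adjust the sample output so the step and its output agree. The `<screen>` line for `cp /tmp/file2 /etc/file1` and the blank line before `</procedure>` also carry trailing whitespace that should be stripped.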
@@ -1267,47 +1490,49 @@ $ rm file1 file2
 		<section id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories">
 			<title>Moving Files and Directories</title>
 			<para>
-				File and directories keep their current SELinux context when they are moved. In many cases, this is incorrect for the location they are being moved to. The following example demonstrates moving a file from a user&#39;s home directory to <filename>/var/www/html/</filename>, which is used by the Apache HTTP Server. Since the file is moved, it does not inherit the correct SELinux context:
+				Files and directories keep their current SELinux context when they are moved. In many cases, this is incorrect for the location they are being moved to. The following example demonstrates moving a file from a user&#39;s home directory to the <filename class="directory">/var/www/html/</filename> directory, which is used by the Apache HTTP Server. Since the file is moved, it does not inherit the correct SELinux context:
 			</para>
-			<orderedlist>
-				<listitem>
+                        <procedure id="proc-Security-Enhanced_Linux-Copying_Files_and_Directories-Moving_Files_and_Directories">
+                                <title>Moving Files and Directories</title>
+				<step>
 					<para>
-						Run the <command>cd</command> command without any arguments to change into your home directory. Once in your home directory, run the <command>touch file1</command> command to create a file. This file is labeled with the <computeroutput>user_home_t</computeroutput> type:
+						Change into your home directory and create file in it. The file is labeled with the <systemitem>user_home_t</systemitem> type:
 					</para>
-					
-<screen>$ ls -Z file1
+<screen><prompt>~]$</prompt>&#160;<command>touch file1</command></screen>					
+<screen>
+<prompt>~]$</prompt>&#160;<command>ls -Z file1</command>
 -rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
 </screen>
-				</listitem>
-				<listitem>
+				</step>
+				<step>
 					<para>
-						Run the <command>ls -dZ /var/www/html/</command> command to view the SELinux context of the <filename>/var/www/html/</filename> directory:
+						Run the following command to view the SELinux context of the <filename class="directory">/var/www/html/</filename> directory:
 					</para>
-					
-<screen>$ ls -dZ /var/www/html/
+<screen>
+<prompt>~]$</prompt>&#160;<command>ls -dZ /var/www/html/</command>
 drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
 </screen>
 					<para>
-						By default, the <filename>/var/www/html/</filename> directory is labeled with the <computeroutput>httpd_sys_content_t</computeroutput> type. Files and directories created under the <filename>/var/www/html/</filename> directory inherit this type, and as such, they are labeled with this type.
+						By default, <filename class="directory">/var/www/html/</filename> is labeled with the <systemitem>httpd_sys_content_t</systemitem> type. Files and directories created under <filename class="directory">/var/www/html/</filename> inherit this type, and as such, they are labeled with this type.
 					</para>
-				</listitem>
-				<listitem>
+				</step>
+				<step>
 					<para>
-						As the Linux root user, run the <command>mv file1 /var/www/html/</command> command to move <filename>file1</filename> to the <filename>/var/www/html/</filename> directory. Since this file is moved, it keeps its current <computeroutput>user_home_t</computeroutput> type:
+						As root, move <filename>file1</filename> to <filename>/var/www/html/</filename>. Since this file is moved, it keeps its current <systemitem>user_home_t</systemitem> type:
 					</para>
-					
-<screen># mv file1 /var/www/html/
-# ls -Z /var/www/html/file1
+<screen><prompt>~]#</prompt>&#160;<command>mv file1 /var/www/html/</command></screen>
+<screen>
+<prompt>~]#</prompt>&#160;<command>ls -Z /var/www/html/file1</command>
 -rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 /var/www/html/file1
 </screen>
-				</listitem>
-			</orderedlist>
+				</step>
+                        </procedure>
 			<para>
-				By default, the Apache HTTP Server can not read files that are labeled with the <computeroutput>user_home_t</computeroutput> type. If all files comprising a web page are labeled with the <computeroutput>user_home_t</computeroutput> type, or another type that the Apache HTTP Server can not read, permission is denied when attempting to access them via Firefox or text-based Web browsers.
-			</para>
+                                By default, the Apache HTTP Server cannot read files that are labeled with the <systemitem>user_home_t</systemitem> type. If all files comprising a web page are labeled with the <systemitem>user_home_t</systemitem> type, or another type that the Apache HTTP Server cannot read, permission is denied when attempting to access them via web browsers, such as <application>Mozilla Firefox</application>.			
+                        </para>
 			<important>
 				<para>
-					Moving files and directories with the <command>mv</command> command may result in the wrong SELinux context, preventing processes, such as the Apache HTTP Server and Samba, from accessing such files and directories.
+					Moving files and directories with the <command>mv</command> command may result in the incorrect SELinux context, preventing processes, such as the Apache HTTP Server and Samba, from accessing such files and directories.
 				</para>
 			</important>
 		</section>
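Review bot: the new procedure id `proc-Security-Enhanced_Linux-Copying_Files_and_Directories-Moving_Files_and_Directories` still carries the `Copying_Files_and_Directories` prefix although this procedure belongs to the Moving Files and Directories section; rename it (for example to `proc-Security-Enhanced_Linux-Moving_Files_and_Directories`) before anything links to it. In the first step, "create file in it" is missing an article ("create a file in it"). The third step creates `file1` in the user's home directory at a `~]$` prompt but then runs `mv file1 /var/www/html/` at a root `~]#` prompt, where `~` is root's home directory, so the relative path `file1` would not resolve as shown; give the full path to the file or state that the command is run from the user's home directory. The `touch file1` screen line also has trailing whitespace.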
@@ -1315,210 +1540,748 @@ drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
 		<section id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context">
 			<title>Checking the Default SELinux Context</title>
 			<para>
-				Use the <command>/usr/sbin/matchpathcon</command> command to check if files and directories have the correct SELinux context. From the <citerefentry><refentrytitle>matchpathcon</refentrytitle><manvolnum>8</manvolnum></citerefentry> manual page: "<command>matchpathcon</command> queries the system policy and outputs the default security context associated with the file path."<footnote>
-				<para>
-					The <citerefentry><refentrytitle>matchpathcon</refentrytitle><manvolnum>8</manvolnum></citerefentry> manual page, as shipped with the <package>libselinux-utils</package> package in &PRODUCT;, is written by Daniel Walsh. Any edits or changes in this version were done by Murray McAllister.
-				</para>
-				</footnote>. The following example demonstrates using the <command>/usr/sbin/matchpathcon</command> command to verify that files in <filename>/var/www/html/</filename> directory are labeled correctly:
+                                Use the <systemitem>matchpathcon</systemitem> utility to check if files and directories have the correct SELinux context. This utility queries the system policy and then provides the default security context associated with the file path.<footnote><para>Refer to the <citerefentry><refentrytitle>matchpathcon</refentrytitle><manvolnum>8</manvolnum></citerefentry> manual page for further information about <systemitem>matchpathcon</systemitem>.</para></footnote> The following example demonstrates using <command>matchpathcon</command> to verify that files in <filename class="directory">/var/www/html/</filename> directory are labeled correctly:
 			</para>
-			<orderedlist>
-				<listitem>
+                        <procedure id="proc-Security-Enhanced_Linux-Copying_Files_and_Directories-Checking_the_Default_SELinux_Context">
+                                <title>Checking the Default SELinux Conxtext with <systemitem>matchpathcon</systemitem></title>
+				<step>
 					<para>
-						As the Linux root user, run the <command>touch /var/www/html/file{1,2,3}</command> command to create three files (<filename>file1</filename>, <filename>file2</filename>, and <filename>file3</filename>). These files inherit the <computeroutput>httpd_sys_content_t</computeroutput> type from the <filename>/var/www/html/</filename> directory:
+						As the root user, create three files (<filename>file1</filename>, <filename>file2</filename>, and <filename>file3</filename>) in the <filename class="directory">/var/www/html/</filename> directory. These files inherit the <systemitem>httpd_sys_content_t</systemitem> type from <filename>/var/www/html/</filename>:
 					</para>
-					
-<screen># touch /var/www/html/file{1,2,3}
-# ls -Z /var/www/html/
+<screen><prompt>~]#</prompt>&#160;<command>touch /var/www/html/file{1,2,3}</command></screen>
+<screen>
+<prompt>~]#</prompt>&#160;<command>ls -Z /var/www/html/</command>
 -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
 -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
 -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
 </screen>
-				</listitem>
-				<listitem>
+				</step>
+				<step>
 					<para>
-						As the Linux root user, run the <command>chcon -t samba_share_t /var/www/html/file1</command> command to change the <filename>file1</filename> type to <computeroutput>samba_share_t</computeroutput>. Note: the Apache HTTP Server can not read files or directories labeled with the <computeroutput>samba_share_t</computeroutput> type.
+						As root, change the <filename>file1</filename> type to <systemitem>samba_share_t</systemitem>. Note that the Apache HTTP Server cannot read files or directories labeled with the <systemitem>samba_share_t</systemitem> type.
 					</para>
-				</listitem>
-				<listitem>
+<screen><prompt>~]#</prompt>&#160;<command>chcon -t samba_share_t /var/www/html/file1</command></screen>
+                                </step>
+				<step>
 					<para>
-						The <command>/usr/sbin/matchpathcon</command> <option>-V</option> option compares the current SELinux context to the correct, default context in SELinux policy. Run the <command>/usr/sbin/matchpathcon -V /var/www/html/*</command> command to check all files in the <filename>/var/www/html/</filename> directory:
+						The <systemitem>matchpathcon</systemitem> <option>-V</option> option compares the current SELinux context to the correct, default context in SELinux policy. Run the following command to check all files in the <filename class="directory">/var/www/html/</filename> directory:
 					</para>
-					
-<screen>$ /usr/sbin/matchpathcon -V /var/www/html/*
+<screen>
+<prompt>~]$</prompt>&#160;<command>matchpathcon -V /var/www/html/*</command>
 /var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
 /var/www/html/file2 verified.
 /var/www/html/file3 verified.
 </screen>
-				</listitem>
-			</orderedlist>
+				</step>
+			</procedure>
 			<para>
-				The following output from the <command>/usr/sbin/matchpathcon</command> command explains that <filename>file1</filename> is labeled with the <computeroutput>samba_share_t</computeroutput> type, but should be labeled with the <computeroutput>httpd_sys_content_t</computeroutput> type:
+				The following output from the <command>matchpathcon</command> command explains that <filename>file1</filename> is labeled with the <systemitem>samba_share_t</systemitem> type, but should be labeled with the <systemitem>httpd_sys_content_t</systemitem> type:
 			</para>
 			
-<screen>/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
-</screen>
+<screen>/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0</screen>
 			<para>
-				To resolve the label problem and allow the Apache HTTP Server access to <filename>file1</filename>, as the Linux root user, run the <command>/sbin/restorecon -v /var/www/html/file1</command> command:
+				To resolve the label problem and allow the Apache HTTP Server access to <filename>file1</filename>, as root, use the <systemitem>restorecon</systemitem> utility:
 			</para>
 			
-<screen># /sbin/restorecon -v /var/www/html/file1
+<screen>
+<prompt>~]#</prompt>&#160;<command>restorecon -v /var/www/html/file1</command>
 restorecon reset /var/www/html/file1 context unconfined_u:object_r:samba_share_t:s0-&gt;system_u:object_r:httpd_sys_content_t:s0
 </screen>
+<para>
+        </para>
 		</section>
 		
 		<section id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar">
-			<title>Archiving Files with tar</title>
+			<title>Archiving Files with <systemitem>tar</systemitem></title>
 			<para>
-				<command>tar</command> does not retain extended attributes by default. Since SELinux contexts are stored in extended attributes, contexts can be lost when archiving files. Use <command>tar --selinux</command> to create archives that retain contexts. If a Tar archive contains files without extended attributes, or if you want the extended attributes to match the system defaults, run the archive through <command>/sbin/restorecon</command>:
+				The <systemitem>tar</systemitem> utility does not retain extended attributes by default. Since SELinux contexts are stored in extended attributes, contexts can be lost when archiving files. Use the <command>tar --selinux</command> command to create archives that retain contexts. If a <systemitem>tar</systemitem> archive contains files without extended attributes, or if you want the extended attributes to match the system defaults, use the <systemitem>restorecon</systemitem> utility:
 			</para>
-			
 <screen>
-$ tar -xvf <replaceable>archive.tar</replaceable> | /sbin/restorecon -f -
+<prompt>~]$</prompt>&#160;<command>tar -xvf <replaceable>archive.tar</replaceable> | restorecon -f -</command>
 </screen>
 			<para>
-				Note: depending on the directory, you may need to be the Linux root user to run the <command>/sbin/restorecon</command> command.
+				Note that depending on the directory, you may need to be the root user to run the <systemitem>restorecon</systemitem>.
 			</para>
 			<para>
-				The following example demonstrates creating a Tar archive that retains SELinux contexts:
+				The following example demonstrates creating a <systemitem>tar</systemitem> archive that retains SELinux contexts:
 			</para>
-			<orderedlist>
-				<listitem>
+                        <procedure id="proc-Security-Enhanced_Linux-Archiving_Files_with_tar-Creating_a_tar_Archive">
+                                <title>Creating a tar Archive</title>
+				<step>
 					<para>
-						As the Linux root user, run the <command>touch /var/www/html/file{1,2,3}</command> command to create three files (<filename>file1</filename>, <filename>file2</filename>, and <filename>file3</filename>). These files inherit the <computeroutput>httpd_sys_content_t</computeroutput> type from the <filename>/var/www/html/</filename> directory:
+						As root, create three files (<filename>file1</filename>, <filename>file2</filename>, and <filename>file3</filename>) in the <filename class="directory">/var/www/html/</filename> directory. These files inherit the <systemitem>httpd_sys_content_t</systemitem> type from <filename>/var/www/html/</filename>:
 					</para>
-					
+<screen><prompt>~]#</prompt>&#160;<command>touch /var/www/html/file{1,2,3}</command></screen>
 <screen>
-# touch /var/www/html/file{1,2,3}
-# ls -Z /var/www/html/
+<prompt>~]#</prompt>&#160;<command>ls -Z /var/www/html/</command>
 -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
 -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
 -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
 </screen>
-				</listitem>
-				<listitem>
-					<para>
-						Run the <command>cd /var/www/html/</command> command to change into the <filename>/var/www/html/</filename> directory. Once in this directory, as the Linux root user, run the <command>tar --selinux -cf test.tar file{1,2,3}</command> command to create a Tar archive named <filename>test.tar</filename>.
-					</para>
-				</listitem>
-				<listitem>
-					<para>
-						As the Linux root user, run the <command>mkdir /test</command> command to create a new directory, and then, run the <command>chmod 777 /test/</command> command to allow all users full-access to the <filename>/test/</filename> directory.
-					</para>
-				</listitem>
-				<listitem>
-					<para>
-						Run the <command>cp /var/www/html/test.tar /test/</command> command to copy the <filename>test.tar</filename> file in to the <filename>/test/</filename> directory.
-					</para>
-				</listitem>
-				<listitem>
-					<para>
-						Run the <command>cd /test/</command> command to change into the <filename>/test/</filename> directory. Once in this directory, run the <command>tar -xvf test.tar</command> command to extract the Tar archive.
-					</para>
-				</listitem>
-				<listitem>
-					<para>
-						Run the <command>ls -lZ /test/</command> command to view the SELinux contexts. The <computeroutput>httpd_sys_content_t</computeroutput> type has been retained, rather than being changed to <computeroutput>default_t</computeroutput>, which would have happened had the <option>--selinux</option> not been used:
-					</para>
-					
+				</step>
+				<step>
+					<para>
+						Change into <filename class="directory">/var/www/html/</filename>. Once in this directory, as root, run the following command to create a <systemitem>tar</systemitem> archive named <filename>test.tar</filename>:
+                                        </para>
+<screen><prompt>~]$</prompt>&#160;<command>cd /var/www/html/</command></screen>
+<screen><prompt>html]#</prompt>&#160;<command>tar --selinux -cf test.tar file{1,2,3}</command></screen>                                
+                                </step>
+				<step>
+					<para>
+                                                As root, create a new directory named <filename class="directory">/test/</filename>, and then allow all users full access to it:
+                                        </para>
+<screen><prompt>~]#</prompt>&#160;<command>mkdir /test</command></screen>
+<screen><prompt>~]#</prompt>&#160;<command>chmod 777 /test/</command></screen>
+				</step>
+				<step>
+					<para>
+						Copy the <filename>test.tar</filename> file into <filename class="directory">/test/</filename>:
+                                        </para>
+<screen><prompt>~]$</prompt>&#160;<command>cp /var/www/html/test.tar /test/</command></screen>
+				</step>
+				<step>
+					<para>
+						Change into <filename class="directory">/test/</filename> directory. Once in this directory, run the following command to extract the <systemitem>tar</systemitem> archive:
+                                        </para>
+<screen><prompt>test]$</prompt>&#160;<command>tar -xvf test.tar</command></screen>
+				</step>
+				<step>
+					<para>
+						View the SELinux contexts. The <systemitem>httpd_sys_content_t</systemitem> type has been retained, rather than being changed to <systemitem>default_t</systemitem>, which would have happened had the <option>--selinux</option> not been used:
+					</para>					
 <screen>
-$ ls -lZ /test/
+<prompt>~]$</prompt>&#160;<command>ls -lZ /test/</command>
 -rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file1
 -rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file2
 -rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file3
 -rw-r--r--  user1 group1 unconfined_u:object_r:default_t:s0 test.tar
 </screen>
-				</listitem>
-				<listitem>
+				</step>
+				<step>
 					<para>
-						If the <filename>/test/</filename> directory is no longer required, as the Linux root user, run the <command> rm -ri /test/</command> command to remove it, as well as all files in it.
-					</para>
-				</listitem>
-			</orderedlist>
+						If the <filename class="directory">/test/</filename> directory is no longer required, as root, run the following command to remove it, as well as all files in it:
+                                        </para>
+<screen><prompt>~]#</prompt>&#160;<command>rm -ri /test/</command></screen>
+				</step>
+			</procedure>
 			<para>
-				Refer to the <citerefentry><refentrytitle>tar</refentrytitle><manvolnum>1</manvolnum></citerefentry> manual page for further information about <command>tar</command>, such as the <option>--xattrs</option> option that retains all extended attributes.
+				See the <citerefentry><refentrytitle>tar</refentrytitle><manvolnum>1</manvolnum></citerefentry> manual page for further information about <systemitem>tar</systemitem>, such as the <option>--xattrs</option> option that retains all extended attributes.
 			</para>
 		</section>
 		
 		<section id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star">
-			<title>Archiving Files with star</title>
+			<title>Archiving Files with <systemitem>star</systemitem></title>
 			<para>
-				<command>star</command> does not retain extended attributes by default. Since SELinux contexts are stored in extended attributes, contexts can be lost when archiving files. Use <command>star -xattr -H=exustar</command> to create archives that retain contexts. The <package>star</package> package is not installed by default. To install <command>star</command>, run the <command>yum install star</command> command as the Linux root user.
+				The <systemitem>star</systemitem> utility does not retain extended attributes by default. Since SELinux contexts are stored in extended attributes, contexts can be lost when archiving files. Use the <command>star -xattr -H=exustar</command> command to create archives that retain contexts. The <package>star</package> package is not installed by default. To install <command>star</command>, run the <command>yum install star</command> command as the root user.
 			</para>
 			<para>
-				The following example demonstrates creating a Star archive that retains SELinux contexts:
+				The following example demonstrates creating a <systemitem>star</systemitem> archive that retains SELinux contexts:
 			</para>
-			<orderedlist>
-				<listitem>
+                        <procedure id="proc-Security-Enhanced_Linux-Archiving_Files_with_star">
+                                <title>Creating a <systemitem>star</systemitem> Archive</title>
+				<step>
 					<para>
-						As the Linux root user, run the <command>touch /var/www/html/file{1,2,3}</command> command to create three files (<filename>file1</filename>, <filename>file2</filename>, and <filename>file3</filename>). These files inherit the <computeroutput>httpd_sys_content_t</computeroutput> type from the <filename>/var/www/html/</filename> directory:
+						As root, create three files (<filename>file1</filename>, <filename>file2</filename>, and <filename>file3</filename>) in the <filename class="directory">/var/www/html/</filename>. These files inherit the <systemitem>httpd_sys_content_t</systemitem> type from <filename>/var/www/html/</filename>:
 					</para>
-					
+<screen><prompt>~]#</prompt>&#160;<command>touch /var/www/html/file{1,2,3}</command></screen>
 <screen>
-# touch /var/www/html/file{1,2,3}
-# ls -Z /var/www/html/
+<prompt>~]#</prompt>&#160;<command>ls -Z /var/www/html/</command>
 -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
 -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
 -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
 </screen>
-				</listitem>
-				<listitem>
+				</step>
+				<step>
 					<para>
-						Run the <command>cd /var/www/html/</command> command to change into the <filename>/var/www/html/</filename> directory. Once in this directory, as the Linux root user, run the <command>star -xattr -H=exustar -c -f=test.star file{1,2,3}</command> command to create a Star archive named <filename>test.star</filename>:
+						Change into <filename class="directory">/var/www/html/</filename> directory. Once in this directory, as root, run the following command to create a <systemitem>star</systemitem> archive named <filename>test.star</filename>:
 					</para>
-					
+<screen><prompt>~]$</prompt>&#160;<command>cd /var/www/html</command></screen>                                        
 <screen>
-# star -xattr -H=exustar -c -f=test.star file{1,2,3}
+<prompt>html]#</prompt>&#160;<command>star -xattr -H=exustar -c -f=test.star file{1,2,3}</command>
 star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).
 </screen>
-				</listitem>
-				<listitem>
-					<para>
-						As the Linux root user, run the <command>mkdir /test</command> command to create a new directory, and then, run the <command>chmod 777 /test/</command> command to allow all users full-access to the <filename>/test/</filename> directory.
-					</para>
-				</listitem>
-				<listitem>
-					<para>
-						Run the <command>cp /var/www/html/test.star /test/</command> command to copy the <filename>test.star</filename> file in to the <filename>/test/</filename> directory.
-					</para>
-				</listitem>
-				<listitem>
-					<para>
-						Run the <command>cd /test/</command> command to change into the <filename>/test/</filename> directory. Once in this directory, run the <command>star -x -f=test.star</command> command to extract the Star archive:
-					</para>
-					
+				</step>
+                                <step>
+                                        <para>
+                                                As root, create a new directory named <filename class="directory">/test/</filename>, and then allow all users full access to it:
+                                        </para>
+<screen><prompt>~]#</prompt>&#160;<command>mkdir /test</command></screen>
+<screen><prompt>~]#</prompt>&#160;<command>chmod 777 /test/</command></screen>
+				</step>
+				<step>
+					<para>
+						Run the following command to copy the <filename>test.star</filename> file into <filename class="directory">/test/</filename>:
+                                        </para>
+                                        <screen><prompt>~]$</prompt>&#160;<command>cp /var/www/html/test.star /test/</command></screen>
+				</step>
+				<step>
+					<para>
+						Change into <filename class="directory">/test/</filename>. Once in this directory, run the following command to extract the <systemitem>star</systemitem> archive:
+					</para>
+<screen><prompt>~]$</prompt>&#160;<command>cd /test/</command></screen>					
 <screen>
-$ star -x -f=test.star 
+<prompt>test]$</prompt>&#160;<command>star -x -f=test.star </command>
 star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).
 </screen>
-				</listitem>
-				<listitem>
+				</step>
+				<step>
 					<para>
-						Run the <command>ls -lZ /test/</command> command to view the SELinux contexts. The <computeroutput>httpd_sys_content_t</computeroutput> type has been retained, rather than being changed to <computeroutput>default_t</computeroutput>, which would have happened had the <option>--selinux</option> not been used:
-					</para>
-					
+					        View the SELinux contexts. The <systemitem>httpd_sys_content_t</systemitem> type has been retained, rather than being changed to
+<systemitem>default_t</systemitem>, which would have happened had the <option>-xattr -H=exustar</option> option not been used:
+					</para>					
 <screen>
-$ ls -lZ /test/
+<prompt>~]$</prompt>&#160;<command>ls -lZ /test/</command>
 -rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file1
 -rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file2
 -rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file3
 -rw-r--r--  user1 group1 unconfined_u:object_r:default_t:s0 test.star
 </screen>
-				</listitem>
-				<listitem>
+				</step>
+				<step>
 					<para>
-						If the <filename>/test/</filename> directory is no longer required, as the Linux root user, run the <command> rm -ri /test/</command> command to remove it, as well as all files in it.
-					</para>
-				</listitem>
-				<listitem>
+						If the <filename class="directory">/test/</filename> directory is no longer required, as root, run the following command to remove it, as well as all files in it:
+                                        </para>
+<screen><prompt>~]#</prompt>&#160;<command> rm -ri /test/</command></screen>
+				</step>
+				<step>
 					<para>
-						If <command>star</command> is no longer required, as the Linux root user, run the <command>yum remove star</command> command to remove the package.
-					</para>
-				</listitem>
-			</orderedlist>
+						If <systemitem>star</systemitem> is no longer required, as root, remove the package:
+                                        </para>
+<screen><prompt>~]#</prompt>&#160;<command>yum remove star</command></screen>
+				</step>
+			</procedure>
 			<para>
-				Refer to the <citerefentry><refentrytitle>star</refentrytitle><manvolnum>1</manvolnum></citerefentry> manual page for further information about <command>star</command>.
+				See the <citerefentry><refentrytitle>star</refentrytitle><manvolnum>1</manvolnum></citerefentry> manual page for further information about <systemitem>star</systemitem>.
 			</para>
 		</section>
-</section>
+        </section>
+        <section id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels-Information_Gathering_Tools">
+                <title>Information Gathering Tools</title>
+                <para>
+                        The utilities listed below are command-line tools that provide well-formatted information, such as access vector cache statistics or the number of classes, types, or Booleans.
+                </para>
+                <bridgehead renderas="sect2">avcstat</bridgehead>
+                <para>
+                        This command provides a short output of the access vector cache statistics since boot. You can watch the statistics in real time by specifying a time interval in seconds. This provides updated statistics since the initial output. The statistics file used is <filename>/selinux/avc/cache_stats</filename>, and you can specify a different cache file with the <option>-f /path/to/file</option> option.
+                </para>
+<screen>
+<prompt>~]#</prompt>&#160;<command>avcstat </command>
+   lookups       hits     misses     allocs   reclaims      frees
+  47517410   47504630      12780      12780      12176      12275
+</screen>
+                <bridgehead renderas="sect2">seinfo</bridgehead>
+                <para>
+                        This utility is useful in describing the break-down of a policy, such as the number of classes, types, Booleans, allow rules, and others. <systemitem>seinfo</systemitem> is a command-line utility that uses a policy.conf file (a single text file containing policy source for versions 12 through 21), a binary policy file, a modular list of policy packages, or a policy list file as input. You must have the <package>setools-console</package> package installed to use the <systemitem>seinfo</systemitem> utility.
+                </para>
+                <para>
+                        The output of <systemitem>seinfo</systemitem> will vary between binary and source files. For example, the policy source file uses the <computeroutput>{ }</computeroutput> brackets to group multiple rule elements onto a single line. A similar effect happens with attributes, where a single attribute expands into one or many types. Because these are expanded and no longer relevant in the binary policy file, they have a return value of zero in the search results. However, the number of rules greatly increases as each formerly one line rule using brackets is now a number of individual lines.
+                </para>
+                <para>
+                        Some items are not present in the binary policy. For example, neverallow rules are only checked during policy compile, not during runtime, and initial Security Identifiers (SIDs) are not part of the binary policy since they are required prior to the policy being loaded by the kernel during boot.
+                </para>
+<screen>
+<prompt>~]#</prompt>&#160;<command>seinfo</command>
+
+Statistics for policy file: /etc/selinux/targeted/policy/policy.24
+Policy Version  &amp; Type: v.24 (binary, mls)
+
+   Classes:            77    Permissions:       229
+   Sensitivities:       1    Categories:       1024
+   Types:            3001    Attributes:        244
+   Users:               9    Roles:              13
+   Booleans:          158    Cond. Expr.:       193
+   Allow:          262796    Neverallow:          0
+   Auditallow:         44    Dontaudit:      156710
+   Type_trans:      10760    Type_change:        38
+   Type_member:        44    Role allow:         20
+   Role_trans:        237    Range_trans:      2546
+   Constraints:        62    Validatetrans:       0
+   Initial SIDs:       27    Fs_use:             22
+   Genfscon:           82    Portcon:           373
+   Netifcon:            0    Nodecon:             0
+   Permissives:        22    Polcap:              2
+</screen>
+                <para>
+                        The <systemitem>seinfo</systemitem> utility can also list the number of types with the domain attribute, giving an estimate of the number of different confined processes:
+                </para>
+<screen>
+<prompt>~]#</prompt>&#160;<command>seinfo -adomain -x |  wc -l</command>
+550</screen>
+                <para>
+                        Not all domain types are confined. To look at the number of unconfined domains, use the <systemitem>unconfined_domain</systemitem> attribute:
+                </para>
+<screen>
+<prompt>~]#</prompt>&#160;<command>seinfo -aunconfined_domain_type -x | wc -l</command>
+52
+</screen>
+                <para>
+                        Permissive domains can be counted with the <option>--permissive</option> option:
+                </para>
+<screen>
+<prompt>~]#</prompt>&#160;<command>seinfo --permissive -x | wc -l</command>
+31
+</screen>
+                <para>
+                        Remove the additional <command>| wc -l</command> command in the above commands to see the full lists.
+                </para>
+                <bridgehead renderas="sect2">sesearch</bridgehead>
+                <para>
+                        You can use the <systemitem>sesearch</systemitem> utility to search for a particular rule in the policy. It is possible to search either policy source files or the binary file. For example:
+                </para>
+<screen>
+<prompt>~]$</prompt>&#160;<command>sesearch --role_allow -t httpd_sys_content_t /etc/selinux/targeted/policy/policy.24</command>
+Found 20 role allow rules:
+   allow system_r sysadm_r;
+   allow sysadm_r system_r;
+   allow sysadm_r staff_r;
+   allow sysadm_r user_r;
+   allow system_r git_shell_r;
+   allow system_r guest_r;
+   allow logadm_r system_r;
+   allow system_r logadm_r;
+   allow system_r nx_server_r;
+   allow system_r staff_r;
+   allow staff_r logadm_r;
+   allow staff_r sysadm_r;
+   allow staff_r unconfined_r;
+   allow staff_r webadm_r;
+   allow unconfined_r system_r;
+   allow system_r unconfined_r;
+   allow system_r user_r;
+   allow webadm_r system_r;
+   allow system_r webadm_r;
+   allow system_r xguest_r;
+</screen>
+                <para>
+                        The <systemitem>sesearch</systemitem> utility can provide the number of <emphasis>allow</emphasis> rules:
+                </para>
+<screen>
+<prompt>~]#</prompt>&#160;<command>sesearch --allow | wc -l</command>
+262798
+</screen>
+                <para>
+                        And the number of <emphasis>dontaudit</emphasis> rules:
+                </para>
+<screen>
+<prompt>~]#</prompt>&#160;<command>sesearch --dontaudit | wc -l</command>
+156712
+</screen>
+        </section>
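Review bot: the avcstat paragraph gives the statistics file as /selinux/avc/cache_stats, but on the RHEL 7 and Fedora systems this content is being brought in for, selinuxfs is mounted at /sys/fs/selinux, so the default file is /sys/fs/selinux/avc/cache_stats; /selinux is the legacy mount point and will not exist on a current install. In the seinfo paragraph, the sentence "initial Security Identifiers (SIDs) are not part of the binary policy" is contradicted by the seinfo output directly below it, which was produced from the binary /etc/selinux/targeted/policy/policy.24 and reports "Initial SIDs: 27"; the initial SIDs are stored in the binary policy, it is the neverallow rules that are compiled away, so the sentence should be cut back to the neverallow example. In the sesearch example, `sesearch --role_allow -t httpd_sys_content_t ...` returns all 20 role allow rules in the policy (it matches "Role allow: 20" in the seinfo statistics) because role allow rules carry no target type, so the `-t` argument does nothing and will mislead readers; either drop it or switch the example to a type-based query. Finally, `sesearch --allow | wc -l` and `sesearch --dontaudit | wc -l` print 262798 and 156712, two more than seinfo's 262796 and 156710, because wc counts sesearch's non-rule output lines (the "Found N ... rules" header) as well; a short clause saying so saves readers from chasing the discrepancy.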
+        <section id="mls">
+                <title>Multi-Level Security (MLS)</title>
+                <para>
+                        The Multi-Level Security technology refers to a security scheme that enforces the Bell-La Padula Mandatory Access Model. Under MLS, users and processes are called <firstterm>subjects</firstterm>, and files, devices, and other passive components of the system are called <firstterm>objects</firstterm>. Both subjects and objects are labeled with a security level, which entails a subject's clearance or an object's classification. Each security level is composed of a <firstterm>sensitivity</firstterm> and a <firstterm>category</firstterm>, for example, an internal release schedule is filed under the internal documents category with a confidential sensitivity. 
+                </para>
+                <para>
+                        <xref linkend="fig-mls-levels-of-clearance"/> shows levels of clearance as originally designed by the US defense community. Relating to our internal schedule example above, only users that have gained the confidential clearance are allowed to view documents in the confidential category. However, users who only have the confidential clearance are not allowed to view documents that require higher levels or clearance; they are allowed read access only to documents with lower levels of clearance, and write access to documents with higher levels of clearance.
+                </para>
+                <figure id="fig-mls-levels-of-clearance">
+                        <title>Levels of clearance</title>
+                        <mediaobject>
+                                <imageobject>
+	                                <imagedata fileref="images/security-intro-to-mls.png" format="PNG" scalefit="0"/>
+                                </imageobject>
+                                <textobject>
+                                        <para>
+                                                Levels of Clearance
+                                        </para>
+                                </textobject>
+                        </mediaobject>
+                </figure>
+                <para>
+                        <xref linkend="fig-mls-data-flow"/> shows all allowed data flows between a subject running under the "Secret" security level and various objects with different security levels. In simple terms, the Bell-LaPadula model enforces two properties: <firstterm>no read up</firstterm> and <firstterm>no write down</firstterm>.
+                </para>
+                <figure id="fig-mls-data-flow">
+                        <title>Allowed data flows using MLS</title>
+                        <mediaobject>
+                                <imageobject>
+	                                <imagedata fileref="images/security-mls-data-flow.png" format="PNG" scalefit="0"/>
+                                </imageobject>
+                                <textobject>
+                                        <para>
+                                                Allowed data flows using MLS
+                                        </para>
+                                </textobject>
+                        </mediaobject>
+                </figure>
+                <section id="MLS-and-system-privileges">
+                        <title>MLS and System Privileges</title>
+                                <para>
+                                        MLS access rules are always combined with conventional access permissions (file permissions). For example, if a user with a security level of "Secret" uses Discretionary Access Control (DAC) to block access to a file by other users, this also blocks access by users with a security level of "Top Secret". It is important to remember that SELinux MLS policy rules are checked <emphasis>after</emphasis> DAC rules. A higher security clearance does not automatically give permission to arbitrarily browse a file system.
+                                </para>
+                                <para>
+                                        Users with top-level clearances do not automatically acquire administrative rights on multi-level systems. While they may have access to all information on the computer, this is different from having administrative rights.
+                                </para>
+                </section>
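Review bot: the MLS introduction understates Bell-LaPadula: a subject may read objects at or below its own level and write objects at or above it (the later sentence "no read up and no write down" has this right), but the paragraph says "read access only to documents with lower levels of clearance, and write access to documents with higher levels of clearance", which excludes the subject's own level. Suggest "read access only to documents at or below their own clearance, and write access only to documents at or above it". In the same sentence, "higher levels or clearance" should read "higher levels of clearance". In the opening paragraph, "Each security level is composed of a sensitivity and a category" should be "a sensitivity and a set of zero or more categories", since the s0-s0:c0.c1023 ranges shown later in this section are exactly such sets, not single categories. The model is also spelled "Bell-La Padula" in the first paragraph and "Bell-LaPadula" in the third; pick one form.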
+                <section id="enabling-mls-in-selinux">
+                        <title>Enabling MLS in SELinux</title>
+                        <note>
+                                <para>
+	                                It is not recommended to use the MLS policy on a system that is running the X Window System.
+                                </para>
+                        </note>
+                        <para>
+                                Follow these steps to enable the SELinux MLS policy on your system.
+                        </para>
+                        <procedure id="Security-Enhanced_Linux-Enabling_MLS_in_SELinux">
+                                <title>Enabling SELinux MLS Policy</title>
+                                <step>
+	                                <para>
+	                                        Install the <package>selinux-policy-mls</package> package:
+	                                </para>
+<screen><prompt>~]#</prompt>&#160;<command>yum install selinux-policy-mls</command></screen>
+                                </step>
+                                <step>
+	                                <para>
+	                                        Before the MLS policy is enabled, each file on the file system must be relabeled with an MLS label. When the file system is relabeled, confined domains may be denied access, which may prevent your system from booting correctly. To prevent this from happening, configure <computeroutput>SELINUX=permissive</computeroutput> in the <filename>/etc/selinux/config</filename> file. Also, enable the MLS policy by configuring <computeroutput>SELINUXTYPE=mls</computeroutput>. Your configuration file should look like this:
+	                                </para>
+<screen>
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+#       enforcing - SELinux security policy is enforced.
+#       permissive - SELinux prints warnings instead of enforcing.
+#       disabled - No SELinux policy is loaded.
+SELINUX=permissive
+# SELINUXTYPE= can take one of these two values:
+#       targeted - Targeted processes are protected,
+#       mls - Multi Level Security protection.
+SELINUXTYPE=mls
+</screen>
+                                </step>
+                                <step>
+	                                <para>
+	                                        Make sure SELinux is running in the permissive mode:
+	                                </para>
+<screen><prompt>~]#</prompt>&#160;<command>setenforce 0</command></screen>
+<screen>
+<prompt>~]$</prompt>&#160;<command>getenforce</command>
+Permissive
+</screen>
+                                </step>
+                                <step>
+	                                <para>
+	                                        Create the <filename>.autorelabel</filename> file in root's home directory to ensure that files are relabeled upon next reboot:
+	                                </para>
+<screen><prompt>~]#</prompt>&#160;<command>touch /.autorelabel</command></screen>
+			       		<para>
+			       			 Note that it is necessary to add the <option>-F</option> option to this file. This can be done by executing the following command:
+					 </para>
+<screen><prompt>~]#</prompt>&#160;<command>echo "-F" >> /.autorelabel</command></screen>
+			       	</step>
+                                <step>
+	                                <para>
+	                                        Reboot your system. During the next boot, all file systems will be relabeled according to the MLS policy. The label process labels all files with an appropriate SELinux context:
+	                                </para>
+<screen>
+*** Warning -- SELinux mls policy relabel is required.
+*** Relabeling could take a very long time, depending on file
+*** system size and speed of hard drives.
+***********
+</screen>
+	                                <para>
+	                                        Each <computeroutput>*</computeroutput> (asterisk) character on the bottom line represents 1000 files that have been labeled. In the above example, eleven <computeroutput>*</computeroutput> characters represent 11000 files which have been labeled. The time it takes to label all files depends upon the number of files on the system, and the speed of the hard disk drives. On modern systems, this process can take as little as 10 minutes. Once the labeling process finishes, the system will automatically reboot.
+	                                </para>
+                                </step>
+                                <step>
+	                                <para>
+	                                        In permissive mode, SELinux policy is not enforced, but denials are still logged for actions that would have been denied if running in enforcing mode. Before changing to enforcing mode, as root, run the following command to confirm that SELinux did not deny actions during the last boot. If SELinux did not deny actions during the last boot, this command does not return any output. Refer to <xref linkend="sect-Security-Enhanced_Linux-Troubleshooting" /> for troubleshooting information if SELinux denied access during boot.
+                                        </para>
+<screen><prompt>~]#</prompt>&#160;<command>grep "SELinux is preventing" /var/log/messages</command></screen>
+                                </step>
+                                <step>
+	                                <para>
+	                                        If there were no denial messages in the <filename>/var/log/messages</filename> file, or you have resolved all existing denials, configure <computeroutput>SELINUX=enforcing</computeroutput> in the <filename>/etc/selinux/config</filename> file:
+	                                </para>
+<screen>
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+#       enforcing - SELinux security policy is enforced.
+#       permissive - SELinux prints warnings instead of enforcing.
+#       disabled - No SELinux policy is loaded.
+SELINUX=enforcing
+# SELINUXTYPE= can take one of these two values:
+#       targeted - Targeted processes are protected,
+#       mls - Multi Level Security protection.
+SELINUXTYPE=mls
+</screen>
+                                </step>
+                                <step>
+	                                <para>
+	                                        Reboot your system and make sure SELinux is running in enforcing mode:
+        	                        </para>
+<screen>
+<prompt>~]$</prompt>&#160;<command>getenforce</command>
+Enforcing
+</screen>
+	                                <para>
+	                                        and the MLS policy is enabled:
+	                                </para>
+<screen><prompt>~]#</prompt>&#160;<command>sestatus |grep mls</command>
+Policy from config file:        mls
+</screen>
+                                </step>
+                        </procedure>
+                </section>
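Review bot: the relabel step is internally inconsistent: the text says to create the .autorelabel file "in root's home directory", but the command is `touch /.autorelabel`, which creates it in the root of the file system, and that is the location the boot-time relabel checks; fix the sentence, not the command. The same step says it "is necessary to add the -F option" without saying why: -F makes fixfiles/restorecon reset the complete context, including the user, role and MLS range, rather than only the type, and it is the range portion that has to change when switching from targeted to mls, so one explanatory clause would stop readers from skipping it. The post-reboot check `grep "SELinux is preventing" /var/log/messages` only works where rsyslog is installed and writing that file; on a Fedora installation without rsyslog the setroubleshoot messages live in the journal, so `journalctl -b | grep "SELinux is preventing"` (or `ausearch -m avc -ts today` for the raw AVC records) is the portable check and should be shown alongside or instead of the grep.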
+                <section id="creating-a-user-with-a-specific-mls-range">
+                        <title>Creating a User With a Specific MLS Range</title>
+                        <para>
+                                Follow these steps to create a new Linux user with a specific MLS range:
+                        </para>
+                        <procedure id="proc-Security-Enhanced_Linux-Creating_a_User_With_a_Specific_MLS_Range">
+                                <title>Creating a User With a Specific MLS Range</title>
+                                <step>
+	                                <para>
+                                                Add a new Linux user using the <command>useradd</command> command and map the new Linux user to an existing SELinux user (in this case, <systemitem>user_u</systemitem>):
+	                                </para>
+<screen><prompt>~]#</prompt>&#160;<command>useradd -Z user_u john</command></screen>
+                                </step>
+                                <step>
+	                                <para>
+	                                        Assign the newly-created Linux user a password:
+	                                </para>
+<screen>prompt~]#&#160;<command>passwd john</command></screen>
+                                </step>
+                                <step>
+	                                <para>
+	                                        Run the following command as root to view the mapping between SELinux and Linux users. The output should be as follows:
+	                                </para>
+<screen>
+<prompt>~]#</prompt>&#160;<command>semanage login -l</command>
+
+Login Name           SELinux User         MLS/MCS Range        Service
+
+__default__          unconfined_u         s0-s0:c0.c1023       *
+john                 user_u               s0                   *
+root                 unconfined_u         s0-s0:c0.c1023       *
+system_u             system_u             s0-s0:c0.c1023       *
+</screen>
+                                </step>
+                                <step>
+	                                <para>
+	                                        Define a specific range for user <literal>john</literal>:
+	                                </para>
+<screen><prompt>~]#</prompt>&#160;<command>semanage login --modify --seuser user_u --range s2:c100 john</command></screen>
+                                </step>
+                                <step>
+	                                <para>
+	                                        View the mapping between SELinux and Linux users again. Note that the user <literal>john</literal> now has a specific MLS range defined:
+	                                </para>
+<screen>
+<prompt>~]#</prompt>&#160;<command>semanage login -l</command>
+
+Login Name           SELinux User         MLS/MCS Range        Service
+
+__default__          unconfined_u         s0-s0:c0.c1023       *
+john                 user_u               s2:c100              *
+root                 unconfined_u         s0-s0:c0.c1023       *
+system_u             system_u             s0-s0:c0.c1023       *
+</screen>
+                                </step>
+                                <step>
+	                                <para>
+	                                        To correct the label on john's home directory (if needed), run the following command:
+	                                </para>
+<screen><prompt>~]#</prompt>&#160;<command>chcon -R -l s2:c100 /home/john</command></screen>
+                                </step>
+                        </procedure>
+                </section>
+                <section id="polyinstantiated-directories">
+                        <title>Setting Up Polyinstantiated Directories</title>
+                        <para>
+                                The <filename class="directory">/tmp/</filename> and <filename class="directory">/var/tmp/</filename> directories are normally used for temporary storage by all programs, services, and users. Such setup, however, makes these directories vulnerable to race condition attacks, or an information leak based on file names. SELinux offers a solution in the form of <firstterm>polyinstantiated</firstterm> directories. This effectively means that both <filename class="directory">/tmp/</filename> and <filename class="directory">/var/tmp/</filename> are instantiated, making them appear private for each user. When instantiation of directories is enabled, each user's <filename class="directory">/tmp/</filename> and <filename class="directory">/var/tmp/</filename> directory is automatically mounted under <filename>/tmp-inst</filename> and <filename>/var/tmp/tmp-inst</filename>.
+                        </para>
+                        <para>
+	                        Follow these steps to enable polyinstantiation of directories:
+                        </para>
+                        <procedure id="proc-Security-Enhanced_Linux-Enabling_Polyinstantiation_Directories">
+                                <title>Enabling Polyinstantiation Directories</title>
+                                <step>
+	                                <para>
+		                                Uncomment the last three lines in the <filename>/etc/security/namespace.conf</filename> file to enable instantiation of the <filename class="directory">/tmp/</filename>, <filename class="directory">/var/tmp/</filename>, and users' home directories:
+	                                </para>
+<screen>
+<prompt>~]$</prompt>&#160;<command>tail -n 3 /etc/security/namespace.conf</command>
+/tmp     /tmp-inst/            level      root,adm
+/var/tmp /var/tmp/tmp-inst/    level      root,adm
+$HOME    $HOME/$USER.inst/     level
+</screen>
+                                </step>
+                                <step>
+	                                <para>
+		                                Ensure that in the <filename>/etc/pam.d/login</filename> file, the <systemitem>pam_namespace.so</systemitem> module is configured for session:
+	                                </para>
+<screen>
+<prompt>~]$</prompt>&#160;<command>grep namespace /etc/pam.d/login</command>
+session    required     pam_namespace.so
+</screen>
+                                </step>
+                                <step>
+	                                <para>
+		                                Reboot your system.
+	                                </para>
+                                </step>
+                        </procedure>
+                </section>
+
+        </section>
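Review bot: broken markup in the passwd step of "Creating a User With a Specific MLS Range": `<screen>prompt~]#&#160;<command>passwd john</command></screen>` has lost the opening `<prompt>` element, so the rendered page will literally read "prompt~]#". It should be `<screen><prompt>~]#</prompt>&#160;<command>passwd john</command></screen>` like the surrounding steps. In the polyinstantiation procedure, the check only looks at /etc/pam.d/login, which is the console login stack; a user arriving through sshd or a display manager gets a private /tmp only if the `session required pam_namespace.so` line is present in that service's PAM stack too, so the step should either check every login service in use or state that explicitly, otherwise the protection is silently incomplete for remote and graphical sessions. Minor: the step says to "uncomment" the last three lines of namespace.conf but the `tail -n 3` output already shows them uncommented; either show the commented form first or reword the instruction.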
+        <section id="sec-file-name-transition">
+                <title>File Name Transition</title>
+                <para>
+                        The <firstterm>file name transition</firstterm> feature allows policy writers to specify the file name when writing policy transition rules. It is possible to write a rule that states: If a process labeled <computeroutput>A_t</computeroutput> creates a specified object class in a directory labeled <computeroutput>B_t</computeroutput> and the specified object class is named <literal>objectname</literal>, it gets the label <computeroutput>C_t</computeroutput>. This mechanism provides more fine-grained control over processes on the system.
+                </para>
+	        <para>
+		        Without file name transition, there are three possible ways how to label an object:
+	        </para>
+	        <itemizedlist>
+		        <listitem>
+			        <para>
+				        By default, objects inherit labels from parent directories. For example, if the user creates a file in a directory labeled <systemitem>etc_t</systemitem>, then the file is labeled also <systemitem>etc_t</systemitem>. However, this method is useless when it is desirable to have multiple files within a directory with different labels.	
+			        </para>
+		        </listitem>
+	                <listitem>
+			        <para>
+                                        Policy writers can write a rule in policy that states: If a process with type <systemitem>A_t</systemitem> creates a specified object class in a directory labeled <systemitem>B_t</systemitem>, the object gets the new <systemitem>C_t</systemitem> label. This practice is problematic if a single program creates multiple objects in the same directory where each object requires a separate label. Moreover, these rules provide only partial control, because names of the created objects are not specified.
+                                </para>
+		        </listitem>
+		        <listitem>
+		                <para>
+                		        Certain applications have SELinux awareness that allow such an application to ask the system what the label of a certain path should be. These applications then request the kernel to create the object with the required label. Examples of applications with SELinux awareness are the <application>rpm</application> package manager, the <application>restorecon</application> utility, or the <application>udev</application> device manager. However, it is not possible to instruct every application that creates files or directories with SELinux awareness. It is often necessary to relabel objects with the correct label after creating. Otherwise, when a confined domain attempts to use the object, AVC messages are returned.
+		                </para>		
+                        </listitem>
+	        </itemizedlist>
+	        <para>
+                        The file name transition feature decreases problems related to incorrect labeling and improves the system to be more secure. Policy writers are able to state properly that a certain application can only create a file with a specified name in a specified directory. The rules take into account the file name, not the file path. This is the basename of the file path. Note that file name transition uses an exact match done by the <function>strcmp()</function> function. Use of regular expressions or wildcard characters is not considered.
+                </para>
+                <note>
+                        <para>
+			        File paths can vary in the kernel and file name transition does not use the paths to determine labels. Consequently, this feature only affects initial file creation and does not fix incorrect labels of already created objects.
+                        </para>
+                </note>
+                <example id="ex-Examples_of_Policy_Rules_Written_with_File_Name_Transition">
+                        <title>Examples of Policy Rules Written with File Name Transition</title>
+		        <para>
+			        The example below shows a policy rule with file name transition:
+		        </para>
+<screen>filetrans_pattern(unconfined_t, admin_home_t, ssh_home_t, dir, ".ssh")</screen>
+                        <para>
+                                This rule states that if a process with the <systemitem>unconfined_t</systemitem> type creates the <filename class="directory">~/.ssh/</filename> directory in a directory labeled <systemitem>admin_home_t</systemitem>, the <filename class="directory">~/.ssh/</filename> directory gets the label <systemitem>ssh_home_t</systemitem>.  
+                        </para>
+                        <para>
+                                Similar examples of policy rules written with file name transition are presented below:
+                        </para>
+<screen>
+filetrans_pattern(staff_t, user_home_dir_t, httpd_user_content_t, dir, "public_html")
+filetrans_pattern(thumb_t, user_home_dir_t, thumb_home_t, file, "missfont.log")
+filetrans_pattern(kernel_t, device_t, xserver_misc_device_t, chr_file, "nvidia0")
+filetrans_pattern(puppet_t, etc_t, krb5_conf_t, file, "krb5.conf")
+</screen>
+                </example>
+                <note>
+                        <para>
+		                The file name transition feature affects mainly policy writers, but users can notice that instead of file objects almost always created with the default label of the containing directory, some file objects have a different label as specified in policy.
+                        </para>
+                </note>
+        </section>
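Review bot: the note "File paths can vary in the kernel and file name transition does not use the paths to determine labels" reads as if paths were unstable; the actual point is that the kernel has no single canonical path for an object (bind mounts, hard links and chroots give one object several paths), which is why the rule matches only the final path component with an exact strcmp(). Suggest rewording along those lines. The closing note, "instead of file objects almost always created with the default label of the containing directory, some file objects have a different label as specified in policy", is also hard to parse; something like "a newly created file no longer always inherits the label of its parent directory: where policy specifies a name-based transition, the file receives the label named in that rule" says the same thing clearly.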
+        <section id="sect-Security-Enhanced_Linux-Working_with_SELinux-Disable_ptrace">
+                <title>Disable ptrace()</title>
+                <para>
+                        The <systemitem>ptrace()</systemitem> system call allows one process to observe and control the execution of another process and change its memory and registers. This call is used primarily by developers during debugging, for example when using the <systemitem>strace</systemitem> utility. When <systemitem>ptrace()</systemitem> is not needed, it can be disabled to improve system security. This can be done by enabling the <computeroutput>deny_ptrace</computeroutput> Boolean, which denies all processes, even those that are running in <computeroutput>unconfined_t</computeroutput> domains, from being able to use <systemitem>ptrace()</systemitem> on other processes. 
+                </para>
+                <para>
+                        The <computeroutput>deny_ptrace</computeroutput> Boolean is disabled by default. To enable it, run the <command>setsebool -P deny_ptrace on</command> command as the root user: 
+<screen><prompt>~]#</prompt>&#160;<command>setsebool -P deny_ptrace on</command></screen>
+                </para>
+                <para>
+                        To verify if this Boolean is enabled, use the following command:
+<screen>
+<prompt>~]$</prompt>&#160;<command>getsebool deny_ptrace</command>
+deny_ptrace --> on
+</screen>
+                </para>
+                <para>
+                        To disable this Boolean, run the <command>setsebool -P deny_ptrace off</command> command as root:
+<screen><prompt>~]#</prompt>&#160;<command>setsebool -P deny_ptrace off</command></screen>
+                </para>
+                <note>
+                        <para>
+                                The <command>setsebool -P</command> command makes persistent changes. Do not use the <option>-P</option> option if you do not want changes to persist across reboots. 
+                        </para>
+                </note>
+                <para>
+                        This Boolean influences only packages that are part of &PRODUCT;. Consequently, third-party packages could still use the <systemitem>ptrace()</systemitem> system call. To list all domains that are allowed to use <systemitem>ptrace()</systemitem>, run the following command. Note that the <package>setools-console</package> package provides the <systemitem>sesearch</systemitem> utility and that the package is not installed by default.
+                </para>
+<screen><prompt>~]#</prompt>&#160;<command>sesearch -A -p ptrace,sys_ptrace -C | grep -v deny_ptrace | cut -d ' ' -f 5</command></screen>  
+        </section>
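Review bot: "This Boolean influences only packages that are part of &PRODUCT;" misstates the mechanism: deny_ptrace is a policy Boolean, so what it controls is the ptrace-related allow rules in the distribution's own policy modules that have been written conditionally on it; a third-party or locally written policy module that grants process:ptrace or capability:sys_ptrace unconditionally is unaffected, which is why the sesearch pipeline that follows, listing allow rules for those permissions that are not conditioned on deny_ptrace, is the right check. Reword the sentence in terms of policy modules rather than packages. One caveat worth a sentence next to the `setsebool -P deny_ptrace on` command: because the Boolean covers unconfined_t as well, the administrator loses gdb and strace on every process, including root's own, until the Boolean is turned off again.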
+        <section id="sect-thumbnail_protection">
+                <title>Thumbnail Protection</title>
+                <para>
+                        The thumbnail icons can potentially allow an attacker to break into a locked machine using removable media, such as USB devices or CDs. When the system detects a removable media, the Nautilus file manager executes the thumbnail driver code to display thumbnail icons in an appropriate file browser even if the machine is locked. This behavior is unsafe because if the thumbnail executables were vulnerable, the attacker could use the thumbnail driver code to bypass the lock screen without entering the password.
+                </para>
+                <para>
+                        Therefore, a new SELinux policy is used to prevent such attacks. This policy ensures that all thumbnail drivers are locked when the screen is locked. The thumbnail protection is enabled for both confined users and unconfined users. This policy affects the following applications:
+                </para>
+               <itemizedlist> 
+                       <listitem>
+                               <para>
+                                       /usr/bin/evince-thumbnailer
+                               </para>
+                       </listitem>
+                       <listitem>
+                               <para>
+                                       /usr/bin/ffmpegthumbnailer
+                               </para>
+                       </listitem>
+                       <listitem>
+                               <para>
+                                       /usr/bin/gnome-exe-thumbnailer.sh
+                               </para>
+                       </listitem>
+                       <listitem>
+                               <para>
+                                       /usr/bin/gnome-nds-thumbnailer
+                               </para>
+                       </listitem>
+                       <listitem>
+                               <para>
+                                       /usr/bin/gnome-xcf-thumbnailer
+                               </para>
+                       </listitem>
+                       <listitem>
+                               <para>
+                                       /usr/bin/gsf-office-thumbnailer
+                               </para>
+                       </listitem>
+                       <listitem>
+                               <para>
+                                       /usr/bin/raw-thumbnailer
+                               </para>
+                       </listitem>
+                       <listitem>
+                               <para>
+                                       /usr/bin/shotwell-video-thumbnailer
+                               </para>
+                       </listitem>
+                       <listitem>
+                               <para>
+                                       /usr/bin/totem-video-thumbnailer
+                               </para>
+                       </listitem>
+                       <listitem>
+                               <para>
+                                       /usr/bin/whaaw-thumbnailer
+                               </para>
+                       </listitem>
+                       <listitem>
+                               <para>
+				       /usr/lib/tumbler-1/tumblerd
+                               </para>
+                       </listitem>
+		       <listitem>
+                               <para>
+				       /usr/lib64/tumbler-1/tumblerd
+                               </para>
+                       </listitem>
+               </itemizedlist>
+       </section>
 </section>
 
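Review bot: The thumbnailer paths in the new "Thumbnail Protection" list (the `/usr/bin/evince-thumbnailer` through `/usr/lib64/tumbler-1/tumblerd` items) are bare text inside `<para>` rather than `<filename>` elements, which is inconsistent with the markup used elsewhere in this file (`<command>`, `<package>`, `<systemitem>`) and will render them as plain prose; wrap each as `<filename>/usr/bin/evince-thumbnailer</filename>`. While touching those items, normalize the two `tumblerd` entries, which are indented with tabs where the rest of the list uses spaces, and consider giving the new `id="sect-thumbnail_protection"` the `sect-Security-Enhanced_Linux-Working_with_SELinux-` prefix the surrounding section ids use, so `<xref>` links stay consistent. The section also states that the policy "ensures that all thumbnail drivers are locked when the screen is locked" but gives the reader no way to confirm this on a system; a sentence naming the domain or Boolean involved, or a `getsebool`/`sesearch` check like the one shown for `ptrace()` just above, would make the claim verifiable. Finally, the `sesearch ... | cut -d ' ' -f 5` line has trailing whitespace after the closing `</screen>` tag and relies on a fixed field position in `sesearch` output; it would be worth a sentence noting which field that is expected to be so the reader can adjust it if the output format differs.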
diff --git a/en-US/images/security-intro-to-mls.png b/en-US/images/security-intro-to-mls.png
new file mode 100644
index 0000000..2e0fa95
Binary files /dev/null and b/en-US/images/security-intro-to-mls.png differ
diff --git a/en-US/images/security-mls-data-flow.png b/en-US/images/security-mls-data-flow.png
new file mode 100644
index 0000000..a2ecd24
Binary files /dev/null and b/en-US/images/security-mls-data-flow.png differ