From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1RF60m-0004wB-Ui for garchives@archives.gentoo.org; Sat, 15 Oct 2011 15:18:57 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id E45D421C0B7; Sat, 15 Oct 2011 15:18:46 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 7A6D921C0B7 for ; Sat, 15 Oct 2011 15:18:46 +0000 (UTC) Received: from pelican.gentoo.org (unknown [66.219.59.40]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id D07081B4029 for ; Sat, 15 Oct 2011 15:18:45 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by pelican.gentoo.org (Postfix) with ESMTP id 355D980042 for ; Sat, 15 Oct 2011 15:18:45 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <52cac2568b9cd904e76e35f6dbe088bbba4b3a34.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/ X-VCS-Repository: proj/hardened-docs X-VCS-Files: xml/selinux/hb-using-commands.xml xml/selinux/hb-using-states.xml X-VCS-Directories: xml/selinux/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 52cac2568b9cd904e76e35f6dbe088bbba4b3a34 Date: Sat, 15 Oct 2011 15:18:45 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: quoted-printable X-Archives-Salt: X-Archives-Hash: f03e2580ec86dd0ccb2ccfdee8a31925 commit: 52cac2568b9cd904e76e35f6dbe088bbba4b3a34 Author: Sven Vermeulen siphos be> AuthorDate: Sat Oct 15 15:18:31 2011 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Sat Oct 15 15:18:31 2011 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=3Dproj/hardened-docs= .git;a=3Dcommit;h=3D52cac256 Update on commands, start on selinux policy types and modes --- xml/selinux/hb-using-commands.xml | 82 +++++++++-- xml/selinux/hb-using-states.xml | 290 +++++++++++++++++++++++++++++++= ++++++ 2 files changed, 356 insertions(+), 16 deletions(-) diff --git a/xml/selinux/hb-using-commands.xml b/xml/selinux/hb-using-com= mands.xml index d0a1cb3..ae55d83 100644 --- a/xml/selinux/hb-using-commands.xml +++ b/xml/selinux/hb-using-commands.xml @@ -7,8 +7,8 @@ =20 -5 -2011-07-13 +6 +2011-10-15 =20
SELinux Information Commands @@ -40,7 +40,7 @@ The first command we will talk about is sestatus= .

=20
-~# sestatus
+# sestatus
 SELinux status:                 enabled
 SELinuxfs mount:                /selinux
 Current mode:                   permissive
@@ -55,6 +55,56 @@ the permissive mode. It also tells you that the=
 system is configured to
 run in strict mode - so no unconfined_t domain here.
 

=20 +

+The sestatus command also has an extended output if you run it wi= th the +-v option. When this is done, the command returns the contexts of +important processes and files: +

+ +
+# sestatus -v
+SELinux status:                 enabled
+SELinuxfs mount:                /selinux
+Current mode:                   enforcing
+Mode from config file:          enforcing
+Policy version:                 24
+Policy from config file:        strict
+
+Process contexts:
+Current context:                staff_u:sysadm_r:sysadm_t
+Init context:                   system_u:system_r:init_t
+/sbin/agetty                    system_u:system_r:getty_t
+/usr/sbin/sshd                  system_u:system_r:sshd_t
+
+File contexts:
+Controlling term:               staff_u:object_r:user_devpts_t
+/sbin/init                      system_u:object_r:init_exec_t
+/sbin/agetty                    system_u:object_r:getty_exec_t
+/bin/login                      system_u:object_r:login_exec_t
+/sbin/rc                        system_u:object_r:rc_exec_t
+/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
+/sbin/unix_chkpwd               system_u:object_r:chkpwd_exec_t
+/etc/passwd                     system_u:object_r:etc_t
+/etc/shadow                     system_u:object_r:shadow_t
+/bin/sh                         system_u:object_r:bin_t -> system_u:obje=
ct_r:shell_exec_t
+/bin/bash                       system_u:object_r:shell_exec_t
+/usr/bin/newrole                system_u:object_r:newrole_exec_t
+/lib/libc.so.6                  system_u:object_r:lib_t -> system_u:obje=
ct_r:lib_t
+/lib/ld-linux.so.2              system_u:object_r:lib_t -> system_u:obje=
ct_r:ld_so_t
+
+ +

+Another general SELinux status command is getenforce, which allow= s you to +quickly see if your SELinux is running in enforcing mode (SELinux polici= es are +enforced), permissive (SELinux policies are checked and logged, but not +enforced) or disabled (SELinux policy is not loaded and thus not checked= ). +

+ +
+# getenforce
+Enforcing
+
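Review bot: the paragraph introducing "sestatus -v" says it returns the contexts of "important processes and files" but not where that list comes from; sestatus takes the [process] and [files] lists from /etc/sestatus.conf, so a sentence saying that (and that the list can be extended) would tell readers why exactly /etc/shadow, sshd and the others appear. The entries with an arrow, such as "/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t", print the symlink's own context followed by the context of its target; the text should say so, because the distinction matters when readers later compare against "ls -Z" output. Also, the existing sestatus example in the surrounding context shows "Current mode: permissive" while the new "-v" output shows "enforcing"; capturing both on the same system would avoid the impression that "-v" reports something different.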
+ @@ -95,9 +145,9 @@ attribute set.

=20
-~# seinfo -tcrontab_t
+# seinfo -tcrontab_t
   crontab_t
-~# seinfo -ruser_r -x
+# seinfo -ruser_r -x
   user_r
     Dominated Roles:
       user_r
@@ -105,7 +155,7 @@ attribute set.
       [...]
       crontab_t
       [...]
-~# seinfo -acron_spool_type -x
+# seinfo -acron_spool_type -x
   cron_spool_type
     user_cron_spool_t
     system_cron_spool_t
@@ -136,7 +186,7 @@ shadow_t domain:
 

=20
-~# sesearch -t shadow_t -c file -p write -A
+# sesearch -t shadow_t -c file -p write -A
 Found 8 semantic av rules:
   [...]
   allow portage_t shadow_t : file { ioctl read write ... };
@@ -163,7 +213,7 @@ that this is only portage:
 

=20
-~# sesearch -t file_type -c file -p write -A -d
+# sesearch -t file_type -c file -p write -A -d
 Found 1 semantic av rules:
   allow portage_t file_type : file { ioctl read write ... };
 
@@ -190,7 +240,7 @@ boolean is set:

=20
-~# sesearch -b global_ssp -A -C -d
+# sesearch -b global_ssp -A -C -d
 Found 2 semantic av rules:
 ET allow domain device_t : dir { getattr search open } ; [ global_ssp ]
 ET allow domain urandom_device_t : chr_file { ioctl read getattr lock op=
en } ; [ global_ssp ]
@@ -237,7 +287,7 @@ To get the security context of a process, use ps -=
Z:
 

=20
-~# ps -Z $(pidof init)
+# ps -Z $(pidof init)
 LABEL                             PID TTY      STAT   TIME COMMAND
 system_u:system_r:init_t            1 ?        Ss     0:00 init [3] =20
 
@@ -283,7 +333,7 @@ this area).

=20
-~# semanage boolean -l
+# semanage boolean -l
 SELinux boolean                 Description
=20
 allow_ptrace            -> off  allow_ptrace
@@ -301,7 +351,7 @@ You can set a boolean with both setsebool and =
semanage:
 

=20
-~# semanage boolean -m --on -F user_dmesg
+# semanage boolean -m --on -F user_dmesg
 
=20 @@ -316,7 +366,7 @@ you to map a Unix account to a SELinux user:

=20
-~# semanage login -l
+# semanage login -l
 Login Name          SELinux User
=20
 __default__         user_u
@@ -339,7 +389,7 @@ can be accomplished as follows (example with the Unix=
 account anna):
 

=20
-~# semanage login -a -s staff_u anna
+# semanage login -a -s staff_u anna
 
=20 @@ -354,7 +404,7 @@ roles. To list the available roles, you can use se= manage user -l:

=20
-~# semanage user -l
+# semanage user -l
 SELinux User        SELinux Roles
=20
 root                staff_r sysadm_r
@@ -375,7 +425,7 @@ overview of which domains are assigned to which ports=
 (or port ranges) use
 

=20
-~# semanage port -l | grep '22$'
+# semanage port -l | grep '22$'
 ssh_port_t             tcp     22
 
=20 diff --git a/xml/selinux/hb-using-states.xml b/xml/selinux/hb-using-state= s.xml new file mode 100644 index 0000000..63d3f52 --- /dev/null +++ b/xml/selinux/hb-using-states.xml @@ -0,0 +1,290 @@ + + + + + + + + + +1 +2011-10-15 + +
+SELinux States + +Introduction + + +

+When SELinux is available, it will generally be in one of three states o= n your +system: disabled, permissive or enforcing. +

+ + +
+ +Disabled + + +

+When getenforce returns "Disabled", then SELinux is not running o= n your +system. Even though it might be built in your kernel, it is definitely d= isabled. +Your system will still run with regular discretionary access controls (t= he usual +permission rules for standard Linux environments) but the mandatory acce= ss +controls are not active. +

+ +

+When SELinux is disabled, it also means that files, directories, etc tha= t are +modified or created will not get the proper SELinux context assigned to = them. +When you later start your system with SELinux enabled (permissive or enf= orcing), +issues will arise since the SELinux subsystem will not know which label = the +files have (it will default the label to one that is not accessible by m= ost +domains). +

+ +

+The best way to go forward in such case is to boot in permissive mode an= d then +relabel the entire file system: +

+ +
+# rlpkg -a -r
+
+ + +
+ +Permissive + + +

+When SELinux is enabled in permissive mode (getenforce returns +"Permissive"), then SELinux is enabled and it has a policy loaded. Every= access +a process makes is checked against the policy rules and, if an access is= not +allowed, it will be logged (unless the denial is marked as dontaudit) bu= t it +will not be prohibited. +

+ +

+The permissive mode is perfect to get acquainted with SELinux and have t= he +system made ready for future "enforcing" mode. While running in permissi= ve mode, +applications that are not SELinux aware will behave as if SELinux= is not +running. This is perfect to validate if a problem is caused by SELinux o= r not: +if in permissive mode the problem still persists, then it is not caused = by +SELinux. +

+ +

+There is one caveat though: if the application is SELinux-aware (= it knows +that it can run in a SELinux environment and is able to make SELinux-spe= cific +calls) it might still react differently. Although this is often (but not= always) +a bad programming practice, some applications check if SELinux is enable= d and +base their functional flow on the results, regardless of the state being +permissive or enforcing. +

+ +

+To find out if an application is SELinux aware, simply check if it is li= nked +against libselinux (with ldd or scanelf - part of +app-misc/pax-utils): +

+ +
+# scanelf -n /bin/ls
+ TYPE     NEEDED FILE
+ET_DYN   libselinux.so.1,librt.so.1,libc.so.6   /bin/ls
+
+ + +
+ +Enforcing + + +

+If getenforce returns "Enforcing", then SELinux is loaded and wil= l act +based on the policy. When a process tries some activity that is not allo= wed by +the policy, it will be logged (unless a dontaudit is set) and the activi= ty will +not go through. This is the only mode where you can truely say that SELi= nux is +active, because it is only now that the policy is acted upon. +

+ + +
+ +Switching States + + +

+Depending on your Linux kernel configuration, you can switch between sta= tes +using one of the following methods. The kernel configuration however can= be made +so that some of these options are disabled (for instance, a fully harden= ed +system will not allow disabling SELinux in any way). +

+ +

+Using the command setenforce: +

+ +
+(Switching to permissive mode)
+# setenforce 0
+
+(Switching to enforcing mode)
+# setenforce 1
+
+ +

+Using the kernel boot option enforcing: +

+ +
+(The following GRUB kernel line would boot in permissive mode)<=
/comment>
+kernel /kernel-2.6.39-hardened-r8 root=3D/dev/md3 rootflags=3Ddata=3Djou=
rnal enforcing=3D0
+
+ +

+Using the /etc/selinux/config SELINUX variable: +

+ +
+# cat /etc/selinux/config
+# This file controls the state of SELinux on the system on boot.
+
+# SELINUX can take one of these three values:
+#       enforcing - SELinux security policy is enforced.
+#       permissive - SELinux prints warnings instead of enforcing.
+#       disabled - No SELinux policy is loaded.
+SELINUX=3Denforcing
+
+# SELINUXTYPE can take one of these four values:
+#       targeted - Only targeted network daemons are protected.
+#       strict   - Full SELinux protection.
+#       mls      - Full SELinux protection with Multi-Level Security
+#       mcs      - Full SELinux protection with Multi-Category Security=20
+#                  (mls, but only one sensitivity level)
+SELINUXTYPE=3Dstrict
+
+ + +
+
+ +
+SELinux Policy Types + +Introduction + + +

+Next to the SELinux state, SELinux also offers different policy types. T= hese +types differentiate themselves in specific SELinux features that are ena= bled or +disabled. Within Gentoo, three are supported (and a fourth is available)= : +targeted, strict, mcs (and mls). +

+ +

+The type used on a system is declared in /etc/selinux/config: +

+ +
+# cat /etc/selinux/config
+# This file controls the state of SELinux on the system on boot.
+
+# SELINUX can take one of these three values:
+#       enforcing - SELinux security policy is enforced.
+#       permissive - SELinux prints warnings instead of enforcing.
+#       disabled - No SELinux policy is loaded.
+SELINUX=3Denforcing
+
+# SELINUXTYPE can take one of these four values:
+#       targeted - Only targeted network daemons are protected.
+#       strict   - Full SELinux protection.
+#       mls      - Full SELinux protection with Multi-Level Security
+#       mcs      - Full SELinux protection with Multi-Category Security=20
+#                  (mls, but only one sensitivity level)
+SELINUXTYPE=3Dstrict
+
+ + +
+ +strict (without unconfined domains) + + +

+The strict policy type is the policy type that was described in t= he +earlier chapters, and coincidentally the type that is the easiest to und= erstand. +With the strict policy type, each and every application runs in a domain= that +has limited privileges. Although there are highly privileged domains, th= ey are +never truely unlimited in their privileges. +

+ + +
+ +targeted (using unconfined domains) + + +

+The targeted policy type is similar to the strict one, with one m= ajor +addition: support for unconfined domains. Applications (or users) that r= un in an +unconfined domain are almost unlimited in their privileges. The unconfin= ed +domains are usually used for users and user applications, but also the i= nit +system and other domains are marked as "unconfined" domains. +

+ +

+The idea behind the targeted policy is that network-facing services are = running +in (confined) regular domains whereas the rest uses the standard discret= ionary +access controls offered by Linux. These other domains are running as +"unconfined". +

+ + +
+ +mcs (using multiple categories) + + +

+The introduction of mls and mcs offers the ability for +multi-tenancy: multiple instances of the same application should = be able +to run, but each instance should be confined with respect to the others = (instead +of all these processes running in the same domain and, hence, the same +privileges). +

+ +

+A simple example is virtualization: a virtual guest which runs in the +qemu_t domain needs write privileges on the image file that conta= ins the +guest operating system. However, if you run two guests, you do not want = each +guest to write to the other guests' file. With regular domains, you will= need to +provide this. With mcs, you can give each running instance a spec= ific +category (number) and only grant it write privileges to the guest file w= ith the +correct category (number). +

+ + +
+ +mls (using multiple security levels) + + +

+The mls policy type is available but not yet supported by Gentoo +Hardened. With this policy type, it is possible to give sensitivity leve= ls on +files and resources as well as domains. Sensitivity levels can best be e= xpressed +in terms of public, private, confidential or str= ictly +confidential. With MLS, you can mark a file as one (or a set of) +sensitivity level(s) and ensure that only domains with the right sensiti= vity +level can access it. +

+ + +
+
+ +
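Review bot: the "Switching States" section presents setenforce, the "enforcing" boot option and /etc/selinux/config as three ways to switch between the three states, but only the config file can reach the disabled state: "setenforce 0/1" and "enforcing=0" toggle between permissive and enforcing on a kernel where SELinux is enabled, and do nothing once it is disabled. A sentence saying that disabling requires SELINUX=disabled (or the selinux=0 boot parameter) plus a reboot would close that gap, and naming the kernel options that gate each method (CONFIG_SECURITY_SELINUX_DEVELOP for setenforce and enforcing=, CONFIG_SECURITY_SELINUX_BOOTPARAM for selinux=, CONFIG_SECURITY_SELINUX_DISABLE for disabling at boot from the config file) would make the "depending on your Linux kernel configuration" remark actionable, since a hardened kernel typically has those switched off. Smaller points: the full /etc/selinux/config listing is pasted twice (under "Switching States" and under the policy types "Introduction"); showing only the SELINUX= line in the first and the SELINUXTYPE= line in the second would keep the two from drifting apart. In those listings the root prompt "# cat /etc/selinux/config" is indistinguishable from the file's own "#" comment lines, which is an argument for keeping a distinct prompt rather than the bare "#" introduced in the other file. In the "Disabled" section, "it will default the label to one that is not accessible by most domains" could name that label (unlabeled_t) so readers recognise it in "ls -Z" output and in denial messages. Finally, "truely" appears in both the "Enforcing" and the "strict" sections and should read "truly".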