Dan Walsh's Blog

Got SELinux?

Previous Entry Share Next Entry
First a little history: The first policy developed for SELinux was called the "example" policy. Red Hat developed a policy package off of this called targeted which we used for the basis of Red Hat Enterprise Linux 4 and Fedora 2/3,

The SELinux community rewrote the "example" policy and created the "reference" policy.  Out of this Red Hat created three policy variants "targeted", "strict" and "mls".  These three policies are available in Red Hat Enterprise Linux 5.

targeted policy goal is to lock down all processes that listen for network connections and pretty much all processes that start at boot.  Processes that are started by a logged in user were unconfined (unconfined_t).  Services started by the init scripts that did not have a policy were also run in an unconfined domain (initrc_t).

strict policy was basically the same as targeted except logged in  users are confined.  And processes started during the init process that do not have a policy are also confined.

MLS Policy is a strict policy that also adds in the MLS Requirements guiding information flow.

In the latest Fedora Releases we have merged the targeted and strict policy into one policy called "targeted".  So now you can choose to run confined and unconfined users on the same machine at the same time.  MLS Policy is also growing to take all of the domains that are in targeted and work on a full desktop system.

A goal of SELinux was to allow people to experiment with multiple policies and we have somewhat achieved this.

But we lost something along the way.

What about someone who wants to experiment with only a little SELinux?  I often get asked, "I want to run everything unconfined, but only confine this one daemon, how do I do this?"

This is a difficult problem since starting from scratch is a daunting task, but taking targeted policy and slowly removing packages is also difficult.

The ovirt team was looking for a minimal policy to run on low memory machines platforms, that only confines virtual machines.  ovirt does not run any of the services confined by targeted policy so they did not want to overhead of having those policies on the machine.  Similarly people are experimenting with using SELinux on "devices" like smart phones.  What policy do we have for them?

In Fedora 10 we introduced selinux-policy-minimum.  Minimum policy built exactly the same as targeted policy, but installs ONLY the base policy package and the unconfined.pp . All of the SELinux policy modules from the targeted policy are in the selinux-policy-minimum rpm package but they are not compiled and loaded into the kernel in the post install.  

Pretty much everything on this system runs as initrc_t or unconfined_t so all of the domains are unconfined.   

If you want to experiment with an SELinux machine with just Apache policy, you could install minimum and then execute:

# semodule -i /usr/share/selinux/minimum/Apache.pp.bz2

Next you would have to make sure the labeling is correct, you need to execute the fixfiles command on the rpm package.

# fixfiles -R httpd restore

ovirt just needs to install /usr/share/selinux/minimum/virt.pp.bz2 and

For a comparison of size between the two compiled policies.

# du  /etc/selinux/minimum/policy/policy.24  /etc/selinux/targeted/policy/policy.24
640    /etc/selinux/minimum/policy/policy.24
3512    /etc/selinux/targeted/policy/policy.24

You can use system-config-selinux to change from targeted to minimum or edit /etc/selinux/config

Then you need to relabel the system.

# touch /.autorelabel
# reboot

Minimum is not a perfect world though since interactions between different domains will not necessarily be handled correctly.  For example if you installed just Apache policy but had a mysql database running on the machine.  Apache (httpd_t) would not be allowed to connect to the mysql stream since mysql will be running as initrc_t.   You would need to customize your policy to make it work or add the mysql.pp policy.

In conclusion, this policy is good for people who want to experiment with SELinux in different ways and people who want to use SELinux on small devices.

Are you sure that MLS don't have unconfined(initrc_t) ?

I see:

config/appconfig-mls/unconfined_u_default_contexts:2:system_r:initrc_t:s0 unconfined_r:unconfined_t:s0
config/appconfig-mls/xguest_u_default_contexts:2:system_r:initrc_su_t:s0 xguest_r:xguest_t:s0

Well unconfined_u being in the mls appconfig is a bug.

initrc_t does exist, but it is not wrapped in the unconfined_domain() attribute.

seinfo -xunconfined_domain_type

On an MLS policy should return no domains.

How can I modify refpolicy to add to MLS support unconfined_domain_type ?
Could you help me please?

Contact me via email or on irc #selinux on freenode. This is a little difficult to do on a blog.

What is your nickname on irc #selinux ?

IRC: dwalsh
Email: dwalsh@redhat.com
Titter: #rhatdan

You are viewing danwalsh