Dan Walsh's Blog

Got SELinux?


SELinux Application - Config files
danwalsh
If you cd into /etc/selinux/targeted, you will see the following files.

On RHEL4:

ls -l /etc/selinux/targeted
  • booleans
    • This file contains the list of distribution-specific boolean settings.  You should not edit this file, since rpm will replace it on the next upgrade.
  • booleans.local
    • This file may not exist.  It contains your local customizations to the booleans.  load_policy and init read booleans and booleans.local when they load policy into the kernel.  booleans.local is created and updated by the "setsebool -P" command.  You can hand edit it and it will be read on the next reboot or call to load_policy.
  • contexts
    • This directory contains all of the "default" contexts on the system.  Several apps use libselinux to read these files and configure the system. We will look at the contents of this directory below.
  • policy
    • This directory contains the actual policy file.  You will see the policy file with a version number like 18.  This is the version of the policy language.  You can see the maximum policy version the kernel supports by executing "cat /selinux/policyvers".  In FC5 the init program and SELinux have gotten a little smarter about handling this, so if you are running a kernel that supports policy.20 and you have policy.21 installed, the library will automatically translate the policy.21 into policy.20 format.  Unfortunately in RHEL4, the policy version must match the kernel or be one less.  So currently the RHEL4 kernel will work with a policy.18 or policy.17 file.
  • src
    • This contains the policy sources if you installed the selinux-policy-POLICYTYPE-sources rpm.  If you want to customize policy in RHEL4 you need to install this rpm and use it to rebuild the environment.  This directory and the sources RPM no longer exist in FC5; they have been replaced with modular policy.  In FC5, if you want to see the original policy sources you need to install the selinux-policy-VERSION.src.rpm.
In FC5 and eventually RHEL5:
  • booleans and booleans.local no longer exist.  These are handled in the modules subdirectory explained below.
  • The src dir no longer exists.  You will find interface files installed in /usr/share/selinux/devel/include.  These will be explained in a later journal entry.
  • The policy directory is the same.
  • contexts is pretty much the same, again explained below.
  • modules
    • In FC5 the policy is totally rebuilt any time you change the environment, whether you change a boolean setting, add a local file context or install a new policy module.
    • This directory is used as the sandbox directory by the semodule and semanage tools.
    • When you update policy or load a module, the tools build a policy.VERSION file from this directory tree.
    • There are a couple of lock files and a couple of directories named:
    • active
      • This contains the active sandbox used to build the current running policy.
      • If you look in this directory you will see the files used to build the policy, including some of the files that were on the RHEL4 system such as booleans.local.  You should not edit these files.  You should use the semanage and semodule commands to manipulate the policy.
    • previous
      • Contains the previously running policy.
  • seusers
    • seusers is a file that maps "Linux Users" to "SELinux Users" and the range of security levels that they can reach.
    • If no matching "Linux User" exists then __default__ is used.
    • This file is used by the login program to set up the initial security context for a user logging into the system, as was explained last week.
    • This file should be manipulated by semanage.
    • The range of security levels differs between policies.  In an MCS environment like targeted and strict, you could have a range of s0-s0:c0.c255, which is sometimes called SystemLow-SystemHigh.  In the MCS world s0 translates to "", and s0:c0, s0:c1, s0:c2 ... can be translated via the setrans.conf file, explained below.  This range is contiguous, so s0-s0:c3 means that the user can create files with the following categories: s0, s0:c0, s0:c1, s0:c2, s0:c3.  Combinations are also OK, so a file could be labeled s0:c1,c5.  A range of s0 implies s0-s0.
    • In MLS you have additional sensitivities, so you have s0-s15.  SystemLow-SystemHigh in an MLS environment therefore indicates s0-s15:c0.c255.
    • You can use the newrole command to change your current process's security level.  This is not recommended for MCS machines and could cause some confusion.  On an MLS machine this is common.
    • You can use chcon and chcat to change a file's security level.
  • setrans.conf
    • setrans.conf is the translation file used by libselinux to translate sensitivity levels into human-readable form.
    • It looks something like the following:
      • s0:c0=CompanyConfidential
      • s0:c1=PatientRecord
      • s0:c2=Unclassified
      • s0-s0:c0.c255=SystemLow-SystemHigh
      • s0:c0.c255=SystemHigh
    • You can use semanage to manage this file.
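As an added example (not code from the original post or from SELinux itself), here is a small Python parser for the seusers format that applies the range rules described above: the __default__ fallback, "c0.c255" category runs, "c1,c5" combinations, and a bare "s0" meaning "s0-s0". The seusers content is constructed, and the check that a level lies inside a user's range uses standard MLS dominance (sensitivity greater or equal, categories a superset).

```python
# Constructed sample seusers file (linux_user:selinux_user:range; __default__ is the fallback).
SEUSERS = """\
root:root:s0-s0:c0.c255
dwalsh:user_u:s0-s0:c0.c3
__default__:user_u:s0
"""

def parse_categories(spec):
    """Expand 'c0.c255' (a run) and 'c1,c5' (a list) into a set of ints."""
    cats = set()
    for part in filter(None, spec.split(",")):
        if "." in part:
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return cats

def parse_level(level):
    """'s0:c1,c5' -> (0, {1, 5}); a bare 's0' has no categories."""
    sens, _, cats = level.partition(":")
    return int(sens[1:]), parse_categories(cats)

def parse_range(rng):
    """'low-high'; a bare level such as 's0' implies 's0-s0'."""
    low, _, high = rng.partition("-")
    return parse_level(low), parse_level(high or low)

def parse_seusers(text):
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            linux_user, selinux_user, rng = line.split(":", 2)
            users[linux_user] = (selinux_user, parse_range(rng))
    return users

def lookup(users, linux_user):
    # Map a Linux user to (selinux_user, (low, high)), falling back to __default__.
    return users.get(linux_user, users["__default__"])

def dominates(a, b):
    """Level a dominates b: sensitivity >= and category set is a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def can_reach(users, linux_user, level):
    """True if `level` lies within the user's range, i.e. low <= level <= high."""
    _, (low, high) = lookup(users, linux_user)
    lvl = parse_level(level)
    return dominates(lvl, low) and dominates(high, lvl)
```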
OK, let's look at the contexts directory:
ls /etc/selinux/targeted/contexts
  • customizable_types
    • This is a list of file types that restorecon will ignore.  So if you want to relabel your entire system using restorecon, and a file is labeled with a type in this list, the context will not be changed.  This can be overridden with the -F flag.  This allows you to specify special directories on your system as being readable by apache.  So if you chcon -R -t httpd_sys_content_t /var/myhtml, a relabel will not change this directory tree back to var_t.
  • default_type
    • This shows the default type for a particular role.  So if you use the newrole command in strict or MLS policy, this file is used to determine which type to start as.  So if you execute "newrole -r sysadm_r" you will end up with the sysadm_t type.
  • removable_context
    • This file is used to tell the system what to label removable devices on the system.
  • dbus_contexts
    • I do not know what this file is for.  It is used by dbus to configure itself...  :^)  Hey, I don't know everything.
  • failsafe_context
    • If the system cannot figure out what context to log a user in as, it will attempt to use this context.
  • userhelper_context
    • This is the default context used by userhelper when trying to run apps as root.
  • default_contexts
    • This file is used by the login programs to determine which context to log in a user as.  You can specify per domain what the default context is.
    • If you want to specify this per "SELinux User" you can create a similarly formatted file in the users subdirectory.
  • files           
    • file_context
      • This is a file containing hundreds of file path regular expressions and security contexts.  It is used by the labeling tools in SELinux to set up the default labeling of the system.  This file should not be modified since it will be replaced on the next policy upgrade.
    • file_context.local
      • This file lists local customizations.  So if you want to change the default location of the bind directories, you would grab them out of the file_context file, make changes to the path and then update this file with the new file_context.  The relabeling tools will then follow your modified file context.  In FC5 you can also do this with semanage.
    • file_context.homedirs
      • Homedirs can be scattered all over a Linux system, so we need a way of setting the file context on the homedirs.  So we invented the genhomedircon command.  This command attempts to figure out where all of the homedirs are and then uses the homedir_template file to generate the file_context.homedirs file.  Tools that set file contexts (restorecon, rpm, setfiles, install, ...) then use this file to label the homedirs.
    • homedir_template
      • This is used by genhomedircon as a template for how to label files in the homedir.
    • media
      • Used by udev to map particular removable media to a file context.
  • users
    • Same as the default_contexts file but per "SELinux User"
  • initrc_context
    • The default context to run initrc scripts with.
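Added example (not code from the original post or from SELinux itself): a simplified Python model of how the labeling tools combine file_context, file_context.local and customizable_types, as described above. It assumes that file_context entries are matched as anchored regular expressions with the last matching entry winning, and that a file whose type is in customizable_types is only relabeled when forced, as the -F flag does for restorecon; the entries are constructed, not copied from a real policy.

```python
import re

# Constructed, simplified file_context entries in the format the page describes:
# a path regular expression followed by the security context to apply.
FILE_CONTEXT = """\
/.*                   system_u:object_r:default_t
/var(/.*)?            system_u:object_r:var_t
/var/www(/.*)?        system_u:object_r:httpd_sys_content_t
/etc/selinux(/.*)?    system_u:object_r:selinux_config_t
"""
# Local customization, as described for file_context.local (constructed entry).
FILE_CONTEXT_LOCAL = """\
/srv/web(/.*)?        system_u:object_r:httpd_sys_content_t
"""
# Types listed in customizable_types are left alone unless relabeling is forced.
CUSTOMIZABLE_TYPES = {"httpd_sys_content_t"}

def parse_specs(*texts):
    """Compile (regex, context) pairs; regexes are anchored to the whole path."""
    specs = []
    for text in texts:
        for line in text.splitlines():
            fields = line.split()
            if fields and not fields[0].startswith("#"):
                specs.append((re.compile(fields[0] + r"\Z"), fields[-1]))
    return specs

def lookup(specs, path):
    """Context of the last matching entry (assumed: the last match wins)."""
    context = None
    for regex, spec_context in specs:
        if regex.match(path):
            context = spec_context
    return context

def restore_decision(specs, path, current, force=False):
    """Context restorecon would set on `path`, or None to leave it unchanged."""
    target = lookup(specs, path)
    if target is None or target == current:
        return None
    current_type = current.split(":")[2]
    if current_type in CUSTOMIZABLE_TYPES and not force:  # the -F flag overrides
        return None
    return target
```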

That is enough for today.  Tomorrow I will discuss managing file_context and the tools available for doing this.
