Fedora 22 SELinux User's and Administrator's Guide Basic and advanced configuration of Security-Enhanced Linux (SELinux) Barbora Ančincová Murray McAllister Scott Radvan Daniel Walsh Dominick Grift Eric Paris James Morris SELinux User's and Administrator's Guide Fedora 22 SELinux User's and Administrator's Guide Basic and advanced configuration of Security-Enhanced Linux (SELinux) Edition 1 Author Barbora Ančincová [email protected] Author Murray McAllister [email protected] Author Scott Radvan [email protected] Author Daniel Walsh [email protected] Author Dominick Grift [email protected] Author Eric Paris [email protected] Author James Morris [email protected] Copyright © 2014 Red Hat, Inc. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. The original authors of this document, and Red Hat, designate the Fedora Project as the "Attribution Party" for purposes of CC-BY-SA. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version. Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries. For guidelines on the permitted uses of the Fedora trademarks, refer to https://fedoraproject.org/wiki/ Legal:Trademark_guidelines. Linux® is the registered trademark of Linus Torvalds in the United States and other countries. Java® is a registered trademark of Oracle and/or its affiliates. XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries. MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries. All other trademarks are the property of their respective owners. This books consists of two parts: SELinux and Managing Confined Services. The former describes the basics and principles upon which SELinux functions, the latter is more focused on practical tasks to set up and configure various services. Preface vii 1. Document Conventions .................................................................................................. vii 1.1. Typographic Conventions .................................................................................... vii 1.2. Pull-quote Conventions ....................................................................................... viii 1.3. Notes and Warnings ............................................................................................ ix 2. We Need Feedback! ....................................................................................................... ix I. SELinux 1 1. Introduction 3 1.1. Benefits of running SELinux .................................................................................. 4 1.2. Examples ............................................................................................................. 5 1.3. SELinux Architecture ............................................................................................ 5 1.4. SELinux Modes .................................................................................................... 6 2. SELinux Contexts 7 2.1. Domain Transitions ............................................................................................... 8 2.2. SELinux Contexts for Processes ........................................................................... 9 2.3. SELinux Contexts for Users ................................................................................ 10 3. Targeted Policy 11 3.1. Confined Processes ............................................................................................ 11 3.2. Unconfined Processes ........................................................................................ 13 3.3. Confined and Unconfined Users .......................................................................... 16 3.3.1. The sudo Transition and SELinux Roles .................................................... 18 4. Working with SELinux 21 4.1. SELinux Packages ............................................................................................. 21 4.2. Which Log File is Used ...................................................................................... 22 4.3. Main Configuration File ....................................................................................... 23 4.4. Enabling and Disabling SELinux .......................................................................... 24 4.4.1. Enabling SELinux .................................................................................... 24 4.4.2. Disabling SELinux .................................................................................... 28 4.5. Booleans ............................................................................................................ 28 4.5.1. Listing Booleans ...................................................................................... 28 4.5.2. Configuring Booleans ............................................................................... 29 4.5.3. Shell Auto-Completion .............................................................................. 30 4.6. SELinux Contexts – Labeling Files ...................................................................... 30 4.6.1. Temporary Changes: chcon ...................................................................... 31 4.6.2. Persistent Changes: semanage fcontext .................................................... 33 4.7. The file_t and default_t Types ............................................................................. 37 4.8. Mounting File Systems ....................................................................................... 37 4.8.1. Context Mounts ....................................................................................... 37 4.8.2. Changing the Default Context ................................................................... 38 4.8.3. Mounting an NFS Volume ........................................................................ 39 4.8.4. Multiple NFS Mounts ............................................................................... 39 4.8.5. Making Context Mounts Persistent ............................................................ 40 4.9. Maintaining SELinux Labels ................................................................................ 40 4.9.1. Copying Files and Directories ................................................................... 40 4.9.2. Moving Files and Directories .................................................................... 43 4.9.3. Checking the Default SELinux Context ...................................................... 44 4.9.4. Archiving Files with tar ........................................................................... 45 4.9.5. Archiving Files with star ......................................................................... 47 4.10. Information Gathering Tools .............................................................................. 48 4.11. Multi-Level Security (MLS) ................................................................................ 50 iii SELinux User's and Administrator's Guide 4.11.1. MLS and System Privileges .................................................................... 52 4.11.2. Enabling MLS in SELinux ....................................................................... 52 4.11.3. Creating a User With a Specific MLS Range ............................................ 54 4.11.4. Setting Up Polyinstantiated Directories .................................................... 55 4.12. File Name Transition ......................................................................................... 55 4.13. Disable ptrace() ................................................................................................ 56 4.14. Thumbnail Protection ........................................................................................ 57 5. The sepolicy Suite 59 5.1. The sepolicy Python Bindings ......................................................................... 59 5.2. Generating SELinux Policy Modules: sepolicy generate ................................. 59 5.3. Understanding Domain Transitions: sepolicy transition ............................... 60 5.4. Generating Manual Pages: sepolicy manpage ................................................. 61 6. Confining Users 63 6.1. Linux and SELinux User Mappings ...................................................................... 63 6.2. Confining New Linux Users: useradd ................................................................... 63 6.3. Confining Existing Linux Users: semanage login ................................................... 65 6.4. Changing the Default Mapping ............................................................................ 66 6.5. xguest: Kiosk Mode ............................................................................................ 67 6.6. Booleans for Users Executing Applications .......................................................... 67 7. sVirt 69 7.1. Security and Virtualization ..................................................................................