SeLinuxQuickRef

Fedora SELinux Quick Reference

Warning: Much of the information here is jottings I've made from emails, which I've not personally tested and may not be current best practice.

Making local context changes to policy

File Contexts

Conventional wisdom is to add local file context settings using semanage and restorecon, e.g.:

Have /srv/backup and /srv/softlib and everything underneath them have a context type of public_content_rw_t:

# semanage fcontext -a -t public_content_rw_t '/srv/backup(/.*)?'
# semanage fcontext -a -t public_content_rw_t '/srv/softlib(/.*)?'
# restorecon -r /srv/{backup,softlib}

Using semanage and restorecon rather than just chcon means that context settings will survive a relabel.

Some disadvantages of this approach are that each semanage call results in a policy rebuild, which may take some time on a slow machine, and there's no obvious record of what local changes have been made on top of the standard policy (though currently such changes can be found in /etc/selinux/targeted/contexts/files/file_contexts.local for the targeted policy).

My preferred approach is to incorporate file contexts into a local policy module (see BuildSeLinuxPolicyModules). The equivalent changes for /srv/{backup,softlib} above could be represented in a localmisc module as follows:

localmisc.fc:

/srv/backup(/.*)?                       gen_context(system_u:object_r:public_content_rw_t,s0)
/srv/softlib(/.*)?                      gen_context(system_u:object_r:public_content_rw_t,s0)

File contexts within user home directories can also be set this way (the homedir_template file mentioned in the genhomedircon manual page is no longer used).

For instance, to make users' ~/bin directories and their contents have context type bin_t (useful for running custom scripts from confined domains such as procmail), add to localmisc.fc:

HOME_DIR/bin(/.*)?                      gen_context(system_u:object_r:bin_t,s0)

Port Contexts

These still need to be set up using semanage, e.g.:

Allow Apache to listen on port 81:

# semanage port -a -t http_port_t -p tcp 81

Allow shared libraries to execute modified memory

This can be turned on for all programs by setting the allow_execmod boolean, but a better way is to enable it only for the specific library:

# chcon -t textrel_shlib_t /usr/lib/xorg/modules/extensions/nvidia/libglx.so.1.0.8178

Turning AVC auditing on and off

This turns on auditing of AVC denials that have been dontaudit-ed by the policy, which is useful for debugging.

To collect AVC messages:

# semodule -b /usr/share/selinux/targeted/enableaudit.pp

To turn auditing back off:

# semodule -b /usr/share/selinux/targeted/base.pp

From Fedora 8, this has changed:

# semodule -DB

will rebuild and reload policy without any dontaudit rules.

# semodule -B

will then rebuild and reload policy with them.

This is an improvement over enableaudit.pp because it covers all modules, not just base.

Getting Path Details for AVC Denials

Sometimes it's hard to figure out what exactly is being denied. If you turn on audit logging for accesses to at least one file, you'll get full pathnames logged for each AVC denial. To avoid massive growth of the audit log, you could choose to audit something that very rarely happens, such as writes to /etc/shadow:

# auditctl -w /etc/shadow -p w

This results in a PATH record being included in the audit log for subsequent AVCs, which may be quite helpful, e.g.:

type=AVC msg=audit(1316699607.377:150425): avc:  denied  { read } for  pid=4151 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=209876 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file
type=AVC msg=audit(1316699607.377:150425): avc:  denied  { open } for  pid=4151 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=209876 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1316699607.377:150425): arch=c000003e syscall=2 success=yes exit=3 a0=14c60a0 a1=80900 a2=fffffffffffffed0 a3=7ffffdee5c80 items=1 ppid=4150 pid=4151 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=9220 comm="systemd-tty-ask" exe="/bin/systemd-tty-ask-password-agent" subj=unconfined_u:system_r:systemd_passwd_agent_t:s0 key=(null)
type=CWD msg=audit(1316699607.377:150425):  cwd="/"
type=PATH msg=audit(1316699607.377:150425): item=0 name="/run/systemd/ask-password-block/136:0" inode=209876 dev=00:12 mode=010600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:init_var_run_t:s0
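As an added example (not part of the original page), the following Python correlates the records above by their audit serial so that each AVC denial is reported together with the full pathname taken from the PATH record of the same event. The field layout follows the sample lines quoted on the page; the preference for the PATH item whose basename equals the AVC's name= field is an assumption made here.

```python
import re
from collections import defaultdict
# All records of one audit event share the msg=audit(timestamp:serial) header.
HEADER_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]*) \} for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_record(line):
    """Parse one audit line into a dict; AVC lines also get result and perms."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rec = {"type": rtype, "ts": ts, "serial": int(serial)}
    if rtype == "AVC":
        a = AVC_RE.search(body)
        if not a:
            return None
        rec["result"], rec["perms"], body = a.group(1), a.group(2).split(), a.group(3)
    rec.update({k: v.strip('"') for k, v in KV_RE.findall(body)})
    return rec

def correlate_denials(lines):
    """Group records by serial and give each AVC denial the full pathname from a
    PATH record of the same event (only logged while an audit watch is active)."""
    events = defaultdict(list)
    for rec in filter(None, map(parse_record, lines)):
        events[rec["serial"]].append(rec)
    denials = []
    for serial, recs in sorted(events.items()):
        paths = [r["name"] for r in recs if r["type"] == "PATH" and "name" in r]
        for r in recs:
            if r["type"] != "AVC" or r["result"] != "denied":
                continue
            # Assumption: the PATH item whose basename equals the AVC name= is the object.
            full = next((p for p in paths if p.rsplit("/", 1)[-1] == r.get("name")), None)
            denials.append({"serial": serial, "perms": r["perms"], "comm": r.get("comm"),
                            "scontext": r["scontext"], "tcontext": r["tcontext"],
                            "tclass": r["tclass"], "path": full or (paths[0] if paths else r.get("name"))})
    return denials

# The five audit records quoted on the page.
SAMPLE = """type=AVC msg=audit(1316699607.377:150425): avc:  denied  { read } for  pid=4151 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=209876 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file
type=AVC msg=audit(1316699607.377:150425): avc:  denied  { open } for  pid=4151 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=209876 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1316699607.377:150425): arch=c000003e syscall=2 success=yes exit=3 a0=14c60a0 a1=80900 a2=fffffffffffffed0 a3=7ffffdee5c80 items=1 ppid=4150 pid=4151 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=9220 comm="systemd-tty-ask" exe="/bin/systemd-tty-ask-password-agent" subj=unconfined_u:system_r:systemd_passwd_agent_t:s0 key=(null)
type=CWD msg=audit(1316699607.377:150425):  cwd="/"
type=PATH msg=audit(1316699607.377:150425): item=0 name="/run/systemd/ask-password-block/136:0" inode=209876 dev=00:12 mode=010600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:init_var_run_t:s0"""

if __name__ == "__main__":
    for d in correlate_denials(SAMPLE.splitlines()):
        print(d["serial"], "{ %s }" % " ".join(d["perms"]), d["comm"], d["tclass"], d["path"])
```

Without the PATH record (no watch rule active) only the basename from the AVC's name= field is available, which is exactly the situation the auditctl watch above fixes.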

The watch rule can be turned off using auditctl's -W option:

# auditctl -l
LIST_RULES: exit,always watch=/etc/shadow perm=w
# auditctl  -W /etc/shadow -p w
# auditctl -l
No rules

File Contexts Sort Ordering

The sorting algorithm is based on the following heuristics, applied in this order:

When comparing two file contexts A and B...

  • if A is a regular expression and B is not, A is less specific than B
  • if A's stem length (the number of characters before the first regular expression metacharacter) is shorter than B's stem length, A is less specific than B
  • if A's string length (the entire length of the file context string) is shorter than B's string length, A is less specific than B
  • if A does not have a specified type and B does, A is less specific than B
  • else, they are considered equally specific.

These are the same heuristics applied to file contexts when building reference policy.

The sort is implemented as a stable iterative mergesort.

The possible metacharacters are: . ^ $ ? * + | [ ( {

This sort ordering is why the following file contexts (present in selinux-policy-2.2.40-1.fc5) result in /usr/lib/jvm/java-1.5.0-sun-1.5.0.06/jre/bin/java having type bin_t rather than the intended java_exec_t.

/usr/lib(.*/)?bin/java([^/]*)?     regular file       system_u:object_r:java_exec_t:s0
/usr/lib/jvm/java.*/bin/.*         all files          system_u:object_r:bin_t:s0
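As an added example, written for this page rather than taken from it or from reference policy, the following Python applies the four heuristics above (using the page's definition of stem length), sorts the two java entries, and then labels the path the way libselinux does, with the last matching entry winning. Entries are represented as (regex, file type or None, context) tuples, a layout assumed here.

```python
import re
from functools import cmp_to_key
# Regular-expression metacharacters as listed on the page.
METACHARS = set(". ^ $ ? * + | [ ( {".split())

def stem_len(spec):
    """Number of characters before the first metacharacter (page definition)."""
    return next((i for i, ch in enumerate(spec) if ch in METACHARS), len(spec))

def fc_compare(a, b):
    """Negative if entry a is less specific than entry b, applying the page's
    four heuristics in order.  Entries are (regex, ftype, context); ftype is
    None when the entry gives no file type, i.e. it applies to all files."""
    ra, ta, _ = a
    rb, tb, _ = b
    meta_a, meta_b = stem_len(ra) < len(ra), stem_len(rb) < len(rb)
    if meta_a != meta_b:                      # 1. regex vs. literal path
        return -1 if meta_a else 1
    if stem_len(ra) != stem_len(rb):          # 2. shorter stem is less specific
        return -1 if stem_len(ra) < stem_len(rb) else 1
    if len(ra) != len(rb):                    # 3. shorter string is less specific
        return -1 if len(ra) < len(rb) else 1
    if (ta is None) != (tb is None):          # 4. no file type is less specific
        return -1 if ta is None else 1
    return 0

def sort_file_contexts(entries):
    """Least specific first; Python's sort is stable, as the page says the real one is."""
    return sorted(entries, key=cmp_to_key(fc_compare))

def match_path(sorted_entries, path):
    """Label a path: specs are anchored to the whole path and the last
    (most specific) matching entry wins, as in libselinux."""
    ctx = None
    for regex, _, context in sorted_entries:
        if re.fullmatch(regex, path):
            ctx = context
    return ctx

# The two selinux-policy-2.2.40-1.fc5 entries quoted on the page, listed here in
# the reverse of their sorted order so the sort has to move the bin_t entry last.
JAVA_ENTRIES = [
    ("/usr/lib/jvm/java.*/bin/.*", None, "system_u:object_r:bin_t:s0"),
    ("/usr/lib(.*/)?bin/java([^/]*)?", "--", "system_u:object_r:java_exec_t:s0"),
]

if __name__ == "__main__":
    ordered = sort_file_contexts(JAVA_ENTRIES)
    for regex, ftype, context in ordered:
        print(f"{regex:34} {ftype or 'all files':10} {context}")
    print(match_path(ordered, "/usr/lib/jvm/java-1.5.0-sun-1.5.0.06/jre/bin/java"))
```

A literal (metacharacter-free) entry for the java binary sorts after both regexes and therefore wins for that path, which is the usual way such a mislabelling is corrected in a local module.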
