= Fedora SELinux Quick Reference =

/!\ Much of the information here is jottings I've made from emails, which I've not personally tested and may not be current best practice.

== Links ==

 * [[http://sradvan.fedorapeople.org/SELinux_FAQ/|Fedora SELinux FAQ]]
 * FedoraProject:SELinux
 * FedoraProject:SELinux/FAQ
 * FedoraProject:SELinux/LoadableModules/Audit2allow
 * FedoraProject:Packaging/SELinux
 * [[http://fedora.redhat.com/docs/selinux-faq-fc5|FC5 SELinux FAQ]]
 * [[http://people.redhat.com/drepper/selinux-mem.html|FC5 SELinux Memory Protection]]
 * BuildSeLinuxPolicyModules
 * [[http://equivocation.org/node/13|Notes on SELinux: policies and modules (equivocation.org)]]
 * [[http://www.engardelinux.org/modules/index/selinux/howtos.cgi|SELinux HOWTO's directory]]

== Making local context changes to policy ==

=== File Contexts ===

Conventional wisdom is to add local file context settings using `semanage` and `restorecon`, e.g.:

Have `/srv/backup` and `/srv/softlib` and everything underneath them have a context type of `public_content_rw_t`:

{{{
# semanage fcontext -a -t public_content_rw_t '/srv/backup(/.*)?'
# semanage fcontext -a -t public_content_rw_t '/srv/softlib(/.*)?'
# restorecon -r /srv/{backup,softlib}
}}}

Using `semanage` and `restorecon` rather than just `chcon` means that context settings will survive a relabel.

Some disadvantages of this approach are that each `semanage` call results in a policy rebuild, which may take some time on a slow machine, and there's no obvious record of what local changes have been made on top of the standard policy (though currently such changes can be found in `/etc/selinux/targeted/contexts/files/file_contexts.local` for the ''targeted'' policy).

My preferred approach is to incorporate file contexts into a local policy module (see BuildSeLinuxPolicyModules). The equivalent changes for `/srv/{backup,softlib}` above could be represented in a `localmisc` module as follows:

`localmisc.fc`:
{{{
/srv/backup(/.*)?	gen_context(system_u:object_r:public_content_rw_t,s0)
/srv/softlib(/.*)?	gen_context(system_u:object_r:public_content_rw_t,s0)
}}}

File contexts within user home directories can also be set this way (the `homedir_template` file mentioned in the `genhomedircon` manual page is no longer used). For instance, to make users' `~/bin` directories and their contents have context type `bin_t` (useful for running custom scripts from confined domains such as `procmail`), add to `localmisc.fc`:

{{{
HOME_DIR/bin(/.*)?	gen_context(system_u:object_r:bin_t,s0)
}}}

=== Port Contexts ===

These still need to be set up using `semanage`, e.g.:

Allow Apache to listen on port 81:

{{{
# semanage port -a -t http_port_t -p tcp 81
}}}

The result can be checked with `semanage port -l`.

== Allow shared libraries to execute modified memory ==

This can be turned on for all programs by setting the `allow_execmod` boolean, but a better way is to enable it only for the specific library:

{{{
# chcon -t textrel_shlib_t /usr/lib/xorg/modules/extensions/nvidia/libglx.so.1.0.8178
}}}

As noted under File Contexts above, a `chcon` change does not survive a relabel; to make it permanent, record the library's path with `semanage fcontext -a -t textrel_shlib_t` and then run `restorecon` on it.

== Turning AVC auditing on and off ==

This re-enables auditing of AVC denials that the policy marks `dontaudit`, which is useful for debugging.

To collect AVC messages:

{{{
# semodule -b /usr/share/selinux/targeted/enableaudit.pp
}}}

To turn auditing back off:

{{{
# semodule -b /usr/share/selinux/targeted/base.pp
}}}

From Fedora 8, this has changed:

{{{
# semodule -DB
}}}

will rebuild and reload policy without any `dontaudit` rules, and

{{{
# semodule -B
}}}

will then rebuild and reload policy with them. This is an improvement over `enableaudit.pp` because it covers all modules, not just `base`.

== Getting Path Details for AVC Denials ==

Sometimes it's hard to figure out what exactly is being denied. If you turn on audit logging for accesses to at least one file, you'll get full pathnames logged for each AVC denial.
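All records that belong to one system call share the same audit event id, the `audit(timestamp:serial)` stamp, so the `PATH` record can be joined back to the `AVC` records it explains. The following Python script is an added example, not code from the original page: it groups records by serial and reports each denial with the full pathname(s) from its event, falling back to the bare `name=` field when no `PATH` record was logged. The first event embedded below is the sample shown later in this section; the second (serial 150426) is a constructed event recorded without a file watch, so it carries no `PATH` record.

```python
"""Join AVC denials with the PATH records of the same audit event.

Added example (not from the original page). auditd emits one event id,
audit(timestamp:serial), across the AVC, SYSCALL, CWD and PATH records of a
single syscall, so grouping by serial recovers the pathname a denial refers to.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

MSG_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Event 150425 is the page's own sample; event 150426 is constructed (no PATH record).
SAMPLE = """\
type=AVC msg=audit(1316699607.377:150425): avc: denied { read } for pid=4151 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=209876 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file
type=AVC msg=audit(1316699607.377:150425): avc: denied { open } for pid=4151 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=209876 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1316699607.377:150425): arch=c000003e syscall=2 success=yes exit=3 a0=14c60a0 a1=80900 a2=fffffffffffffed0 a3=7ffffdee5c80 items=1 ppid=4150 pid=4151 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=9220 comm="systemd-tty-ask" exe="/bin/systemd-tty-ask-password-agent" subj=unconfined_u:system_r:systemd_passwd_agent_t:s0 key=(null)
type=CWD msg=audit(1316699607.377:150425): cwd="/"
type=PATH msg=audit(1316699607.377:150425): item=0 name="/run/systemd/ask-password-block/136:0" inode=209876 dev=00:12 mode=010600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:init_var_run_t:s0
type=AVC msg=audit(1316699650.101:150426): avc: denied { write } for pid=4151 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=209876 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1316699650.101:150426): arch=c000003e syscall=1 success=no exit=-13 items=0 pid=4151 comm="systemd-tty-ask" subj=unconfined_u:system_r:systemd_passwd_agent_t:s0 key=(null)
"""


def parse_record(line: str) -> Optional[Dict[str, object]]:
    """Split one audit record into its type, serial and key=value fields."""
    m = MSG_RE.match(line.strip())
    if m is None:
        return None
    rec: Dict[str, object] = {"type": m.group("type"), "serial": int(m.group("serial"))}
    body = m.group("body")
    avc = AVC_RE.match(body)
    if avc:  # AVC records start with a prefix that is not key=value
        rec["verdict"] = avc.group("verdict")
        rec["perms"] = avc.group("perms").split()
        body = avc.group("rest")
    for key, raw, inner in KV_RE.findall(body):
        rec[key] = inner if raw.startswith('"') else raw
    return rec


def group_events(lines: Iterable[str]) -> Dict[int, List[Dict[str, object]]]:
    """Collect the records of each event, keyed by serial, in log order."""
    events: Dict[int, List[Dict[str, object]]] = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[int(rec["serial"])].append(rec)
    return events


def denials_with_paths(lines: Iterable[str]) -> List[Dict[str, object]]:
    """One summary per AVC denial, carrying the full PATH name(s) of its event
    when they were logged, otherwise the bare name= from the AVC record."""
    out: List[Dict[str, object]] = []
    for serial, recs in sorted(group_events(lines).items()):
        paths = [str(r["name"]) for r in recs if r["type"] == "PATH" and "name" in r]
        for r in recs:
            if r["type"] != "AVC" or r.get("verdict") != "denied":
                continue
            out.append({
                "serial": serial,
                "comm": r.get("comm"),
                "perms": r.get("perms", []),
                "tclass": r.get("tclass"),
                "scontext": r.get("scontext"),
                "tcontext": r.get("tcontext"),
                "paths": paths if paths else [str(r.get("name", "?"))],
                "resolved": bool(paths),
            })
    return out


def format_denial(d: Dict[str, object]) -> str:
    """Render one denial summary as a single line for a report."""
    where = ", ".join(d["paths"]) + ("" if d["resolved"] else " (name only; no PATH record)")
    return f"{d['serial']}: {d['comm']} denied {{ {' '.join(d['perms'])} }} on {d['tclass']} {where}"


if __name__ == "__main__":
    for d in denials_with_paths(SAMPLE.splitlines()):
        print(format_denial(d))
```

Feed it the output of `ausearch -m AVC --raw` (or a copy of `/var/log/audit/audit.log`) on the command line to see which denials resolved to a full path and which only carry the object's base name.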
To avoid massive growth of the audit log, you could choose to audit something that very rarely happens, such as writes to `/etc/shadow`:

{{{
# auditctl -w /etc/shadow -p w
}}}

This results in a `PATH` record being included in the audit log for subsequent AVCs, which may be quite helpful, e.g.:

{{{
type=AVC msg=audit(1316699607.377:150425): avc: denied { read } for pid=4151 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=209876 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file
type=AVC msg=audit(1316699607.377:150425): avc: denied { open } for pid=4151 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=209876 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1316699607.377:150425): arch=c000003e syscall=2 success=yes exit=3 a0=14c60a0 a1=80900 a2=fffffffffffffed0 a3=7ffffdee5c80 items=1 ppid=4150 pid=4151 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=9220 comm="systemd-tty-ask" exe="/bin/systemd-tty-ask-password-agent" subj=unconfined_u:system_r:systemd_passwd_agent_t:s0 key=(null)
type=CWD msg=audit(1316699607.377:150425): cwd="/"
type=PATH msg=audit(1316699607.377:150425): item=0 name="/run/systemd/ask-password-block/136:0" inode=209876 dev=00:12 mode=010600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:init_var_run_t:s0
}}}

The watch rule can be turned off using `auditctl`'s `-W` option:

{{{
# auditctl -l
LIST_RULES: exit,always watch=/etc/shadow perm=w
# auditctl -W /etc/shadow -p w
# auditctl -l
No rules
}}}

== File Contexts Sort Ordering ==

The sorting algorithm is based on the following heuristics, applied in this order. When comparing two file contexts A and B...
 * if A is a regular expression and B is not, A is less specific than B
 * if A's stem length (the number of characters before the first regular expression metacharacter) is shorter than B's stem length, A is less specific than B
 * if A's string length (the entire length of the file context string) is shorter than B's string length, A is less specific than B
 * if A does not have a specified file type and B does, A is less specific than B
 * else, they are considered equally specific.

These are the same heuristics applied to file contexts when building reference policy. The sort is implemented as a [[WikiPedia:Merge_sort|stable iterative mergesort]].

The possible metacharacters are: `. ^ $ ? * + | [ ( {`

This sort ordering is why the following file contexts (present in `selinux-policy-2.2.40-1.fc5`) result in `/usr/lib/jvm/java-1.5.0-sun-1.5.0.06/jre/bin/java` having type `bin_t` rather than the intended `java_exec_t`:

{{{
/usr/lib(.*/)?bin/java([^/]*)?	regular file	system_u:object_r:java_exec_t:s0
/usr/lib/jvm/java.*/bin/.*	all files	system_u:object_r:bin_t:s0
}}}

----
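To see the heuristics at work on the `java` case, here is a small Python model, added as an example and not code from the page or from the SELinux project. It parses raw `file_contexts` lines (the `--` field is what the listing above shows as ''regular file''; ''all files'' has no field), orders them with the four rules above in a stable sort, and resolves a path by taking the last matching entry in sorted order, which is how `matchpathcon` picks the most specific match. The two entries are the ones quoted above; the third is a constructed local override whose stem (`/usr/lib/jvm/java-1`, 20 characters once the escaping backslash is counted) is longer than the 17-character stem of the `bin_t` entry, so it sorts after it and wins. The model applies the page's stem rule literally and does not special-case backslash escapes; a path with no metacharacter at all would sort after every regular expression by the first rule.

```python
"""Model of the file_contexts specificity ordering described above.

Added example (not the page's or the SELinux project's code). compare() applies
the page's four heuristics in order, sort_contexts() is stable like the
mergesort the page mentions, and lookup() resolves a path by taking the last
matching entry in sorted order, as matchpathcon(3) does.
"""
import re
from dataclasses import dataclass
from functools import cmp_to_key
from typing import List, Optional

# Metacharacters listed on the page; the stem ends at the first one.
METACHARS = set(".^$?*+|[({")


@dataclass(frozen=True)
class FileContext:
    pattern: str           # path regex as written in file_contexts
    ftype: Optional[str]   # optional file type field ("--" regular file, "-d" directory, ...)
    context: str           # security context string


def parse_fc_line(line: str) -> Optional[FileContext]:
    """Parse one raw file_contexts line: PATTERN [FTYPE] CONTEXT."""
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None
    if len(fields) == 3:
        return FileContext(fields[0], fields[1], fields[2])
    if len(fields) == 2:
        return FileContext(fields[0], None, fields[1])
    raise ValueError(f"malformed file_contexts line: {line!r}")


def stem_len(pattern: str) -> int:
    """Characters before the first regex metacharacter (whole length if none)."""
    for i, ch in enumerate(pattern):
        if ch in METACHARS:
            return i
    return len(pattern)


def is_regex(pattern: str) -> bool:
    return stem_len(pattern) < len(pattern)


def compare(a: FileContext, b: FileContext) -> int:
    """-1 if A is less specific than B, 1 if more specific, 0 if equally specific."""
    if is_regex(a.pattern) != is_regex(b.pattern):
        return -1 if is_regex(a.pattern) else 1          # regex < literal
    if stem_len(a.pattern) != stem_len(b.pattern):
        return -1 if stem_len(a.pattern) < stem_len(b.pattern) else 1
    if len(a.pattern) != len(b.pattern):
        return -1 if len(a.pattern) < len(b.pattern) else 1
    if (a.ftype is None) != (b.ftype is None):
        return -1 if a.ftype is None else 1              # untyped < typed
    return 0


def sort_contexts(entries: List[FileContext]) -> List[FileContext]:
    """Least specific first; Python's sort is stable, so equal entries keep file order."""
    return sorted(entries, key=cmp_to_key(compare))


def lookup(entries: List[FileContext], path: str, ftype: str = "--") -> Optional[str]:
    """Context of the most specific entry whose pattern matches the whole path
    and whose file type field, if present, agrees with ftype."""
    for fc in reversed(sort_contexts(entries)):
        if fc.ftype is not None and fc.ftype != ftype:
            continue
        if re.fullmatch(fc.pattern, path):
            return fc.context
    return None


# The two entries quoted on the page, in raw file_contexts syntax.
PAGE_FC = """
/usr/lib(.*/)?bin/java([^/]*)?  --  system_u:object_r:java_exec_t:s0
/usr/lib/jvm/java.*/bin/.*          system_u:object_r:bin_t:s0
"""

# Constructed local override (not from the page): dots escaped so the regex is
# literal; its stem is longer than the bin_t entry's, so it sorts after it.
OVERRIDE_FC = r"/usr/lib/jvm/java-1\.5\.0-sun-1\.5\.0\.06/jre/bin/java  --  system_u:object_r:java_exec_t:s0"

JAVA = "/usr/lib/jvm/java-1.5.0-sun-1.5.0.06/jre/bin/java"


def load(text: str) -> List[FileContext]:
    return [fc for fc in map(parse_fc_line, text.splitlines()) if fc is not None]


def sorted_patterns(text: str) -> List[str]:
    return [fc.pattern for fc in sort_contexts(load(text))]


if __name__ == "__main__":
    for fc in sort_contexts(load(PAGE_FC + OVERRIDE_FC)):
        print(f"stem={stem_len(fc.pattern):2d} regex={is_regex(fc.pattern)!s:5} {fc.pattern}")
    print("page policy  :", lookup(load(PAGE_FC), JAVA))
    print("with override:", lookup(load(PAGE_FC + OVERRIDE_FC), JAVA))
```

The lookup also honours the file type field: asked about a directory (`ftype="-d"`) at the same path, the override is skipped and the untyped `bin_t` entry still answers, which is the ''all files'' behaviour shown in the listing.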