Académique Documents
Professionnel Documents
Culture Documents
Introduction to SELinux
Security-Enhanced Linux (SELinux) is a security architecture integrated into the 2.6.x kernel
using the Linux Security Modules (LSM). It is a project of the United States National Security
Agency (NSA) and the SELinux community. SELinux integration into Red Hat Enterprise Linux
was a joint effort between the NSA and Red Hat.
SELinux provides a flexible Mandatory Access Control (MAC) system built into the Linux
kernel. Under standard Linux Discretionary Access Control (DAC), an application or process
running as a user (UID or SUID) has the user's permissions to objects such as files, sockets, and
other processes. Running a MAC kernel protects the system from malicious or flawed
applications that can damage or destroy the system.
SELinux defines the access and transition rights of every user, application, process, and file on the
system. SELinux then governs the interactions of these entities using a security policy that specifies how
strict or lenient a given Red Hat Enterprise Linux installation should be.
On a day-to-day basis, system users will be largely unaware of SELinux. Only system administrators need
to consider how strict a policy to implement for their server environment. The policy can be as strict or
as lenient as needed, and is very finely detailed. This detail gives the SELinux kernel complete, granular
control over the entire system.
When a subject, (for example, an application), attempts to access an object (for example, a file),
the policy enforcement server in the kernel checks an access vector cache (AVC), where subject
and object permissions are cached. If a decision cannot be made based on data in the AVC, the
request continues to the security server, which looks up the security context of the application
and the file in a matrix. Permission is then granted or denied, with an avc: denied message
detailed in /var/log/messages if permission is denied. The security context of subjects and
objects is applied from the installed policy, which also provides the information to populate the
security server's matrix.
Instead of running in enforcing mode, SELinux can run in permissive mode, where the AVC is
checked and denials are logged, but SELinux does not enforce the policy. This can be useful for
troubleshooting and for developing or fine-tuning SELinux policy.
The /etc/sysconfig/selinux file is the primary configuration file for enabling or disabling SELinux,
as well as for setting which policy to enforce on the system and how to enforce it.
The following explains the full subset of options available for configuration:
This is useful for debugging and troubleshooting purposes. In permissive mode, more denials
are logged because subjects can continue with actions that would otherwise be denied in
enforcing mode. For example, traversing a directory tree in permissive mode produces avc:
denied messages for every directory level read. In enforcing mode, SELinux would have
stopped the initial traversal and kept further denial messages from occurring.
disabled SELinux is fully disabled. SELinux hooks are disengaged from the kernel and
the pseudo-file system is unregistered.
Policy enforcement for these daemons can be turned on or off, using Boolean values
controlled by the SELinux Administration Tool (system-config-selinux).
Setting a Boolean value for a targeted daemon to 1 disables SELinux protection for the
daemon. For example, you can set dhcpd_disable_trans to 1 to prevent init, which
executes apps labeled dhcpd_exec_t, from transitioning to the dhcpd_t domain.
Use the getsebool -a command to list all SELinux booleans. The following is an
example of using the setsebool command to set an SELinux boolean. The -P option
makes the change permanent. Without this option, the boolean would be reset to 1 at
reboot.
setsebool -P dhcpd_disable_trans=0
strict Full SELinux protection, for all daemons. Security contexts are defined for all
subjects and objects, and every action is processed by the policy enforcement server.
SETLOCALDEFS=0|1 Controls how local definitions (users and booleans) are set. Set this
value to 1 to have these definitions controlled by load_policy from files in
/etc/selinux/<policyname>. or set it to 0 to have them controlled by semanage.
Enforcing: SELinux policy is enforced. SELinux denies access based on SELinux policy
rules.
Permissive: SELinux policy is not enforced. SELinux does not deny access, but denials
are logged for actions that would have been denied if running in enforcing mode.
Disabled: SELinux is disabled. Only DAC rules are used.
Use the /usr/sbin/setenforce command to change between enforcing and permissive mode.
Changes made with /usr/sbin/setenforce do not persist across reboots. To change to
enforcing mode, as the Linux root user, run the /usr/sbin/setenforce 1 command. To change
to permissive mode, run the /usr/sbin/setenforce 0 command. Use the
/usr/sbin/getenforce command to view the current SELinux mode.
5.6. Booleans
Booleans allow parts of SELinux policy to be changed at runtime, without any knowledge of
SELinux policy writing. This allows changes, such as allowing services access to NFS file
systems, without reloading or recompiling SELinux policy.
For a list of Booleans, an explanation of what each one is, and whether they are on or off, run the
semanage boolean -l command as the Linux root user. The following example does not list all
Booleans:
# /usr/sbin/semanage boolean -l
SELinux boolean Description
This allows Apache HTTP Server scripts and modules to connect to database servers.
8. This change is not persistent across reboots. To make changes persistent across reboots,
run the setsebool -P boolean-name on command as the Linux root user:
9. # /usr/sbin/setsebool -P httpd_can_network_connect_db on
10. To temporarily revert to the default behavior, as the Linux root user, run the setsebool
httpd_can_network_connect_db off command. For changes that persist across
reboots, run the setsebool -P httpd_can_network_connect_db off command.
50.1. End User Control of SELinux
In general, end users have little interaction with SELinux when Red Hat Enterprise Linux is
running the targeted policy. This is because users are running in the domain of unconfined_t
along with the rest of the system except the targeted daemons.
In most situations, standard DAC controls prevent you from performing tasks for which you do
not have the required access or permissions before SELinux is consulted. Consequently, it is
likely that you will never generate an avc: denied message.
The following sections cover the general tasks and practices that an end user might need to
perform on a Red Hat Enterprise Linux system. These tasks apply to users of all privilege levels,
not only to end users.
In file system operations, security context must now be considered in terms of the label of the
file, the process accessing it, and the directories where the operation is happening. Because of
this, moving and copying files with mv and cp may have unexpected results.
Copying Files: SELinux Options for cp
Unless you specify otherwise, cp follows the default behavior of creating a new file based on the
domain of the creating process and the type of the target directory. Unless there is a specific rule
to set the label, the file inherits the type from the target directory.
Use the -Z user:role:type option to specify the required label for the new file.
cp bar /tmp
ls -Z /tmp/bar
-rw-rw-r-- auser auser user_u:object_r:tmp_t /tmp/bar
Use the -Z option to specify the label for the new file:
Command Behavior
The file retains its original label. This may cause problems, confusion, or
mv
minor insecurity. For example, the tmpwatch program running in the
sbin_t domain might not be allowed to delete an aged file in the /tmp
directory because of the file's type.
Makes a copy of the file using the default behavior based on the domain of
cp
the creating process (cp) and the type of the target directory.
Makes a copy of the file, preserving the specified attributes and security
cp -p contexts, if possible. The default attributes are mode, ownership, and
timestamps. Additional attributes are links and all.
Command Behavior
cp -Z Makes a copy of the file with the specified labels. The -Z option is
<user:role:type> synonymous with --context.
Checking a Process ID
In Red Hat Enterprise Linux, the -Z option is equivalent to --context, and can be used with the
ps, id, ls, and cp commands. The behavior of the cp command with respect to SELinux is
explained in Table 50.1, Behavior of mv and cp Commands.
The following example shows a small sample of the output of the ps command. Most of the processes
are running in the unconfined_t domain, with a few exceptions.
Checking a User ID
You can use the -Z option with the id command to determine a user's security context. Note that
with this command you cannot combine -Z with other options.
[root@localhost ~]# id -Z
user_u:system_r:unconfined_t
Note that you cannot use the -Z option with the id command to inspect the security context of a
different user. That is, you can only display the security context of the currently logged-in user:
[user@localhost ~]$ id
uid=501(user) gid=501(user) groups=501(user)
context=user_u:system_r:unconfined_t
[user@localhost ~]$ id root
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[user@localhost ~]$ id -Z root
id: cannot display context when selinux not enabled or when displaying the id
of a different user
Check a File ID
You can use the -Z option with the ls command to group common long-format information. You
can display mode, user, group, security context, and filename information.
cd /etc
ls -Z h* -d
drwxr-xr-x root root system_u:object_r:etc_t hal
-rw-r--r-- root root system_u:object_r:etc_t host.conf
-rw-r--r-- root root user_u:object_r:etc_t hosts
-rw-r--r-- root root system_u:object_r:etc_t hosts.allow
-rw-r--r-- root root system_u:object_r:etc_t hosts.canna
-rw-r--r-- root root system_u:object_r:etc_t hosts.deny
drwxr-xr-x root root system_u:object_r:hotplug_etc_t hotplug
drwxr-xr-x root root system_u:object_r:etc_t hotplug.d
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t htdig
drwxr-xr-x root root system_u:object_r:httpd_config_t httpd
You may need to relabel a file when moving or copying into special directories related to the
targeted daemons, such as ~/public_html directories, or when writing scripts that work in
directories outside of /home.
There are two general types of relabeling operations:
Use the chcon command to change a file to the correct type. You need to know the correct type that
you want to apply to use this command. The directories and files in the following example are labeled
with the default type defined for file system objects created in /home:
cd ~
ls -Zd public_html/
drwxrwxr-x auser auser user_u:object_r:user_home_t public_html/
ls -Z web_files/
-rw-rw-r-- auser auser user_u:object_r:user_home_t 1.html
-rw-rw-r-- auser auser user_u:object_r:user_home_t 2.html
-rw-rw-r-- auser auser user_u:object_r:user_home_t 3.html
-rw-rw-r-- auser auser user_u:object_r:user_home_t 4.html
-rw-rw-r-- auser auser user_u:object_r:user_home_t 5.html
-rw-rw-r-- auser auser user_u:object_r:user_home_t index.html
If you move these files into the public_html directory, they retain the original type:
mv web_files/* public_html/
ls -Z public_html/
-rw-rw-r-- auser auser user_u:object_r:user_home_t 1.html
-rw-rw-r-- auser auser user_u:object_r:user_home_t 2.html
-rw-rw-r-- auser auser user_u:object_r:user_home_t 3.html
-rw-rw-r-- auser auser user_u:object_r:user_home_t 4.html
-rw-rw-r-- auser auser user_u:object_r:user_home_t 5.html
-rw-rw-r-- auser auser user_u:object_r:user_home_t index.html
To make these files viewable from a special user public HTML folder, they need to have a type that
httpd has permissions to read, presuming the Apache HTTP Server is configured for UserDir and the
Boolean value httpd_enable_homedirs is enabled.
ls -Z public_html/ -d
drwxrwxr-x auser auser user_u:object_r:httpd_user_content_t public_html
Use the restorecon command to restore files to the default values according to the policy. There are
two other methods for performing this operation that work on the entire file system: fixfiles or a
policy relabeling operation. Each of these methods requires superuser privileges. Cautions against both
of these methods appear in Section 50.2.2, Relabeling a File System.
The following example demonstrates restoring the default user home directory context to a set of files
that have different types. The first two sets of files have different types, and are being moved into a
directory for archiving. Their contexts are different from each other, and are incorrect for a standard
user's home directory:
ls -Z /tmp/
-rw-rw-r-- auser auser user_u:object_r:tmp_t /tmp/file1
-rw-rw-r-- auser auser user_u:object_r:tmp_t /tmp/file2
-rw-rw-r-- auser auser user_u:object_r:tmp_t /tmp/file3
mv /tmp/{1,2,3} archives/
mv public_html/* archives/
ls -Z archives/
-rw-rw-r-- auser auser user_u:object_r:tmp_t file1
-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t file1.html
-rw-rw-r-- auser auser user_u:object_r:tmp_t file2
-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t file2.html
-rw-rw-r-- auser auser user_u:object_r:tmp_t file3
-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t file3.html
-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t file4.html
-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t file5.html
-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t index.html
The archives/ directory already has the default type because it was created in the user's home
directory:
ls -Zd archives/
drwxrwxr-x auser auser user_u:object_r:user_home_t archives/
Using the restorecon command to relabel the files uses the default file contexts set by the policy, so
these files are labeled with the default label for their current directory.
/sbin/restorecon -R archives/
ls -Z archives/
-rw-rw-r-- auser auser system_u:object_r:user_home_t file1
-rw-rw-r-- auser auser system_u:object_r:user_home_t file1.html
-rw-rw-r-- auser auser system_u:object_r:user_home_t file2
-rw-rw-r-- auser auser system_u:object_r:user_home_t file2.html
-rw-rw-r-- auser auser system_u:object_r:user_home_t file3
-rw-rw-r-- auser auser system_u:object_r:user_home_t file3.html
-rw-rw-r-- auser auser system_u:object_r:user_home_t file4.html
-rw-rw-r-- auser auser system_u:object_r:user_home_t file5.html
-rw-rw-r-- auser auser system_u:object_r:user_home_t index.html
You can use either the tar or star utilities to create archives that retain SELinux security
contexts. The following example uses star to demonstrate how to create such an archive. You
need to use the appropriate -xattr and -H=exustar options to ensure that the extra attributes are
captured and that the header for the *.star file is of a type that fully supports xattrs. Refer to the
man page for more information about these and other options.
The following example illustrates the creation and extraction of a set of html files and directories. Note
that the two directories have different labels. Unimportant parts of the file context have been omitted
for printing purposes (indicated by ellipses '...'):
ls -Z public_html/ web_files/
public_html/:
-rw-rw-r-- auser auser ...httpd_user_content_t 1.html
-rw-rw-r-- auser auser ...httpd_user_content_t 2.html
-rw-rw-r-- auser auser ...httpd_user_content_t 3.html
-rw-rw-r-- auser auser ...httpd_user_content_t 4.html
-rw-rw-r-- auser auser ...httpd_user_content_t 5.html
-rw-rw-r-- auser auser ...httpd_user_content_t index.html
web_files/:
-rw-rw-r-- auser auser user_u:object_r:user_home_t 1.html
-rw-rw-r-- auser auser user_u:object_r:user_home_t 2.html
-rw-rw-r-- auser auser user_u:object_r:user_home_t 3.html
-rw-rw-r-- auser auser user_u:object_r:user_home_t 4.html
-rw-rw-r-- auser auser user_u:object_r:user_home_t 5.html
-rw-rw-r-- auser auser user_u:object_r:user_home_t index.html
The following command creates the archive, retaining all of the SELinux security contexts:
ls -Z all_web.star
-rw-rw-r-- auser auser user_u:object_r:user_home_t \ all_web.star
You can now copy the archive to a different directory. In this example, the archive is copied to /tmp. If
there is no specific policy to make a derivative temporary type, the default behavior is to acquire the
tmp_t type
ls -Z all_web.star
-rw-rw-r-- auser auser user_u:object_r:tmp_t all_web.star
Now you can expand the archives using star and it restores the extended attributes:
ls -Z /tmp/public_html/ /tmp/web_files/
/tmp/public_html/:
-rw-rw-r-- auser auser ...httpd_sys_content_t 1.html
-rw-rw-r-- auser auser ...httpd_sys_content_t 2.html
-rw-rw-r-- auser auser ...httpd_sys_content_t 3.html
-rw-rw-r-- auser auser ...httpd_sys_content_t 4.html
-rw-rw-r-- auser auser ...httpd_sys_content_t 5.html
-rw-rw-r-- auser auser ...httpd_sys_content_t index.html
/tmp/web_files/:
-rw-rw-r-- auser auser user_u:object_r:user_home_t 1.html
-rw-rw-r-- auser auser user_u:object_r:user_home_t 2.html
-rw-rw-r-- auser auser user_u:object_r:user_home_t 3.html
-rw-rw-r-- auser auser user_u:object_r:user_home_t 4.html
-rw-rw-r-- auser auser user_u:object_r:user_home_t 5.html
-rw-rw-r-- auser auser user_u:object_r:user_home_t \ index.html
50.2. Administrator Control of SELinux
In addition to the tasks often performed by users in Section 50.1, End User Control of
SELinux, SELinux administrators could be expected to perform a number of additional tasks.
These tasks typically require root access to the system. Such tasks are significantly easier under
the targeted policy. For example, there is no need to consider adding, editing, or deleting Linux
users from the SELinux users, nor do you need to consider roles.
This section covers the types of tasks required of an administrator who maintains Red Hat Enterprise
Linux running SELinux.
The sestatus command provides a configurable view into the status of SELinux. The simplest
form of this command shows the following information:
]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
The -v option includes information about the security contexts of a series of files that are specified in
/etc/sestatus.conf:
~]# sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
Process contexts:
Current context: user_u:system_r:unconfined_t
Init context: system_u:system_r:init_t
/sbin/mingetty system_u:system_r:getty_t
/usr/sbin/sshd system_u:system_r:unconfined_t:s0-s0:c0.c1023
File contexts:
Controlling term: user_u:object_r:devpts_t
/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/bin/bash system_u:object_r:shell_exec_t
/bin/login system_u:object_r:login_exec_t
/bin/sh system_u:object_r:bin_t ->
system_u:object_r:shell_exec_t
/sbin/agetty system_u:object_r:getty_exec_t
/sbin/init system_u:object_r:init_exec_t
/sbin/mingetty system_u:object_r:getty_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t
/lib/libc.so.6 system_u:object_r:lib_t ->
system_u:object_r:lib_t
/lib/ld-linux.so.2 system_u:object_r:lib_t ->
system_u:object_r:ld_so_t
The -b displays the current state of booleans. You can use this in combination with grep or other tools
to determine the status of particular booleans:
You may never need to relabel an entire file system. This usually occurs only when labeling a
file system for SELinux for the first time, or when switching between different types of policy,
such as changing from the targeted to the strict policy.
Relabeling a File System Using init
The recommended method for relabeling a file system is to reboot the machine. This allows the
init process to perform the relabeling, ensuring that applications have the correct labels when
they are started and that they are started in the right order. If you relabel a file system without
rebooting, some processes may continue running with an incorrect context. Manually ensuring
that all the daemons are restarted and running in the correct context can be difficult.
Use the following procedure to relabel a file system using this method.
touch /.autorelabel
reboot
At boot time, init.rc checks for the existence of /.autorelabel. If this file exists, SELinux performs
a complete file system relabel (using the /sbin/fixfiles -f -F relabel command), and then
deletes /.autorelabel.
Use the following command to relabel a file system only using the fixfiles command:
fixfiles relabel
Use the following command to relabel a file system based on the RPM database
In Red Hat Enterprise Linux 5, most targeted daemons do not interact with user data and are not
affected by NFS-mounted home directories. One exception is the Apache HTTP Server. For
example, CGI scripts that are on the mounted file system have the nfs_t type, which is not a
type that httpd_t is allowed to execute.
If you are having problems with the default type of nfs_t, try mounting the home directories with a
different context:
Similar to standard Linux DAC permissions, a targeted daemon must have SELinux permissions
to be able to descend the directory tree. This does not mean that a directory and its contents need
to have the same type. There are many types, such as root_t, tmp_t, and usr_t that grant read
access for a directory. These types are suitable for directories that do not contain any confidential
information, and that you want to be widely readable. They could also be used for a parent
directory of more secured directories with different contexts.
If you are working with an avc: denied message, there are some common problems that arise with
directory traversal. For example, many programs run a command equivalent to ls -l / that is not
necessary to their operation but generates a denial message in the logs. For this you need to create a
dontaudit rule in your local.te file.
When trying to interpret AVC denial messages, do not be misled by the path=/ component. This path is
not related to the label for the root file system, /. It is actually relative to the root of the file system on
the device node. For example, if your /var/ directory is located on an LVM (Logical Volume
Management [22] ) device, /dev/dm-0, the device node is identified in the message as dev=dm-0. When
you see path=/ in this example, that is the top level of the LVM device dm-0, not necessarily the same
as the root file system designation /.
You can enable and disable SELinux enforcement at runtime or configure it to start in the correct
mode at boot time, using the command line or GUI. SELinux can operate in one of three modes:
disabled , meaning not enabled in the kernel; permissive , meaning SELinux is running and
logging but not controlling permissions; or enforcing , meaning SELinux is running and
enforcing policy.
Use the setenforce command to change between permissive and enforcing modes at runtime. Use
setenforce 0 to enter permissive mode; use setenforce 1 to enter enforcing mode.
The sestatus command displays the current mode and the mode from the configuration file
referenced during boot:
Note that changing the runtime enforcement does not affect the boot time configuration:
~]# setenforce 1
~]# sestatus | grep -i mode
Current mode: enforcing
Mode from config file: permissive
You can also disable enforcing mode for a single daemon. For example, if you are trying to troubleshoot
the named daemon and SELinux, you can turn off enforcing for just that daemon.
Use the getsebool command to get the current status of the boolean:
Use the following command to disable enforcing mode for this daemon:
Use the following command to find which of these booleans are set:
You can set any number of boolean values using the setsebool command:
You can also use togglesebool <boolean_name> to change the value of a specific boolean:
~]# getsebool httpd_disable_trans
httpd_disable_trans --> off
~]# togglesebool httpd_disable_trans
httpd_disable_trans: active
You can configure all of these settings using system-config-selinux. The same configuration
files are used, so changes appear bidirectionally.
Changing a Runtime Boolean
Use the following procedure to change a runtime boolean using the GUI.
1. On the System menu, point to Administration and then click Security Level and
Firewall to display the Security Level Configuration dialog box.
2. Click the SELinux tab, and then click Modify SELinux Policy.
3. In the selection list, click the arrow next to the Name Service entry, and select the
Disable SELinux protection for named daemon check box.
4. Click OK to apply the change. Note that it may take a short time for the policy to be
reloaded.
Figure 50.1. Using the Security Level Configuration dialog box to change a runtime
boolean.
If you want to control these settings with scripts, you can use the setenforce(1),
getenforce(1), and selinuxenabled(1) commands.
From the command line, you can edit the /etc/sysconfig/selinux file. This file is a symlink to
/etc/selinux/config. The configuration file is self-explanatory. Changing the value of SELINUX or
SELINUXTYPE changes the state of SELinux and the name of the policy to be used the next time the
system boots.
1. On the System menu, point to Administration and then click Security Level and
Firewall to display the Security Level Configuration dialog box.
2. Click the SELinux tab.
3. In the SELinux Setting select either Disabled, Enforcing or Permissive, and then
click OK.
4. If you changed from Enabled to Disabled or vice versa, you need to restart the machine
for the change to take effect.
Changes made using this dialog box are immediately reflected in /etc/sysconfig/selinux.
This section provides a brief introduction to using customized policies on your system. A full
discussion of this topic is beyond the scope of this document.
To load a different policy on your system, change the following line in /etc/sysconfig/selinux:
SELINUXTYPE=<policyname>
where <policyname> is the policy name directory under /etc/selinux/. This assumes that you have
the custom policy installed. After changing the SELINUXTYPE parameter, run the following commands:
touch /.autorelabel
reboot
Use the following procedure to load a different policy using the system-config-selinux utility:
1. Ensure that the complete directory structure for the required policy exists under
/etc/selinux.
2. On the System menu, point to Administration and then click Security Level and
Firewall to display the Security Level Configuration dialog box.
3. Click the SELinux tab.
4. In the Policy Type list, select the policy that you want to load, and then click OK. This
list is only visible if more than one policy is installed.
5. Restart the machine for the change to take effect.
Figure 50.2. Using the Security Level Configuration dialog box to load a custom policy.
You can use the mount -o context= command to set a single context for an entire file system.
This might be a file system that is already mounted and that supports xattrs, or a network file
system that obtains a genfs label such as cifs_t or nfs_t.
For example, if you need the Apache HTTP Server to read from a mounted directory or loopback file
system, you need to set the type to httpd_sys_content_t:
Now that the required categories have been added to the system, you can start assigning them to
SELinux users and files. To further develop the example above, assume that James is in the
Marketing department, Daniel is in the Finance and Payroll departments, and Olga is in the
Personnel department. Each of these users has already been assigned an SELinux login.
You can also use the chcat command with additional command-line arguments to list the categories
that are assigned to users:
You can add further Linux users, assign them to SELinux user identities and then assign categories to
them as required. For example, if the company director also requires a user account with access to all
categories, follow the same procedure as above:
Use the chcat command to verify the addition of the new user:
At this point we have a system that has several user accounts, each of which is mapped to an
SELinux user identity. We have also established a number of categories that are suitable for the
particular deployment, and assigned those categories to different users.
All of the files on the system, however, still fall under the same category, and are therefore accessible by
everyone (but still according to the standard Linux DAC and TE constraints). We now need to assign
categories to the various files on the system so that only the appropriate users can access them.
Use the ls -Z command to check the initial security context of the file:
Notice that at this stage the file has the default context for a file created in the user's home directory
(user_home_t) and has no categories assigned to it. We can add the required category using the
chcat command. Now when you check the security context of the file, you can see the category has
been applied.
In many cases, you need to assign more than one category to a file. For example, some files may need to
be accessible to users from both the Finance and Payroll departments.
Each of the categories that have been assigned to the file are displayed in the security context. You can
add and delete categories to files as required. Only users assigned to those categories can access that
file, assuming that Linux DAC and TE permissions would already allow the access.
If a user who is assigned to a different category tries to access the file, they receive an error message:
For example, you could use the following command to run a script to test for mislabeled content. The
arguments that appear after the command are considered to be part of the command. (In this example,
~/bin/contexttest is a user-defined script.)
The following is a list of useful commands introduced with SELinux, and which you may find
useful when writing scripts to help administer your system:
getenforce
This command controls the enforcing mode of SELinux. The option 1 or Enforcing tells SELinux
to enter enforcing mode. The option 0 or Permissive tells SELinux to enter passive mode.
Access violations are still logged, but not prevented.
selinuxenabled
This command exits with a status of 0 if SELinux is enabled, and 1 if SELinux is
disabled.
~]# selinuxenabled
~]# echo $?
0
This command shows the status of all booleans (-a) or a specific boolean (<boolean_name>).
This command sets one or more boolean values. The -P option makes the changes
persistent across reboots.
This command toggles the setting of one or more booleans. This effects boolean settings
in memory only; changes are not persistent across reboots.
You use the newrole command to run a new shell with the specified type and/or role. Changing
roles is typically only meaningful in the strict policy; the targeted policy is generally restricted to
a single role. Changing types may be useful for testing, validation, and development purposes.
The ARGS are passed directly to the shell specified in the user's entry in the /etc/passwd file.
The primary reason for rebooting the system from an SELinux perspective is to completely
relabel the file system. On occasion you might need to reboot the system to enable or disable
SELinux.