Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

<< Previous Preface
 Table of Contents
 SELinux Overview Next >>

1. Introduction

This document was put together in response to people asking if an intro level HOWTO was available for getting started with SE Linux. It covers the more basic aspects of SE Linux such as terminology, installation and adding users in addition to a few other areas. A more advanced HOWTO-type of document will follow, including areas such as how to edit policy files (which causes a little too much information overload with users new to SE Linux and is not included here).

1.1. Feedback

Comments on this document are welcome. Please email [email protected]

1.2. Disclaimer

This document is a guide only. I strongly recommend you install SE Linux on a test machine before deploying on a production server.

1.3. New features of the new SE Linux

The new SE Linux has a number of new features, listed below.

/selinux filesystem
A /selinux filesystem is now included. Part of the installation process requires you to edit /etc/fstab accordingly. The /selinux filesystem is similar to /proc in that it is also a pseudo filesystem. Doing a ls -l /selinux shows 

total 0
-rw-rw-rw-    1 root     root            0 Nov 25 11:27 access
-rw-rw-rw-    1 root     root            0 Nov 25 11:27 context
-rw-rw-rw-    1 root     root            0 Nov 25 11:27 create
-rw-------    1 root     root            0 Nov 25 14:19 enforce
-rw-------    1 root     root            0 Nov 25 11:27 load
-r--r--r--    1 root     root            0 Nov 25 11:27 policyvers
-rw-rw-rw-    1 root     root            0 Nov 25 11:27 relabel
-rw-rw-rw-    1 root     root            0 Nov 25 11:27 user
Running the cat command on the file "enforce" will show either a 1 for enforcing mode, or 0 for permissive mode.

Use of extended attributes
The new SE Linux uses extended attributes to store security contexts. You must build your kernel with extended attribute support. Extended attributes are a name-data tuple-- for example, security.selinux is the name of an attribute and the security context is the data. You can see the security context of a file with the command ls --context filename (further explained in this document) if SE Linux is running, but if you want to see the extended attributes when SE Linux isn't (or is) running, use the getfattr command. Note that you must first install the package attr and from there read the man page for getfattr. Running the command as follows gives 

faye@kaos:~$ getfattr -m . -d /etc/passwd
getfattr: Removing leading '/' from absolute path names
# file: etc/passwd
security.selinux="system_u:object_r:etc_t\000"
The attribute security.selinux has the context which matches the file you are querying, so in the above case the context is system_u:object_r:etc_t All files on ext2 and ext3 filesystems on the new SE Linux have the attribute security.selinux (a key new feature). If you were to boot to a non SE Linux kernel, the extended attributes would still be there and you could still see them. The extended attribute is set when you run setfiles which sets the file security contexts during a make relabel operation.

Loading SE Linux policy from init
init is now responsible for mounting the /selinux filesystem, and then loads the policy after that.

SIDs and PSIDs no longer used
SIDs (Security Identifiers) were used in the old SE Linux in the interface to the kernel (from userspace). PSIDs (Persistent SIDs) were used in the kernel code for mapping files to contexts for files and directories on disk. See the NSA's document Configuring the SELinux Policy" document for more information. In the new SE Linux, the extended attributes contain the context so SIDs and PSIDs are no longer necessary.

-Z shortcut option
-Z can be used instead of typing --context after a command such as ls or ps.

No chsid command: uses chcon instead
The chsid command was used in the old SE Linux to change the context of a file. The new SE Linux uses the chcon command which changes the context of a file. chcon was available in the old SE Linux but has been improved for the new SE Linux, with options for setting the user or type. See the manpage for more details.

1.4. policy source directory for Fedora users

On Debian, the policy source directory is /etc/selinux. On Fedora it is /etc/security/selinux/src/policy. In this document I refer to the Debian policy source directory, so if you're a Fedora user, substitute /etc/selinux with /etc/security/selinux/src/policy.

 
 
  Published with kind permission of Faye Coker Design by Interspire