Red Hat Enterprise Linux 6
Security-Enhanced Linux
User Guide
Edition 2
Author
Copyright © 2011 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons
Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available
at http://creativecommons.org/licenses/by-sa/3.0/ . In accordance with CC-BY-SA, if you distribute this
document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert,
Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity
Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux ® is the registered trademark of Linus Torvalds in the United States and other countries.
Java ® is a registered trademark of Oracle and/or its affiliates.
XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States
and/or other countries.
MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and other
countries.
All other trademarks are the property of their respective owners.
1801 Varsity Drive
Raleigh, NC 27606-2072 USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701
This guide assists users and administrators in managing and using Security-Enhanced Linux ® .
1. Document Conventions ................................................................................................... v
1.1. Typographic Conventions ...................................................................................... v
1.2. Pull-quote Conventions ........................................................................................ vi
1.3. Notes and Warnings ............................................................................................ vii
2. We Need Feedback! ...................................................................................................... vii
2.1. Benefits of running SELinux .......................................................................................... 4
2.2. Examples ..................................................................................................................... 5
2.3. SELinux Architecture .................................................................................................... 5
2.4. SELinux on Other Operating Systems ........................................................................... 6
3.1. Domain Transitions ....................................................................................................... 8
3.2. SELinux Contexts for Processes ................................................................................... 9
3.3. SELinux Contexts for Users ........................................................................................ 10
4.1. Confined Processes ................................................................................................... 11
4.2. Unconfined Processes ................................................................................................ 13
4.3. Confined and Unconfined Users .................................................................................. 16
5.1. SELinux Packages ..................................................................................................... 19
5.2. Which Log File is Used .............................................................................................. 20
5.3. Main Configuration File ............................................................................................... 20
5.4. Enabling and Disabling SELinux .................................................................................. 21
5.4.1. Enabling SELinux ............................................................................................ 22
5.4.2. Disabling SELinux ............................................................................................ 24
5.5. SELinux Modes .......................................................................................................... 24
5.6. Booleans .................................................................................................................... 24
5.6.1. Listing Booleans .............................................................................................. 25
5.6.2. Configuring Booleans ....................................................................................... 25
5.6.3. Booleans for NFS and CIFS ............................................................................. 26
5.7. SELinux Contexts - Labeling Files ............................................................................... 27
5.7.1. Temporary Changes: chcon .............................................................................. 27
5.7.2. Persistent Changes: semanage fcontext ............................................................ 29
5.8. The file_t and default_t Types ..................................................................................... 33
5.9. Mounting File Systems ............................................................................................... 33
5.9.1. Context Mounts ............................................................................................... 34
5.9.2. Changing the Default Context ........................................................................... 34
5.9.3. Mounting an NFS File System .......................................................................... 35
5.9.4. Multiple NFS Mounts ....................................................................................... 35
5.9.5. Making Context Mounts Persistent .................................................................... 36
5.10. Maintaining SELinux Labels ..................................................................................... 36
5.10.1. Copying Files and Directories ......................................................................... 36
5.10.2. Moving Files and Directories .......................................................................... 38
5.10.3. Checking the Default SELinux Context ............................................................ 39
5.10.4. Archiving Files with tar ................................................................................... 40
5.10.5. Archiving Files with star ................................................................................. 41
5.11. Information Gathering Tools ....................................................................................... 42
6.1. Linux and SELinux User Mappings .............................................................................. 45
6.2. Confining New Linux Users: useradd ........................................................................... 45
6.3. Confining Existing Linux Users: semanage login ........................................................... 46
6.4. Changing the Default Mapping .................................................................................... 48
6.5. xguest: Kiosk Mode .................................................................................................... 48
6.6. Booleans for Users Executing Applications .................................................................. 49
7.1. Security and Virtualization ........................................................................................... 52
7.2. sVirt Labelling ............................................................................................................ 52
8.1. What Happens when Access is Denied ....................................................................... 55
8.2. Top Three Causes of Problems ................................................................................... 55
8.2.1. Labeling Problems ........................................................................................... 56
8.2.2. How are Confined Services Running? ............................................................... 57
8.2.3. Evolving Rules and Broken Applications ............................................................ 58
8.3. Fixing Problems ......................................................................................................... 58
8.3.1. Linux Permissions ............................................................................................ 59
8.3.2. Possible Causes of Silent Denials .................................................................... 59
8.3.3. Manual Pages for Services .............................................................................. 60
8.3.4. Permissive Domains ........................................................................................ 60
8.3.5. Searching For and Viewing Denials .................................................................. 62
8.3.6. Raw Audit Messages ....................................................................................... 64
8.3.7. sealert Messages ............................................................................................ 65
8.3.8. Allowing Access: audit2allow ............................................................................ 67
9.1. Contributors ............................................................................................................... 71
9.2. Other Resources ........................................................................................................ 71
Preface
The Red Hat Enterprise Linux 6 SELinux User Guide is for people with minimal or no experience
with SELinux. Although system administration experience is not necessary, content in this guide is
written for system administration tasks. This guide provides an introduction to fundamental concepts
and practical applications of SELinux. After reading this guide you should have an intermediate
understanding of SELinux.
Thank you to everyone who offered encouragement, help, and testing - it is most appreciated. Very
special thanks to:
Dominick Grift, Stephen Smalley, and Russell Coker for their contributions, help, and patience.
1. Document Conventions
This manual uses several conventions to highlight certain words and phrases and draw attention to
specific pieces of information.
In PDF and paper editions, this manual uses typefaces drawn from the Liberation Fonts set. The
Liberation Fonts set is also used in HTML editions if the set is installed on your system. If not,
alternative but equivalent typefaces are displayed. Note: Red Hat Enterprise Linux 5 and later includes
the Liberation Fonts set by default.
1.1. Typographic Conventions
Four typographic conventions are used to call attention to specific words and phrases. These
conventions, and the circumstances they apply to, are as follows.
Mono-spaced Bold
Used to highlight system input, including shell commands, file names and paths. Also used to highlight
keycaps and key combinations. For example:
To see the contents of the file my_next_bestselling_novel in your current
working directory, enter the cat my_next_bestselling_novel command at the
shell prompt and press Enter to execute the command.
The above includes a file name, a shell command and a keycap, all presented in mono-spaced bold
and all distinguishable thanks to context.
Key combinations can be distinguished from keycaps by the hyphen connecting each part of a key
combination. For example:
Press Enter to execute the command.
Press Ctrl + Alt + F2 to switch to the first virtual terminal. Press Ctrl + Alt + F1 to
return to your X-Windows session.
The first paragraph highlights the particular keycap to press. The second highlights two key
combinations (each a set of three keycaps with each set pressed simultaneously).
If source code is discussed, class names, methods, functions, variable names and returned values
mentioned within a paragraph will be presented as above, in mono-spaced bold. For example: