Monday, September 15, 2008

SELinux on Fedora Core workstations

SELinux - an introduction for desktop users

Introduction

This post is really just an introduction to SELinux on a desktop Linux machine. It is not intended for people running servers. It is also not an in-depth look at SELinux; for that, try http://www.nsa.gov/selinux/ and http://www.nsa.gov/selinux/faq.html, or the FAQs at http://www.crypt.gen.nz/selinux/faq.html.

I have based this piece on my experiences with my home PC, which has run Red Hat 9, then Fedora Core 1, then 2, and now 3.

What is SELinux

SELinux is additional security that runs behind the normal Linux security. Note that I say behind the normal Linux security: SELinux only gets consulted if your request has already passed the normal Linux permission checks.

SELinux comes with Fedora Core 2 and Fedora Core 3.

Do I need SELinux

The honest answer to that, as a desktop user, is no. Normal Linux security without SELinux is probably secure enough for you, but as you get SELinux as standard with fc2 and fc3, why not use it.

Strict and Targeted

The SELinux developers quickly realised that strict SELinux was going to cause real problems for users and would require a fair degree of expertise from them, so they created a second flavour called targeted. Targeted is the flavour (policy) that you get by default with fc2 and fc3.

Targeted SELinux confines a number of daemons on your Linux machine that could be vulnerable to attack or, if compromised, devastating to your machine. These daemons are: dhcpd, httpd, named, nscd, ntpd, portmapd, snmpd, squid and syslogd. The rest of the system runs as if SELinux were not switched on (those processes run in a domain called unconfined_t).

Targeted policy

This is the default flavour of SELinux that you get with fc2 and fc3. From the list of daemons above, you can see that as a desktop user you will probably only ever be running two or three of them (syslogd, portmapd, and maybe dhcpd).

It is the targeted policy that I run on my home PC.

Strict Policy

I tried switching from targeted to strict on my home PC, but I couldn't even get it to boot (the init task ran foul of SELinux and I just got screens and screens of avc: denied messages). I suspect that this was due to me not running a relabel on my filesystem, and I couldn't use the autorelabel-after-reboot facility (more on that later), as I couldn't get it to boot (more on how I got out of that problem later). So I won't be going into the strict policy of SELinux in this piece.

What you notice with SELinux (targeted policy) running

The first thing you'll see is more messages at boot up. You get the following (or something similar) before you get the Init message (and then all of the various "starting process ... OK" messages).

Code:
security:  3 users, 4 roles, 320 types, 23 bools
security:  53 classes, 10921 rules
SELinux:  Completing initialization.
SELinux:  Setting up existing superblocks.
SELinux: initialized (dev hda2, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), not configured for labeling
SELinux: initialized (dev hugetlbfs, type hugetlbfs), not configured for labeling
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
SELinux: initialized (dev hda1, type ext2), uses xattr
SELinux: initialized (dev hda6, type ext3), uses xattr
SELinux: initialized (dev hdc1, type vfat), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts

Apart from these messages, you should see nothing else out of the ordinary. If you find that some of the processes that normally start at boot up fail, see the Problems section later for the solution.

You also get some new commands to play with (more later).

New commands

--sestatus--

The /usr/sbin/sestatus command tells you the status of SELinux on your PC.

Code:
[root@localhost ~]# sestatus
SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           enforcing
Mode from config file:  enforcing
Policy version:         18
Policy from config file:targeted

Policy booleans:
allow_ypbind            active
dhcpd_disable_trans     inactive
httpd_disable_trans     inactive
httpd_enable_cgi        active
httpd_enable_homedirs   active
httpd_ssi_exec          active
httpd_tty_comm          inactive
httpd_unified           active
mysqld_disable_trans    inactive
named_disable_trans     inactive
named_write_master_zonesinactive
nscd_disable_trans      inactive
ntpd_disable_trans      inactive
portmap_disable_trans   inactive
postgresql_disable_transinactive
snmpd_disable_trans     inactive
squid_disable_trans     inactive
syslogd_disable_trans   inactive
use_nfs_home_dirs       inactive
use_samba_home_dirs     inactive
use_syslogng            inactive
winbind_disable_trans   inactive
ypbind_disable_trans    inactive
[root@localhost ~]#

As you can see from the display above, not only is SELinux enabled, it is also enforcing (you can instead set SELinux to simply report any breaches while still allowing them), and it is using the targeted policy (as opposed to the experimental strict policy).

The display also shows whether protection for particular targeted daemons has been turned off (disabled) via the *_disable_trans booleans; more on this later.


--id--

The id command shows extra information and also gains a new switch, "-Z".

Code:
[nerderello@localhost ~]$ id
uid=502(nerderello) gid=503(nerderello) groups=503(nerderello) context=user_u:system_r:unconfined_t

[nerderello@localhost ~]$ id -Z
user_u:system_r:unconfined_t

As you can see, the "id" command by itself shows the usual stuff plus the new SELinux stuff (the context), while "id -Z" shows only the SELinux context.

The context shown is made up of three parts: the identity, the role, and the domain (or type). Together these encompass who you are and what you can do and have access to.

The settings for these three things in the SELinux that Fedora ships are fairly generic. As far as identity is concerned, you're either "user_u" (i.e. a normal user) or "root" (i.e. the root / superuser).

Your identity will change when you do a "su -" in a terminal. This is because the targeted policy that Fedora ships does both a su and an SELinux newrole at the same time.

--ls -Z--

The new -Z switch to the file list command (ls -Z) allows you to see the contexts of your files.

Code:
[nerderello@localhost ~]$ ls -alZ
drwx------  nerderel nerderel root:object_r:user_home_dir_t    .
drwxr-xr-x  root     root     system_u:object_r:home_root_t    ..
-rw-------  nerderel nerderel user_u:object_r:user_home_t      .bash_history
-rw-r--r--  nerderel nerderel root:object_r:user_home_t        .bash_logout
-rw-r--r--  nerderel nerderel root:object_r:user_home_t        .bash_profile
-rw-r--r--  nerderel nerderel root:object_r:user_home_t        .bashrc
-rw-r--r--  nerderel nerderel root:object_r:user_home_t        .emacs
-rw-r--r--  nerderel nerderel root:object_r:user_home_t        .gtkrc
drwxr-xr-x  nerderel nerderel root:object_r:user_home_t        .kde
-rw-rw-r--  nerderel nerderel user_u:object_r:user_home_t      test.txt
-rw-------  nerderel nerderel user_u:object_r:user_home_t      .viminfo
-rw-r--r--  nerderel nerderel root:object_r:user_home_t        .zshrc
[nerderello@localhost ~]$

As you can see from the display above, I have used the -Z switch along with the -al switches to get the hidden files as well.

You can also see from this display that all of the files apart from test.txt and .viminfo carry the root identity in their context, because they were created by root (when the nerderello user id was set up).

--ps -Z--

The extra switch (-Z) for the process display command (ps) shows you the context of your processes.

Code:
[nerderello@localhost ~]$ ps -Z
LABEL                             PID TTY          TIME CMD
user_u:system_r:unconfined_t     4652 pts/1    00:00:00 bash
user_u:system_r:unconfined_t     4674 pts/1    00:00:00 ps
[nerderello@localhost ~]$

Yet again you can combine the -Z switch with others that you may use (here the obsolete -x switch, which is why you get the warning message; the -e switch would have been better).

Code:
[nerderello@localhost ~]$ ps -xZ
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.3/FAQ
LABEL                             PID TTY      STAT   TIME COMMAND
user_u:system_r:unconfined_t     4001 ?        Ss     0:00 /bin/sh /etc/xdg/xfce
user_u:system_r:unconfined_t     4029 ?        Ss     0:00 /usr/bin/ssh-agent -s
user_u:system_r:unconfined_t     4056 ?        S      0:00 /usr/bin/dbus-launch 
user_u:system_r:unconfined_t     4057 ?        Ss     0:00 dbus-daemon-1 --fork 
user_u:system_r:unconfined_t     4061 ?        S      0:00 /bin/sh /etc/xdg/xfce
user_u:system_r:unconfined_t     4063 ?        S      0:00 xscreensaver -no-spla
user_u:system_r:unconfined_t     4068 ?        Ss     0:00 xfce-mcs-manager
user_u:system_r:unconfined_t     4070 ?        Ss     0:01 xfwm4 --daemon
user_u:system_r:unconfined_t     4071 ?        S      0:01 xftaskbar4
user_u:system_r:unconfined_t     4072 ?        S      0:05 xfdesktop
user_u:system_r:unconfined_t     4075 ?        S      0:06 /usr/bin/xfce4-panel
user_u:system_r:unconfined_t     4266 ?        S      0:00 /usr/libexec/gconfd-2
user_u:system_r:unconfined_t     4461 ?        S      0:16 gedit
user_u:system_r:unconfined_t     4463 ?        Ss     0:00 /usr/libexec/bonobo-a
user_u:system_r:unconfined_t     4465 ?        S      0:00 /usr/libexec/gam_serv
user_u:system_r:unconfined_t     4467 ?        Ss     0:00 /usr/bin/esd -termina
user_u:system_r:unconfined_t     4469 ?        S      0:00 xterm -title Terminal
user_u:system_r:unconfined_t     4471 pts/0    Ss     0:00 bash
user_u:system_r:unconfined_t     4650 ?        R      0:00 xterm -title Terminal
user_u:system_r:unconfined_t     4652 pts/1    Ss     0:00 bash
user_u:system_r:unconfined_t     4673 pts/1    R+     0:00 ps -xZ
[nerderello@localhost ~]$

Problems

The first problem I came across, when I upgraded to Fedora Core 2, was that the portmap daemon failed to start at boot, and I no longer had a syslog!

--daemons failing to start, no syslog--

There are a number of ways around this. You can sort out the file system labels so that it all works properly. Or (the first thing I did) simply turn SELinux off, which is a bit drastic, but it worked. Or you can disable the part of SELinux that is causing the problems.

Sorting out the file system to allow proper SELinux operations

Get yourself to a command line prompt, as root or via "su -". Enter "touch /.autorelabel". Reboot.

When your PC comes back up, you will get a warning message that the file system is being relabeled and that it may take some time. I found on my PC that it took about the same time as my regular "updatedb", about 5 or 6 minutes.

Once the relabel has completed, your PC will continue to boot in the normal way. The relabeling is a one-off; you won't get this delay every time you boot up.

Now, when you use the "ls -Z" you'll see that all of your files have a context, rather than just some.

Turning SELinux off

As you'd expect with Linux, there are a number of ways to turn off SELinux. You can:

1) Add selinux=0 to the kernel line within your /boot/grub/grub.conf file. Then, when you next boot, SELinux will not be started.

2) Add SELINUX=disabled to your /etc/sysconfig/selinux file (which may be a link to /etc/selinux/config).

Disable parts of SELinux

Within Gnome or KDE you can use the System menu option Security Level, which runs the GUI-based program system-config-securitylevel.

This has a tab marked SELinux, which shows you what you can turn on and off.

From the SELinux service protection option (at the bottom of the list of options) you can turn off (disable) SELinux protection for particular daemons, such as portmap and syslogd.

You can also, from the SELinux tab, turn the enforce option off and on (SELinux can run either enforcing its policy, or simply reporting any breaches; you'll get loads of avc: denied messages if you do).
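
As an added example (not part of the original post), the two things sestatus and ps -Z reveal can be checked from a script: which *_disable_trans booleans are active (protection turned off for that daemon), whether the running mode differs from the one in the config file, and which of the targeted daemons listed earlier are running in unconfined_t instead of their own domain. The sample outputs below are constructed, and the domain names syslogd_t and named_t in them are assumed.

```shell
# The daemons the post lists as covered by the targeted policy.
TARGETED="dhcpd httpd named nscd ntpd portmap snmpd squid syslogd"
# Reads sestatus output on stdin. Prints "unprotected <daemon>" for every
# *_disable_trans boolean that is active, and "mode-mismatch" when the running
# mode differs from the one in the config file (e.g. after a setenforce 0).
audit_sestatus() {
    awk '
        /^Current mode:/          { cur = $3 }
        /^Mode from config file:/ { cfg = $5 }
        /_disable_trans[ \t]*active$/ {
            name = $1; sub(/_disable_trans.*/, "", name)
            print "unprotected " name
        }
        END { if (cur != "" && cur != cfg) print "mode-mismatch " cur "/" cfg }
    '
}

# Reads ps -eZ output on stdin. Prints each targeted daemon whose process is
# in unconfined_t, i.e. one that never transitioned into its own domain.
unconfined_daemons() {
    awk -v list="$TARGETED" '
        BEGIN { n = split(list, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
        NR > 1 && NF >= 5 {
            cmd = $5; sub(/.*\//, "", cmd)      # drop any leading path
            if ((cmd in want) && $1 ~ /:unconfined_t$/) print cmd
        }
    '
}

# Constructed sample output, not captured from a real machine: protection for
# syslogd has been disabled and the box was switched to permissive at run time.
SESTATUS_SAMPLE='SELinux status:         enabled
Current mode:           permissive
Mode from config file:  enforcing
Policy from config file:targeted

Policy booleans:
named_disable_trans     inactive
portmap_disable_trans   inactive
syslogd_disable_trans   active'
# Constructed ps -eZ sample: portmap is running unconfined, the others are not.
PS_SAMPLE='LABEL                             PID TTY          TIME CMD
system_u:system_r:syslogd_t      1234 ?        00:00:00 syslogd
user_u:system_r:unconfined_t     4652 pts/1    00:00:00 bash
system_u:system_r:unconfined_t   1300 ?        00:00:00 portmap
system_u:system_r:named_t        1410 ?        00:00:01 named'
printf '%s\n' "$SESTATUS_SAMPLE" | audit_sestatus
printf '%s\n' "$PS_SAMPLE" | unconfined_daemons
```

On a real machine you would feed it the live output instead: sestatus | audit_sestatus and ps -eZ | unconfined_daemons.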


--Not all of my files have a SELinux context--

After an upgrade of Fedora you may need to relabel your file system. This allows SELinux to give all files the correct context.

Get yourself to a command line prompt, as root or via "su -". Enter "touch /.autorelabel". Reboot.

When your PC comes back up, you will get a warning message that the file system is being relabeled and that it may take some time. I found on my PC that it took about the same time as my regular "updatedb", about 5 or 6 minutes.
 
