05-08-2005 #1
SELinux on Fedora Core workstations
Introduction
This post is really just an introduction to SELinux on a desktop Linux machine. It is not intended for people running servers. It is also not an in-depth look at SELinux; for that, try http://www.nsa.gov/selinux/ and http://www.nsa.gov/selinux/faq.html, or the FAQs at http://www.crypt.gen.nz/selinux/faq.html.
I have based this piece on my experiences with my home PC running, first Red Hat 9, then Fedora Core 1, then 2 and now 3.
What is SELinux
SELinux is additional security that runs behind the normal Linux security. Note that I say behind normal Linux security: SELinux is only consulted if your request has already passed the normal Linux permission checks (owner, group and mode bits). It can therefore only ever deny something that normal Linux security would have allowed, never allow something it would have refused.
SELinux comes with Fedora Core 2 and Fedora Core 3.
Do I need SELinux
The honest answer to that is, as a desktop user, no. Normal, non-SELinux Linux security is probably secure enough for you, but as you get it as standard with fc2 and fc3, why not use it?
Strict and Targeted
The SELinux developers quickly realised that strict SELinux was going to cause some real problems for users and would require a fair degree of expertise from them, so they created a second flavour called targeted. Targeted is the flavour (policy) that you get by default with fc2 and fc3.
Targeted SELinux targets a number of daemons on your Linux machine that could be vulnerable to attack, or whose compromise would be devastating to your machine. These daemons are: dhcpd, httpd, named, nscd, ntpd, portmapd, snmpd, squid and syslogd. The rest of the system runs as if SELinux was not switched on (those processes run in something called the unconfined_t domain).
Targeted policy
This is the default flavour of SELinux that you get with fc2 and fc3. From the list of daemons above, you can see that as a desktop user you will probably only ever be running two or three of them (syslogd, portmapd and maybe dhcpd).
It is the targeted policy that I run on my home PC.
Strict Policy
I tried switching from targeted to strict on my home PC, but I couldn't even get it to boot (the init task ran foul of SELinux and I just got screens and screens of avc: denied messages). I suspect that this was due to me not running a relabel on my filesystem, and I couldn't use the autorelabel-after-reboot facility (more of that later), as I couldn't get it to boot (more on how I got out of that problem later). So I won't be going into the strict policy of SELinux in this piece.
What you notice with SELinux (targeted policy) running
The first thing you'll see is more messages at boot up. You get the following (or something similar) before you get the Init message (and then all of the various "system process started OK" messages).
Code:
security: 3 users, 4 roles, 320 types, 23 bools
security: 53 classes, 10921 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev hda2, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), not configured for labeling
SELinux: initialized (dev hugetlbfs, type hugetlbfs), not configured for labeling
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
SELinux: initialized (dev hda1, type ext2), uses xattr
SELinux: initialized (dev hda6, type ext3), uses xattr
SELinux: initialized (dev hdc1, type vfat), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
You also get some new commands to play with (more later).
New commands
--sestatus--
The /usr/sbin/sestatus command tells you the status of SELinux on your PC: whether it is enabled, whether it is enforcing or merely reporting, which policy is loaded, and the current setting of each policy boolean.
Code:
[root@localhost ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 18
Policy from config file:        targeted
Policy booleans:
allow_ypbind                    active
dhcpd_disable_trans             inactive
httpd_disable_trans             inactive
httpd_enable_cgi                active
httpd_enable_homedirs           active
httpd_ssi_exec                  active
httpd_tty_comm                  inactive
httpd_unified                   active
mysqld_disable_trans            inactive
named_disable_trans             inactive
named_write_master_zones        inactive
nscd_disable_trans              inactive
ntpd_disable_trans              inactive
portmap_disable_trans           inactive
postgresql_disable_trans        inactive
snmpd_disable_trans             inactive
squid_disable_trans             inactive
syslogd_disable_trans           inactive
use_nfs_home_dirs               inactive
use_samba_home_dirs             inactive
use_syslogng                    inactive
winbind_disable_trans           inactive
ypbind_disable_trans            inactive
[root@localhost ~]#
The above display also shows whether certain of the targeted policy checks have been turned off (disabled): a daemon's protection is off when its xxx_disable_trans boolean is active. More of this later.
--id--
The id command has extra information in its output, as well as a new switch, "-Z", that prints only the security context.
Code:
[nerderello@localhost ~]$ id
uid=502(nerderello) gid=503(nerderello) groups=503(nerderello) context=user_u:system_r:unconfined_t
[nerderello@localhost ~]$ id -Z
user_u:system_r:unconfined_t
The context shown is made up of three colon-separated parts: the identity, the role, and the domain (for a process) or type (for a file). Together these describe who you are and what you can do and have access to.
The settings, in the SELinux that Fedora ships, for these three things are fairly generic. As far as identity is concerned, you're either "user_u" (ie. a normal user) or "root" (ie. the root / superuser).
Your identity will change when you do a "su -" in a terminal. This is because the targeted policy that Fedora ships does both a su and a SELinux newrole at the same time.
--ls -Z--
The new switch to the file list command, ls -Z, allows you to see the contexts of your files.
Code:
[nerderello@localhost ~]$ ls -alZ
drwx------  nerderel nerderel root:object_r:user_home_dir_t    .
drwxr-xr-x  root     root     system_u:object_r:home_root_t    ..
-rw-------  nerderel nerderel user_u:object_r:user_home_t      .bash_history
-rw-r--r--  nerderel nerderel root:object_r:user_home_t        .bash_logout
-rw-r--r--  nerderel nerderel root:object_r:user_home_t        .bash_profile
-rw-r--r--  nerderel nerderel root:object_r:user_home_t        .bashrc
-rw-r--r--  nerderel nerderel root:object_r:user_home_t        .emacs
-rw-r--r--  nerderel nerderel root:object_r:user_home_t        .gtkrc
drwxr-xr-x  nerderel nerderel root:object_r:user_home_t        .kde
-rw-rw-r--  nerderel nerderel user_u:object_r:user_home_t      test.txt
-rw-------  nerderel nerderel user_u:object_r:user_home_t      .viminfo
-rw-r--r--  nerderel nerderel root:object_r:user_home_t        .zshrc
[nerderello@localhost ~]$
You can see from this display that all of the files apart from test.txt and .viminfo were created by root (when the user id nerderello was set up): the identity part of their context is root, not user_u, even though the Unix owner is nerderello.
--ps -Z--
The extra switch (-Z) for the process display command (ps) shows you the context of your processes.
Code:
[nerderello@localhost ~]$ ps -Z
LABEL                          PID TTY      TIME     CMD
user_u:system_r:unconfined_t  4652 pts/1    00:00:00 bash
user_u:system_r:unconfined_t  4674 pts/1    00:00:00 ps
[nerderello@localhost ~]$
Code:
[nerderello@localhost ~]$ ps -xZ
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.3/FAQ
LABEL                          PID TTY      STAT TIME COMMAND
user_u:system_r:unconfined_t  4001 ?        Ss   0:00 /bin/sh /etc/xdg/xfce
user_u:system_r:unconfined_t  4029 ?        Ss   0:00 /usr/bin/ssh-agent -s
user_u:system_r:unconfined_t  4056 ?        S    0:00 /usr/bin/dbus-launch
user_u:system_r:unconfined_t  4057 ?        Ss   0:00 dbus-daemon-1 --fork
user_u:system_r:unconfined_t  4061 ?        S    0:00 /bin/sh /etc/xdg/xfce
user_u:system_r:unconfined_t  4063 ?        S    0:00 xscreensaver -no-spla
user_u:system_r:unconfined_t  4068 ?        Ss   0:00 xfce-mcs-manager
user_u:system_r:unconfined_t  4070 ?        Ss   0:01 xfwm4 --daemon
user_u:system_r:unconfined_t  4071 ?        S    0:01 xftaskbar4
user_u:system_r:unconfined_t  4072 ?        S    0:05 xfdesktop
user_u:system_r:unconfined_t  4075 ?        S    0:06 /usr/bin/xfce4-panel
user_u:system_r:unconfined_t  4266 ?        S    0:00 /usr/libexec/gconfd-2
user_u:system_r:unconfined_t  4461 ?        S    0:16 gedit
user_u:system_r:unconfined_t  4463 ?        Ss   0:00 /usr/libexec/bonobo-a
user_u:system_r:unconfined_t  4465 ?        S    0:00 /usr/libexec/gam_serv
user_u:system_r:unconfined_t  4467 ?        Ss   0:00 /usr/bin/esd -termina
user_u:system_r:unconfined_t  4469 ?        S    0:00 xterm -title Terminal
user_u:system_r:unconfined_t  4471 pts/0    Ss   0:00 bash
user_u:system_r:unconfined_t  4650 ?        R    0:00 xterm -title Terminal
user_u:system_r:unconfined_t  4652 pts/1    Ss   0:00 bash
user_u:system_r:unconfined_t  4673 pts/1    R+   0:00 ps -xZ
[nerderello@localhost ~]$
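The three-part context is easiest to understand once you take it apart in a script. The following is an added example, not code from the original post: a few POSIX shell functions that split identity:role:type contexts and that read "ps -Z" and "ls -Z" style output to answer the two questions a desktop user actually has, which processes the targeted policy is confining (anything not in unconfined_t) and which files still lack a proper label and so need a relabel. All sample output is constructed to match the format shown in the post, and the function names are this example's own. It assumes that a file missed by a relabel shows up either with no context column, with a context that does not have three fields, or with the unlabeled_t type.

```shell
#!/bin/sh
# Added example, not code from the original post: pull apart the
# identity:role:type contexts printed by "id -Z", "ls -Z" and "ps -Z".
# All sample output below is constructed to match the post's format;
# the function and variable names are this example's own.

# Print field N (1 = identity, 2 = role, 3 = type/domain) of a context.
context_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Read "ps -Z" style lines (LABEL PID TTY TIME CMD) on stdin and print
# "PID CMD" for every process NOT running in the given domain
# (default unconfined_t). Under the targeted policy the survivors are
# exactly the daemons that SELinux is actually confining.
confined_processes() {
    dom="${1:-unconfined_t}"
    awk -v dom="$dom" '
        NR == 1 { next }                      # skip the LABEL header
        { split($1, ctx, ":"); if (ctx[3] != dom) print $2, $NF }'
}

# Read "ls -Z" style lines (perms user group context name) on stdin and
# print the name of every entry that does not carry a usable label:
# no context column at all, a context without three fields, or the
# unlabeled_t type. (Assumption for this example: that is how files
# missed by a relabel show up; the post only says they have no context.)
unlabeled_entries() {
    awk '
        $1 == "total" { next }
        NF < 5        { print $NF; next }     # context column missing
        {
            n = split($4, ctx, ":")
            if (n != 3 || ctx[3] == "unlabeled_t") print $NF
        }'
}

# Read "ls -Z" style lines on stdin and print "COUNT TYPE", most
# common type first, so you can see what a directory is labelled as.
count_by_type() {
    awk '$1 != "total" && NF >= 5 { split($4, ctx, ":"); n[ctx[3]]++ }
         END { for (t in n) print n[t], t }' | sort -rn
}

# --- demo on constructed sample output -------------------------------
echo "type of the login shell context: $(context_field user_u:system_r:unconfined_t 3)"

echo "confined processes:"
printf '%s\n' \
    'LABEL PID TTY TIME CMD' \
    'user_u:system_r:unconfined_t 4652 pts/1 00:00:00 bash' \
    'root:system_r:syslogd_t 512 ? 00:00:00 syslogd' \
    'root:system_r:portmap_t 498 ? 00:00:00 portmap' | confined_processes

echo "entries needing a relabel:"
printf '%s\n' \
    'drwx------ nerderel nerderel root:object_r:user_home_dir_t .' \
    '-rw-rw-r-- nerderel nerderel user_u:object_r:user_home_t test.txt' \
    '-rw-r--r-- nerderel nerderel system_u:object_r:unlabeled_t old.txt' \
    '-rw-r--r-- nerderel nerderel ? odd.txt' | unlabeled_entries
```

On a real machine you would feed the functions live output, for instance "ps -eZ | confined_processes" or "ls -alZ /etc | unlabeled_entries"; a long list from the second one is the sign that the /.autorelabel step described later is needed.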
The first problem I came across, when I upgraded to Fedora Core 2, was that the portmap daemon failed to start at boot, and I no longer had a syslog!
--daemons failing to start, no syslog--
There are a number of ways around this. You can sort out the filesystem (relabel it) so that it all works properly. Or (the first thing I used) simply turn SELinux off, which is a bit drastic, but it worked. Or you can disable just the bit of SELinux that is causing the problems.
Sorting out the file system to allow proper SELinux operations
Get yourself to a command line prompt, as root or via su -. Enter touch /.autorelabel and reboot.
When your PC comes back up, you will get a warning message that the file system is being relabeled and that it may take some time. I found on my PC that it took about the same time as my regular "updatedb", about 5 or 6 minutes.
Once the relabel has completed, your PC will continue to boot in the normal way. The relabeling is a one-off; you won't get this delay every time you boot up.
Now, when you use "ls -Z", you'll see that all of your files have a context, rather than just some.
Turning SELinux off
As you'd expect with Linux, there are a number of ways to turn off SELinux. You can:
1) Add selinux=0 to the kernel line within your /boot/grub/grub.conf file. Then, when you next boot, SELinux will not be started.
2) Set SELINUX=disabled in your /etc/sysconfig/selinux file (which may be a link to "/etc/selinux/config").
Disable parts of SELinux
Within Gnome or KDE you can use the System menu option Security Level, which runs the GUI-based program system-config-securitylevel.
This has a tab marked SELinux, which shows you what you can turn on and off.
From the SELinux service protection option (at the bottom of the list of options) you can turn off (disable) SELinux protection for particular daemons, such as portmap and syslogd. Doing so is what sets the corresponding xxx_disable_trans boolean shown by sestatus to active.
You can also, from the SELinux tab, stop/start the enforce option. SELinux can be run either to enforce its policy, or simply to report on any breaches (permissive mode); you'll get loads of avc: denied messages in the latter case, but nothing is actually blocked.
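Because there are three separate places where SELinux can be switched off or weakened (the grub.conf kernel line, the SELINUX= line in the config file, and the per-daemon xxx_disable_trans booleans shown by sestatus earlier in the post), it is worth being able to check all of them at once. The following is an added example, not code from the original post: small POSIX shell audit helpers that read those files and that command's output and report the current state. Every function reads stdin, so it can be fed real output ("sestatus | selinux_mode", "config_state < /etc/selinux/config") or the constructed samples embedded below; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: audit helpers that
# read the files and command output the post talks about and report
# whether, and how, SELinux has been switched off or weakened.
# Function names are this example's own; samples are constructed.

# "Current mode" from sestatus output: enforcing or permissive.
selinux_mode() {
    awk -F': *' '$1 == "Current mode" { print $2 }'
}

# Daemons whose *_disable_trans boolean is active, i.e. the ones for
# which SELinux protection has been turned off (the post's "disable
# parts of SELinux"). Prints one daemon name per line.
disabled_transitions() {
    awk '$1 ~ /_disable_trans$/ && $2 == "active" {
             sub(/_disable_trans$/, "", $1); print $1 }'
}

# SELINUX= value from an /etc/selinux/config style file:
# enforcing, permissive or disabled.
config_state() {
    awk -F= '/^SELINUX=/ { print $2 }'
}

# Exit 0 if any kernel line in a grub.conf style file carries
# selinux=0 (SELinux will not start at next boot), else exit 1.
kernel_selinux_off() {
    grep -E '^[[:space:]]*kernel[[:space:]].*[[:space:]]selinux=0([[:space:]]|$)' >/dev/null
}

# --- constructed samples in the formats shown in the post ------------
sample_sestatus() {
    printf '%s\n' \
        'SELinux status: enabled' \
        'SELinuxfs mount: /selinux' \
        'Current mode: enforcing' \
        'Mode from config file: enforcing' \
        'Policy version: 18' \
        'Policy from config file:targeted' \
        'Policy booleans:' \
        'allow_ypbind active' \
        'dhcpd_disable_trans inactive' \
        'portmap_disable_trans active' \
        'syslogd_disable_trans active'
}

sample_config() {
    printf '%s\n' '# This file controls the state of SELinux on the system.' \
        'SELINUX=enforcing' 'SELINUXTYPE=targeted'
}

sample_grub() {
    printf '%s\n' 'title Fedora Core 3 (constructed entry)' \
        '        root (hd0,0)' \
        '        kernel /vmlinuz ro root=LABEL=/ selinux=0'
}

# --- demo -------------------------------------------------------------
echo "current mode:        $(sample_sestatus | selinux_mode)"
echo "configured state:    $(sample_config | config_state)"
echo "unprotected daemons: $(sample_sestatus | disabled_transitions | tr '\n' ' ')"
if sample_grub | kernel_selinux_off; then
    echo "grub.conf: selinux=0 present, SELinux will be off at next boot"
else
    echo "grub.conf: SELinux will start at next boot"
fi
```

The useful combination is the disagreement between the sources: a running mode of enforcing together with SELINUX=disabled or selinux=0 means the protection you see now will be gone after the next reboot, and any daemon listed by disabled_transitions is running exactly as if SELinux were not there.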
--Not all of my files have a SELinux context--
After an upgrade of Fedora you may need to relabel your file system. This allows SELinux to give all files the correct context.
Get yourself to a command line prompt, as root or via su -. Enter touch /.autorelabel and reboot.
When your PC comes back up, you will get a warning message that the file system is being relabeled and that it may take some time. I found on my PC that it took about the same time as my regular "updatedb", about 5 or 6 minutes.
Written by Nerderello