building a policy: http://selinuxproject.org/page/Building_a_Basic_Policy

An SELinux label (security context) goes like this:
#types apply to objects (files, sockets, ...) while domains apply to processes
user:role:type:level      (the level is optional; only present with MLS/MCS)

User field
The first component of the security context is the SELinux user. It can be thought of as a way of grouping roles: the policy lists which roles each SELinux user may take. It is not the Linux login name; Linux users are mapped onto SELinux users with semanage login.

Role field
The second component is the role. It is only really relevant on processes (domains). The role on a file is always object_r, which has no meaning other than as a placeholder. On a process you would usually see a role like system_r or sysadm_r. Roles group domain types: the policy specifies which roles may enter which domains, so a process in a given role can only run in the domains authorised for that role.

Type field
The third component is the type, for example /usr/sbin/httpd is labeled with the type httpd_exec_t. In my opinion this is the most important field in the SELinux security context. This is the heart of SELinux Type Enforcement: most policy rules say what access a subject type (domain) has to which object types. By convention this component always ends in "_t".

Level field
The fourth component is the MLS (Multi-Level Security) field. It was not supported in RHEL 4 or Fedora Core 4 and first shows up with Fedora Core 5; it existed in earlier SELinux versions but was never turned on. Every policy shipped with Fedora Core 5 uses this component. On the strict and targeted policies it is referred to as the MCS (Multi-Category Security) field. Unfortunately this field can itself contain a ":", so a context cannot simply be split on colons: the level is everything after the third colon. Its syntax looks something like s0-s15:c1,c2 (a sensitivity range followed by a category set). Most files are labeled s0 by default, sometimes referred to as SystemLow. Fortunately SELinux provides a translation library (libsetrans, configured through setrans.conf) that replaces the raw codes in this field with a more human-readable form.
So something like s0:c1,c2 might show up to the user as PatientRecord,CompanyConfidential. On a targeted or strict policy machine s0 translates to "", so almost all files will not even show the fourth field.

#show contexts
ls -laZ                       #files
ps auxZ                       #processes
id -Z                         #the context of the current login

#change the context of a file (not persistent: the next restorecon/relabel puts the policy default back)
chcon -t [type] FOLDER/FILE
chcon -u [user] FILE
chcon -r [role] FILE
chcon -l [RANGE] FILE
chcon --reference=RFILE FILE  #use RFILE's security context rather than specifying a CONTEXT value
chcon -v ...                  #verbose

#set permissive, disabled or enforcing, and targeted or MLS, for the next boot
vi /etc/selinux/config

#see why an access is failing (explains the denials found in the audit log)
audit2allow -w -a
#see possible solutions: audit2allow -a proposes allow rules for the logged denials
#(it reads /var/log/audit/audit.log, or /var/log/messages when auditd is not running);
#setroubleshoot, when installed, logs its suggestions to /var/log/messages
audit2allow -a

#query the binary policy
seinfo [options] /etc/selinux/targeted/policy/policy.xx
#list domain types (the types carrying the "domain" attribute)
seinfo -adomain -x | less
#list all types
seinfo -t
#list SELinux users
seinfo -u
#list roles
seinfo -r

getenforce
  Returns the current mode of SELinux (Enforcing, Permissive or Disabled).
setenforce [ Enforcing | Permissive | 1 | 0 ]
  Switches the mode at runtime (root only; not persistent across reboots, use /etc/selinux/config for that). 1 or Enforcing enters enforcing mode. 0 or Permissive enters permissive mode: access violations are still logged, but not prevented. Disabled cannot be entered or left at runtime; that takes the config file and a reboot.
selinuxenabled
  Exits with status 0 if SELinux is enabled and 1 if it is disabled, for use in scripts:
  selinuxenabled
  echo $?
  0
getsebool [-a] [boolean_name]
  Shows the status of all booleans (-a) or of a specific boolean.
setsebool [-P] boolean value | bool1=val1 bool2=val2 ...
  Sets one or more boolean values. The -P option makes the change persistent across reboots; without it the setting is lost at the next boot.
togglesebool boolean ...
  Flips the current value of each named boolean (runtime only, not persistent).
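Added example (not from the page and not libselinux code): a small shell parser for the label format described above. It splits a context into its four fields without breaking on the ":" that an MLS/MCS level may contain, then shows the context the way ls -Z would after libsetrans translation. The translation table inside translate_level is constructed for this example (it reuses the PatientRecord,CompanyConfidential names from the text) and stands in for /etc/selinux/<policy>/setrans.conf; the function names are this example's own.

```bash
#!/bin/sh
# Added example: parse an SELinux security context and emulate libsetrans.
# The translation table below is constructed for the example, not a real
# setrans.conf.

# ctx_field CONTEXT N -> field N (1=user 2=role 3=type 4=level, "" if absent).
# The level may itself contain ':' (s0-s15:c1,c2), so it is taken as
# "everything after the third colon", never a plain split on ':'.
ctx_field() {
    case $1 in
        *:*:*) ;;
        *) printf 'not a security context: %s\n' "$1" >&2; return 1 ;;
    esac
    u=${1%%:*};    rest=${1#*:}
    r=${rest%%:*}; rest=${rest#*:}
    case $rest in
        *:*) ty=${rest%%:*}; lvl=${rest#*:} ;;   # type, then the whole level
        *)   ty=$rest;       lvl= ;;            # no level field at all
    esac
    case $2 in
        1) printf '%s\n' "$u" ;;
        2) printf '%s\n' "$r" ;;
        3) printf '%s\n' "$ty" ;;
        4) printf '%s\n' "$lvl" ;;
        *) return 1 ;;
    esac
}

# translate_level LEVEL -> the human-readable form from the table, or LEVEL
# unchanged when the table has no entry (as libsetrans does for unknown levels)
translate_level() {
    while IFS='=' read -r key val; do
        case $key in ''|'#'*) continue ;; esac
        if [ "$key" = "$1" ]; then printf '%s\n' "$val"; return 0; fi
    done <<'EOF'
# constructed setrans-style table: raw level=display name
s0=
s0:c1,c2=PatientRecord,CompanyConfidential
s0-s0:c0.c1023=SystemLow-SystemHigh
EOF
    printf '%s\n' "$1"
}

# pretty_context CONTEXT -> the context as displayed after translation; the
# fourth field is dropped when its translation is empty (s0 on targeted)
pretty_context() {
    u=$(ctx_field "$1" 1) || return 1
    r=$(ctx_field "$1" 2); ty=$(ctx_field "$1" 3)
    lvl=$(translate_level "$(ctx_field "$1" 4)")
    if [ -n "$lvl" ]; then printf '%s:%s:%s:%s\n' "$u" "$r" "$ty" "$lvl"
    else printf '%s:%s:%s\n' "$u" "$r" "$ty"; fi
}

# the same type as ls -Z would show it with and without categories
pretty_context "system_u:object_r:httpd_sys_content_t:s0:c1,c2"
pretty_context "system_u:object_r:httpd_sys_content_t:s0"
```

The point of ctx_field is the third case branch: anything that splits a context on every colon gets the type right for s0 but silently truncates a level like s0-s15:c1,c2, which matters whenever a script compares or rewrites MCS labels.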
#stop enforcing a single daemon (legacy *_disable_trans booleans of the old targeted policy: the daemon then runs unconfined instead of transitioning into named_t)
setsebool named_disable_trans 1

#mount a filesystem with one fixed context for every file on it
mount -o context=system_u:object_r:httpd_sys_content_t DEVICE MOUNTPOINT

#log file
/var/log/audit/audit.log

#list policy booleans
sestatus -b
#info on the security context of the files and processes listed in /etc/sestatus.conf
sestatus -v

#allow httpd to use an NFS directory
semanage boolean -m --on httpd_use_nfs
#or mount the NFS export with a context (here as home directories)
mount -t nfs -o context=user_u:object_r:user_home_dir_t \
    fileserver.example.com:/shared/homes/ /home

#squirrelmail is web content!
chcon -R -v --type=httpd_sys_content_t /usr/local/squirrelmail

#list SELinux users with their roles and ranges
semanage user -l
#assign a Linux user to an SELinux user identity (-s names the SELinux user to map to)
semanage login -a -s SELINUX_USER james

#file to edit so the "sensitive" documents get readable level/category names
vi /etc/selinux/targeted/setrans.conf
#MCS categories (targeted policy) look like this:
s0:c0=Marketing
s0:c1=Finance
s0:c2=Payroll
s0:c3=Personnel
#an MLS setrans.conf also names sensitivities and ranges:
# Unclassified level
s1=Unclassified
# Secret level with compartments
s2=Secret
s2:c0=A
s2:c1=B
# ranges for Unclassified
s0-s1=SystemLow-Unclassified
s1-s2=Unclassified-Secret
s1-s15:c0.c1023=Unclassified-SystemHigh
# ranges for Secret with compartments
s0-s2=SystemLow-Secret
s2:c1-s15:c0.c1023=Secret:B-SystemHigh
s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh

#list the categories known to the policy, with their translations
[root@serv]:/>>chcat -L
s0                      SystemLow
s0-s0:c0.c1023          SystemLow-SystemHigh
s0:c0.c1023             SystemHigh

#assign a category to a user ("--" stops +Marketing being parsed as an option)
chcat -l -- +Marketing james
#assign multiple categories to a file
chcat -- +Payroll financeRecords.txt
chcat -- +Finance financeRecords.txt
#a process can only read the file when its own category set contains every category on the file

#Security Levels (SLs) are composed of two types of entities:
#Sensitivity: a hierarchical attribute such as "Secret" or "Top Secret".
#Categories: a set of non-hierarchical attributes such as "US Only" or "UFO".
#MLS meets a very narrow (yet critical) set of security requirements based around the way information and personnel are managed in rigidly
#controlled environments such as the military.
MLS is typically difficult to work with and does not map well to general-case scenarios.
#Type Enforcement (TE) under SELinux is a more flexible and expressive security scheme, which is in many cases more suitable than MLS.
#The SELinux policy is the set of rules that guide the SELinux security engine. It defines types for file objects and domains for processes:
#types apply to objects while domains apply to processes.
#Programs that run in the unconfined_t domain have an executable file with a generic type such as sbin_t, for which no transition is defined.
#For example, the binary executable file object at /usr/bin/postgres has the type postgresql_exec_t. All of the targeted daemons have
#their own *_exec_t type; executing a file of that type is what makes init (or root) transition into the daemon's domain.

/etc/selinux/targeted/ — the root directory for the targeted policy; it contains the binary tree.
/etc/selinux/targeted/policy/ — the location of the binary policy file policy.xx (xx is the policy version); this is the file seinfo reads.
/etc/selinux/targeted/contexts/ — the security context information and configuration files used at runtime by various applications.
/etc/selinux/targeted/contexts/files/ — the default contexts for the entire file system. restorecon references this when performing relabeling operations.
/etc/selinux/targeted/contexts/users/ — in the targeted policy, only the root file is in this directory. These files are used to determine the context when a user logs in. For example, for the root user, the context is user_u:system_r:unconfined_t.
/etc/selinux/targeted/modules/active/booleans* — where the runtime booleans are configured.

#Processes in the unconfined_t domain have no SELinux restrictions and fall back to standard Linux security, that is, DAC.
#Network related classes include tcp_socket for TCP sockets, netif for network interfaces, and node for network nodes.
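Added example (not from the page): the dominance rule that chcat relies on, worked by hand in shell so the category lists above can be checked before touching a real file. It expands the level syntax (sN, category lists such as c1,c2 and category ranges such as c0.c1023, process ranges low-high) and applies the MCS file-read constraint: the high end of the process range must dominate the file's level, i.e. same or higher sensitivity and a superset of categories. The function names and the demo levels are this example's own; the category numbers follow the setrans.conf excerpt above (c0=Marketing, c1=Finance, c2=Payroll).

```bash
#!/bin/sh
# Added example: MCS/MLS dominance check done by hand.
# Level syntax: "sN" or "sN:CATS", CATS a comma list of "cX" or "cX.cY" ranges,
# e.g. s0:c0,c3.c5 = sensitivity 0 with categories c0 c3 c4 c5.
# A process range is "low-high", e.g. s0-s0:c0.c1023 (targeted policy default).

# expand_cats LEVEL -> one category number per line (nothing if LEVEL has no ':')
expand_cats() {
    case $1 in *:*) ;; *) return 0 ;; esac
    printf '%s\n' "${1#*:}" | tr ',' '\n' | while IFS= read -r item; do
        case $item in
            c*.c*)  lo=${item%%.*}; hi=${item#*.}; lo=${lo#c}; hi=${hi#c}
                    i=$lo
                    while [ "$i" -le "$hi" ]; do printf '%s\n' "$i"; i=$((i + 1)); done ;;
            c*)     printf '%s\n' "${item#c}" ;;
            *)      printf 'bad category %s\n' "$item" >&2; exit 1 ;;
        esac
    done
}

# sens LEVEL -> the N of sN (LEVEL must be a single level, not a range)
sens() { s=${1%%:*}; printf '%s\n' "${s#s}"; }

# high_of RANGE -> the high level of "low-high"; a bare level is returned as is
high_of() { printf '%s\n' "${1#*-}"; }

# dominates A B -> 0 if single level A dominates single level B:
# sens(A) >= sens(B) and cats(A) is a superset of cats(B)
dominates() {
    [ "$(sens "$1")" -ge "$(sens "$2")" ] || return 1
    a_cats=$(expand_cats "$1") || return 1
    for c in $(expand_cats "$2"); do
        printf '%s\n' "$a_cats" | grep -qx "$c" || return 1
    done
    return 0
}

# mcs_can_read PROCESS_RANGE FILE_LEVEL -> 0 if the MCS file-read constraint
# holds: the high end of the process range dominates the file's level, so every
# category chcat put on the file must be in the user's category set
mcs_can_read() { dominates "$(high_of "$1")" "$2"; }

# demo: financeRecords.txt carries Finance+Payroll (c1,c2) after the two chcat calls
mcs_can_read "s0-s0:c1,c2" "s0:c1,c2" && echo "Finance+Payroll user can read financeRecords.txt"
mcs_can_read "s0-s0:c0" "s0:c1,c2" || echo "Marketing-only user is refused"
mcs_can_read "s0-s0:c0.c1023" "s0:c1,c2" && echo "SystemHigh (root's default range) reads everything"
```

The last demo line is the caveat worth remembering: on the targeted policy unconfined users get s0-s0:c0.c1023, so categories restrict nothing until the users are given narrower ranges with chcat -l or semanage user.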
Roles in the targeted policy (as seinfo -r -x lists them):

system_r
  This role is for all system processes except user processes:
  system_r (28 types)
    dhcpd_t httpd_helper_t httpd_php_t httpd_suexec_t httpd_sys_script_t httpd_t
    httpd_unconfined_script_t initrc_t ldconfig_t mailman_cgi_t mailman_mail_t
    mailman_queue_t mysqld_t named_t ndc_t nscd_t ntpd_t pegasus_t portmap_t
    postgresql_t snmpd_t squid_t syslogd_t system_mail_t unconfined_t
    winbind_helper_t winbind_t ypbind_t

user_r
  This is the default user role for regular Linux users. In a strict policy, individual users might be used, allowing the users to have special roles to perform privileged operations. In the targeted policy, all users run in the unconfined_t domain.

object_r
  In SELinux, roles are not used for objects when RBAC is in effect. Roles are strictly for subjects, because roles are task-oriented and group together entities which perform actions (for example, processes); all such entities are collectively referred to as subjects. For this reason, all objects have the role object_r, and the role is only used as a placeholder in the label.

sysadm_r
  This is the system administrator role in a strict policy. If you log in directly as the root user, the default role may actually be staff_r. If so, use the newrole -r sysadm_r command to change to the SELinux system administrator role to perform system administration tasks. In the targeted policy, the following retain sysadm_r for compatibility:
  sysadm_r (6 types)
    httpd_helper_t httpd_sys_script_t initrc_t ldconfig_t ndc_t unconfined_t

There is effectively only one user identity in the targeted policy. The user_u identity was chosen because libselinux falls back to user_u as the default SELinux user identity when there is no matching SELinux user for the Linux user who is logging in. Using user_u as the single user in the targeted policy makes it easier to change to the strict policy.
The remaining users exist for compatibility with the strict policy.[22] The one exception is the SELinux user root. You may notice root as the user identity in a process's context. This occurs when the SELinux user root starts daemons from the command line, or restarts a daemon originally started by init.

#mv keeps the file's label (a file moved from /home into /var/www keeps user_home_t, and httpd cannot read it);
#cp gives the copy the default label of the destination directory.
#To keep the source label: cp --preserve=context (also part of cp -a); to set one explicitly: cp --context=CONTEXT (older coreutils: cp -Z CONTEXT).
#After a mv, run restorecon on the file to get the label the policy expects.

#Relabel the whole file system (needed after going from disabled back to enforcing/permissive, or after changing policy):
touch /.autorelabel
reboot
#At boot time the init scripts check for the existence of /.autorelabel. If this file exists, SELinux performs a complete file system relabel
#(using the /sbin/fixfiles -f -F relabel command), and then deletes /.autorelabel.

#share a folder's content with multiple domains (samba here): record the rule so it survives relabeling, then apply it
semanage fcontext -a -t public_content_rw_t '/var/eng(/.*)?'
restorecon -R -v /var/eng
setsebool -P allow_smbd_anon_write 1
#list available booleans
getsebool -a
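Added example (not from the page, and not audit2allow): a summary of the AVC denials in audit.log by source domain, target type, object class and permission, which is the view needed to choose between the three fixes used on this page (a relabel with semanage fcontext and restorecon, a boolean, or a new allow rule from audit2allow). The log lines inside sample_audit_log are constructed for the example in the real audit.log AVC format; the pids, inodes, file names and the function names are made up, not taken from any system.

```bash
#!/bin/sh
# Added example: summarise AVC denials from audit.log by type, not by file.

# sample_audit_log -> constructed audit.log lines (fabricated for this example)
sample_audit_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1300000000.100:101): arch=c000003e syscall=2 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0
type=AVC msg=audit(1300000000.100:101): avc:  denied  { read } for  pid=2345 comm="smbd" name="plan.doc" dev=sda3 ino=1234 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1300000000.200:102): avc:  denied  { read } for  pid=2345 comm="smbd" name="budget.xls" dev=sda3 ino=1235 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1300000000.300:103): avc:  denied  { read write } for  pid=2345 comm="smbd" name="plan.doc" dev=sda3 ino=1234 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1300000000.400:104): avc:  denied  { getattr } for  pid=3456 comm="httpd" path="/var/www/html/index.html" dev=sda3 ino=2222 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1300000000.500:105): avc:  granted  { setenforce } for  pid=4567 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security
EOF
}

# avc_summary < audit.log -> "COUNT source_type target_type class permission",
# one line per distinct denial. Granted records and non-AVC records are ignored.
avc_summary() {
    awk '
    /^type=AVC / && / denied / {
        p = index($0, "{"); q = index($0, "}")
        perms = substr($0, p + 1, q - p - 1)      # the permissions sit between { and }
        sc = ""; tc = ""; cl = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      sc = substr($i, 10)
            else if ($i ~ /^tcontext=/) tc = substr($i, 10)
            else if ($i ~ /^tclass=/)   cl = substr($i, 8)
        }
        split(sc, s, ":"); split(tc, t, ":")     # field 3 of a context is the type
        n = split(perms, pl, " ")                # a record may list several permissions
        for (j = 1; j <= n; j++) count[s[3] " " t[3] " " cl " " pl[j]]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort
}

sample_audit_log | avc_summary
```

In the constructed sample both smbd_t and httpd_t are being refused on user_home_t files, which points at the wrong label on the share rather than at either daemon: the fix is the semanage fcontext plus restorecon pair above (or moving the files with mv and relabeling), not an allow rule for every daemon that trips over it. Run it on a real box as `avc_summary < /var/log/audit/audit.log` and compare with what `audit2allow -w -a` says about the same records.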