SELINUX INTRODUCTION
Features:
1. Restricts access by subjects (users and/or processes) to objects (files)
2. Provides Mandatory Access Controls (MACs)
3. MACs extend Discretionary Access Controls (DACs(Standard Linux Permissions))
4. Stores MAC permissions in extended attributes of file systems
5. SELinux provides a way to separate: users, processes (subjects), and objects,
via labeling, and monitors/controls their interaction
6. SELinux is integrated into the Linux kernel
7. Implements sandboxes for subjects and objects
8. Default RH5 implementation creates sandboxes (domains) for 'targeted' daemons
and one sandbox (unconfined_t) for everything else
9. SELinux is implemented/enabled by RH5, by default
10. Operates in the following modes:
•Permissive - permission is always granted, but denials are logged in:
/var/log/messages
•Enforcing - strictly enforces 'targeted' policy rules
•Disabled - Only DACs are applied
11. Operating modes can be applied upon startup or while the system is running
SELinux Config files & Tools:
1. sestatus - displays current SELinux status, including:
•policy name 'targeted'
•policy version '21'
•Operating mode: 'enforcing|permissive|disabled'
2. /etc/sysconfig/selinux - primary startup|config file for SELinux
3. /etc/selinux/targeted - top-level container for the 'targeted' policy
4. setenforce = 0(permissive) 1(enforcing)
5. '-Z' can be applied to the following tools to obtain SELinux context info:
mv, cp, ls, ps, id
6. chcon -R -t type file - applies SELinux label to file/directory
Tasks:
1. Disable SELinux upon boot-up on LINUXCBTSERV4
•nano /etc/grub.conf
• Update 'kernel' line to reflect: selinux=0
Note:
If files(objects) lose their SELinux context, there are multiple ways to relabel them:
1. 'touch /.autorelabel && reboot' - init will relable the system according to the 'targeted' policy
2. 'fixfiles' - use to relabel objects (files) while the system is running
Note:
List of daemons protected by the 'targeted' SELinux policy:
1. apache(httpd)
2. dchpd
3. ntpd
4. named
5. syslogd
6. squid
7. snmpd
8. portmap
9. nscd
10. winbind
Note:
•The 'targeted' policy assigns ALL other subjects and objects to the 'unconfined_t' domain
•The default SELinux 'targeted' policy, using MACs, binds subject domains: i.e. 'httpd_t' to object types: i.e. 'httpd_config_t'
•SELinux MACs compound Linux DACs
No comments:
Post a Comment