Thursday, December 31, 2009

SELINUX INTRODUCTION IN REDHAT LINUX

SELINUX INTRODUCTION

Features:

1. Restricts access by subjects (users and/or processes) to objects (files)

2. Provides Mandatory Access Controls (MACs)

3. MACs extend Discretionary Access Controls (DACs, the standard Linux permissions)

4. Stores MAC permissions in extended attributes of file systems

5. SELinux provides a way to separate: users, processes (subjects), and objects,
via labeling, and monitors/controls their interaction

6. SELinux is integrated into the Linux kernel

7. Implements sandboxes for subjects and objects

8. Default RH5 implementation creates sandboxes (domains) for 'targeted' daemons
and one sandbox (unconfined_t) for everything else

9. SELinux is implemented/enabled by RH5, by default

10. Operates in the following modes:

• Permissive - permission is always granted, but denials are logged in:
/var/log/messages
• Enforcing - strictly enforces 'targeted' policy rules
• Disabled - Only DACs are applied

11. Operating modes can be applied upon startup or while the system is running
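Permissive mode is only useful if somebody reads the denials it logs. The script below is an added example (not from the original post) that summarises AVC denial lines the way a defender would triage them before deciding whether a file is mislabeled or a policy change is warranted. The sample lines are constructed to look like the kernel's syslog-routed AVC messages in /var/log/messages; hostnames, pids and inode numbers are made up, and only the "scontext", "tcontext" and "tclass" fields plus the permission in braces are used.

```shell
#!/bin/sh
# Added example, not from the original post: count distinct SELinux AVC
# denials (source type, target type, object class, permission) from a
# syslog-style file such as /var/log/messages on a permissive-mode host.

# Constructed sample log lines standing in for /var/log/messages.
AVC_SAMPLE="${TMPDIR:-/tmp}/avc_sample.$$"
cat > "$AVC_SAMPLE" <<'EOF'
Dec 31 10:00:01 linuxcbtserv4 kernel: audit(1262253601.101:12): avc:  denied  { read } for  pid=2201 comm="httpd" name="index.html" dev=sda2 ino=4711 scontext=root:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Dec 31 10:00:01 linuxcbtserv4 kernel: audit(1262253601.105:13): avc:  denied  { getattr } for  pid=2201 comm="httpd" path="/home/bob/public_html" dev=sda2 ino=4700 scontext=root:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
Dec 31 10:00:05 linuxcbtserv4 kernel: audit(1262253605.220:14): avc:  denied  { read } for  pid=2201 comm="httpd" name="index.html" dev=sda2 ino=4711 scontext=root:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Dec 31 10:01:00 linuxcbtserv4 kernel: audit(1262253660.001:15): avc:  denied  { name_bind } for  pid=2300 comm="ntpd" src=8123 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
Dec 31 10:01:01 linuxcbtserv4 sshd[2400]: Accepted publickey for bob from 10.0.0.5 port 51234 ssh2
EOF

# summarize_avc FILE
# Prints one line per distinct denial: "COUNT SRC_TYPE TGT_TYPE CLASS {PERMS}",
# most frequent first. Lines that are not "avc:  denied" records are ignored.
summarize_avc() {
    awk '
    /avc:  denied/ {
        # permission(s) live between the braces after "denied"
        perm = $0
        sub(/.*denied  [{] */, "", perm)
        sub(/ *[}].*/, "", perm)
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            # a context is user:role:type[:level]; the type is field 3
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        n[src " " tgt " " cls " {" perm "}"]++
    }
    END { for (k in n) print n[k], k }
    ' "$1" | sort -k1,1nr -k2
}

# Usage: the first line is the denial seen most often.
summarize_avc "$AVC_SAMPLE"
```

The repeated `httpd_t -> user_home_t` denials are the classic signature of a web root living under a home directory with the wrong type label; the fix is relabeling the files (chcon or fixfiles), not loosening the policy. The `ntpd_t -> port_t name_bind` line, by contrast, points at a daemon binding a port the policy does not associate with it and deserves a closer look before anything is changed.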

SELinux Config files & Tools:

1. sestatus - displays current SELinux status, including:
• policy name 'targeted'
• policy version '21'
• Operating mode: 'enforcing|permissive|disabled'

2. /etc/sysconfig/selinux - primary startup|config file for SELinux

3. /etc/selinux/targeted - top-level container for the 'targeted' policy

4. setenforce 0|1 - switches the running system to permissive (0) or enforcing (1)

5. '-Z' can be applied to the following tools to obtain SELinux context info:
mv, cp, ls, ps, id

6. chcon -R -t TYPE FILE - applies the SELinux type label to a file or directory (-R recurses into directories)

Tasks:

1. Disable SELinux upon boot-up on LINUXCBTSERV4

• nano /etc/grub.conf
• Update 'kernel' line to reflect: selinux=0
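Because the boot-time mode is decided in two places, the SELINUX= line in /etc/sysconfig/selinux and the kernel command line in grub.conf, an audit of a host has to read both: selinux=0 on the kernel line disables SELinux no matter what the config file says. The script below is an added example (not from the original post) that reports the mode a host will boot into from copies of those two files. The sample files are constructed; the kernel version and root device in them are placeholders, and the function assumes each grub title entry has exactly one kernel line so that grub's 0-based default= index selects it.

```shell
#!/bin/sh
# Added example, not from the original post: determine the SELinux mode a
# RHEL5-style host will boot into from /etc/sysconfig/selinux and grub.conf.
# Both paths are parameters so the check can run against backups or copies.

# Constructed sample files standing in for the real ones.
SAMPLE_DIR="${TMPDIR:-/tmp}/selinux_boot_check.$$"
mkdir -p "$SAMPLE_DIR"
cat > "$SAMPLE_DIR/selinux" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
cat > "$SAMPLE_DIR/grub.conf" <<'EOF'
default=0
timeout=5
title Red Hat Enterprise Linux Server (2.6.18-PLACEHOLDER.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-PLACEHOLDER.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet selinux=0
        initrd /initrd-2.6.18-PLACEHOLDER.el5.img
EOF
# Same grub.conf with the selinux=0 override removed, for comparison.
sed 's/ selinux=0$//' "$SAMPLE_DIR/grub.conf" > "$SAMPLE_DIR/grub_clean.conf"

# boot_mode SELINUX_CONF GRUB_CONF
# Prints disabled|permissive|enforcing, or "unknown" when SELINUX= is absent
# (assumption: we do not guess a default; a missing key is itself a finding).
boot_mode() {
    conf_mode=$(sed -n 's/^SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1)
    [ -n "$conf_mode" ] || conf_mode=unknown

    # Only the default boot entry matters; grub's default= is a 0-based index
    # into the title entries (assumed: one kernel line per title).
    idx=$(sed -n 's/^default=\([0-9]*\).*/\1/p' "$2" | head -n 1)
    [ -n "$idx" ] || idx=0
    kernel_line=$(grep '^[[:space:]]*kernel ' "$2" | sed -n "$((idx + 1))p")

    # selinux=0 on the kernel command line overrides the config file.
    case " $kernel_line " in
        *" selinux=0 "*) echo disabled ;;
        *)               echo "$conf_mode" ;;
    esac
}

# Usage: the sample grub.conf disables SELinux; the cleaned copy does not.
boot_mode "$SAMPLE_DIR/selinux" "$SAMPLE_DIR/grub.conf"
boot_mode "$SAMPLE_DIR/selinux" "$SAMPLE_DIR/grub_clean.conf"
```

Run against a fleet, the interesting result is any host where the two answers disagree: a config file that says enforcing while the kernel line quietly turns SELinux off is exactly the kind of change a sestatus check on the running system would show, but only after the next reboot.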

Note:
If files(objects) lose their SELinux context, there are multiple ways to relabel them:
1. 'touch /.autorelabel && reboot' - init will relabel the whole system according to the 'targeted' policy at the next boot
2. 'fixfiles' - use to relabel objects (files) while the system is running

Note:
List of daemons protected by the 'targeted' SELinux policy:

1. apache(httpd)

2. dhcpd

3. ntpd

4. named

5. syslogd

6. squid

7. snmpd

8. portmap

9. nscd

10. winbind

Note:

• The 'targeted' policy assigns ALL other subjects and objects to the 'unconfined_t' domain
• The default SELinux 'targeted' policy, using MACs, binds subject domains (e.g. 'httpd_t') to object types (e.g. 'httpd_config_t')
• SELinux MACs are applied on top of Linux DACs: an access must pass both checks
