<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link title="new" rel="stylesheet" href="css/main.css" type="text/css">
<link REL="shortcut icon" HREF="favicon.ico" TYPE="image/x-icon">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
<title>Gentoo Linux Handbook Page
--
  </title>
</head>
<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
<td width="99%" class="content" valign="top" align="left">
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>Load policy into a running SELinux kernel</p>
<p>
  This requires you to be in the <span class="code" dir="ltr">sysadm_r</span> role.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Semodule command</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">semodule -B</span>
</pre></td></tr>
</table>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>Change roles</p>
<p>
  This requires that your user has access to the target role.  This example
  is for changing to the <span class="code" dir="ltr">sysadm_r</span> role.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Newrole</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">newrole -r sysadm_r</span>
</pre></td></tr>
</table>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>Specify available roles for a user</p>
<p>
  There is a mapping of Linux users to SELinux identities.  The policy has
  generic SELinux users for relevant configurations of roles.  For example, to
  map the user <span class="code" dir="ltr">pebenito</span> to the SELinux identity <span class="code" dir="ltr">staff_u</span>, run:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Map pebenito to staff_u</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">semanage login -a -s staff_u pebenito</span>
</pre></td></tr>
</table>
<p>
  The policy does not need to be reloaded.  If the user is logged in, they
  must log out and log in again for the change to take effect.
</p>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>Relabel filesystems</p>
<p>
  This requires you to be in the <span class="code" dir="ltr">sysadm_r</span> role.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabel</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">rlpkg -a</span>
</pre></td></tr>
</table>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>Relabel an individual package</p>
<p>
   In addition to relabeling entire filesystems, individual portage packages
   can be relabeled.  This requires you to be in the <span class="code" dir="ltr">sysadm_r</span> role.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: rlpkg example</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">rlpkg shadow sash</span>
</pre></td></tr>
</table>
<p>
   The script rlpkg is used, and any number of packages can be specified
   on the command line.
</p>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>Scan for libraries with text relocations</p>
<p>
  SELinux has improved memory protections.  One feature supported is
  the permission for ELF text relocations.  The libraries with text relocations
  have a special label, and the <span class="code" dir="ltr">rlpkg</span> tool has an option to scan for
  these libraries.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: TEXTREL Scan</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">rlpkg -t</span>
</pre></td></tr>
</table>
<p>
  This will also be done automatically after a full relabel.
</p>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>Start daemons in the correct domain</p>
<p>
  Controlling daemons that have init scripts in /etc/init.d is slightly
  different in SELinux.  The <span class="code" dir="ltr">run_init</span> command must be used to run
  the scripts, to ensure they are run in the correct domain.  The command
  can be run normally, except the command is prefixed with <span class="code" dir="ltr">run_init</span>.
  This requires you to be in the <span class="code" dir="ltr">sysadm_r</span> role.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: run_init examples</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">run_init /etc/init.d/ntpd start</span>
# <span class="code-input">run_init /etc/init.d/apache2 restart</span>
# <span class="code-input">run_init /etc/init.d/named stop</span>
</pre></td></tr>
</table>
<p class="secthead"><a name="doc_chap1_sect1">Gentoo run_init integration</a></p>
<p>
  <span class="code" dir="ltr">run_init</span> has been integrated into Gentoo's init script system.  With
  SELinux installed, services can be started and stopped as usual, but will
  now authenticate the user.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Integrated run_init example</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">/etc/init.d/sshd restart</span>
Authenticating root.
Password:
 * Stopping sshd...                       [ ok ]
 * Starting sshd...                       [ ok ]
</pre></td></tr>
</table>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>Switch between enforcing and permissive modes</p>
<p>
  Switching between modes in SELinux is very simple.  Write a 1 for
  enforcing, or 0 for permissive to /selinux/enforce to set the mode.
  The current mode can be queried by reading /selinux/enforce; 0 means
  permissive mode, and 1 means enforcing mode.  If the kernel option
  "NSA SELinux Development Support" is turned off, the system will always
  be in enforcing mode, and cannot be switched to permissive mode.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
<span class="code-comment">Query current mode</span>
# <span class="code-input">cat /selinux/enforce</span>
<span class="code-comment">Switch to enforcing mode</span>
# <span class="code-input">echo 1 &gt; /selinux/enforce</span>
<span class="code-comment">Switch to permissive mode</span>
# <span class="code-input">echo 0 &gt; /selinux/enforce</span>
</pre></td></tr>
</table>
<p>
  A machine with development support turned on can be started in enforcing
  mode by adding <span class="code" dir="ltr">enforcing=1</span> to the kernel command line, in the
  bootloader (GRUB, lilo, etc.).
</p>
<p class="secthead"><a name="doc_chap1_sect1">Managed policy</a></p>
<p>
  In addition to the above kernel options, the mode at boot can be
  set by the <span class="code" dir="ltr">/etc/selinux/config</span> file.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: /etc/selinux/config</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# SELINUX can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=<span class="code-comment">permissive</span>
</pre></td></tr>
</table>
<p>
  The setting in this file will be overridden by the kernel command line
  options described above.
</p>
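<p>
  The precedence rules above, worked through as an added example (not handbook
  code). The <span class="code" dir="ltr">DEVEL</span> parameter, the function names, the handling of
  <span class="code" dir="ltr">enforcing=0</span> and the treatment of <span class="code" dir="ltr">disabled</span> are assumptions of this sketch.
</p>

```sh
#!/bin/sh
# Added example, not handbook code: predict the SELinux mode at boot.

# Constructed sample input: the /etc/selinux/config listing shown above.
sample_config() {
cat <<'EOF'
# SELINUX can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=permissive
EOF
}

# Print the last uncommented SELINUX= value in config file $1.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*$/\1/p' "$1" | tail -n 1
}

# Print the mode requested by enforcing=N in command line $1, or nothing.
# Assumption: if the argument is repeated, the last occurrence is used.
cmdline_mode() {
    mode=
    for arg in $1; do
        case $arg in
            enforcing=1) mode=enforcing ;;
            enforcing=0) mode=permissive ;;
        esac
    done
    printf '%s\n' "$mode"
}

# boot_mode CONFIG CMDLINE DEVEL
# DEVEL (hypothetical parameter): y if the kernel has development support.
boot_mode() {
    cfg=$(config_mode "$1")
    cmd=$(cmdline_mode "$2")
    if [ "$cfg" = disabled ]; then
        echo disabled        # assumption: no policy is loaded, so no mode applies
    elif [ "$3" != y ]; then
        echo enforcing       # no development support: always enforcing
    elif [ -n "$cmd" ]; then
        echo "$cmd"          # the kernel command line overrides the file
    else
        echo "${cfg:-unknown}"
    fi
}

f=$(mktemp) && sample_config > "$f"
boot_mode "$f" "root=/dev/sda3 enforcing=1" y
rm -f "$f"
```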
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>Understand sestatus output</p>
<p>
  The <span class="code" dir="ltr">sestatus</span> tool can be used to determine detailed SELinux-specific
  status information about the system.  The <span class="code" dir="ltr">-v</span> option provides extra
  detail about the context of processes and files.  The output will be
  divided into four sections.  Sestatus only provides complete information
  for a user logged in as root (or su/sudo), in the <span class="code" dir="ltr">sysadm_r</span> role.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Status example</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           enforcing
Policy version:         18
</pre></td></tr>
</table>
<p>
  The main status information is provided in the first section.  The first
  line shows if SELinux kernel functions exist and are enabled.  If the
  status is disabled, either the kernel does not have SELinux support, or
  the policy is not loaded.  The second line shows the mount point for
  the SELinux filesystem.  During normal use, the filesystem should be
  mounted at the default location of <span class="code" dir="ltr">/selinux</span>.  The third line
  shows the current SELinux mode, either enforcing or permissive.  The fourth
  line shows the policy database version supported by the currently running
  kernel.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Booleans example</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
Policy booleans:
secure_mode             inactive
ssh_sysadm_login        inactive
user_ping               inactive
</pre></td></tr>
</table>
<p>
  The second section displays the status of the conditional policy booleans.  The
  left column is the name of the boolean.  The right column is the status of the
  boolean, either active, or inactive.  This section will not be shown on
  policy version 15 kernels, as they do not support conditional policy.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Process context example</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
Process contexts:
Current context:        pebenito:sysadm_r:sysadm_t
Init context:           system_u:system_r:init_t
/sbin/agetty            system_u:system_r:getty_t
/usr/sbin/sshd          system_u:system_r:sshd_t
</pre></td></tr>
</table>
<p>
  The third section displays the context of the current process, and of several
  key processes.  If a process is running in the incorrect context, it will not
  function correctly.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: File context example</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
File contexts:
Controlling term:       pebenito:object_r:sysadm_devpts_t
/sbin/init              system_u:object_r:init_exec_t
/sbin/agetty            system_u:object_r:getty_exec_t
/bin/login              system_u:object_r:login_exec_t
/sbin/rc                system_u:object_r:initrc_exec_t
/sbin/runscript.sh      system_u:object_r:initrc_exec_t
/usr/sbin/sshd          system_u:object_r:sshd_exec_t
/sbin/unix_chkpwd       system_u:object_r:chkpwd_exec_t
/etc/passwd             system_u:object_r:etc_t
/etc/shadow             system_u:object_r:shadow_t
/bin/sh                 system_u:object_r:bin_t -&gt; system_u:object_r:shell_exec_t
/bin/bash               system_u:object_r:shell_exec_t
/bin/sash               system_u:object_r:shell_exec_t
/usr/bin/newrole        system_u:object_r:newrole_exec_t
/lib/libc.so.6          system_u:object_r:lib_t -&gt; system_u:object_r:shlib_t
/lib/ld-linux.so.2      system_u:object_r:lib_t -&gt; system_u:object_r:shlib_t
</pre></td></tr>
</table>
<p>
  The fourth section displays the context of the current process's controlling
  terminal, and of several key files.  For symbolic links, the context of
  the link and then the context of the link target is displayed.  If a file has
  an incorrect context, the file may be inaccessible or have incorrect
  permissions for a particular process.
</p>
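<p>
  A check built on the third and fourth sections, as an added example (not
  handbook code): it compares the type of selected processes and files in
  <span class="code" dir="ltr">sestatus -v</span> output with a baseline.  The baseline format and function names
  are assumptions; the sample output is constructed from the listings above.
</p>

```sh
#!/bin/sh
# Added example, not handbook code: audit contexts reported by `sestatus -v`.

# Baseline (assumed format): space-separated "section,path,expected_type".
BASELINE="process,/sbin/agetty,getty_t process,/usr/sbin/sshd,sshd_t
file,/etc/shadow,shadow_t file,/bin/sh,shell_exec_t file,/usr/sbin/sshd,sshd_exec_t"

# Constructed sample: the listings above, with the sshd process altered to
# sysadm_t to represent a daemon running outside its domain.
sample_status() {
cat <<'EOF'
Process contexts:
Current context:        pebenito:sysadm_r:sysadm_t
Init context:           system_u:system_r:init_t
/sbin/agetty            system_u:system_r:getty_t
/usr/sbin/sshd          system_u:system_r:sysadm_t

File contexts:
/etc/shadow             system_u:object_r:shadow_t
/bin/sh                 system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/usr/sbin/sshd          system_u:object_r:sshd_exec_t
EOF
}

# audit_contexts BASELINE: read sestatus -v output on stdin, print one line
# per mismatch, and return non-zero if any entry has an unexpected type.
audit_contexts() {
    awk -v baseline="$1" '
    BEGIN {
        n = split(baseline, rows, " ")
        for (i = 1; i <= n; i++) { split(rows[i], f, ","); want[f[1] "," f[2]] = f[3] }
    }
    /^Process contexts:/ { sect = "process"; next }
    /^File contexts:/    { sect = "file"; next }
    substr($0, 1, 1) != "/" && /:$/ { sect = ""; next }   # any other section
    sect != "" && substr($0, 1, 1) == "/" {
        key = sect "," $1
        if (!(key in want)) next
        split($NF, ctx, ":")          # for symlinks, $NF is the target context
        if (ctx[3] != want[key]) {
            printf "%s %s: type %s, expected %s\n", sect, $1, ctx[3], want[key]
            bad++
        }
    }
    END { exit (bad > 0) }'
}

sample_status | audit_contexts "$BASELINE" || echo "mismatches found"
```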
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="alttext">Updated October 14, 2006</p></td></tr>
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>