Red Hat Enterprise Linux 7

SELinux User's and Administrator's Guide

Basic and advanced configuration of Security-Enhanced Linux (SELinux)

Mirek Jahoda

Red Hat Customer Content Services

Ioanna Gkioka

Red Hat Customer Content Services

Barbora Ančincová

Red Hat Customer Content Services

Tomáš Čapek

Red Hat Customer Content Services

Abstract

This book consists of two parts: SELinux and Managing Confined Services. The former describes the basics and principles upon which SELinux functions; the latter focuses on practical tasks to set up and configure various confined services.

I. SELinux
1. Introduction
1.1. Benefits of running SELinux
1.2. Examples
1.3. SELinux Architecture
1.4. SELinux States and Modes
1.5. Additional Resources
2. SELinux Contexts
2.1. Domain Transitions
2.2. SELinux Contexts for Processes
2.3. SELinux Contexts for Users
3. Targeted Policy
3.1. Confined Processes
3.2. Unconfined Processes
3.3. Confined and Unconfined Users
3.3.1. The sudo Transition and SELinux Roles
4. Working with SELinux
4.1. SELinux Packages
4.2. Which Log File is Used
4.3. Main Configuration File
4.4. Permanent Changes in SELinux States and Modes
4.4.1. Enabling SELinux
4.4.2. Disabling SELinux
4.5. Booleans
4.5.1. Listing Booleans
4.5.2. Configuring Booleans
4.5.3. Shell Auto-Completion
4.6. SELinux Contexts – Labeling Files
4.6.1. Temporary Changes: chcon
4.6.2. Persistent Changes: semanage fcontext
4.7. The file_t and default_t Types
4.8. Mounting File Systems
4.8.1. Context Mounts
4.8.2. Changing the Default Context
4.8.3. Mounting an NFS Volume
4.8.4. Multiple NFS Mounts
4.8.5. Making Context Mounts Persistent
4.9. Maintaining SELinux Labels
4.9.1. Copying Files and Directories
4.9.2. Moving Files and Directories
4.9.3. Checking the Default SELinux Context
4.9.4. Archiving Files with tar
4.9.5. Archiving Files with star
4.10. Information Gathering Tools
4.11. Prioritizing and Disabling SELinux Policy Modules
4.12. Multi-Level Security (MLS)
4.12.1. MLS and System Privileges
4.12.2. Enabling MLS in SELinux
4.12.3. Creating a User With a Specific MLS Range
4.12.4. Setting Up Polyinstantiated Directories
4.13. File Name Transition
4.14. Disabling ptrace()
4.15. Thumbnail Protection
5. The sepolicy Suite
5.1. The sepolicy Python Bindings
5.2. Generating SELinux Policy Modules: sepolicy generate
5.3. Understanding Domain Transitions: sepolicy transition
5.4. Generating Manual Pages: sepolicy manpage
6. Confining Users
6.1. Linux and SELinux User Mappings
6.2. Confining New Linux Users: useradd
6.3. Confining Existing Linux Users: semanage login
6.4. Changing the Default Mapping
6.5. xguest: Kiosk Mode
6.6. Booleans for Users Executing Applications
7. sVirt
7.1. Security and Virtualization
7.2. sVirt Labeling
8. Secure Linux Containers
9. SELinux systemd Access Control
9.1. SELinux Access Permissions for Services
9.2. SELinux and journald
10. Troubleshooting
10.1. What Happens when Access is Denied
10.2. Top Three Causes of Problems
10.2.1. Labeling Problems
10.2.2. How are Confined Services Running?
10.2.3. Evolving Rules and Broken Applications
10.3. Fixing Problems
10.3.1. Linux Permissions
10.3.2. Possible Causes of Silent Denials
10.3.3. Manual Pages for Services
10.3.4. Permissive Domains
10.3.5. Searching For and Viewing Denials
10.3.6. Raw Audit Messages
10.3.7. sealert Messages
10.3.8. Allowing Access: audit2allow
11. Further Information
11.1. Contributors
11.2. Other Resources
II. Managing Confined Services
12. Introduction
13. The Apache HTTP Server
13.1. The Apache HTTP Server and SELinux
13.2. Types
13.3. Booleans
13.4. Configuration examples
13.4.1. Running a static site
13.4.2. Sharing NFS and CIFS volumes
13.4.3. Sharing files between services
13.4.4. Changing port numbers
14. Samba
14.1. Samba and SELinux
14.2. Types
14.3. Booleans
14.4. Configuration examples
14.4.1. Sharing directories you create
14.4.2. Sharing a website
15. File Transfer Protocol
15.1. Types
15.2. Booleans
16. Network File System
16.1. NFS and SELinux
16.2. Types
16.3. Booleans
16.4. Configuration Examples
16.4.1. Enabling SELinux Labeled NFS Support
17. Berkeley Internet Name Domain
17.1. BIND and SELinux
17.2. Types
17.3. Booleans
17.4. Configuration Examples
17.4.1. Dynamic DNS
18. Concurrent Versioning System
18.1. CVS and SELinux
18.2. Types
18.3. Booleans
18.4. Configuration Examples
18.4.1. Setting up CVS
19. Squid Caching Proxy
19.1. Squid Caching Proxy and SELinux
19.2. Types
19.3. Booleans
19.4. Configuration Examples
19.4.1. Squid Connecting to Non-Standard Ports
20. MariaDB (a replacement for MySQL)
20.1. MariaDB and SELinux
20.2. Types
20.3. Booleans
20.4. Configuration Examples
20.4.1. MariaDB Changing Database Location
21. PostgreSQL
21.1. PostgreSQL and SELinux
21.2. Types
21.3. Booleans
21.4. Configuration Examples
21.4.1. PostgreSQL Changing Database Location
22. rsync
22.1. rsync and SELinux
22.2. Types
22.3. Booleans
22.4. Configuration Examples
22.4.1. Rsync as a daemon
23. Postfix
23.1. Postfix and SELinux
23.2. Types
23.3. Booleans
23.4. Configuration Examples
23.4.1. SpamAssassin and Postfix
24. DHCP
24.1. DHCP and SELinux
24.2. Types
25. OpenShift by Red Hat
25.1. OpenShift and SELinux
25.2. Types
25.3. Booleans
25.4. Configuration Examples
25.4.1. Changing the Default OpenShift Directory
26. Identity Management
26.1. Identity Management and SELinux
26.1.1. Trust to Active Directory Domains
26.2. Configuration Examples
26.2.1. Mapping SELinux users to IdM users
27. Red Hat Gluster Storage
27.1. Red Hat Gluster Storage and SELinux
27.2. Types
27.3. Booleans
27.4. Configuration Examples
27.4.1. Labeling Gluster Bricks
28. References
A. Revision History