How do I get the equivalent of strict policy in Red Hat Enterprise Linux 6?

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux (RHEL) 6

The following information has been provided by Red Hat, but is outside the scope of our posted Service Level Agreements and support procedures. The intent of this article is to provide you with information to accomplish your system needs. Use the information in this article at your own risk.

Issue

  • How do I get the equivalent of strict policy in Red Hat Enterprise Linux 6?

Resolution

Strict merged into Targeted

  • In RHEL6 there is no longer a "strict" policy as it was merged into the targeted policy.
  • There exists two SELinux policy modules - unconfined.pp and unconfineduser.pp policy modules. These two modules are optional, and removing it gives the equivalent of strict policy.
  • Firstly, the unconfined.pp policy module can simply be removed. This moves closer to the former strict policy but leaves only user domains unconfined, along with some domains that do not make sense to confine (anaconda, firstboot, kernel,rpm) and also unconfined_t user will be exist.
# semodule -d unconfined
# seinfo -aunconfined_domain_type -x | tail -n +2 | wc -l
  • Next all unconfined domains can be disabled by disabling unconfineduser module which is equal strict policy. In this case, all users must be setup as confined users, before removing the unconfineduser module using semanage tool
# semanage login -m -s staff_u root
# semanage login -m -s staff_u __default__
# semanage user -d unconfined_u
# semanage user -m -R "staff_r system_r sysadm_r" staff_u
# semodule -d unconfineduser
  • Note: One of the RHEL6 features are Confined Users. This means, unconfined.pp and unconfineduser.pp policy modules can be used and an user can be confined even so. All this magic lies in adding login mappings between linux users and SELinux confined users.
# semanage login -a -s user_u -r s0-s0:c0.c1023 USERNAME1
# semanage login -a -s staff_u -r s0-s0:c0.c1023 USERNAME2

Multi-Level Security (MLS) policy

  • Additionally, the MLS policy is available providing levels of security which enforces sensitivity and category labelling, and requires site-specific configuration of these labels in order to be useful. Levels include "Unclassified", "Confidential", "Secret", and "Top Secret". To use this policy, install the appropriate policy module:
# yum install selinux-policy-mls
  • Then edit /etc/selinux/config and correct the line:
SELINUXTYPE=mls
  • Configure the system to boot into run level 3 by default:
sed -i "s/^id:5:initdefault:/id:3:initdefault:/g" /etc/inittab
  • Note: Switching between policies typically requires the entire disk to be relabelled, so that files get the appropriate SELinux contexts under the new policy. Add autorelabel flag
touch /.autorelabel; reboot

and boot with the additional grub command-line options

enforcing=0

to relabel the disk, then reboot normally.

Root Cause

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments