Monday, February 20, 2012

Security Enhanced Linux (SELinux) General Notes

CentOS 4.3 was based on Fedora Core (FC) 3, with Fedora Core 4 auditing.

Config File Location = /etc/sysconfig/selinux
Policy File Location = /etc/selinux/"name-of-policy"/src/policy

Because audit support is not part of FC3, login tries to audit and you receive an error.  To fix it, add this code to local.te in /etc/selinux/"name-of-policy"/domains/misc/

allow auth_chkpwd self:netlink_audit_socket *;
allow auth_chkpwd self:capability { audit_write audit_control };

Users need to be added to the users file located in /etc/selinux/"name-of-policy"/src/policy/users
Ex: user roadzy roles { user_r };

Roles must be created in the user.te file located in /etc/selinux/"name-of-policy"/domains/user.te
Ex: full_user_role (user) <- notice there is no _r
Ex: role_tty_type_change (user, admin)  <- This allows the user role to transfer to admin role

id -Z will show the current user you are logged in as and include the SELinux security context

If you want to enforce SELinux at boot, add enforcing=1 to /boot/grub/grub.conf

If you want to switch policies, for example from the targeted policy to strict, you have to run touch /.autorelabel to enable the new policy.  This relabels the whole file system.

/etc/selinux/"name-of-policy"/src/policy/assert.te contains neverallow statements that forbid the policy from ever granting those accesses

local.te lets you add your own allow statements to be built into the policy.  The file is located in /etc/selinux/"name-of-policy"/src/policy/domains/misc/local.te
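As an added illustration (not from these notes, and not how checkpolicy itself is implemented), a small Python checker that shows what the neverallow statements in assert.te do: it parses allow rules in the plain `source target:class perms;` form from a constructed local.te fragment and reports every one that a constructed assert.te neverallow forbids. Attributes, `~` negation and macros are deliberately not handled.

```python
import re
# Constructed sample fragments, not copied from any real policy tree.
ASSERT_TE = """
neverallow user_t shadow_t:file { read write };
neverallow { user_t auth_chkpwd } kernel_t:process transition;
"""
LOCAL_TE = """
allow auth_chkpwd self:netlink_audit_socket *;
allow auth_chkpwd self:capability { audit_write audit_control };
allow user_t shadow_t:file read;
allow auth_chkpwd kernel_t:process transition;
"""

# <kind> <source> <target>:<class> <perms>;  sets in {...}, '*' = every permission
RULE_RE = re.compile(
    r"^(allow|neverallow)\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+):(\S+)\s+(\{[^}]*\}|\S+);$")

def _set(field):
    return set(field.strip("{} ").split())

def parse_rules(text):
    """Parse rules into (kind, sources, targets, class, perms); 'self' expands to the sources."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed rule: {line}")
        kind, src, tgt, cls, perms = m.groups()
        src, tgt = _set(src), _set(tgt)
        rules.append((kind, src, set(src) if tgt == {"self"} else tgt, cls, _set(perms)))
    return rules

def violations(local_te, assert_te):
    """Allow rules of local_te that an assert.te neverallow forbids (checkpolicy rejects these)."""
    denials = [r for r in parse_rules(assert_te) if r[0] == "neverallow"]
    found = []
    for kind, src, tgt, cls, perms in parse_rules(local_te):
        if kind != "allow":
            continue
        for _, nsrc, ntgt, ncls, nperms in denials:
            if cls != ncls or not (src & nsrc) or not (tgt & ntgt):
                continue
            # '*' on either side covers every permission of the class
            hit = nperms if "*" in perms else perms if "*" in nperms else perms & nperms
            if hit:
                found.append((sorted(src & nsrc), sorted(tgt & ntgt), cls, sorted(hit)))
    return found
```

Run against the two constructed fragments, the auth_chkpwd audit rules from the notes above pass, while the shadow_t read and the kernel_t transition are flagged.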

Each new domain needs an fc & te file
fc's are located in /etc/selinux/"name-of-policy"/src/policy/file_context/program
te's are located in /etc/selinux/"name-of-policy"/src/policy/domains/program

To relabel a single file run the command: restorecon "filename"
If you want to relabel a whole directory run the command: restorecon -R "foldername"

To transition into a new role run:  newrole "somerole"_r
*You'll be prompted to enter the root password

To allow a domain to transition to another domain, you need to write an allow statement.  It needs to be added to local.te or another .te file
Ex: role "name-of-role"_r types "name-of-domain"_t

Domain auto transitions are written in the .te files.
Ex:  domain_auto_trans("some-role"_t, "the-program"_exec_t, "program"_t)

To create your own policy, cd into /etc/selinux/"name-of-policy"/src/policy.
Next run make clean -> make install -> make load -> make enableaudit
*If you want to chain them together run -> make clean; make install; make load; make enableaudit

Macros are located in /etc/selinux/"name-of-policy"/src/policy/macros

Examples of macros:
sudo_domain (role) -> used for sudo
r_dir_file (domain, reading domain) -> reads files of that domain
rw_dir_file (domain, reading & writing domain ) -> reads & writes to files of that domain
base_file_read_access (domain)
can_exec (domain, bin_t) -> allows executing of the bin_t domain

To audit a domain transition add the following to the te file or local.te:
Ex:  auditallow "domain"_t "domain2"_t:process transition;

A possible fix when no AVC messages show up is to add the following to a te or local.te file:
Ex:  allow "domain1"_t self:netlink_audit_socket *;
Ex:  allow "domain1"_t self:capability audit_write;

If you want to receive more information about an error run the following command:
Ex: auditctl -e 1

One big important thing... these notes are from pre-RHEL 5, and SELinux changed a great deal in RHEL 5.

Two great books that helped me with a lot of this are below: