SELinux on Fedora

SELinux User’s and Administrator’s Guide (PDF)

Wikipedia: SELinux
CentOS Wiki: SELinux
Introduction to SELinux: Don’t let complexity scare you off
Practical SELinux for the beginner: Contexts and labels

Security-Enhanced Linux – User Guide
2.1. Benefits of running SELinux
5.4.2. Disabling SELinux

TFTP

Problem

$ tftp 10.20.30.40 -c get /app-nand.bin
Error code 0: Permission denied

The file itself is world-readable (see the listing below), so this is not a DAC problem: the TFTP daemon runs in its own SELinux domain (tftpd_t) and is only allowed to read files that carry a tftp label. The denial is recorded on the server and can be confirmed with sudo ausearch -m AVC -ts recent (or in /var/log/audit/audit.log); ls -Z shows the label the file actually has.

Solution

$ cd /var/lib/tftpboot
$ ls -alZ
drwxrwxrwx. root root system_u:object_r:tftpdir_rw_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0   ..
-rwxrwxrwx. root root system_u:object_r:user_home_t:s0 app-nand.bin

The directory has the expected tftpdir_rw_t type, but the file is labeled user_home_t: it still carries the label it got in a home directory. That is what happens when a file is moved into place with mv, which preserves the existing label, whereas cp (without -a or --preserve=context) creates a new inode that inherits the target directory's default label. The 777 modes in the listing are not needed for a read-only get and do not help here; the fix is the label.

$ cd ..
$ restorecon -Rv tftpboot
restorecon reset /var/lib/tftpboot/app-nand.bin context system_u:object_r:user_home_t:s0->system_u:object_r:tftpdir_rw_t:s0
restorecon set context /var/lib/tftpboot/app-nand.bin->system_u:object_r:tftpdir_rw_t:s0 failed:'Operation not permitted'

This fails as an unprivileged user even though the file is world-writable: the label lives in the security.selinux extended attribute, and changing it on a file owned by root requires being the owner or holding CAP_FOWNER, in addition to the relabelfrom/relabelto permissions in policy. So run it as root:

$ sudo restorecon -Rv tftpboot
restorecon reset /var/lib/tftpboot/app-nand.bin context system_u:object_r:user_home_t:s0->system_u:object_r:tftpdir_rw_t:s0

$ cd tftpboot
$ ls -alZ 
drwxrwxrwx. root root system_u:object_r:tftpdir_rw_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0   ..
-rwxrwxrwx. root root system_u:object_r:tftpdir_rw_t:s0 app-nand.bin

$ tftp 172.21.6.53 -c get /app-nand.bin
$

Configuration examples
SELinux Contexts – Labeling Files

Two access-control layers apply to every file:

Discretionary Access Control (DAC): owner, group and mode bits, on all Linux systems, for files and directories
Mandatory Access Control (MAC) with SELinux: every process and every file carries a label, and the policy (type enforcement, with roles and MLS levels layered on top) decides which process types may access which file types, regardless of the mode bits

$ ls -Z file1
-rw-rw-r--  user1  group1  unconfined_u:object_r:user_home_t:s0  file1
            DAC: <user> <group>   SELinux context: <user>:<role>:<type>:<level>


Which label a path is supposed to have is decided by regex entries in the file_contexts tables (this is what restorecon and matchpathcon consult). The optional flag between regex and context restricts the entry to one file type: -d directories, -l symlinks, -- regular files; an entry without a flag matches any type. Site-specific additions go into file_contexts.local, and the per-user home directory entries are generated into file_contexts.homedirs:

$ cat /etc/selinux/targeted/contexts/files/file_contexts.homedirs
# User-specific file contexts, generated via libsemanage
# use semanage command to manage system users to change the file_context

# Home Context for user unconfined_u
/home/[^/]*/.+ unconfined_u:object_r:user_home_t:s0
/home/[^/]*/.maildir(/.*)? unconfined_u:object_r:mail_home_rw_t:s0
/home/[^/]* -d unconfined_u:object_r:user_home_dir_t:s0
/home/[^/]* -l unconfined_u:object_r:user_home_dir_t:s0
/home/[^/]*/abc -- unconfined_u:object_r:mozilla_home_t:s0
/home/[^/]*/tmp -d unconfined_u:object_r:user_tmp_t:s0
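The following is an added example, not code from the original page: a small POSIX shell model of what restorecon does in the TFTP case above, using the file_contexts entries just listed. It resolves a path to the context the table assigns (honouring the -d/-l/-- flags), then compares the type in an ls -alZ listing with that expectation and reports the entries that would be relabeled. Everything in it is an assumption of the example: the table is constructed (the homedir entries above plus a tftpboot entry consistent with the restorecon output above), the listing is constructed, regexes are anchored at both ends as in libselinux, and the last matching entry wins (libselinux additionally ranks entries by specificity, which gives the same answers for these entries).

```shell
#!/bin/sh
# Added example (not from the original page): toy model of restorecon's
# "expected label vs. actual label" comparison for /var/lib/tftpboot.
#
# Assumptions: constructed file_contexts table and listing; anchored regex
# matching with last-match-wins; the short `ls -Z` layout shown on the page
# (perms user group context name).

# Constructed table: the homedir entries from the page plus a tftpboot entry
# consistent with the restorecon output on the page.
FILE_CONTEXTS='/home/[^/]*/.+ unconfined_u:object_r:user_home_t:s0
/home/[^/]*/.maildir(/.*)? unconfined_u:object_r:mail_home_rw_t:s0
/home/[^/]* -d unconfined_u:object_r:user_home_dir_t:s0
/home/[^/]* -l unconfined_u:object_r:user_home_dir_t:s0
/home/[^/]*/abc -- unconfined_u:object_r:mozilla_home_t:s0
/home/[^/]*/tmp -d unconfined_u:object_r:user_tmp_t:s0
/var/lib/tftpboot(/.*)? system_u:object_r:tftpdir_rw_t:s0'

# Constructed `ls -alZ` listing: the page's tftpboot listing plus one file
# that is already labeled correctly.
LISTING='drwxrwxrwx. root root system_u:object_r:tftpdir_rw_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0   ..
-rwxrwxrwx. root root system_u:object_r:user_home_t:s0 app-nand.bin
-rw-r--r--. root root system_u:object_r:tftpdir_rw_t:s0 pxelinux.0'

# expected_context PATH KIND -> context string, or <<none>> if no entry matches.
# KIND: d = directory, l = symlink, f = regular file; it is checked against the
# optional file-type flag (-d, -l, --). An entry without a flag matches any kind.
expected_context() {
    printf '%s\n' "$FILE_CONTEXTS" | awk -v path="$1" -v kind="$2" '
        /^#/ || NF == 0 { next }
        {
            re = $1; flag = (NF == 3) ? $2 : ""; ctx = $NF
            if (flag == "-d" && kind != "d") next
            if (flag == "-l" && kind != "l") next
            if (flag == "--" && kind != "f") next
            if (path ~ ("^" re "$")) found = ctx   # last matching entry wins
        }
        END { print (found == "" ? "<<none>>" : found) }'
}

# expected_type PATH KIND -> only the type field of user:role:type:level.
expected_type() {
    expected_context "$1" "$2" | awk -F: '{ t = ($1 == "<<none>>") ? $1 : $3; print t }'
}

# find_mislabeled DIR LISTING -> one line per entry whose actual type differs
# from the expected one, i.e. what `restorecon -Rv DIR` would reset.
find_mislabeled() {
    dir=$1
    printf '%s\n' "$2" | while read -r perms _owner _group ctx name; do
        case $name in .|..|'') continue ;; esac
        case $perms in d*) kind=d ;; l*) kind=l ;; *) kind=f ;; esac
        # third colon-separated field of the context is the type
        actual=${ctx#*:}; actual=${actual#*:}; actual=${actual%%:*}
        want=$(expected_type "$dir/$name" "$kind")
        [ "$actual" = "$want" ] ||
            printf '%s/%s: %s -> %s\n' "$dir" "$name" "$actual" "$want"
    done
}

# Stand-alone run: reports app-nand.bin, the file the page relabels.
find_mislabeled /var/lib/tftpboot "$LISTING"
```

On a real system the same check is restorecon -Rvn /var/lib/tftpboot (report without changing anything) and matchpathcon /var/lib/tftpboot/app-nand.bin for a single path; the model above only shows how the table, the file-type flags and the type field fit together.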

Graphical front-ends for the same management tasks (booleans, file contexts, ports, login mappings):

$ system-config-selinux

$ yum install policycoreutils-devel
$ yum install policycoreutils-gui
$ sepolicy gui
