SELinux User’s and Administrator’s Guide (PDF)
Wikipedia: SELinux
CentOS Wiki: SELinux
Introduction to SELinux: Don’t let complexity scare you off
Practical SELinux for the beginner: Contexts and labels
Security-Enhanced Linux – User Guide
2.1. Benefits of running SELinux
5.4.2. Disabling SELinux
TFTP
Problem
$ tftp 10.20.30.40 -c get /app-nand.bin
Error code 0: Permission denied
Solution
The DAC bits are wide open (0777), so the denial comes from SELinux: app-nand.bin still carries user_home_t, the label of the home directory it was moved from (mv keeps a file's existing label; a file created or cp'd in place would have been labeled afresh), and the TFTP daemon's domain is not allowed to read user_home_t. The denial shows up as an AVC record in the audit log (ausearch -m avc -ts recent). The fix is to reset the tree to the labels defined in the policy's file_contexts with restorecon, which has to run as root, as the first attempt below shows. The 0777 mode is unrelated to the fix and wider than tftp needs (world-readable is enough).
$ cd /var/lib/tftpboot
$ ls -alZ
drwxrwxrwx. root root system_u:object_r:tftpdir_rw_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 ..
-rwxrwxrwx. root root system_u:object_r:user_home_t:s0 app-nand.bin
$ cd ..
$ restorecon -Rv tftpboot
restorecon reset /var/lib/tftpboot/app-nand.bin context system_u:object_r:user_home_t:s0->system_u:object_r:tftpdir_rw_t:s0
restorecon set context /var/lib/tftpboot/app-nand.bin->system_u:object_r:tftpdir_rw_t:s0 failed:'Operation not permitted'
$ sudo restorecon -Rv tftpboot
restorecon reset /var/lib/tftpboot/app-nand.bin context system_u:object_r:user_home_t:s0->system_u:object_r:tftpdir_rw_t:s0
$ cd tftpboot
$ ls -alZ
drwxrwxrwx. root root system_u:object_r:tftpdir_rw_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 ..
-rwxrwxrwx. root root system_u:object_r:tftpdir_rw_t:s0 app-nand.bin
After the relabel the transfer succeeds; tftp prints nothing on success:
$ tftp 172.21.6.53 -c get /app-nand.bin
$
Configuration examples
SELinux Contexts – Labeling Files
Discretionary Access Control (DAC): the owner, group and mode bits that every Linux system applies to files and directories.
Mandatory Access Control (MAC) under SELinux: every process and every file additionally carries a security context of the form user:role:type:level. The targeted policy enforces mainly on the type (Type Enforcement); roles (RBAC) and MLS levels sit on top of that.
$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
           DAC: <user> <group>  SELinux context: <user>:<role>:<type>:<level>
$ cat /etc/selinux/targeted/contexts/files/file_contexts.homedirs
# User-specific file contexts, generated via libsemanage
# use semanage command to manage system users to change the file_context
# Home Context for user unconfined_u
/home/[^/]*/.+ unconfined_u:object_r:user_home_t:s0
/home/[^/]*/.maildir(/.*)? unconfined_u:object_r:mail_home_rw_t:s0
/home/[^/]* -d unconfined_u:object_r:user_home_dir_t:s0
/home/[^/]* -l unconfined_u:object_r:user_home_dir_t:s0
/home/[^/]*/abc -- unconfined_u:object_r:mozilla_home_t:s0
/home/[^/]*/tmp -d unconfined_u:object_r:user_tmp_t:s0
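How file_contexts entries turn into labels, and why the TFTP case above was a labeling problem and not a permissions problem, can be shown with a small matcher. The following is an added example, not code from the page or from the SELinux project: it parses file_contexts-style lines (regex, optional file-type qualifier such as -d or --, context), computes the context a path should have, and compares an `ls -alZ` listing against that, reporting the same mismatches `restorecon -nv` would. Assumptions: the sample rules are constructed (the homedirs entries above plus /var/lib and /var/lib/tftpboot entries modeled on the targeted policy), the listing is the one from the TFTP case, and the matcher applies the simple rule that the last matching line wins; real libselinux additionally orders entries by stem specificity, which is not modeled here.

```python
import re
from dataclasses import dataclass
from typing import Optional

# file_contexts(5) file-type qualifiers: a rule with a qualifier only
# applies to that kind of object; a rule without one applies to all.
_QUALIFIERS = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chr",
               "-b": "blk", "-s": "sock", "-p": "fifo"}


@dataclass
class Rule:
    regex: "re.Pattern"
    ftype: Optional[str]    # None = matches any file type
    context: Optional[str]  # None = <<none>> (leave unlabeled)


def parse_file_contexts(text):
    """Parse file_contexts-style lines: REGEX [QUALIFIER] CONTEXT."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            pattern, qual, ctx = parts
            if qual not in _QUALIFIERS:
                raise ValueError("unknown qualifier in: %r" % line)
            ftype = _QUALIFIERS[qual]
        elif len(parts) == 2:
            (pattern, ctx), ftype = parts, None
        else:
            raise ValueError("malformed file_contexts line: %r" % line)
        # libselinux anchors every pattern at both ends.
        rules.append(Rule(re.compile("^" + pattern + "$"), ftype,
                          None if ctx == "<<none>>" else ctx))
    return rules


def expected_context(rules, path, ftype="file"):
    """Context the rules assign to PATH, or None if no rule matches.

    Modeled rule (assumption, see lead-in): entries are tried from the
    last line to the first and the first hit wins, so a specific entry
    placed after a generic one overrides it, as in the homedirs file.
    """
    for rule in reversed(rules):
        if rule.ftype is not None and rule.ftype != ftype:
            continue
        if rule.regex.match(path):
            return rule.context
    return None


def label_drift(rules, directory, ls_z_output):
    """Compare an `ls -alZ` listing of DIRECTORY against the rules.

    Returns [(path, actual_type, expected_type)] for entries whose type
    differs from policy, i.e. what `restorecon -nv` would report.
    """
    kinds = {"d": "dir", "l": "symlink", "-": "file"}
    drift = []
    for line in ls_z_output.splitlines():
        fields = line.split()
        # the context is the field that looks like user:role:type:level
        context = next((f for f in fields if f.count(":") >= 3), None)
        if len(fields) < 3 or context is None:
            continue
        mode, name = fields[0], fields[-1]
        if name == "..":            # belongs to the parent, skip it
            continue
        path = directory if name == "." else directory.rstrip("/") + "/" + name
        expected = expected_context(rules, path, kinds.get(mode[0], "file"))
        if expected is None:
            continue
        actual_type, expected_type = context.split(":")[2], expected.split(":")[2]
        if actual_type != expected_type:
            drift.append((path, actual_type, expected_type))
    return drift


# Constructed sample: the homedirs entries from the page plus two entries
# modeled on the targeted policy's /var/lib and tftp rules (assumed).
SAMPLE_FILE_CONTEXTS = """\
/var/lib(/.*)?              system_u:object_r:var_lib_t:s0
/var/lib/tftpboot(/.*)?     system_u:object_r:tftpdir_rw_t:s0
# Home Context for user unconfined_u
/home/[^/]*/.+              unconfined_u:object_r:user_home_t:s0
/home/[^/]*/.maildir(/.*)?  unconfined_u:object_r:mail_home_rw_t:s0
/home/[^/]*           -d    unconfined_u:object_r:user_home_dir_t:s0
/home/[^/]*           -l    unconfined_u:object_r:user_home_dir_t:s0
/home/[^/]*/abc       --    unconfined_u:object_r:mozilla_home_t:s0
/home/[^/]*/tmp       -d    unconfined_u:object_r:user_tmp_t:s0
"""

# Constructed sample: the `ls -alZ` listing from the TFTP case above.
SAMPLE_LS_Z = """\
drwxrwxrwx. root root system_u:object_r:tftpdir_rw_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 ..
-rwxrwxrwx. root root system_u:object_r:user_home_t:s0 app-nand.bin
"""

if __name__ == "__main__":
    rules = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    for path, actual, expected in label_drift(rules, "/var/lib/tftpboot", SAMPLE_LS_Z):
        print("%s: %s -> %s (needs restorecon)" % (path, actual, expected))
```

Run as-is it reports only app-nand.bin (user_home_t where tftpdir_rw_t is expected); the directory itself is fine. On a real system the same question is answered by `matchpathcon` or `restorecon -nv` against the installed policy, and a directory outside the policy's paths needs a `semanage fcontext -a` entry before restorecon can label it correctly.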
Graphical front-ends for browsing and managing the policy. On RHEL/CentOS 7 the sepolicy command line comes with policycoreutils-devel and the graphical tools with policycoreutils-gui:
$ yum install policycoreutils-devel
$ yum install policycoreutils-gui
$ system-config-selinux
$ sepolicy gui