SELinux User’s and Administrator’s Guide (PDF)
Wikipedia: SELinux
CentOS Wiki: SELinux
Introduction to SELinux: Don’t let complexity scare you off
Practical SELinux for the beginner: Contexts and labels
Security-Enhanced Linux – User Guide
2.1. Benefits of running SELinux
5.4.2. Disabling SELinux
TFTP
Problem
$ tftp 10.20.30.40 -c get /app-nand.bin
Error code 0: Permission denied
Solution
The file still carries the user_home_t label, most likely because it was moved into /var/lib/tftpboot with mv, which preserves the source label; the confined tftpd process is not allowed to read user_home_t files, so the wide-open DAC permissions do not help. restorecon reapplies the label the policy defines for /var/lib/tftpboot (relabeling requires root, which is why the first attempt fails):
$ cd /var/lib/tftpboot
$ ls -alZ
drwxrwxrwx. root root system_u:object_r:tftpdir_rw_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 ..
-rwxrwxrwx. root root system_u:object_r:user_home_t:s0 app-nand.bin
$ cd ..
$ restorecon -Rv tftpboot
restorecon reset /var/lib/tftpboot/app-nand.bin context system_u:object_r:user_home_t:s0->system_u:object_r:tftpdir_rw_t:s0
restorecon set context /var/lib/tftpboot/app-nand.bin->system_u:object_r:tftpdir_rw_t:s0 failed:'Operation not permitted'
$ sudo restorecon -Rv tftpboot
restorecon reset /var/lib/tftpboot/app-nand.bin context system_u:object_r:user_home_t:s0->system_u:object_r:tftpdir_rw_t:s0
$ cd tftpboot
$ ls -alZ
drwxrwxrwx. root root system_u:object_r:tftpdir_rw_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 ..
-rwxrwxrwx. root root system_u:object_r:tftpdir_rw_t:s0 app-nand.bin
$ tftp 172.21.6.53 -c get /app-nand.bin
$
Configuration examples
SELinux Contexts – Labeling Files
Discretionary Access Control (DAC), used on all Linux systems for files/directories
Role Based Access Control (RBAC), used by SELinux for processes
$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
DAC: <user> <group> (user1 group1); SELinux context: <user>:<role>:<type>:<level> (unconfined_u:object_r:user_home_t:s0)
$ cat /etc/selinux/targeted/contexts/files/file_contexts.homedirs
# User-specific file contexts, generated via libsemanage
# use semanage command to manage system users to change the file_context
# Home Context for user unconfined_u
/home/[^/]*/.+ unconfined_u:object_r:user_home_t:s0
/home/[^/]*/.maildir(/.*)? unconfined_u:object_r:mail_home_rw_t:s0
/home/[^/]* -d unconfined_u:object_r:user_home_dir_t:s0
/home/[^/]* -l unconfined_u:object_r:user_home_dir_t:s0
/home/[^/]*/abc -- unconfined_u:object_r:mozilla_home_t:s0
/home/[^/]*/tmp -d unconfined_u:object_r:user_tmp_t:s0
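As an added example (not from this page or from any SELinux project), a small Python lookup for the file_contexts syntax shown above (REGEX, optional type flag such as -d or --, CONTEXT) that also checks an `ls -Z` listing against the policy, which is exactly the user_home_t vs tftpdir_rw_t mismatch in the TFTP case. The precedence rules are an approximation of libselinux, the /var/lib/tftpboot rule in the sample is an assumption, and both sample inputs are constructed.

```python
import re
# Constructed sample in file_contexts(5) syntax, REGEX [FILE_TYPE] CONTEXT. The /home
# lines follow the homedirs listing above; the tftpboot line is an assumption.
SAMPLE_FILE_CONTEXTS = """\
/home/[^/]*/.+               unconfined_u:object_r:user_home_t:s0
/home/[^/]*/.maildir(/.*)?   unconfined_u:object_r:mail_home_rw_t:s0
/home/[^/]*              -d  unconfined_u:object_r:user_home_dir_t:s0
/home/[^/]*/tmp          -d  unconfined_u:object_r:user_tmp_t:s0
/var/lib/tftpboot(/.*)?      system_u:object_r:tftpdir_rw_t:s0
"""
# Constructed `ls -Z` lines modelled on the mislabelled TFTP file above.
SAMPLE_LS_Z = """\
drwxrwxrwx. root root system_u:object_r:tftpdir_rw_t:s0 /var/lib/tftpboot
-rwxrwxrwx. root root system_u:object_r:user_home_t:s0 /var/lib/tftpboot/app-nand.bin
"""
# file_contexts type flag -> first character of the ls mode string
FILE_TYPES = {"--": "-", "-d": "d", "-l": "l", "-b": "b", "-c": "c", "-p": "p", "-s": "s"}
META = re.compile(r"[.^$?*+|\[\](){}\\]")

def parse_file_contexts(text):
    """Parse entries to (regex, ftype|None, context, literal_stem, line_no); regexes are anchored."""
    specs = []
    for n, raw in enumerate(text.splitlines(), 1):
        f = raw.split()
        if not f or f[0].startswith("#"):
            continue  # blank and comment lines are ignored
        if len(f) not in (2, 3):
            raise ValueError(f"line {n}: malformed entry {raw!r}")
        ftype = FILE_TYPES[f[1]] if len(f) == 3 else None
        m = META.search(f[0])
        stem = f[0][: m.start()] if m else f[0]
        specs.append((re.compile(f[0] + "$"), ftype, f[-1], stem, n))
    return specs

def lookup(specs, path, ftype="-"):
    """Expected context or None; longest literal stem wins, then a metachar-free regex, then the later line."""
    hits = [s for s in specs if s[1] in (None, ftype) and s[0].match(path)]
    if not hits:
        return None
    return max(hits, key=lambda s: (len(s[3]), s[0].pattern == s[3] + "$", s[4]))[2]

def audit(specs, ls_z_output):
    """Return (path, current_type, expected_type) for entries whose type field is wrong, as restorecon -nv would report."""
    bad = []
    for line in ls_z_output.splitlines():
        mode, _owner, _group, ctx, path = line.split()
        want = lookup(specs, path, mode[0])
        if want and ctx.split(":")[2] != want.split(":")[2]:
            bad.append((path, ctx.split(":")[2], want.split(":")[2]))
    return bad
```

Running `audit(parse_file_contexts(SAMPLE_FILE_CONTEXTS), SAMPLE_LS_Z)` flags only app-nand.bin, the file the sudo restorecon run above relabeled.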
$ system-config-selinux
$ yum install policycoreutils-devel
$ yum install policycoreutils-gui
$ sepolicy gui