SELinux
Depending on the Puppet role and the Hiera settings, SELinux may be enabled by default. Enabling it is recommended especially for systems that are reachable from outside PSI.
This section gives basic information on SELinux in general, on common problems, and on how to solve them.
SELinux
Information on SELinux can be found here:
- Mandatory Access Control
- SELinux coloring book (/_static/selinux-coloring-book_A4-Stapled.pdf) (original)
SELinux modes
SELinux can be in one of three modes:
enforcing: The SELinux policy is enforced and violations are logged.
permissive: The SELinux policy is not enforced, but violations are still logged.
disabled: SELinux is not loaded at all.
Switching between enforcing and permissive is possible at runtime with setenforce(8); switching to or from disabled is configured in /etc/selinux/config and requires a reboot. Permissive mode is useful for finding missing rules, since every denial is logged but nothing is blocked, but for the same reason it offers no protection and must not be mistaken for it.
SELinux contexts
On an SELinux system every file has a context, and the SELinux policy controls whether a confined service can access files of a given context.
The context of files can be listed with the stat(1) command or by passing the -Z option to ls(1):
$ ls -Z /etc/fstab
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/fstab
$ stat /etc/fstab
File: ‘/etc/fstab’
Size: 619 Blocks: 8 IO Block: 4096 regular file
Device: fd01h/64769d Inode: 134320258 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Context: system_u:object_r:etc_t:s0
Access: 2017-05-13 21:50:43.533927373 +0200
Modify: 2016-04-03 04:19:02.289004083 +0200
Change: 2016-04-03 04:29:29.955011505 +0200
Birth: -
When files are created they are assigned a default context based on their path according to the system policy. Note that mv(1) keeps the context a file had at its old location, so files moved into a service directory (e.g. from a home directory) are a common source of mislabeled files; run restorecon(8) on them afterwards.
The default contexts configured for various filesystem locations can be listed by running semanage(8):
$ semanage fcontext -l
...
/usr/.* all files system_u:object_r:usr_t:s0
/var/.* all files system_u:object_r:var_t:s0
/run/.* all files system_u:object_r:var_run_t:s0
/srv/.* all files system_u:object_r:var_t:s0
...
Local customizations of the default contexts can be added with semanage fcontext -a and listed with semanage fcontext -l -C:
$ semanage fcontext -a -t httpd_sys_content_t '/srv/web/data(/.*)?'
$ semanage fcontext -a -t etc_t /srv/web/httpd.conf
$ semanage fcontext -l -C
/srv/web/httpd.conf all files system_u:object_r:etc_t:s0
/srv/web/data(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
Use the restorecon(8) command to restore the context of a file or directory tree according to the system policy:
$ restorecon -v /etc/fstab
$ restorecon -vR /etc/puppetlabs/
It is also possible to trigger a relabeling of all files according to the default contexts at the next boot (this can take a long time on large filesystems):
touch /.autorelabel
reboot
For debugging or during development the chcon(1) command can be used to change the context of a file directly:
chcon -t etc_t /srv/web/httpd.conf
Important
This is not persistent! The next restorecon(8), relabeling or system redeployment will overwrite changes made with chcon(1) with the context from the policy. Use semanage(8) as described above, or move the files in question to a location where the system policy already assigns the correct context.
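As an added example (not part of the original page), the following POSIX shell script checks an `ls -Z` listing for files whose SELinux type differs from the type the policy assigns to that location, which is exactly what happens after a file was moved into place with mv or relabeled by hand with chcon. The listing is constructed inline for the /srv/web/data directory from the semanage example above; on a real system it would come from `ls -Z`, and the output names the restorecon(8) call that fixes each file.

```shell
#!/bin/sh
# Added example: detect files whose SELinux type does not match the type the
# policy assigns to their location (e.g. after mv, which keeps the source
# context, or after a manual chcon).
# Input is the output of `ls -Z` in the form shown in the text:
#   -rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/fstab
# Parsing is field based, so paths containing whitespace are not handled.

# Print the type component of a context string, e.g. "etc_t".
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# find_mislabeled EXPECTED_TYPE   (reads an `ls -Z` listing on stdin)
# Prints "<path> <actual type>" for every file whose type differs.
find_mislabeled() {
    awk -v want="$1" '
        NF >= 5 {
            split($4, ctx, ":")
            if (ctx[3] != want) print $5, ctx[3]
        }'
}

# Constructed listing of /srv/web/data (not real output). The policy expects
# httpd_sys_content_t here after the semanage fcontext rule from the text;
# upload.html was moved in from a home directory with mv, and old.html was
# created before the rule existed.
SAMPLE_LISTING='-rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 /srv/web/data/index.html
-rw-r--r--. apache apache unconfined_u:object_r:user_home_t:s0 /srv/web/data/upload.html
-rw-r--r--. apache apache system_u:object_r:var_t:s0 /srv/web/data/old.html'

# Number of mislabeled files in the constructed listing.
mislabeled_count() {
    printf '%s\n' "$SAMPLE_LISTING" | find_mislabeled httpd_sys_content_t | wc -l | tr -d ' '
}

# Demo: list the offenders together with the command that fixes each one.
# Because the semanage rule is in place, restorecon applies the right type.
printf '%s\n' "$SAMPLE_LISTING" | find_mislabeled httpd_sys_content_t |
while read -r path actual; do
    printf '%s is %s, expected httpd_sys_content_t; run: restorecon -v %s\n' \
        "$path" "$actual" "$path"
done
```

Running the same check on the real directory is a matter of replacing the constructed listing with `ls -Z /srv/web/data`; on a system with SELinux tools installed, `restorecon -nvR /srv/web/data` gives the equivalent dry-run answer directly from the policy.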
SELinux Booleans
SELinux booleans are switches which enable or disable certain rules of the SELinux policy without writing a policy module. An example is httpd_can_network_connect, which controls whether Apache may open outbound network connections.
The state of an SELinux boolean is either on or off and can be queried using getsebool(8):
# List all SELinux booleans and their states
getsebool -a
# Show the state of a given boolean
getsebool httpd_can_network_connect
The setsebool(8) command changes the state of a boolean:
setsebool httpd_can_network_connect on
Without the -P option this only changes the running policy, and the boolean reverts to its persistent value at the next reboot. Use setsebool(8) with -P to make the change persistent (this rewrites the policy store and takes a few seconds). semanage boolean -l shows both the current and the persistent state of every boolean.
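As an added example (not part of the original page), this POSIX shell script reads `semanage boolean -l` output and reports booleans whose running state differs from the persistent default, i.e. booleans that were switched with setsebool but without -P and will silently revert at the next reboot. The sample output is constructed, and the line format it assumes, `NAME (CURRENT , DEFAULT) DESCRIPTION`, is the one printed by RHEL/CentOS 7; adjust the parsing if your version prints something else.

```shell
#!/bin/sh
# Added example: find booleans whose running state differs from the persistent
# default (changed with setsebool but without -P).
# Input is the output of `semanage boolean -l`; the assumed line format is
#   NAME   (CURRENT , DEFAULT)   DESCRIPTION
# i.e. the fields are NAME, "(CURRENT", ",", "DEFAULT)", DESCRIPTION...

# nonpersistent_booleans   (reads `semanage boolean -l` on stdin)
# Prints "<name> <current> <default>" for every mismatch.
nonpersistent_booleans() {
    awk '
        # Header lines have no "(cur , def)" pair in the second field.
        $2 ~ /^\(/ {
            cur = $2; sub(/^\(/, "", cur)
            def = $4; sub(/\)$/, "", def)
            if (cur != def) print $1, cur, def
        }'
}

# Constructed sample (not real output): httpd_can_network_connect was switched
# on at runtime only, the other two are consistent.
SAMPLE='SELinux boolean                State  Default Description
httpd_can_network_connect      (on   ,  off)  Allow httpd to can network connect
httpd_enable_homedirs          (off  ,  off)  Allow httpd to enable homedirs
httpd_use_nfs                  (off  ,  off)  Allow httpd to use nfs'

# Number of non-persistent changes in the constructed sample.
nonpersistent_count() {
    printf '%s\n' "$SAMPLE" | nonpersistent_booleans | wc -l | tr -d ' '
}

# Demo: for each runtime-only change, print the persistent command that
# would make it survive a reboot (or the command to revert it).
printf '%s\n' "$SAMPLE" | nonpersistent_booleans |
while read -r name cur def; do
    printf '%s: running=%s persistent=%s; to keep it: setsebool -P %s %s; to revert: setsebool %s %s\n' \
        "$name" "$cur" "$def" "$name" "$cur" "$name" "$def"
done
```

On a Puppet-managed host the persistent state should come from the selinux component rather than from a manual setsebool -P, so a mismatch reported here usually means someone debugged a denial by hand and the change should either be moved into Hiera or reverted.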
Puppet development
All Puppet modules should support SELinux. Modules which do, e.g. profile::aaa, must be tested on systems with SELinux in enforcing mode.
SELinux configuration is done through role::base and the selinux component.