forked from Controls/gitea-pages
merge selinux docu
@@ -61,7 +61,6 @@ chapters:
- file: admin-guide/configuration/citrix_vda
- file: admin-guide/configuration/configuration_email
- file: admin-guide/configuration/selinux_configuration
- file: admin-guide/container
- file: admin-guide/deployment
sections:
- file: admin-guide/deployment/sample
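Review bot: the rendered view has dropped the +/- markers, so the single line this header removes (`-61,7 +61,6`) cannot be identified from the hunk alone; `admin-guide/container` is listed here and is listed again in the `-110,7 +88,28` hunk below, so please confirm from the raw diff that the entry removed here is the intended one and that no TOC entry ends up twice.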
@@ -72,27 +71,6 @@ chapters:
- file: admin-guide/deployment/sysdb_env
- file: admin-guide/deployment/ipxe
- file: admin-guide/deployment/kickstart
- file: admin-guide/puppet
sections:
- file: admin-guide/puppet/general
- file: admin-guide/puppet/client
- file: admin-guide/puppet/puppet-master
- file: admin-guide/puppet/hiera
- file: admin-guide/puppet/modules
sections:
- glob: admin-guide/puppet/roles/*
- glob: admin-guide/puppet/roles/*/*
- glob: admin-guide/puppet/profiles/*
- glob: admin-guide/puppet/profiles/*/*
- glob: admin-guide/puppet/profiles/*/*/*
- glob: admin-guide/puppet/profiles/*/*/*/*
- glob: admin-guide/puppet/components/*
- file: admin-guide/puppet/development
- file: admin-guide/certificates
- file: admin-guide/accounts-and-groups
- file: admin-guide/active-directory
- file: admin-guide/selinux
- file: admin-guide/updates
- file: admin-guide/troubleshooting
sections:
- file: admin-guide/troubleshooting/deployment
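Review bot: dropping `admin-guide/selinux` from the TOC breaks every existing link or cross-reference to that page; grep the book for `admin-guide/selinux` and update those links (or add a redirect) before merging. The `admin-guide/puppet` block, `certificates`, `accounts-and-groups`, `active-directory` and `updates` entries that vanish here reappear after `troubleshooting` in the next hunk, so this is a TOC reorder bundled into a commit titled "merge selinux docu"; a separate commit for the reorder would make the history easier to review.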
@@ -110,7 +88,28 @@ chapters:
- file: admin-guide/troubleshooting/filesystem
- file: admin-guide/troubleshooting/processes
- file: admin-guide/troubleshooting/pcie_bus_error
- file: admin-guide/container
- file: admin-guide/certificates
- file: admin-guide/accounts-and-groups
- file: admin-guide/active-directory
- file: admin-guide/updates
- file: admin-guide/order-vm
- file: admin-guide/puppet
sections:
- file: admin-guide/puppet/general
- file: admin-guide/puppet/client
- file: admin-guide/puppet/puppet-master
- file: admin-guide/puppet/hiera
- file: admin-guide/puppet/modules
sections:
- glob: admin-guide/puppet/roles/*
- glob: admin-guide/puppet/roles/*/*
- glob: admin-guide/puppet/profiles/*
- glob: admin-guide/puppet/profiles/*/*
- glob: admin-guide/puppet/profiles/*/*/*
- glob: admin-guide/puppet/profiles/*/*/*/*
- glob: admin-guide/puppet/components/*
- file: admin-guide/puppet/development

- file: infrastructure-guide/index
sections:

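Review bot: `admin-guide/order-vm` is a new TOC entry, but no `order-vm` page is added anywhere in this diff; a TOC entry pointing at a missing file fails the book build, so either add the page in this commit or leave the entry out until it exists. The header `-110,7 +88,28` also accounts for one removed line that the rendered view does not mark; please name it in the commit message so the reorder is reviewable without the raw diff.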
@@ -1,150 +0,0 @@
SELinux
=======

Depending on the Puppet role and Hiera settings, SELinux can be enabled by
default. This is recommended especially for systems which are accessible from
outside PSI.

This section provides basic information on SELinux in general, common problems
and how to solve them.


SELinux
-------

Information on SELinux can be found here:

- `Mandatory Access Control <https://en.wikipedia.org/wiki/Mandatory_access_control>`_
- :download:`SELinux coloring book
<_static/selinux-coloring-book_A4-Stapled.pdf>` (`original
<https://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf>`_)


SELinux modes
-------------

SELinux can be in one of three modes:

- ``enforcing``

The SELinux policy is enforced, violations are logged.

- ``permissive``

The SELinux policy is **not** enforced, but violations are still logged.

- ``disabled``

SELinux is not loaded at all.


Going from ``enforcing`` or ``permissive`` to/from ``disabled`` requires a
reboot.


SELinux contexts
----------------

On an SELinux system every file has a context, and the SELinux policy controls
whether a confined service can access files of a given context.

The context of files can be listed with the :manpage:`stat(1)` command or by passing
the ``-Z`` option to ``ls(1)``::

$ ls -Z /etc/fstab
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/fstab

$ stat /etc/fstab
File: ‘/etc/fstab’
Size: 619 Blocks: 8 IO Block: 4096 regular file
Device: fd01h/64769d Inode: 134320258 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Context: system_u:object_r:etc_t:s0
Access: 2017-05-13 21:50:43.533927373 +0200
Modify: 2016-04-03 04:19:02.289004083 +0200
Change: 2016-04-03 04:29:29.955011505 +0200
Birth: -



When files are created they are assigned a default context based on their path
according to the system policy.

The default contexts configured for various filesystem locations can be listed
by running :manpage:`semanage(8)`::

$ semanage fcontext -l
...
/usr/.* all files system_u:object_r:usr_t:s0
/var/.* all files system_u:object_r:var_t:s0
/run/.* all files system_u:object_r:var_run_t:s0
/srv/.* all files system_u:object_r:var_t:s0
...


It is possible to add/list local customizations to the default contexts of the
system::


$ semanage fcontext -a -t httpd_sys_content_t '/srv/web/data(/.*)?'
$ semanage fcontext -a -t etc_t /srv/web/httpd.conf

$ semanage fcontext -l -C
/srv/web/httpd.conf all files system_u:object_r:etc_t:s0
/srv/web/data(/.*)? all files system_u:object_r:httpd_sys_content_t:s0


Use the :manpage:`restorecon(8)` command to restore the context of a file or
directory tree according to the system policy::

$ restorecon -v /etc/fstab
$ restorecon -vR /etc/puppetlabs/


It is also possible to trigger a relabeling of all files with default contexts
by::

touch /.autorelabel
reboot


For debugging or during development the :manpage:`chcon(1)` command can be used::

chcon -t etc_t /srv/web/httpd.conf

.. important:: This is not enough! The next ``restorecon(8)``, relabeling, or system
redeployment will not honor the changes made with :manpage:`chcon(1)`. Use
:manpage:`semanage(8)` as described above or change the location of the files
in question so that they are classified correctly by the system policy.


SELinux Booleans
----------------

SELinux booleans are variables which control certain restrictions enforced by
the SELinux policy. An example would be ``httpd_can_network_connect``, which
controls whether Apache can open network connections.

The state of SELinux booleans is either ``on`` or ``off`` and can be queried
using :manpage:`getsebool(8)`::

# List all SELinux booleans and their states
getsebool -a

# Show the state of a given variable
getsebool httpd_can_network_connect


The :manpage:`setsebool(8)` command changes the state of a boolean::

setsebool httpd_can_network_connect on


Puppet development
------------------

All Puppet modules should support SELinux. Modules which do, eg.
``profile::aaa``, must be tested with SELinux systems in enforcing mode.

SELinux configuration is done through ``role::base`` and the ``selinux``
component.
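Review bot: three parts of the deleted rst have no counterpart in the Markdown added in the following hunk: the `Mandatory Access Control` Wikipedia link, the introductory statement that SELinux can be enabled by default depending on the Puppet role and Hiera settings and is recommended for systems reachable from outside PSI, and the whole `Puppet development` section (modules such as ``profile::aaa`` must be tested on enforcing systems; SELinux configuration is done through ``role::base`` and the ``selinux`` component). The Puppet section is the only place that states the enforcing-mode test requirement, so if the omission is intentional, say so in the commit message; otherwise carry these paragraphs over to the new page.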
@@ -1,5 +1,103 @@
# SELinux

General information on SELinux can be found here:
- [SELinux coloring book](_static/selinux-coloring-book_A4-Stapled.pdf) - Original: https://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf

## Modes

SELinux can be in one of three modes:
- `enforcing` - The SELinux policy is enforced, violations are logged.
- `permissive` - The SELinux policy is **not** enforced, but violations are still logged.
- `disabled` - SELinux is not loaded at all.

Going from ``enforcing`` or ``permissive`` to/from ``disabled`` requires a reboot.


## Contexts

On an SELinux system every file has a context, and the SELinux policy controls whether a confined service can access files of a given context.

The context of files can be listed with the `stat` command or by passing the `-Z` option to `ls`::
```bash
$ ls -Z /etc/fstab
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/fstab

$ stat /etc/fstab
File: ‘/etc/fstab’
Size: 619 Blocks: 8 IO Block: 4096 regular file
Device: fd01h/64769d Inode: 134320258 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Context: system_u:object_r:etc_t:s0
Access: 2017-05-13 21:50:43.533927373 +0200
Modify: 2016-04-03 04:19:02.289004083 +0200
Change: 2016-04-03 04:29:29.955011505 +0200
Birth: -
```

When files are created they are assigned a default context based on their path according to the system policy.

The default contexts configured for various filesystem locations can be listed by running :manpage:`semanage`:
```bash
$ semanage fcontext -l
...
/usr/.* all files system_u:object_r:usr_t:s0
/var/.* all files system_u:object_r:var_t:s0
/run/.* all files system_u:object_r:var_run_t:s0
/srv/.* all files system_u:object_r:var_t:s0
...
```

It is possible to add/list local customizations to the default contexts of the system:

```bash
$ semanage fcontext -a -t httpd_sys_content_t '/srv/web/data(/.*)?'
$ semanage fcontext -a -t etc_t /srv/web/httpd.conf

$ semanage fcontext -l -C
/srv/web/httpd.conf all files system_u:object_r:etc_t:s0
/srv/web/data(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
```

Use the `restorecon` command to restore the context of a file or directory tree according to the system policy::
```bash
$ restorecon -v /etc/fstab
$ restorecon -vR /etc/puppetlabs/
```

It is also possible to trigger a relabeling of all files with default contexts by::
```bash
touch /.autorelabel
reboot
```

For debugging or during development the `chcon` command can be used:
```bash
chcon -t etc_t /srv/web/httpd.conf

.. important:: This is not enough! The next ``restorecon(8)``, relabeling, or system
redeployment will not honor the changes made with :manpage:`chcon(1)`. Use
:manpage:`semanage(8)` as described above or change the location of the files
in question so that they are classified correctly by the system policy.
```

## Booleans

SELinux booleans are variables which control certain restrictions enforced by the SELinux policy. An example would be `httpd_can_network_connect`, which controls whether Apache can open network connections.

The state of SELinux booleans is either `on` or `off` and can be queried using `getsebool`:
```bash
# List all SELinux booleans and their states
getsebool -a

# Show the state of a given variable
getsebool httpd_can_network_connect
```

The `setsebool` command changes the state of a boolean:
```bash
setsebool httpd_can_network_connect on
```


## Basic Checks and Actions


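Review bot: the ```bash fence opened before `chcon -t etc_t /srv/web/httpd.conf` is not closed until after the `.. important::` paragraph, so the warning that chcon changes are lost on the next `restorecon`, relabel or redeployment renders as literal shell text instead of an admonition; close the fence directly after the chcon line and rewrite the note in Markdown (a MyST `{important}` directive if the book is built with MyST, otherwise a `> **Important:**` blockquote), replacing the `:manpage:` roles with plain `chcon` / `semanage` references. Other rst leftovers in the new Markdown: the trailing `::` after the `ls`, `restorecon` and `by` sentences, the double backticks around `enforcing`, `permissive` and `disabled` in the reboot sentence, and the `:manpage:`semanage`` role in the `semanage fcontext -l` paragraph. The `## Basic Checks and Actions` heading carried over from the old file is still empty; either give it content (the `getsebool`/`setsebool` and `restorecon` material above would fit) or drop it.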