diff --git a/_toc.yml b/_toc.yml index 83b239c4..2a12842e 100644 --- a/_toc.yml +++ b/_toc.yml @@ -61,7 +61,6 @@ chapters: - file: admin-guide/configuration/citrix_vda - file: admin-guide/configuration/configuration_email - file: admin-guide/configuration/selinux_configuration - - file: admin-guide/container - file: admin-guide/deployment sections: - file: admin-guide/deployment/sample @@ -72,27 +71,6 @@ chapters: - file: admin-guide/deployment/sysdb_env - file: admin-guide/deployment/ipxe - file: admin-guide/deployment/kickstart - - file: admin-guide/puppet - sections: - - file: admin-guide/puppet/general - - file: admin-guide/puppet/client - - file: admin-guide/puppet/puppet-master - - file: admin-guide/puppet/hiera - - file: admin-guide/puppet/modules - sections: - - glob: admin-guide/puppet/roles/* - - glob: admin-guide/puppet/roles/*/* - - glob: admin-guide/puppet/profiles/* - - glob: admin-guide/puppet/profiles/*/* - - glob: admin-guide/puppet/profiles/*/*/* - - glob: admin-guide/puppet/profiles/*/*/*/* - - glob: admin-guide/puppet/components/* - - file: admin-guide/puppet/development - - file: admin-guide/certificates - - file: admin-guide/accounts-and-groups - - file: admin-guide/active-directory - - file: admin-guide/selinux - - file: admin-guide/updates - file: admin-guide/troubleshooting sections: - file: admin-guide/troubleshooting/deployment 
@@ -110,7 +88,28 @@ chapters: - file: admin-guide/troubleshooting/filesystem - file: admin-guide/troubleshooting/processes - file: admin-guide/troubleshooting/pcie_bus_error + - file: admin-guide/container + - file: admin-guide/certificates + - file: admin-guide/accounts-and-groups + - file: admin-guide/active-directory + - file: admin-guide/updates - file: admin-guide/order-vm + - file: admin-guide/puppet + sections: + - file: admin-guide/puppet/general + - file: admin-guide/puppet/client + - file: admin-guide/puppet/puppet-master + - file: admin-guide/puppet/hiera + - file: admin-guide/puppet/modules + sections: + - glob: admin-guide/puppet/roles/* + - glob: admin-guide/puppet/roles/*/* + - glob: admin-guide/puppet/profiles/* + - glob: admin-guide/puppet/profiles/*/* + - glob: admin-guide/puppet/profiles/*/*/* + - glob: admin-guide/puppet/profiles/*/*/*/* + - glob: admin-guide/puppet/components/* + - file: admin-guide/puppet/development - file: infrastructure-guide/index sections: diff --git a/admin-guide/selinux.rst b/admin-guide/selinux.rst deleted file mode 100644 index 1475c911..00000000 --- a/admin-guide/selinux.rst +++ /dev/null 
@@ -1,150 +0,0 @@ -SELinux -======= - -Depending on the Puppet role and Hiera settings, SELinux can be enabled by -default. This is recommended especially for systems which are accessible from -outside PSI. - -This section provides basic information on SELinux in general, common problems -and how to solve them. - - -SELinux -------- - -Information on SELinux can be found here: - -- `Mandatory Access Control `_ -- :download:`SELinux coloring book - <_static/selinux-coloring-book_A4-Stapled.pdf>` (`original - `_) - - -SELinux modes -------------- - -SELinux can be in one of three modes: - -- ``enforcing`` - - The SELinux policy is enforced, violations are logged. - -- ``permissive`` - - The SELinux policy is **not** enforced, but violations are still logged. - -- ``disabled`` - - SELinux is not loaded at all. - - -Going from ``enforcing`` or ``permissive`` to/from ``disabled`` requires a -reboot. - - -SELinux contexts ----------------- - -On an SELinux system every file has a context, and the SELinux policy controls -whether a confined service can access files of a given context. - -The context of files can be listed with the :manpage:`stat(1)` command or by passing -the ``-Z`` option to ``ls(1)``:: - - $ ls -Z /etc/fstab - -rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/fstab - - $ stat /etc/fstab - File: ‘/etc/fstab’ - Size: 619 Blocks: 8 IO Block: 4096 regular file - Device: fd01h/64769d Inode: 134320258 Links: 1 - Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root) - Context: system_u:object_r:etc_t:s0 - Access: 2017-05-13 21:50:43.533927373 +0200 - Modify: 2016-04-03 04:19:02.289004083 +0200 - Change: 2016-04-03 04:29:29.955011505 +0200 - Birth: - - - - -When files are created they are assigned a default context based on their path -according to the system policy. - -The default contexts configured for various filesystem locations can be listed -by running :manpage:`semanage(8)`:: - - $ semanage fcontext -l - ... 
- /usr/.* all files system_u:object_r:usr_t:s0 - /var/.* all files system_u:object_r:var_t:s0 - /run/.* all files system_u:object_r:var_run_t:s0 - /srv/.* all files system_u:object_r:var_t:s0 - ... - - -It is possible to add/list local customizations to the default contexts of the -system:: - - - $ semanage fcontext -a -t httpd_sys_content_t '/srv/web/data(/.*)?' - $ semanage fcontext -a -t etc_t /srv/web/httpd.conf - - $ semanage fcontext -l -C - /srv/web/httpd.conf all files system_u:object_r:etc_t:s0 - /srv/web/data(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 - - -Use the :manpage:`restorecon(8)` command to restore the context of a file or -directory tree according to the system policy:: - - $ restorecon -v /etc/fstab - $ restorecon -vR /etc/puppetlabs/ - - -It is also possible to trigger a relabeling of all files with default contexts -by:: - - touch /.autorelabel - reboot - - -For debugging or during development the :manpage:`chcon(1)` command can be used:: - - chcon -t etc_t /srv/web/httpd.conf - -.. important:: This is not enough! The next ``restorecon(8)``, relabeling, or system - redeployment will not honor the changes made with :manpage:`chcon(1)`. Use - :manpage:`semanage(8)` as described above or change the location of the files - in question so that they are classified correctly by the system policy. - - -SELinux Booleans ----------------- - -SELinux booleans are variables which control certain restrictions enforced by -the SELinux policy. An example would be ``httpd_can_network_connect``, which -controls whether Apache can open network connections. 
- -The state of SELinux booleans is either ``on`` or ``off`` and can be queried -using :manpage:`getsebool(8)`:: - - # List all SELinux booleans and their states - getsebool -a - - # Show the state of a given variable - getsebool httpd_can_network_connect - - -The :manpage:`setsebool(8)` command changes the state of a boolean:: - - setsebool httpd_can_network_connect on - - -Puppet development ------------------- - -All Puppet modules should support SELinux. Modules which do, eg. -``profile::aaa``, must be tested with SELinux systems in enforcing mode. - -SELinux configuration is done through ``role::base`` and the ``selinux`` -component. diff --git a/admin-guide/troubleshooting/selinux.md b/admin-guide/troubleshooting/selinux.md index cd5476d9..56d55903 100644 --- a/admin-guide/troubleshooting/selinux.md +++ b/admin-guide/troubleshooting/selinux.md 
@@ -1,5 +1,103 @@ # SELinux +General information on SELinux can be found here: +- [SELinux coloring book](_static/selinux-coloring-book_A4-Stapled.pdf) - Original: https://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf + +## Modes + +SELinux can be in one of three modes: +- `enforcing` - The SELinux policy is enforced, violations are logged. +- `permissive` - The SELinux policy is **not** enforced, but violations are still logged. +- `disabled` - SELinux is not loaded at all. + +Going from ``enforcing`` or ``permissive`` to/from ``disabled`` requires a reboot. + + +## Contexts + +On an SELinux system every file has a context, and the SELinux policy controls whether a confined service can access files of a given context. + +The context of files can be listed with the `stat` command or by passing the `-Z` option to `ls`:: +```bash +$ ls -Z /etc/fstab +-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/fstab + +$ stat /etc/fstab +File: ‘/etc/fstab’ +Size: 619 Blocks: 8 IO Block: 4096 regular file +Device: fd01h/64769d Inode: 134320258 Links: 1 +Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root) +Context: system_u:object_r:etc_t:s0 +Access: 2017-05-13 21:50:43.533927373 +0200 +Modify: 2016-04-03 04:19:02.289004083 +0200 +Change: 2016-04-03 04:29:29.955011505 +0200 +Birth: - +``` + +When files are created they are assigned a default context based on their path according to the system policy. + +The default contexts configured for various filesystem locations can be listed by running :manpage:`semanage`: +```bash +$ semanage fcontext -l +... +/usr/.* all files system_u:object_r:usr_t:s0 +/var/.* all files system_u:object_r:var_t:s0 +/run/.* all files system_u:object_r:var_run_t:s0 +/srv/.* all files system_u:object_r:var_t:s0 +... +``` + +It is possible to add/list local customizations to the default contexts of the system: + +```bash +$ semanage fcontext -a -t httpd_sys_content_t '/srv/web/data(/.*)?' 
+$ semanage fcontext -a -t etc_t /srv/web/httpd.conf + +$ semanage fcontext -l -C +/srv/web/httpd.conf all files system_u:object_r:etc_t:s0 +/srv/web/data(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 +``` + +Use the `restorecon` command to restore the context of a file or directory tree according to the system policy:: +```bash +$ restorecon -v /etc/fstab +$ restorecon -vR /etc/puppetlabs/ +``` + +It is also possible to trigger a relabeling of all files with default contexts by:: +```bash +touch /.autorelabel +reboot +``` + +For debugging or during development the `chcon` command can be used: +```bash +chcon -t etc_t /srv/web/httpd.conf + +.. important:: This is not enough! The next ``restorecon(8)``, relabeling, or system + redeployment will not honor the changes made with :manpage:`chcon(1)`. Use + :manpage:`semanage(8)` as described above or change the location of the files + in question so that they are classified correctly by the system policy. +``` + +## Booleans + +SELinux booleans are variables which control certain restrictions enforced by the SELinux policy. An example would be `httpd_can_network_connect`, which controls whether Apache can open network connections. + +The state of SELinux booleans is either `on` or `off` and can be queried using `getsebool`: +```bash +# List all SELinux booleans and their states +getsebool -a + +# Show the state of a given variable +getsebool httpd_can_network_connect +``` + +The `setsebool` command changes the state of a boolean: +```bash +setsebool httpd_can_network_connect on +``` + ## Basic Checks and Actions
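Review bot: the `- file: admin-guide/selinux` entry dropped in the second `_toc.yml` hunk (`@@ -72,27 +71,6 @@`) is the only moved entry that the third hunk does not re-add. That is consistent with `admin-guide/selinux.rst` being deleted further down, but any `:doc:` roles or relative links elsewhere in the guide that still point at `admin-guide/selinux` will now break the build; grep the tree for that path and retarget them to `admin-guide/troubleshooting/selinux` before merging.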
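Review bot: the deletion hunk for `admin-guide/selinux.rst` drops content that the new Markdown page does not carry over: the opening statement that SELinux can be enabled by default depending on the Puppet role and Hiera settings and is recommended for systems reachable from outside PSI, the `Mandatory Access Control` link in the introductory list, and the whole `Puppet development` section (all Puppet modules should support SELinux, modules such as `profile::aaa` must be tested on systems in enforcing mode, configuration is done through `role::base` and the `selinux` component). Move those paragraphs into `admin-guide/troubleshooting/selinux.md` or into the `admin-guide/puppet/development` page so the requirement is not lost with the file.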
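Review bot: in the `admin-guide/troubleshooting/selinux.md` hunk the `.. important::` admonition about `chcon` sits inside the bash code fence that starts with `+chcon -t etc_t /srv/web/httpd.conf`, so it will render as shell text instead of a warning; that caveat (the next `restorecon`, relabel or redeployment silently reverts a `chcon` change, so use `semanage fcontext` instead) is the one an admin on an enforcing system most needs to see. Close the fence right after the `chcon` line and rewrite the note in Markdown (for a MyST/Jupyter Book build, which the `_toc.yml` layout suggests, a `{important}` directive block). The same hunk also keeps RST syntax that will show up literally in Markdown: the trailing `::` after "the `-Z` option to `ls`", after "according to the system policy" and after "with default contexts by", the `:manpage:` role in "listed by running :manpage:`semanage`:", and the double-backtick `enforcing`, `permissive` and `disabled` in the reboot sentence, which should use single backticks like the rest of the page.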