From 84f0a067cdb11a48851bf29fdcf9ed720bb13196 Mon Sep 17 00:00:00 2001 From: Mirek Jahoda Date: Fri, 22 Jun 2018 18:10:52 +0200 Subject: [PATCH] SELinux states and modes added --- en-US/changing-selinux-states-and-modes.adoc | 19 +++++++ ...t-changes-in-selinux-states-and-modes.adoc | 32 ++++++++++++ .../proc_changing-to-enforcing-mode.adoc | 52 +++++++++++++++++++ .../proc_changing-to-permissive-mode.adoc | 31 +++++++++++ en-US/modules/proc_disabling-selinux.adoc | 38 ++++++++++++++ en-US/modules/proc_enabling-selinux.adoc | 28 ++++++++++ ...f_changing-selinux-modes-at-boot-time.adoc | 31 +++++++++++ 7 files changed, 231 insertions(+) create mode 100644 en-US/changing-selinux-states-and-modes.adoc create mode 100644 en-US/modules/con_permanent-changes-in-selinux-states-and-modes.adoc create mode 100644 en-US/modules/proc_changing-to-enforcing-mode.adoc create mode 100644 en-US/modules/proc_changing-to-permissive-mode.adoc create mode 100644 en-US/modules/proc_disabling-selinux.adoc create mode 100644 en-US/modules/proc_enabling-selinux.adoc create mode 100644 en-US/modules/ref_changing-selinux-modes-at-boot-time.adoc diff --git a/en-US/changing-selinux-states-and-modes.adoc b/en-US/changing-selinux-states-and-modes.adoc new file mode 100644 index 0000000..f854ac7 --- /dev/null +++ b/en-US/changing-selinux-states-and-modes.adoc 
@@ -0,0 +1,19 @@ +:experimental: +:parent-context: {context} + +// NOTE (TODO): several links (URLs) in the included modules could be replaced with URLs when the appropriate docs become available on fp.org + +[id='changing-selinux-states-and-modes-{context}'] += Changing SELinux states and modes +:context: selinux + +:md: ./modules + +include::{md}/con_permanent-changes-in-selinux-states-and-modes.adoc[leveloffset=+1] +include::{md}/proc_enabling-selinux.adoc[leveloffset=+1] +include::{md}/proc_changing-to-permissive-mode.adoc[leveloffset=+2] +include::{md}/proc_changing-to-enforcing-mode.adoc[leveloffset=+2] +include::{md}/proc_disabling-selinux.adoc[leveloffset=+1] +include::{md}/ref_changing-selinux-modes-at-boot-time.adoc[leveloffset=+1] + +:context: {parent-context} diff --git a/en-US/modules/con_permanent-changes-in-selinux-states-and-modes.adoc b/en-US/modules/con_permanent-changes-in-selinux-states-and-modes.adoc new file mode 100644 index 0000000..c9e0e79 --- /dev/null +++ b/en-US/modules/con_permanent-changes-in-selinux-states-and-modes.adoc 
@@ -0,0 +1,32 @@ +// Module included in the following assemblies: +// +// changing-selinux-states-and-modes.adoc + +[#{context}-changing-selinux-modes] += Permanent changes in SELinux states and modes + +As discussed in link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-security-enhanced_linux-introduction[Introduction to SELinux], SELinux can be enabled or disabled. When enabled, SELinux has two modes: enforcing and permissive. + +Use the [command]`getenforce` or [command]`sestatus` commands to check in which mode SELinux is running. The [command]`getenforce` command returns `Enforcing`, `Permissive`, or `Disabled`. + +The [command]`sestatus` command returns the SELinux status and the SELinux policy being used: + +[source,bash] +---- +~]$ sestatus +SELinux status: enabled +SELinuxfs mount: /sys/fs/selinux +SELinux root directory: /etc/selinux +Loaded policy name: targeted +Current mode: enforcing +Mode from config file: enforcing +Policy MLS status: enabled +Policy deny_unknown status: allowed +Memory protection checking: actual (secure) +Max kernel policy version: 31 +---- + +[NOTE] +==== +When systems run SELinux in permissive mode, users are able to label files incorrectly. Files created while SELinux is disabled are not labeled at all. This behavior causes problems when changing to enforcing mode because files are labeled incorrectly or are not labeled at all. To prevent incorrectly labeled and unlabeled files from causing problems, file systems are automatically relabeled when changing from the disabled state to permissive or enforcing mode. +==== diff --git a/en-US/modules/proc_changing-to-enforcing-mode.adoc b/en-US/modules/proc_changing-to-enforcing-mode.adoc new file mode 100644 index 0000000..8a47da6 --- /dev/null +++ b/en-US/modules/proc_changing-to-enforcing-mode.adoc 
@@ -0,0 +1,52 @@ +// Module included in the following assemblies: +// +// changing-selinux-states-and-modes.adoc + +[#{context}-changing-to-enforcing-mode] += Changing to enforcing mode + +When SELinux is running in enforcing mode, it enforces the SELinux policy and denies access based on SELinux policy rules. In Fedora, enforcing mode is enabled by default when the system was initially installed with SELinux. + +If SELinux was disabled, follow the procedure below to change mode to enforcing again: + +This procedure assumes that the [package]*selinux-policy-targeted*, [package]*selinux-policy*, [package]*libselinux*, [package]*libselinux-python*, [package]*libselinux-utils*, [package]*policycoreutils*, and [package]*policycoreutils-python* packages are installed. To verify that the packages are installed, use the following command: +[subs="quotes"] +---- +~]$ rpm -q _package_name_ +---- + +. Edit the `/etc/selinux/config` file as follows: ++ +---- +# This file controls the state of SELinux on the system. +# SELINUX= can take one of these three values: +# enforcing - SELinux security policy is enforced. +# permissive - SELinux prints warnings instead of enforcing. +# disabled - No SELinux policy is loaded. +SELINUX=pass:quotes[*enforcing*] +# SELINUXTYPE= can take one of these two values: +# targeted - Targeted processes are protected, +# mls - Multi Level Security protection. +SELINUXTYPE=targeted +---- + +. Reboot the system: ++ +---- +~]# reboot +---- ++ +On the next boot, SELinux relabels all the files and directories within the system and adds SELinux context for files and directories that were created when SELinux was disabled. + +[NOTE] +==== +After changing to enforcing mode, SELinux may deny some actions because of incorrect or missing SELinux policy rules. 
To view what actions SELinux denies, enter the following command as root: +---- +~]# ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today +---- +Alternatively, with the [package]*setroubleshoot-server* package installed, enter the following command as root: +---- +~]# grep "SELinux is preventing" /var/log/messages +---- +If SELinux denies some actions, see the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-security-enhanced_linux-troubleshooting[Troubleshooting] chapter in the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/index[Red Hat Enterprise Linux 7 SELinux User's and Administrator's Guide] for information about troubleshooting. +==== diff --git a/en-US/modules/proc_changing-to-permissive-mode.adoc b/en-US/modules/proc_changing-to-permissive-mode.adoc new file mode 100644 index 0000000..f9affb6 --- /dev/null +++ b/en-US/modules/proc_changing-to-permissive-mode.adoc 
@@ -0,0 +1,31 @@ +// Module included in the following assemblies: +// +// assembly_changing-selinux-states-and-modes.adoc + +[#{context}-changing-to-permissive-mode] += Changing to permissive mode + +When SELinux is running in permissive mode, SELinux policy is not enforced. The system remains operational and SELinux does not deny any operations but only logs AVC messages, which can be then used for troubleshooting, debugging, and SELinux policy improvements. Each AVC is logged only once in this case. + +To permanently change mode to permissive, follow the procedure below: + +. Edit the `/etc/selinux/config` file as follows: ++ +---- +# This file controls the state of SELinux on the system. +# SELINUX= can take one of these three values: +# enforcing - SELinux security policy is enforced. +# permissive - SELinux prints warnings instead of enforcing. +# disabled - No SELinux policy is loaded. +SELINUX=pass:quotes[*permissive*] +# SELINUXTYPE= can take one of these two values: +# targeted - Targeted processes are protected, +# mls - Multi Level Security protection. +SELINUXTYPE=targeted +---- + +. Reboot the system: ++ +---- +~]# reboot +---- diff --git a/en-US/modules/proc_disabling-selinux.adoc b/en-US/modules/proc_disabling-selinux.adoc new file mode 100644 index 0000000..6d0e69c --- /dev/null +++ b/en-US/modules/proc_disabling-selinux.adoc 
@@ -0,0 +1,38 @@ +// Module included in the following assemblies: +// +// changing-selinux-states-and-modes.adoc + +[#{context}-Enabling_and_Disabling_SELinux-Disabling_SELinux] += Disabling SELinux + +When SELinux is disabled, SELinux policy is not loaded at all; it is not enforced and AVC messages are not logged. Therefore, all benefits of running SELinux listed in link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-security-enhanced_linux-introduction#sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux[Benefits of SELinux] are lost. + +[IMPORTANT] +==== +It is recommended to use permissive mode instead of permanently disabling SELinux. See <<{context}-changing-to-permissive-mode>> for more information about permissive mode. +==== + +To permanently disable SELinux, follow the procedure below: + +. Configure [option]`SELINUX=disabled` in the `/etc/selinux/config` file: ++ +---- + +# This file controls the state of SELinux on the system. +# SELINUX= can take one of these three values: +# enforcing - SELinux security policy is enforced. +# permissive - SELinux prints warnings instead of enforcing. +# disabled - No SELinux policy is loaded. +SELINUX=pass:quotes[*disabled*] +# SELINUXTYPE= can take one of these two values: +# targeted - Targeted processes are protected, +# mls - Multi Level Security protection. +SELINUXTYPE=targeted +---- + +. Reboot your system. After reboot, confirm that the [command]`getenforce` command returns `Disabled`: ++ +---- +`~]$`pass:attributes[{blank}] pass:attributes[{blank}][command]`getenforce` +Disabled +---- diff --git a/en-US/modules/proc_enabling-selinux.adoc b/en-US/modules/proc_enabling-selinux.adoc new file mode 100644 index 0000000..465cf22 --- /dev/null +++ b/en-US/modules/proc_enabling-selinux.adoc 
@@ -0,0 +1,28 @@ +// Module included in the following assemblies: +// +// changing-selinux-states-and-modes.adoc + +[#{context}-enabling-selinux] += Enabling SELinux + +When enabled, SELinux can run in one of two modes: enforcing or permissive. The following sections show how to permanently change into these modes. + +While enabling SELinux on systems that previously had it disabled, to avoid problems, such as systems unable to boot or process failures, follow this procedure: + +. Enable SELinux in permissive mode. For more information, see <<{context}-changing-to-permissive-mode>>. + +. Reboot your system. + +. Check for SELinux denial messages. +// For more information, see <>. + +. If there are no denials, switch to enforcing mode. For more information, see <<{context}-changing-to-enforcing-mode>>. + +To run custom applications with SELinux in enforcing mode, choose one of the following scenarios: + +* Run your application in the `unconfined_service_t` domain. +// See <> for more information. + +* Write a new policy for your application. See the link:++https://access.redhat.com/solutions/117583++[Writing Custom SELinux Policy] Knowledgebase article for more information. + +// Temporary changes in modes are covered in <<{context}-selinux-states-and-modes>>. diff --git a/en-US/modules/ref_changing-selinux-modes-at-boot-time.adoc b/en-US/modules/ref_changing-selinux-modes-at-boot-time.adoc new file mode 100644 index 0000000..2072d2a --- /dev/null +++ b/en-US/modules/ref_changing-selinux-modes-at-boot-time.adoc 
@@ -0,0 +1,31 @@ +// Module included in the following assemblies: +// +// assembly_changing-selinux-states-and-modes.adoc + +[#{context}-Enabling_and_Disabling_SELinux-Dracut-parameters] += Changing SELinux Modes at Boot Time + +On boot, you can set several kernel parameters to change the way SELinux runs: + +enforcing=0:: Setting this parameter causes the machine to boot in permissive mode, which is useful when troubleshooting issues. Using permissive mode might be the only option to detect a problem if your file system is too corrupted. Moreover, in permissive mode the system continues to create the labels correctly. The AVC messages that are created in this mode can be different than in enforcing mode. In permissive mode, only the first denial is reported. However, in enforcing mode you might get a denial on reading a directory and an application stops. In permissive mode, you get the same AVC message, but the application continues reading files in the directory and you get an AVC for each denial in addition. + +selinux=0:: This parameter causes the kernel to not load any part of the SELinux infrastructure. The init scripts notice that the system booted with the [option]`selinux=0` parameter and touch the `/.autorelabel` file. This causes the system to automatically relabel the next time you boot with SELinux enabled. ++ +[IMPORTANT] +==== +Using the [option]`selinux=0` parameter is not recommended. To debug your system, prefer using permissive mode. +==== + +autorelabel=1:: This parameter forces the system to relabel similarly to the following commands: ++ +---- +~]# touch /.autorelabel +~]# reboot +---- ++ +If the system labeling contains a large amount of errors, you might need to boot in permissive mode in order that the autorelabel succeeds. + +For additional SELinux-related kernel boot parameters, such as [option]`checkreqprot`, see the `kernel-parameters.txt` file. This file is available in the source package of your Linux kernel (.src.rpm). 
To download the source package containing the currently used kernel: +---- +~]# dnf download --source kernel +----
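Review bot: in the assembly hunk (en-US/changing-selinux-states-and-modes.adoc), the TODO comment is hard to act on as written: "several links (URLs) in the included modules could be replaced with URLs" does not say what the replacement is. All the `link:` targets in the included modules currently point at the RHEL 7 SELinux guide on access.redhat.com, so the note presumably means "replaced with xrefs to the Fedora (fp.org) equivalents once they exist"; say that explicitly, or list the affected modules, so a later contributor can find every link without grepping. Also worth checking that the two modules included at `leveloffset=+2` (permissive and enforcing mode) are intended to nest under "Enabling SELinux" rather than sit as siblings; the enabling module's own text refers to them as "the following sections", which fits, but the disabling module at `+1` then appears between them and the boot-time reference.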
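Review bot: in the con_permanent-changes-in-selinux-states-and-modes.adoc hunk, the anchor id `[#{context}-changing-selinux-modes]` does not match the module's file name or title, while every other module in this patch derives its id from its name (for example `{context}-changing-to-permissive-mode`); suggest `[#{context}-permanent-changes-in-selinux-states-and-modes]` so cross-references stay predictable. The `[source,bash]` block is a terminal session, not a script, so `[source]` without a language (as the other modules use) or a plain literal block is the better fit. The NOTE at the end is the one place that explains why a reboot relabels the file system, and the enforcing-mode procedure relies on that behaviour; consider an xref from that procedure back to this anchor.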
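Review bot: in the proc_changing-to-enforcing-mode.adoc hunk, the sentence "If SELinux was disabled, follow the procedure below to change mode to enforcing again:" ends in a colon but is followed by the prerequisites paragraph and the `rpm -q` block, not by the steps; move the package prerequisites above that sentence (or drop the colon) so the colon introduces the numbered list. The package list (`libselinux-python`, `policycoreutils-python`) reads as carried over from the RHEL 7 guide; please verify these are the names Fedora ships, since Fedora's Python bindings are packaged under different names. "enforcing mode is enabled by default when the system was initially installed with SELinux" mixes tenses; "is enabled by default on systems installed with SELinux" is clearer. In the NOTE, the two diagnostic commands are literal blocks without `[source]`, unlike the `rpm -q` block above them; pick one convention.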
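Review bot: in the proc_changing-to-permissive-mode.adoc hunk, the header comment says the module is included in `assembly_changing-selinux-states-and-modes.adoc`, but the assembly added by this patch is `en-US/changing-selinux-states-and-modes.adoc`; the con_ and proc_enabling modules use the correct name, so fix this one (and ref_changing-selinux-modes-at-boot-time.adoc, which has the same mistake). "Each AVC is logged only once in this case." is a strong claim stated without qualification and it sits uneasily with the boot-time module, which says that in permissive mode "you get an AVC for each denial"; the two modules should say the same thing, or this sentence should explain what "once" refers to. "which can be then used" should be "which can then be used".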
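Review bot: in the proc_disabling-selinux.adoc hunk, the final literal block contains leftover conversion markup: "`~]$`pass:attributes[{blank}] pass:attributes[{blank}][command]`getenforce`" inside a `----` block is rendered verbatim, so readers will see the `pass:` macros instead of a prompt; replace it with the plain `~]$ getenforce` form used everywhere else in the patch. The config listing also opens with a stray blank line after `----` that the other two copies of the same listing do not have. The anchor id `[#{context}-Enabling_and_Disabling_SELinux-Disabling_SELinux]` uses the old underscore style while the rest of the patch uses kebab-case ids such as `{context}-enabling-selinux`; suggest `[#{context}-disabling-selinux]`, and check that nothing outside this patch still references the old id before renaming.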
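Review bot: in the proc_enabling-selinux.adoc hunk, step 3 "Check for SELinux denial messages." gives the reader nothing to run, while the enforcing-mode module's NOTE already has the `ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today` command; either inline that command here or point the commented-out `<>` xref at the enforcing-mode anchor so the step is actionable. The two `// See <> ...` placeholders and the trailing comment referencing `<<{context}-selinux-states-and-modes>>` point at anchors that do not exist in this patch; leave them as TODOs by all means, but mark them as such so they are not mistaken for finished xrefs. The opening sentence "While enabling SELinux on systems that previously had it disabled, to avoid problems, such as systems unable to boot or process failures, follow this procedure:" is hard to parse; "To enable SELinux on a system that previously had it disabled without risking boot or service failures, follow this procedure:" says the same thing.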
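Review bot: in the ref_changing-selinux-modes-at-boot-time.adoc hunk, the `enforcing=0` description contradicts itself: "In permissive mode, only the first denial is reported." is followed two sentences later by "you get an AVC for each denial in addition." Rework this so it states one behaviour and explains the directory-read case as the illustration it is meant to be. The title "Changing SELinux Modes at Boot Time" is in title case while the other modules use sentence case, and the anchor id `{context}-Enabling_and_Disabling_SELinux-Dracut-parameters` has the same underscore-style inconsistency noted on the disabling module. The `selinux=0` paragraph says "The init scripts notice ... and touch the `/.autorelabel` file"; please confirm this still describes Fedora's systemd boot rather than the sysvinit behaviour the sentence originates from. For the closing pointer to `kernel-parameters.txt`, giving its path within the source tree (it lives under `Documentation/admin-guide/` in current kernels) would save readers a search; the `dnf download --source kernel` command itself is fine.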