On Thu, 30 Dec 2004 16:26:24 -0600, David Hart wrote:

I need help understanding SELinux!

Me too! But I seem to be a bit further along, so I'll see if I can help.

I've read just about every on-line SELinux article I can find, and I am getting progressively more confused as I read more. Following along in these articles on a Fedora Core 3 system, reading documents written for Fedora Core 2 Test 3 and before, is confusing. The older the document, the more my installation fails to match the documentation.

Yes it is unfortunate that the documentation ages so quickly, but this is I think unavoidable. SELinux is still quite a new technology and has a lot of maturing to do.

It also doesn't help that Fedora have patched upstream SElinux extensively in the process of actually making it usable, for instance they've made a lot of stuff more automatic. I believe these patches are being folded back in upstream, but the problem with doing it "upside down" like this is that the official docs which most people find first do not correspond to an actual FC3 installation, which is what most people are actually playing with SELinux on.

I do not know why these patches weren't developed upstream then pulled down as they became ready. I guess there are good reasons.

And, the answers to some basic questions:

1. Why does a Fedora Core 3 installation, with SELinux "Active" or "Warn", not install selinux-policy-targeted-sources? I kept pulling my hair out (little that there is) when trying to find: /etc/selinux/targeted/src/policy All the documents referred to this directory, and it was VERY confusing not to find it. This directory should at least be an empty directory after a fresh install.

They're quite large and not needed for SELinux to function. It's unfortunate that the docs assume it's installed, but it's quite a common mistake (eg instructions that tell you to compile software assuming the dev tools are installed, very common Linux newbie mistake).

2. Are the setools and setools-gui packages required to be used on a SELinux enabled system? If so, why are they not installed when SELinux is installed? In particular, I am very confused about how to create new users and new groups. It looks like I need to update our in-house instructions to use seuseradd, seuserdel, etc. instead of useradd and userdel?

I don't think they are required. On Fedora I think the standard commands like su etc were patched to use SELinux automatically, so a standard "useradd" should do the trick.

3. Where the heck is the SELinux audit file? Try as much as I could, I can't find it. Every document references it, but none I have found actually refer to it by path/filename.

If you mean where AVCs are logged that'd be /var/log/messages.

4. I know you guys discuss policy problems all the time, from the viewpoint of their AVC log events, but I'd like to see what one of these AVC log events looks like on my system.

Here is one from mine:

Dec 30 22:40:39 littlegreen kernel: audit(1104446439.698:0): avc: denied { search } for pid=4659 exe=/sbin/ldconfig name=lib dev=hdd2 ino=4244688 scontext=user_u:system_r:ldconfig_t tcontext=user_u:object_r:file_t tclass=dir

You can get the same error by creating a directory eg ~/.local/lib, dropping a library in there then running:

/sbin/ldconfig -n .

which should create some magic symlinks for the linker to use, but with policy as of December 30th 2004 this generates an AVC.

5. Does it make sense to have a Workstation installation with the "strict" policy? Under what circumstances?

Probably not. Strict seems to be under heavy development still. There seem to be issues with targetted policy still judging by the above test! That ldconfig command should not have failed.

I am putting instructions together for people in my Lab on how to install and use Fedora Core 3. One of the early lessons I want to document is some simple instructions on how to use SELinux. Then, as other instructions are written for other Lab-oriented tasks, I would integrate SELinux into these instructions. The people in the Lab are responsible for maintaining their various computers, so knowledge about SELinux appears necessary. If I can't understand it and explain it to them, things are going to get messy.

For now I think it's best to ignore SELinux and assume it'll work in the background, even if sometimes it doesn't for whatever reason. You need to know about SELinux for effective system administration, or will in future, and perhaps also for software development. But regular users should be able to ignore it and just enjoy the benefits.

thanks -mike

On Thu, 2004-12-30 at 16:26 -0600, David Hart wrote:

I need help understanding SELinux!

I've read just about every on-line SELinux article I can find, and I am getting progressively more confused as I read more. Following along in these articles on a Fedora Core 3 system, reading documents written for Fedora Core 2 Test 3 and before, is confusing. The older the document, the more my installation fails to match the documentation.

The Fedora docs project needs writers and content. While the FAQ is (relatively) up-to-date for FC3, we need more HOWTO documentation. If you know any writers who want to tackle SELinux tutorials, send them over to fedora-docs-list, I'll do what I can to get them started.

I need a starting place, some things to look at once I have my Fedora Core 3 installation running. Some simple things, some that work correctly, some that fail and I can learn how to track down and fix.

And, the answers to some basic questions:

1. Why does a Fedora Core 3 installation, with SELinux "Active" or "Warn", not install selinux-policy-targeted-sources? I kept pulling my hair out (little that there is) when trying to find: /etc/selinux/targeted/src/policy All the documents referred to this directory, and it was VERY confusing not to find it. This directory should at least be an empty directory after a fresh install.

In the first "Tip" near the top of http://fedora.redhat.com/docs/selinux-faq-fc3/ is a link to a pre-filled "bugzilla template". Use that to fill out a bug, severity: Feature. I'll then include this question in the FAQ.

To answer you, there are several reasons for the policy source not being installed by default:

* As with the rest of Fedora Core, SELinux needs to be able to run with just a binary policy present and no source installed. This is why they are separate packages.

* Updating the policy does different things depending on if you have the source installed. If you have only the binary policy, i.e., the default supported environment, you only have to update the binary policy at /etc/selinux/targeted/policy/policy.version. If you have the policy source installed, it may be because you are customizing the policy, and rpm needs to be careful not to clobber you changes.

Others can contribute further reasons.

2. Are the setools and setools-gui packages required to be used on a SELinux enabled system? If so, why are they not installed when SELinux is installed? In particular, I am very confused about how to create new users and new groups. It looks like I need to update our in-house instructions to use seuseradd, seuserdel, etc. instead of useradd and userdel?

You do not, unless you plan on customizing policy to divide users to be controlled by SELinux. SELinux maintains its own set of users, e.g., all untrusted users are part of user_u. Under the targeted policy, aiui the user is generally not controlled.

3. Where the heck is the SELinux audit file? Try as much as I could, I can't find it. Every document references it, but none I have found actually refer to it by path/filename.

aiui, this is just /var/log/messages.

Flask is a framework, and the documentation tends to be vague about particulars like where you choose to put audit logs. SELinux, the implementation of Flask, generally uses /var/log/messages, but I'm sure even that could be different if you wanted.

4. I know you guys discuss policy problems all the time, from the viewpoint of their AVC log events, but I'd like to see what one of these AVC log events looks like on my system. In particular, I have a Fedora Core 3 Workstation installation running the targeted policy in enforcing mode. I'd appreciate a simple test I could perform that would generate an AVC log entry, some idea on how to look for the log entry, and some idea about how to analyze the log entry.

This should work with a default targeted policy:

1. In one terminal, 'su - root' and 'tail -f /var/log/messages'

2. In another term, as a normal user, type 'chcon -t unlabeled_t /etc/httpd/conf/httpd.conf' -- this is trying to change the file context of httpd.conf, specifically the type attribute. You should get an error such as:

[auser@urania ~]$ chcon -t unlabeled_t /etc/httpd/conf/httpd.conf chcon: failed to change context of /etc/httpd/conf/httpd.conf to system_u:object_r:unlabeled_t: Operation not permitted

3. You'll notice that no error is generated in /var/log/messages. This is because normal UNIX security has intercepted the command; normal user permissions has blocked the user from writing to the file attributes. SELinux is not reached, so no AVC error is generated.

4. In the second term, 'su - root' and 'chcon -t unlabeled_t /etc/httpd/conf/httpd.conf'. You should get an error such as:

[root@urania policy]# chcon -t unlabeled_t /etc/httpd/conf/httpd.conf chcon: failed to change context of /etc/httpd/conf/httpd.conf to system_u:object_r:unlabeled_t: Permission denied

Note the permission denied -- UNIX ownership said it was OK to change this file, but SELinux rules said no.

5. Look in the log and you will see this denial message:

Dec 30 15:01:40 urania kernel: audit(1104447700.246:0): avc: denied { associate } for pid=26444 exe=/usr/bin/chcon name=httpd.conf dev=dm-0 ino=1018443 scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:fs_t tclass=filesystem

* The action denied is an "associate", i.e., trying to associate a new file attribute with the target file.

* The process is exe=/usr/bin/chcon

* The file acted upon (object) is name=httpd.conf at ino=1018443 (sometimes it's useful to have the inode).

* The source context scontext=system_u:object_r:unlabeled_t is trying to be associated with a target context tcontext=system_u:object_r:fs_t. fs_t is the default type for conventional file systems.

AIUI, the policy does not allow a user to change the type of a file on the file system to unlabeled_t. The denial is happening at the file system level before getting to the file itself.

[This is where someone with more understanding of the policy specifics steps in with the final detail ;-) ]

The reason I picked httpd.conf is that it is a file that the user is denied UNIX permissions, but root should be able to manipulate.

I know, blasphemy. But there are three ways that adults learn: 1. Visual: people who learn by seeing it done. 2. Auditory: people who learn by hearing. 3. Kenesthetic: people who learn by doing (touch and body movement). I'm a #3.

In a freeform, off-topic discussion, I'd posit more than three. :)

5. Does it make sense to have a Workstation installation with the "strict" policy? Under what circumstances?

I can think of usage scenarios.

1. Kiosks 2. Library Web browser machines 3. Specific lab usages

The first two seem reasonable right now, based on my understanding of the policy for Mozilla et al. In fact, strict policy will likely just work for a machine dedicated to Web browsing, email, and light office productivity. YMMV. :)

The third would require a tight requirement spec and work to customize the policy, I'd reckon.

I am putting instructions together for people in my Lab on how to install and use Fedora Core 3. One of the early lessons I want to document is some simple instructions on how to use SELinux. Then, as other instructions are written for other Lab-oriented tasks, I would integrate SELinux into these instructions. The people in the Lab are responsible for maintaining their various computers, so knowledge about SELinux appears necessary. If I can't understand it and explain it to them, things are going to get messy.

There is not much they should bump up against. Said as a user of FC3 with SELinux. If you want to have them serve content from ~/public_html, you may need to educate them on using 'chcon' to fix the labels on files they put in there. If you want to have them execute their own Web scripts, you can likely configure it so that it mainly works from their standpoint.

- Karsten

On Thu, 2004-12-30 at 16:26 -0600, David Hart wrote:

I need help understanding SELinux!

I've read just about every on-line SELinux article I can find, and I am getting progressively more confused as I read more. Following along in these articles on a Fedora Core 3 system, reading documents written for Fedora Core 2 Test 3 and before, is confusing. The older the document, the more my installation fails to match the documentation.

I need a starting place, some things to look at once I have my Fedora Core 3 installation running. Some simple things, some that work correctly, some that fail and I can learn how to track down and fix.

Have you read "NSA's Open Source Security Enhanced Linux" By O'reilly? http://www.oreilly.com/catalog/selinux/

I have the E-book and you can find it on google with little trouble. Someone was suppose to get it for me for Christmas, but low and behold.. socks!