Follow:

Latest articles in ‘Selinux’


  1. SELinux cheatsheet

    Published: Fri 08 September 2017 in Cookbook.
    A mind-refresher on SELinux main commands, files and behavior.

    This page is only designed as a memory-refresher. SElinux may be a complex thing to get right, if you are not familiar with it yet I highly encourage you to read Sven Vermeulen books.

    SELinux state

    To detect whether SELinux is enabled or not:

    • From a script, selinuxenabled doesn’t produce any output and its exit code gives SELinux status.
    • From an interactive prompt, sestatus provides more information.

    SELinux main configuration file is /etc/selinux/config, it defines:

    • SELINUX=: SELinux state:

      • enforcing: Enabled and block unauthorized actions (policy violations).

      • permissive: Enabled, but only logs unauthorized actions and does not block them (useful for development and HIDS purposes).

      • disabled: SELinux is completely disabled.

        Warning

        If SELinux has been temporarily disabled (which is not recommended, there are usually cleaner ways to proceed), a global relabel will be required before re-enabling SELinux.

        More information.

    • SELINUXTYPE=: The policy currently in use, available policies depend …


  2. SELinux System Administration & SELinux Cookbook (Sven Vermeulen)

    Published: Wed 06 September 2017 in Library.
    The best book to discover SELinux and learn how to take the most out of it.

    Sven Vermeulen, the author of these two books, is deeply involved in the Gentoo community.

    Quoting his biography from the book introduction:

    In 2003, he joined the ranks of the Gentoo Linux project as a documentation developer and has since worked in several roles, including Gentoo Foundation trustee, council member, project lead for various documentation initiatives, and (his current role) project lead for Gentoo Hardened SELinux integration and the system integrity project.

    He is both knowledgeable technically, pedagogically and in SELinux. In these books, he uses his talent to spread the light on a domain which is often conceived as obscure and daunting, explaining in a clear and effective way how and why the things are the way they are so everything finally takes its place into our minds.

    Don’t let the affiliation with the Gentoo project let you think that these books are only about Gentoo. These books …


  3. How to examine Android SELinux policy

    Published: Mon 15 August 2016 in Cookbook.
    A step-by-step guide from building your environment to a concrete example showing the tools in action.

    Examining SELinux policy should be a trivial thing, but Android turns this into some kind of nightmare. In fact, Google has designed Android mainly from a consumer perspective, and not for power users. The result is that, as soon as you want to do something outside of using the latest Facebook app or playing Candy Crush, you very quickly find yourself back in realm of early-2000 Linux, when a developer-like knowledge was required to change what should be simple settings. I believe that the situation will fastly evolve as Android system gets more mature, but for now we have to do with what we have got…

    As you said, there are two reasons why it is necessary to compile your own SELinux toolset:

    • The system provided toolset is usually a version behind. While Android’s SELinux relies on policy DB version 30, current Linux boxes usually handle only version up …

  4. Can SELinux really confine the root user?

    Published: Thu 20 August 2015 in Opinions.
    How but most importantly why SELinux allows to confine even the root user.

    Several projects such as [this one][play_root] propose a free root access to a Linux box in order to demonstrate SELinux confinement abilities. Even given a root access on a box, SELinux still prevents any harm from being done.

    Is this for real or is there any trick behing such setup?

    This is indeed possible because SELinux does not actually care about the current Unix user: all it sees is a supplementary metadata called the context (which includes, among other fields, a domain field) and which lets SELinux decide whether the requested action can be authorized or not.

    What one usually conceives as the root user should be mapped in SELinux as a root Unix user running either the unconfined_t or sysadm_t SELinux domain. It is the classical full-powered omnipotent root user.

    However, one could perfectly setup his system to spawn a root shell (I mean root Unix user shell …

Popular tags see all

Website

Author

Follow