ConfigurationFiles

From SELinux Wiki
Revision as of 13:58, 12 May 2010

SELinux Configuration Files

This section explains each SELinux configuration file: its format, example content and, where applicable, the supporting SELinux commands or library API functions (consult the appropriate man(8) or man(3) pages regarding their use).

Note: Configuration file names and content have changed over the various releases of SELinux; this section defines those seen in the Fedora 12 release when building custom and Reference Policy policies.

This Section classifies the types of configuration file used in SELinux as follows:

  • Global Configuration files that affect the active policy and their supporting SELinux-aware applications, utilities or commands. These can be located in /etc/selinux or other places depending on the application.
  • Files specific to a named policy configuration that are located at /etc/selinux/<policy_name>, where <policy_name> is the name given in the SELINUXTYPE= entry of the /etc/selinux/config file. The files in this area are split into two main sections:
    • The Policy Store Configuration files that are 'private'[1] and managed by the semanage(8) and semodule(8) commands[2]. These are located in the /etc/selinux/<policy_name>/module set of directories. These are used to build the majority of the Policy Configuration files.
    • The Policy Configuration files that are used when the policy is activated[3]. The majority of these files are now managed via the Policy Store and should not be edited directly; others, however, are specific to SELinux-aware applications and have no configuration utilities (e.g. the dbus and X-Windows context files).
  • SELinux Kernel Configuration files that are located under the /selinux directory (the selinuxfs mount point; later kernels mount it at /sys/fs/selinux instead) and reflect the current configuration of SELinux and the active policy. This area is used extensively by the libselinux library for user space object managers and other SELinux-aware applications. These files and directories should not be updated by users (the majority are read only anyway), but they can be read to check various configuration parameters. ToDo - Put in link to these when I've done them.

Whenever possible the appropriate SELinux application should be used to manage all of these configuration files.
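As an added example (not code from the SELinux wiki or from the SELinux project), the following parses the /etc/selinux/config format described above, derives the named-policy directories from the SELINUXTYPE= entry, and flags the settings a reviewer would want to see (a disabled or permissive system, a missing policy name). The sample config is constructed in the Fedora layout; the directory names follow this page's own lists (the modules store, seusers, contexts/, contexts/files/file_contexts), and the function names are mine.

```python
# Added example, not from the SELinux wiki: parse /etc/selinux/config, derive
# /etc/selinux/<policy_name>/... paths from SELINUXTYPE=, and audit the state.
import re
from pathlib import PurePosixPath

# Constructed sample in the Fedora layout of /etc/selinux/config.
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
"""

_ASSIGNMENT = re.compile(r"^([A-Z_][A-Z0-9_]*)=(\S*)$")

def parse_selinux_config(text):
    """Return {KEY: value} from KEY=value lines; '#' comments and blanks are skipped.
    A later duplicate key overrides an earlier one, as a line-by-line reader would."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _ASSIGNMENT.match(line)
        if m is None:
            raise ValueError(f"unparseable line: {raw!r}")
        settings[m.group(1)] = m.group(2)
    return settings

def policy_layout(settings, root="/etc/selinux"):
    """Map SELINUXTYPE to the named-policy directories under /etc/selinux/<policy_name>."""
    policy = settings.get("SELINUXTYPE")
    if not policy:
        raise ValueError("SELINUXTYPE is not set; no active policy directory can be chosen")
    # Defensive check: the loader expects a plain directory name such as
    # 'targeted' or 'mls', never a path component that escapes /etc/selinux.
    if "/" in policy or policy in (".", ".."):
        raise ValueError(f"unsafe policy name {policy!r}")
    base = PurePosixPath(root) / policy
    return {
        "policy_dir": str(base),
        "policy_store": str(base / "modules"),   # private; semanage/semodule only
        "seusers": str(base / "seusers"),
        "contexts_dir": str(base / "contexts"),
        "file_contexts": str(base / "contexts" / "files" / "file_contexts"),
    }

def audit_settings(settings):
    """Return a list of human-readable findings; an empty list means nothing to report."""
    findings = []
    state = settings.get("SELINUX", "").lower()
    if state not in ("enforcing", "permissive", "disabled"):
        findings.append(f"SELINUX has an unrecognised value {state!r}")
    elif state == "disabled":
        findings.append("SELINUX=disabled: no policy is loaded and new files get no label, "
                        "so a full relabel is needed before re-enabling")
    elif state == "permissive":
        findings.append("SELINUX=permissive: denials are only logged, not enforced")
    if not settings.get("SELINUXTYPE"):
        findings.append("SELINUXTYPE is missing: the loader cannot select a policy")
    return findings

if __name__ == "__main__":
    cfg = parse_selinux_config(SAMPLE_CONFIG)
    for name, path in policy_layout(cfg).items():
        print(f"{name:14} {path}")
    for finding in audit_settings(cfg):
        print("WARNING:", finding)
```

On a live system, replace SAMPLE_CONFIG with the contents of /etc/selinux/config; the derived paths are the ones that semanage(8) and semodule(8) manage, so the script is for inspection only and never writes to them.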

When these configuration files are used to configure a security context and the policy supports MCS / MLS, the appropriate level or range must be added: generally an object such as a file has a single level, while a subject (a user or process) has a range consisting of a low and a high level, although directories can also have a range if they support polyinstantiation.
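As an added example (not code from the SELinux wiki), the following parses a security context of the form user:role:type[:level[-level]] as written in the contexts/ files, expands MLS/MCS levels such as s0:c0.c1023 into comparable values, checks that a range is well formed (the high level must dominate the low level), and appends a default level when a context destined for an MCS/MLS policy lacks one. The sample contexts are constructed and the helper names are mine.

```python
# Added example, not from the SELinux wiki: parse and validate security
# contexts with optional MLS/MCS level or range fields.
import re

_SENSITIVITY = re.compile(r"^s(\d+)$")
_CATEGORY = re.compile(r"^c(\d+)(?:\.c(\d+))?$")   # single 'c3' or range 'c0.c3'

def parse_level(level):
    """'s0:c0.c3,c7' -> (0, {0, 1, 2, 3, 7}); 's2' -> (2, set())."""
    sens_text, _, cats_text = level.partition(":")
    m = _SENSITIVITY.match(sens_text)
    if m is None:
        raise ValueError(f"bad sensitivity in level {level!r}")
    categories = set()
    if cats_text:
        for chunk in cats_text.split(","):
            cm = _CATEGORY.match(chunk)
            if cm is None:
                raise ValueError(f"bad category {chunk!r} in level {level!r}")
            lo = int(cm.group(1))
            hi = int(cm.group(2)) if cm.group(2) is not None else lo
            if hi < lo:
                raise ValueError(f"descending category range {chunk!r}")
            categories.update(range(lo, hi + 1))
    return int(m.group(1)), categories

def dominates(high, low):
    """MLS dominance: higher-or-equal sensitivity and a superset of categories."""
    return high[0] >= low[0] and low[1] <= high[1]

def parse_context(context):
    """Split a context into its fields; the optional 4th field is an MLS level or range."""
    fields = context.split(":", 3)        # maxsplit keeps ':' inside the level field
    if len(fields) < 3 or not all(fields[:3]):
        raise ValueError(f"context needs user:role:type, got {context!r}")
    user, role, type_ = fields[:3]
    parsed = {"user": user, "role": role, "type": type_, "low": None, "high": None}
    if len(fields) == 4:
        low_text, _, high_text = fields[3].partition("-")
        low = parse_level(low_text)
        high = parse_level(high_text) if high_text else low   # single level: low == high
        if not dominates(high, low):
            raise ValueError(f"high level does not dominate low level in {context!r}")
        parsed["low"], parsed["high"] = low, high
    return parsed

def with_level(context, mls_enabled, default_level="s0"):
    """Return the context as it should be written for the target policy: a level is
    appended when the policy supports MCS/MLS and none was given; otherwise the
    context is returned unchanged (any level already present is still validated)."""
    parsed = parse_context(context)
    if mls_enabled and parsed["low"] is None:
        return f"{context}:{default_level}"
    return context

# Constructed sample contexts: an object (single level) and a subject (range).
SAMPLE_FILE_CONTEXT = "system_u:object_r:etc_t:s0"
SAMPLE_USER_CONTEXT = "staff_u:staff_r:staff_t:s0-s0:c0.c1023"

if __name__ == "__main__":
    for ctx in (SAMPLE_FILE_CONTEXT, SAMPLE_USER_CONTEXT):
        p = parse_context(ctx)
        print(ctx, "->", p["type"], "low", p["low"], "high categories", len(p["high"][1]))
    print(with_level("system_u:object_r:etc_t", mls_enabled=True))
```

The dominance check is what catches a typo such as s1-s0 before it reaches a contexts file, where the kernel would reject the entry with a far less helpful error.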

Global Configuration Files

  • The following files are described in the Global Configuration Files section:
    • /etc/selinux/config File
    • /etc/selinux/semanage.conf File
    • /etc/selinux/restorecond.conf File
    • /etc/sestatus.conf File
    • /etc/security/sepermit.conf File

Policy Store Configuration Files

  • The following files are described in the Policy Store Configuration Files section:
    • base.pp File
    • base.linked File
    • commit_num File
    • file_contexts.template File
    • file_contexts File
    • homedir_template File
    • file_contexts.homedirs File
    • netfilter_contexts & netfilter.local File
    • policy.kern File
    • seusers.final and seusers Files
    • users_extra, users_extra.local and users.local Files
    • booleans.local File
    • file_contexts.local File
    • interfaces.local File
    • nodes.local File
    • ports.local File
    • modules Directory Contents

Policy Configuration Files

  • The following files are described in the Policy Configuration Files section:
    • seusers File
    • setrans.conf File
    • secolor.conf File
    • policy/policy[ver] File
    • contexts/customizable_types File
    • contexts/default_contexts File
    • contexts/dbus_contexts File
    • contexts/default_type File
    • contexts/failsafe_context File
    • contexts/initrc_context File
    • contexts/netfilter_contexts File
    • contexts/removable_contexts File
    • contexts/securetty_types File
    • contexts/userhelper_context File
    • contexts/virtual_domain_context File
    • contexts/virtual_image_context File
    • contexts/x_contexts File
    • contexts/files/file_contexts File
    • contexts/files/file_contexts.local File
    • contexts/files/file_contexts.homedirs File
    • contexts/files/media File
    • contexts/users/[seuser_id] File
  1. They should NOT be edited as together they describe the 'policy'.
  2. The system-config-selinux GUI (supplied in the policycoreutils-gui rpm) can also be used to manage users, booleans and the general configuration of SELinux as it calls semanage; however, it does not manage everything that the semanage command can (and it also misbehaves on some operations if there are no MCS/MLS labels).
  3. The 'active policy' is pointed to by an entry in the /etc/selinux/config file discussed in the /etc/selinux/config file section.