Difference between revisions of "GlobalConfigurationFiles"

From SELinux Wiki
(/etc/selinux/semanage.conf File)
 
Line 1: Line 1:
 
= Global Configuration Files =
 
= Global Configuration Files =
Listed in the sections that follow are the common configuration files used by SELinux and are therefore not policy specific.
+
Listed in the sections that follow are the common configuration files used by SELinux and are not policy specific. The two most important files are:
 +
* <tt>/etc/selinux/config</tt> - This defines the policy to be activated and its enforcing mode.
 +
* <tt>/etc/selinux/semanage.conf</tt> - This is used by the SELinux policy configuration subsystem for modular or CIL policies.
  
 
== /etc/selinux/config File ==
 
== /etc/selinux/config File ==
If this file is missing or corrupt no SELinux policy will be loaded (i.e. SELinux is disabled). The config file controls the state of SELinux using the following parameters:
+
If this file is missing or corrupt no SELinux policy will be loaded (i.e. SELinux is disabled). The file man page is <tt>'''selinux_config'''(5)</tt>, this is because 'config' has already been taken. The config file controls the state of SELinux using the following parameters:
 
<pre>
 
<pre>
 
SELINUX=enforcing|permissive|disabled
 
SELINUX=enforcing|permissive|disabled
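Review bot: the added sentence "The file man page is selinux_config(5), this is because 'config' has already been taken" is a comma splice; suggest "The man page for this file is selinux_config(5), because the name 'config' was already taken."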
Line 11: Line 13:
 
AUTORELABEL=0|1
 
AUTORELABEL=0|1
 
</pre>
 
</pre>
 
 
'''Where:'''
 
'''Where:'''
 +
 
{| border="1"
 
{| border="1"
| | SELINUX
+
| SELINUX
| | This can contain one of three values:
+
| This entry can contain one of three values:
  
'''enforcing''' - SELinux security policy is enforced.
+
'''enforcing'''
  
'''permissive''' - SELinux logs warnings (see the Audit Logs section) instead of enforcing the policy (i.e. the action is allowed to proceed).
+
SELinux security policy is enforced.
  
'''disabled''' - No SELinux policy is loaded.
+
'''permissive'''
 +
 
 +
SELinux logs warnings instead of enforcing the policy (i.e. the action is allowed to proceed).
 +
 
 +
'''disabled'''
 +
 
 +
No SELinux policy is loaded.
 +
 
 +
Note that this configures the global SELinux enforcement mode. It is still possible to have domains running in permissive mode and/or object managers running as disabled, permissive or enforcing, when the global mode is enforcing or permissive.
  
 
|-
 
|-
| | SELINUXTYPE
+
| SELINUXTYPE
| | Where policy_name is the policy type or name that will be loaded at system boot time.  
+
| The policy_name is used as the directory name where the active policy and its configuration files will be located. The system will then use this information to locate and load the policy contained within this directory structure.  
  
The policy MUST be located at:  
+
The policy directory must be located at:  
  
 
<nowiki>/etc/selinux/<policy_name>/</nowiki>
 
<nowiki>/etc/selinux/<policy_name>/</nowiki>
  
 
|-
 
|-
| | SETLOCALDEFS
+
| SETLOCALDEFS
| | This optional field should be set to 0 (or the entry removed) as so that the policy store management infrastructure is used (semanage / semodule).  
+
| This optional field should be set to 0 (or the entry removed) as the policy store management infrastructure ('''semanage'''(8) / '''semodule'''(8)) is now used.
  
If set to 1, then init(8) and load_policy(8) will read the local customisation for booleans and users.
+
If set to 1, then '''init'''(8) and '''load_policy'''(8) will read the local customisation for booleans and users.
  
 
|-
 
|-
| | REQUIRESEUSERS
+
| REQUIRESEUSERS
| | This optional field can be used to fail the login when there is no seusers file if it is set to 1.
+
| This optional field can be used to fail a login if there is no matching or default entry in the '''seusers''' file or if the file is missing.
 +
 
 +
It is checked by the <tt>libselinux</tt> function '''getseuserbyname'''(3) that is used by SELinux-aware login applications such as <tt>'''PAM'''(8)</tt>.
 +
 
 +
If it is set to 0 or the entry missing:
 +
 
 +
'''getseuserbyname'''(3) will return the GNU / Linux user name as the SELinux user.  
 +
 
 +
If it is set to 1:
  
The default action (if 0 or the entry is not present) the libselinux function getseuserbyname will use the GNU / Linux user name.  
+
'''getseuserbyname'''(3) will fail.
  
 
|-
 
|-
| | AUTORELABEL
+
| AUTORELABEL
| | This is an optional field. If set to '0' and there is a file called .autorelabel in the root directory, then on a reboot, the loader will drop to a shell where a root logon is required. An administrator can then manually relabel the file system.
+
| This is an optional field. If set to '<tt>0</tt>' and there is a file called <tt>.autorelabel</tt> in the root directory, then on a reboot, the loader will drop to a shell where a root logon is required. An administrator can then manually relabel the file system.
  
If set to '1' or the parameter name is not used (the default) there is no login for manual relabeling, however should the /.autorelabel file exist, then the file system will be automatically relabeled using fixfiles -F restore.  
+
If set to '1' or the parameter name is not used (the default) there is no login for manual relabeling, however should the <tt>/.autorelabel</tt> file exists, then the file system will be automatically relabeled using <tt>fixfiles -F restore</tt>.  
  
In both cases the /.autorelabel file will be removed so the relabel is not done again.  
+
In both cases the <tt>/.autorelabel</tt> file will be removed so the relabel is not done again.
  
 
|}
 
|}
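Review bot: the rewritten AUTORELABEL row introduces a grammar error, "however should the /.autorelabel file exists" should read "however, should the /.autorelabel file exist". The new permissive description also drops the old "(see the Audit Logs section)" pointer; an administrator running in permissive mode needs to know where the logged denials go, so keep a reference to that section.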
Line 56: Line 74:
 
'''Example config file contents are:'''
 
'''Example config file contents are:'''
 
<pre>
 
<pre>
<nowiki># This file controls the state of SELinux on the system.</nowiki>
+
# This file controls the state of SELinux on the system.
<nowiki># SELINUX= can take one of these three values:</nowiki>
+
# SELINUX= can take one of these three values:
<nowiki># </nowiki>enforcing - SELinux security policy is enforced.
+
# enforcing - SELinux security policy is enforced.
<nowiki># </nowiki>permissive - SELinux prints warnings instead of enforcing.
+
# permissive - SELinux prints warnings instead of enforcing.
<nowiki># </nowiki>disabled - No SELinux policy is loaded.
+
# disabled - No SELinux policy is loaded.
 
SELINUX=permissive
 
SELINUX=permissive
<nowiki>#</nowiki>
+
#
<nowiki># SELINUXTYPE= can take one of these two values:</nowiki>
+
# SELINUXTYPE= can take one of these two values:
<nowiki># </nowiki>targeted - Targeted processes are protected,
+
# targeted - Targeted processes are protected,
<nowiki># </nowiki>mls - Multi Level Security protection.
+
# mls - Multi Level Security protection.
 
SELINUXTYPE=targeted
 
SELINUXTYPE=targeted
 
</pre>
 
</pre>
  
 
== /etc/selinux/semanage.conf File ==
 
== /etc/selinux/semanage.conf File ==
The semanage.config file controls the configuration and actions of the semanage and semodule set of commands using the following parameters:
+
The '''semanage.config'''(5) file controls the configuration and actions of the '''semanage'''(8) and '''semodule'''(8) set of commands using the following parameters:
 
<pre>
 
<pre>
 
module-store = method
 
module-store = method
Line 82: Line 100:
 
bzip-blocksize = 0|1..9
 
bzip-blocksize = 0|1..9
 
bzip-small true|false
 
bzip-small true|false
 +
usepasswd = true|false
 +
 +
ignoredirs dir [;dir] ...
 +
 
[verify kernel]
 
[verify kernel]
path = <path to policy checker>
+
path = <application_to_run>
args = <args>
+
args = <arguments>
 
[end]
 
[end]
 +
 +
[verify module]
 +
path = <application_to_run>
 +
args = <arguments>
 +
[end]
 +
 +
[verify linked]
 +
path = <application_to_run>
 +
args = <arguments>
 +
[end]
 +
 +
[load_policy]
 +
path = <application_to_run>
 +
args = <arguments>
 +
[end]
 +
 +
[setfiles]
 +
path = <application_to_run>
 +
args = <arguments>
 +
[end]
 +
 +
[sefcontext_compile]
 +
path = <application_to_run>
 +
args = <arguments>
 +
[end]
 +
 +
[load_policy]
 +
path = <application_to_run>
 +
args = <arguments>
 +
[end]
 +
 +
# libsepol (v2.4) with CIL support add the following:
 +
store-root = <path>
 +
compiler-directory = <path>
 +
ignore-module-cache = true|false
 +
target-platform = selinux | xen
 
</pre>
 
</pre>
  
 
'''Where:'''
 
'''Where:'''
 +
 
{| border="1"
 
{| border="1"
| | module-store
+
| module-store
| | The method can be one of four options:
+
| The method can be one of four options:
  
1) '''directlibsemanage''' - will write directly to a module store. This is the default value.
+
directlibsemanage will write directly to a module store. This is the default value.
  
2) '''sourcelibsemanage''' - manipulates a source SELinux policy.
+
sourcelibsemanage manipulates a source SELinux policy.
  
3) '''/foo/bar''' - Write via a policy management server, whose named socket is at /foo/bar. The path must begin with a '/'.
+
/foo/barWrite via a policy management server, whose named socket is at /foo/bar. The path must begin with a '/'.
  
4) '''foo.com:4242''' - Establish a TCP connection to a remote policy management server at foo.com. If there is a colon then the remainder is interpreted as a port number; otherwise default to port 4242.
+
foo.com:4242Establish a TCP connection to a remote policy management server at foo.com. If there is a colon then the remainder is interpreted as a port number; otherwise default to port 4242.
  
 
|-
 
|-
| | policy-version
+
| policy-version
| | This optional entry can contain a policy version number, however it is normally commented out as it then defaults to that supported by the system (for F-10 this is policy version 23).  
+
| This optional entry can contain a policy version number, however it is normally commented out as it then defaults to that supported by the system.  
  
 
|-
 
|-
| | expand-check
+
| expand-check
| | This optional entry controls whether hierarchy checking on module expansion is enabled (1) or disabled (0). The default is 0.
+
| This optional entry controls whether hierarchy checking on module expansion is enabled (1) or disabled (0). The default is 0.
 +
 
 +
It is also required to detect the presence of policy rules that are to be excluded with <tt>neverallow</tt> rules.
  
 
|-
 
|-
| | file-mode
+
| file-mode
| | This optional entry allows the file permissions to be set on runtime policy files. The format is the same as the mode parameter of the chmod command and defaults to 0644 if not present.
+
| This optional entry allows the file permissions to be set on runtime policy files. The format is the same as the mode parameter of the chmod command and defaults to 0644 if not present.
  
 
|-
 
|-
| | save-previous
+
| save-previous
| | This optional entry controls whether the previous module directory is saved (TRUE) after a successful commit to the policy store. The default is to delete the previous version (FALSE).
+
| This optional entry controls whether the previous module directory is saved (TRUE) after a successful commit to the policy store. The default is to delete the previous version (FALSE).
  
 
|-
 
|-
| | save-linked
+
| save-linked
| | This optional entry controls whether the previously linked module is saved (TRUE) after a successful commit to the policy store. Note that this option will create a base.linked file in the module policy store.
+
| This optional entry controls whether the previously linked module is saved (TRUE) after a successful commit to the policy store. Note that this option will create a <tt>base.linked</tt> file in the module policy store.
  
 
The default is to delete the previous module (FALSE).  
 
The default is to delete the previous module (FALSE).  
  
 
|-
 
|-
| | disable-genhomedircon
+
| disable-genhomedircon
| | This optional entry controls whether the embedded genhomedircon function is run when using the semanage command. The default is FALSE.
+
| This optional entry controls whether the embedded genhomedircon function is run when using the '''semanage'''(8) command. The default is FALSE.
  
 
|-
 
|-
| | handle-unknown
+
| handle-unknown
| | This optional entry controls the kernel behaviour for handling permissions defined in the kernel but missing from the policy (that are declared at the start of the base.conf (loadable policy) or policy.conf (monolithic policy).  
+
| This optional entry controls the kernel behaviour for handling permissions defined in the kernel but missing from the policy (that are declared at the start of the base.conf (loadable policy) or policy.conf (monolithic policy)).  
  
The options are: allow the permission, reject by not loading the policy or deny the permission. The default is deny. See the SELinux Filesystem section for how these are reported in /selinux.
+
The options are: allow the permission, reject by not loading the policy or deny the permission. The default is deny. See the [[NB_LSM#SELinux_Filesystem | SELinux Filesystem]] section for how these are reported in /sys/fs/selinux.
  
Note: to activate any change, the base policy needs to be reloaded with the semodule -b command (as semodule -R does not change them).
+
Note: to activate any change, the base policy needs to be rebuilt with the semodule -B command.
  
 
|-
 
|-
| | bzip-blocksize
+
| bzip-blocksize
| | This optional entry determines whether the modules are compressed or not with bzip. If the entry is 0, then no compression will be used (this is required with tools such as sechecker and apol). This can also be set to a value between 1 and 9 that will set the block size used for compression (bzip will multiply this by 100,000, so '9' is faster but uses more memory).
+
| This optional entry determines whether the modules are compressed or not with bzip. If the entry is <tt>0</tt>, then no compression will be used (this is required with tools such as <tt>sechecker</tt> and <tt>apol</tt>). This can also be set to a value between <tt>1</tt> and <tt>9</tt> that will set the block size used for compression (<tt>bzip</tt> will multiply this by 100,000, so '<tt>9</tt>' is faster but uses more memory).
  
 
|-
 
|-
| | bzip-small
+
| bzip-small
| | When this optional entry is set to TRUE the memory usage is reduced for compression and decompression (the bzip -s or --small option). If FALSE or no entry present, then does not try to reduce memory requirements.
+
| When this optional entry is set to <tt>TRUE</tt> the memory usage is reduced for compression and decompression (the <tt>bzip</tt> <tt>-s</tt> or <tt>--small</tt> option). If <tt>FALSE</tt> or no entry present, then does not try to reduce memory requirements.
  
 
|-
 
|-
| | <nowiki>[verify kernel].. [end]</nowiki>
+
| usepasswd
| | This starts an additional set of entries that can be used to validate a policy with an external application during the build process. The validation process takes place before the policy is allowed to be inserted into the store with the SELinux Project web site showing a worked example at:
+
| When this optional entry is set to <tt>TRUE</tt> <tt>semanage</tt> will scan all password records for home directories and set up their labels correctly.
  
[http://selinuxproject.org/page/PolicyValidate http://selinuxproject.org/page/PolicyValidate]
+
If set to <tt>FALSE</tt> (the default if no entry present), then only the <tt>/home</tt> directory will be automatically re-labeled.  
  
The entries required for this option are as follows:
+
|-
<pre>
+
| ignoredirs
[verify kernel]
+
| With a list of directories to ignore (separated by '<tt><nowiki>;</nowiki></tt>') when setting up users home directories. This is used by some distributions to stop labeling <tt>/root</tt> as a home directory.
path = <application_to_run>
+
 
args = <arguments>
+
|-
[end]
+
| <nowiki>[verify kernel]</nowiki>
</pre>
+
| Start an additional set of entries that can be used to validate the kernel policy with an external application during the build process. There may be multiple <tt><nowiki>[verify kernel]</nowiki></tt> entries.
 +
 
 +
The validation process takes place before the policy is allowed to be inserted into the store with a worked example shown in the [[PolicyValidate | Policy Validation Example]].
 +
 
 +
|-
 +
| <nowiki>[verify module]</nowiki>
 +
| Start an additional set of entries that can be used to validate each module by an external application during the build process. There may be multiple <tt><nowiki>[verify module]</nowiki></tt> entries.
 +
 
 +
|-
 +
| <nowiki>[verify linked]</nowiki>
 +
| Start an additional set of entries that can be used to validate module linking by an external application during the build process. There may be multiple <tt><nowiki>[verify linked]</nowiki></tt> entries.
 +
 
 +
|-
 +
| <nowiki>[load_policy]</nowiki>
 +
| Replace the default load policy application with this new policy loader. Defaults are either: <tt>/sbin/load_policy</tt> or <tt>/usr/sbin/load_policy</tt>.
 +
 
 +
|-
 +
| <nowiki>[setfiles]</nowiki>
 +
| Replace the default set files application with this new set files. Defaults are either: <tt>/sbin/setfiles</tt> or <tt>/usr/sbin/setfiles</tt>.
 +
 
 +
|-
 +
| <nowiki>[sefcontexts_compile]</nowiki>
 +
| Replace the default file context build application with this new builder. Defaults are either: <tt>/sbin/</tt>sefcontexts_compile or <tt>/usr/sbin/</tt>sefcontexts_compile.
  
 
|}
 
|}
  
 +
 +
For <tt>libsepol</tt> (v2.4) with CIL support add the following entries:
 +
 +
{| border="1"
 +
| store-root
 +
| Specify an alternative store root path to use. The default is "<tt>/var/lib/selinux</tt>".
 +
 +
|-
 +
| compiler-directory
 +
| Specify an alternate directory that will hold the High Level Language (HLL) to CIL compilers. The default is "<tt>/usr/libexec/selinux/hll</tt>".
 +
 +
|-
 +
| ignore-module-cache
 +
| Whether or not to ignore the cache of CIL modules compiled from HLL. The default is <tt>false</tt>.
 +
 +
|-
 +
| target-platform
 +
| Target platform for generated policy. Default is "<tt>selinux</tt>", the alternate is "<tt>xen</tt>".
 +
 +
|}
  
 
'''Example semanage.config file contents are:'''
 
'''Example semanage.config file contents are:'''
 
<pre>
 
<pre>
<nowiki># </nowiki>/etc/selinux/semanage.conf
+
# /etc/selinux/semanage.conf
  
 
module-store = direct
 
module-store = direct
 
expand-check = 0
 
expand-check = 0
 +
 +
[verify kernel]
 +
path = /usr/local/bin/validate
 +
args = $@
 +
[end]
 
</pre>
 
</pre>
  
== /etc/selinux/restorecond.conf File ==
 
The restorecond.conf file contains a list of files that may be created by applications with an incorrect security context. The restorecond daemon will then watch for their creation or modification and automatically correct their security context to that specified by the active policy file context configuration files(located in the <nowiki>/etc/selinux/<policy_name>/contexts/files</nowiki> directory). The daemon uses functions in libselinux such as matchpathcon(3) to manage the context updates.
 
  
Each line of the file contains the full path of a file or directory. The only different entry is one that starts with a tilde (~) as that signifies that the entries will be expanded to logged in users home directories (e.g. ~/public_html would cause the daemon to listen for changes to public_html in all logged on users home directories).  
+
== /etc/selinux/restorecond.conf and restorecond-user.conf Files ==
 +
The restorecond.conf file contains a list of files that may be created by applications with an incorrect security context. The '''restorecond'''(8) daemon will then watch for their creation and automatically correct their security context to that specified by the active policy file context configuration files<ref name="ftn33"><sup>The daemon uses functions in libselinux such as '''matchpathcon'''(3) to manage the context updates.</sup></ref> (located in the <nowiki>/etc/selinux/<policy_name>/contexts/files</nowiki> directory).
 +
 
 +
Each line of the file contains the full path of a file or directory. Entries that start with a tilde (~) will be expanded to watch for files in users home directories (e.g. ~/public_html would cause the daemon to listen for changes to public_html in all logged on users home directories).
 +
 
 +
Note that it is possible to run <tt>restorecond</tt> in a user session using the <tt>-u</tt> option (see <tt>'''restorecond'''(8)</tt>). This requires a <tt>restorecond-user.conf</tt> file to be installed as shown in the examples below.
  
 
'''Example restorecond.conf file contents are:'''
 
'''Example restorecond.conf file contents are:'''
 
<pre>
 
<pre>
<nowiki># </nowiki>/etc/selinux/restorecond.conf
+
# /etc/selinux/restorecond.conf
  
 
/etc/services
 
/etc/services
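Review bot: the expanded semanage.conf listing contains the [load_policy] ... [end] block twice (once after [verify linked] and again after [sefcontext_compile]); drop the second copy. The listing names the section [sefcontext_compile] but the new table row calls it [sefcontexts_compile] with defaults /sbin/sefcontexts_compile, so one spelling is wrong. The new "bzip-small true|false" and "ignoredirs dir [;dir] ..." lines are the only entries written without "=", unlike "usepasswd = true|false" beside them. In the rewritten module-store rows the option names run into their descriptions ("directlibsemanage will write", "/foo/barWrite via", "foo.com:4242Establish"); since the example below uses "module-store = direct", these should read "direct - libsemanage will write ...", "source - libsemanage manipulates ...", "/foo/bar - Write via ..." and "foo.com:4242 - Establish ...". Finally, the intro calls the man page semanage.config(5) while the heading and the example comment use semanage.conf.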
Line 183: Line 294:
 
/var/run/utmp
 
/var/run/utmp
 
/var/log/wtmp
 
/var/log/wtmp
 +
</pre>
  
<nowiki># This entry expands to listen for all files created for all </nowiki>
+
'''Example restorecond-user.conf file contents are:'''
<nowiki># logged in users within their home directories:</nowiki>
+
<pre>
 +
# /etc/selinux/restorecond-user.conf
 +
 
 +
# This entry expands to listen for all files created for all
 +
# logged in users within their home directories:
 
~/*
 
~/*
 +
~/public_html/*
 
</pre>
 
</pre>
 +
 +
 +
== /etc/selinux/newrole_pam.conf ==
 +
The optional <tt>newrole_pam.conf</tt> file is used by <tt>'''newrole'''(1)</tt> and maps applications or commands to <tt>'''PAM'''(8)</tt> configuration files. Each line contains the executable file name followed by the name of a <tt>pam</tt> configuration file that exists in <tt>/etc/pam.d</tt>.
  
 
== /etc/sestatus.conf File ==
 
== /etc/sestatus.conf File ==
This file is used by the sestatus(8) command to list files and processes whose security context should be displayed when the -v flag is used (sestatus -v).  
+
The '''sestatus.conf'''(5) file is used by the '''sestatus'''(8) command to list files and processes whose security context should be displayed when the -v flag is used (sestatus -v).  
  
The sestatus.conf file has the following parameters:
+
The file has the following parameters:
 
<pre>
 
<pre>
<nowiki>[files]</nowiki>
+
[files]
 
List of files to display context
 
List of files to display context
  
<nowiki>[process]</nowiki>
+
[process]
 
List of processes to display context
 
List of processes to display context
 
</pre>
 
</pre>
  
Example sestatus.conf file contents are:
+
'''Example sestatus.conf file contents are:'''
 
<pre>
 
<pre>
<nowiki># </nowiki>/etc/sestatus.conf
+
# /etc/sestatus.conf
  
<nowiki>[files]</nowiki>
+
[files]
 
/etc/passwd
 
/etc/passwd
 
/etc/shadow
 
/etc/shadow
Line 219: Line 340:
 
/lib/ld.so.1
 
/lib/ld.so.1
  
<nowiki>[process]</nowiki>
+
[process]
 
/sbin/mingetty
 
/sbin/mingetty
 
/sbin/agetty
 
/sbin/agetty
 
/usr/sbin/sshd
 
/usr/sbin/sshd
 
</pre>
 
</pre>
 +
  
 
== /etc/security/sepermit.conf File ==
 
== /etc/security/sepermit.conf File ==
This file is used by the pam_sepermit.so module to allow or deny a user login depending on whether SELinux is enforcing the policy or not. An example use of this facility is the Red Hat kiosk mode where a terminal can be set up with a guest user that does not require a password, but can only log in if SELinux is in enforcing mode.
+
The '''sepermit.conf'''(5) file is used by the <tt>pam_sepermit.so</tt> module to allow or deny a user login depending on whether SELinux is enforcing the policy or not. An example use of this facility is the Red Hat kiosk policy where a terminal can be set up with a guest user that does not require a password, but can only log in if SELinux is in enforcing mode.
  
The entry is added to the appropriate /etc/pam.d configuration file, with the example shown being the /etc/pam.d/gdm file:
+
The entry is added to the appropriate <tt>/etc/pam.d</tt> configuration file, with the example shown being the <tt>/etc/pam.d/gdm</tt> file (the [[NB_PAM | PAM Login Process]] section describes PAM in more detail):
 
<pre>
 
<pre>
<nowiki>#%PAM-1.0</nowiki>
+
#%PAM-1.0
auth <nowiki>[success=done ignore=ignore default=bad] pam_selinux_permit.so</nowiki>
+
auth <nowiki>[success=done ignore=ignore default=bad] pam_selinux_permit.so
<nowiki># auth </nowiki>required pam_succeed_if.so user != root quiet
+
auth required pam_succeed_if.so user != root quiet
 
auth required pam_env.so
 
auth required pam_env.so
 
auth substack system-auth
 
auth substack system-auth
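Review bot: the rewritten "auth [success=done ignore=ignore default=bad] pam_selinux_permit.so" line opens a <nowiki> tag but drops the closing </nowiki> that the old line had, so everything after it will render as literal wikitext; restore the closing tag. Also the prose introduces the module as pam_sepermit.so while the PAM line loads pam_selinux_permit.so; the two names should agree.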
Line 249: Line 371:
 
</pre>
 
</pre>
  
The usage is described in the pam_sepermit man page, but the following example describes the configuration:
+
The usage is described in <tt>'''pam_sepermit'''(5)</tt>, with the following example that describes the configuration:
 
<pre>
 
<pre>
<nowiki># /etc/security/sepermit.conf</nowiki><nowiki>#</nowiki>
+
# /etc/security/sepermit.conf
<nowiki># Each line contains either:</nowiki>
+
#
<nowiki># </nowiki>- an user name
+
# Each line contains either:
<nowiki># </nowiki>- a group name, with @group syntax
+
#   - an user name
<nowiki># </nowiki>- a SELinux user name, with %seuser syntax
+
#   - a group name, with @group syntax
<nowiki># Each line can contain optional arguments separated by :</nowiki>
+
#   - a SELinux user name, with %seuser syntax
<nowiki># The possible arguments are:</nowiki>
+
<nowiki># </nowiki>- exclusive - only single login session will be allowed for
+
<nowiki># </nowiki>the user and the user's processes will be killed on logout
+
<nowiki># An example entry for 'kiosk mode':</nowiki>
+
  
 +
# Each line can contain an optional argument:
 +
#  exclusive - only single login session will be allowed for
 +
#              the user and the user's processes will be
 +
#              killed on logout
 +
#
 +
#  ignore - The module will never return PAM_SUCCESS status
 +
#            for the user.
 +
 +
# An example entry for 'kiosk mode':
 
xguest:exclusive
 
xguest:exclusive
 
</pre>
 
</pre>
 +
 +
 +
{| style="width: 100%;" border="0"
 +
|-
 +
| [[ConfigurationFiles | '''Previous''']]
 +
| <center>[[NewUsers | '''Home''']]</center>
 +
| <center>[[PolicyStoreConfigurationFiles | '''Next''']]</center>
 +
|}
 +
 +
 +
----
 +
<references/>
 +
 +
[[Category:Notebook]]

Latest revision as of 15:35, 8 December 2014

Global Configuration Files

The sections that follow list the common configuration files used by SELinux; these files are not policy specific. The two most important files are:

  • /etc/selinux/config - This defines the policy to be activated and its enforcing mode.
  • /etc/selinux/semanage.conf - This is used by the SELinux policy configuration subsystem for modular or CIL policies.

/etc/selinux/config File

If this file is missing or corrupt no SELinux policy will be loaded (i.e. SELinux is disabled). The man page for this file is selinux_config(5), because the name 'config' had already been taken. The config file controls the state of SELinux using the following parameters:

SELINUX=enforcing|permissive|disabled
SELINUXTYPE=policy_name
SETLOCALDEFS=0|1
REQUIRESEUSERS=0|1
AUTORELABEL=0|1

Where:

SELINUX - This entry can contain one of three values:

  • enforcing - SELinux security policy is enforced.
  • permissive - SELinux logs warnings instead of enforcing the policy (i.e. the action is allowed to proceed).
  • disabled - No SELinux policy is loaded.

Note that this configures the global SELinux enforcement mode. It is still possible to have domains running in permissive mode and/or object managers running as disabled, permissive or enforcing, when the global mode is enforcing or permissive.

SELINUXTYPE - The policy_name is used as the directory name where the active policy and its configuration files will be located. The system will then use this information to locate and load the policy contained within this directory structure.

The policy directory must be located at:

/etc/selinux/<policy_name>/

SETLOCALDEFS - This optional field should be set to 0 (or the entry removed) as the policy store management infrastructure (semanage(8) / semodule(8)) is now used.

If set to 1, then init(8) and load_policy(8) will read the local customisation for booleans and users.

REQUIRESEUSERS - This optional field can be used to fail a login if there is no matching or default entry in the seusers file or if the file is missing.

It is checked by the libselinux function getseuserbyname(3), which is used by SELinux-aware login applications such as PAM(8).

If it is set to 0 or the entry is missing, getseuserbyname(3) will return the GNU / Linux user name as the SELinux user.

If it is set to 1, getseuserbyname(3) will fail.

AUTORELABEL - This is an optional field. If set to '0' and there is a file called .autorelabel in the root directory, then on a reboot, the loader will drop to a shell where a root logon is required. An administrator can then manually relabel the file system.

If set to '1' or the parameter name is not used (the default) there is no login for manual relabeling; however, should the /.autorelabel file exist, then the file system will be automatically relabeled using fixfiles -F restore.

In both cases the /.autorelabel file will be removed so the relabel is not done again.


Example config file contents are:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
#
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
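Added example, not code from the wiki page or from libselinux: it parses a config file laid out as above, derives the effective mode and the /etc/selinux/<policy_name>/ directory, and lists the settings the parameter descriptions warn about (a missing or corrupt file, a permissive mode, SETLOCALDEFS=1, REQUIRESEUSERS unset, AUTORELABEL=0). The sample files and the finding texts are constructed here.

```python
"""Parse and audit an /etc/selinux/config file laid out as described above.

Added example, not code from the wiki page or from libselinux; the finding
texts and the sample files are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Allowed values per parameter; SELINUXTYPE is a free-form policy name.
VALID_VALUES = {
    "SELINUX": {"enforcing", "permissive", "disabled"},
    "SETLOCALDEFS": {"0", "1"},
    "REQUIRESEUSERS": {"0", "1"},
    "AUTORELABEL": {"0", "1"},
}


@dataclass
class SelinuxConfig:
    mode: str                                  # effective global mode
    policy_dir: Optional[str] = None           # /etc/selinux/<policy_name>/
    settings: Dict[str, str] = field(default_factory=dict)
    findings: List[str] = field(default_factory=list)


def parse_config(text: Optional[str]) -> SelinuxConfig:
    """Return the effective SELinux state for the file contents in `text`.

    `text` is None when the file does not exist.  A missing or corrupt file
    means no policy is loaded (mode "disabled"); an unparsable line, an
    invalid value or a missing SELINUX= entry counts as corrupt here.
    """
    cfg = SelinuxConfig(mode="disabled")
    if text is None:
        cfg.findings.append("/etc/selinux/config is missing: SELinux is disabled")
        return cfg
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            cfg.findings.append(f"line {lineno}: corrupt entry {line!r}: SELinux is disabled")
            return cfg
        key, value = (part.strip() for part in line.split("=", 1))
        if key in VALID_VALUES and value not in VALID_VALUES[key]:
            cfg.findings.append(f"line {lineno}: invalid {key}={value!r}: SELinux is disabled")
            return cfg
        cfg.settings[key] = value
    if "SELINUX" not in cfg.settings:
        cfg.findings.append("SELINUX= entry missing: treated as corrupt, SELinux is disabled")
        return cfg
    cfg.mode = cfg.settings["SELINUX"]
    policy_name = cfg.settings.get("SELINUXTYPE")
    if policy_name:
        cfg.policy_dir = f"/etc/selinux/{policy_name}/"
    elif cfg.mode != "disabled":
        cfg.findings.append("SELINUXTYPE= missing: no policy directory to load from")
    return cfg


def audit_config(cfg: SelinuxConfig) -> List[str]:
    """Findings derived from the parameter descriptions above."""
    s = cfg.settings
    findings = list(cfg.findings)
    if cfg.mode == "disabled":
        findings.append("no SELinux policy is loaded")
    elif cfg.mode == "permissive":
        findings.append("SELINUX=permissive: denials are logged but not enforced")
    if s.get("SETLOCALDEFS") == "1":
        findings.append("SETLOCALDEFS=1: init/load_policy read local boolean and user "
                        "customisations; set it to 0 and use semanage/semodule instead")
    if cfg.mode != "disabled" and s.get("REQUIRESEUSERS", "0") == "0":
        findings.append("REQUIRESEUSERS unset or 0: getseuserbyname(3) falls back to the "
                        "Linux user name when seusers has no matching or default entry")
    if s.get("AUTORELABEL") == "0":
        findings.append("AUTORELABEL=0: if /.autorelabel exists, the next reboot drops "
                        "to a root shell for manual relabelling")
    return findings


# Constructed sample: the example file shown above (permissive, targeted).
SAMPLE_PERMISSIVE = """\
# This file controls the state of SELinux on the system.
SELINUX=permissive
SELINUXTYPE=targeted
"""

# Constructed sample with the optional parameters set as the text recommends.
SAMPLE_HARDENED = """\
SELINUX=enforcing
SELINUXTYPE=targeted
SETLOCALDEFS=0
REQUIRESEUSERS=1
AUTORELABEL=1
"""
```

Run `audit_config(parse_config(text))` on the contents of a real /etc/selinux/config, or on `None` when the file is absent, to get the list of findings.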

/etc/selinux/semanage.conf File

The semanage.conf(5) file controls the configuration and actions of the semanage(8) and semodule(8) set of commands using the following parameters:

module-store = method
policy-version = policy_version
expand-check = 0|1
file-mode = mode
save-previous = true|false
save-linked = true|false
disable-genhomedircon = true|false
handle-unknown = allow|deny|reject
bzip-blocksize = 0|1..9
bzip-small = true|false
usepasswd = true|false
ignoredirs = dir [;dir] ...

[verify kernel]
path = <application_to_run>
args = <arguments>
[end]

[verify module]
path = <application_to_run>
args = <arguments>
[end]

[verify linked]
path = <application_to_run>
args = <arguments>
[end]

[load_policy]
path = <application_to_run>
args = <arguments>
[end]

[setfiles]
path = <application_to_run>
args = <arguments>
[end]

[sefcontext_compile]
path = <application_to_run>
args = <arguments>
[end]

# libsepol (v2.4) with CIL support add the following:
store-root = <path>
compiler-directory = <path>
ignore-module-cache = true|false
target-platform = selinux | xen

Where:

module-store - The method can be one of four options:

  • direct - libsemanage will write directly to a module store. This is the default value.
  • source - libsemanage manipulates a source SELinux policy.
  • /foo/bar - Write via a policy management server, whose named socket is at /foo/bar. The path must begin with a '/'.
  • foo.com:4242 - Establish a TCP connection to a remote policy management server at foo.com. If there is a colon then the remainder is interpreted as a port number; otherwise default to port 4242.

policy-version - This optional entry can contain a policy version number; however, it is normally commented out as it then defaults to the version supported by the system.

expand-check - This optional entry controls whether hierarchy checking on module expansion is enabled (1) or disabled (0). The default is 0.

It is also required to detect the presence of policy rules that are to be excluded with neverallow rules.

file-mode - This optional entry allows the file permissions to be set on runtime policy files. The format is the same as the mode parameter of the chmod command and defaults to 0644 if not present.

save-previous - This optional entry controls whether the previous module directory is saved (TRUE) after a successful commit to the policy store. The default is to delete the previous version (FALSE).

save-linked - This optional entry controls whether the previously linked module is saved (TRUE) after a successful commit to the policy store. Note that this option will create a base.linked file in the module policy store.

The default is to delete the previous module (FALSE).

disable-genhomedircon - This optional entry controls whether the embedded genhomedircon function is run when using the semanage(8) command. The default is FALSE.

handle-unknown - This optional entry controls the kernel behaviour for handling permissions defined in the kernel but missing from the policy (those declared at the start of base.conf (loadable policy) or policy.conf (monolithic policy)).

The options are: allow the permission, reject by not loading the policy, or deny the permission. The default is deny. See the SELinux Filesystem section for how these are reported in /sys/fs/selinux.

Note: to activate any change, the base policy needs to be rebuilt with the semodule -B command.

bzip-blocksize - This optional entry determines whether the modules are compressed with bzip or not. If the entry is 0, then no compression will be used (this is required with tools such as sechecker and apol). This can also be set to a value between 1 and 9 that will set the block size used for compression (bzip will multiply this by 100,000, so '9' is faster but uses more memory).

bzip-small - When this optional entry is set to TRUE the memory usage is reduced for compression and decompression (the bzip -s or --small option). If FALSE or no entry is present, then no attempt is made to reduce memory requirements.

usepasswd - When this optional entry is set to TRUE, semanage will scan all password records for home directories and set up their labels correctly.

If set to FALSE (the default if no entry is present), then only the /home directory will be automatically re-labeled.

ignoredirs - A list of directories to ignore (separated by ';') when setting up users' home directories. This is used by some distributions to stop labeling /root as a home directory.

[verify kernel] - Starts an additional set of entries that can be used to validate the kernel policy with an external application during the build process. There may be multiple [verify kernel] entries.

The validation process takes place before the policy is allowed to be inserted into the store with a worked example shown in the Policy Validation Example.

[verify module] Start an additional set of entries that can be used to validate each module by an external application during the build process. There may be multiple [verify module] entries.
[verify linked] Start an additional set of entries that can be used to validate module linking by an external application during the build process. There may be multiple [verify linked] entries.
[load_policy] Replace the default load policy application with this new policy loader. Defaults are either: /sbin/load_policy or /usr/sbin/load_policy.
[setfiles] Replace the default set files application with this new set files. Defaults are either: /sbin/setfiles or /usr/sbin/setfiles.
[sefcontexts_compile] Replace the default file context build application with this new builder. Defaults are either: /sbin/sefcontexts_compile or /usr/sbin/sefcontexts_compile.


For libsepol (v2.4) with CIL support add the following entries:

store-root Specify an alternative store root path to use. The default is "/var/lib/selinux".
compiler-directory Specify an alternate directory that will hold the High Level Language (HLL) to CIL compilers. The default is "/usr/libexec/selinux/hll".
ignore-module-cache Whether or not to ignore the cache of CIL modules compiled from HLL. The default is false.
target-platform Target platform for generated policy. Default is "selinux", the alternate is "xen".

Example semanage.conf file contents are:

# /etc/selinux/semanage.conf

module-store = direct
expand-check = 0

[verify kernel]
path = /usr/local/bin/validate
args = $@
[end]
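As an added worked example (not code from the original page or from the SELinux project), the following Python parses the semanage.conf layout described above and flags the settings a reviewer would question: a non-local module-store, expand-check disabled, handle-unknown set to allow, and a file-mode wider than 0644. The sample file contents are constructed.

```python
"""Parse a semanage.conf and flag settings that weaken the checks described above."""

# Constructed sample, not a copy of any real host's file.
SAMPLE = """\
# /etc/selinux/semanage.conf
module-store = direct
expand-check = 0
handle-unknown = allow
file-mode = 0666

[verify kernel]
path = /usr/local/bin/validate
args = $@
[end]
"""


def parse_semanage_conf(text):
    """Return (settings, sections): top-level key = value pairs and [name] ... [end] blocks."""
    settings, sections, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line == "[end]":
            sections.append(current)
            current = None
        elif line.startswith("[") and line.endswith("]"):
            current = {"name": line[1:-1]}
        else:
            key, _, value = line.partition("=")
            target = settings if current is None else current
            target[key.strip()] = value.strip()
    return settings, sections


def audit(settings):
    """List settings a reviewer should question, using the defaults stated in the text."""
    findings = []
    store = settings.get("module-store", "direct")
    if store not in ("direct", "source"):
        findings.append(f"module-store={store}: changes go through a policy management server")
    if settings.get("expand-check", "0") == "0":
        findings.append("expand-check=0: neverallow violations are not checked on module expansion")
    if settings.get("handle-unknown", "deny") == "allow":
        findings.append("handle-unknown=allow: permissions missing from the policy are granted")
    mode = settings.get("file-mode", "0644")
    if int(mode, 8) & 0o022:
        findings.append(f"file-mode={mode}: runtime policy files are group or world writable")
    return findings
```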


/etc/selinux/restorecond.conf and restorecond-user.conf Files

The restorecond.conf file contains a list of files that may be created by applications with an incorrect security context. The restorecond(8) daemon will then watch for their creation and automatically correct their security context to that specified by the active policy file context configuration files[1] (located in the /etc/selinux/<policy_name>/contexts/files directory).

Each line of the file contains the full path of a file or directory. Entries that start with a tilde (~) will be expanded to watch for files in users' home directories (e.g. ~/public_html would cause the daemon to listen for changes to public_html in all logged on users' home directories).

Note that it is possible to run restorecond in a user session using the -u option (see restorecond(8)). This requires a restorecond-user.conf file to be installed as shown in the examples below.

Example restorecond.conf file contents are:

# /etc/selinux/restorecond.conf

/etc/services
/etc/resolv.conf
/etc/samba/secrets.tdb
/etc/mtab
/var/run/utmp
/var/log/wtmp

Example restorecond-user.conf file contents are:

# /etc/selinux/restorecond-user.conf

# This entry expands to listen for all files created for all
# logged in users within their home directories:
~/*
~/public_html/*


/etc/selinux/newrole_pam.conf

The optional newrole_pam.conf file is used by newrole(1) and maps applications or commands to PAM(8) configuration files. Each line contains the executable file name followed by the name of a pam configuration file that exists in /etc/pam.d.

/etc/sestatus.conf File

The sestatus.conf(5) file is used by the sestatus(8) command to list files and processes whose security context should be displayed when the -v flag is used (sestatus -v).

The file has the following parameters:

[files]
List of files to display context

[process]
List of processes to display context

Example sestatus.conf file contents are:

# /etc/sestatus.conf

[files]
/etc/passwd
/etc/shadow
/bin/bash
/bin/login
/bin/sh
/sbin/agetty
/sbin/init
/sbin/mingetty
/usr/sbin/sshd
/lib/libc.so.6
/lib/ld-linux.so.2
/lib/ld.so.1

[process]
/sbin/mingetty
/sbin/agetty
/usr/sbin/sshd


/etc/security/sepermit.conf File

The sepermit.conf(5) file is used by the pam_sepermit.so module to allow or deny a user login depending on whether SELinux is enforcing the policy or not. An example use of this facility is the Red Hat kiosk policy where a terminal can be set up with a guest user that does not require a password, but can only log in if SELinux is in enforcing mode.

The entry is added to the appropriate /etc/pam.d configuration file, with the example shown being the /etc/pam.d/gdm file (the PAM Login Process section describes PAM in more detail):

#%PAM-1.0
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth required pam_succeed_if.so user != root quiet
auth required pam_env.so
auth substack system-auth
auth optional pam_gnome_keyring.so
account required pam_nologin.so
account include system-auth
password include system-auth
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session optional pam_gnome_keyring.so auto_start
session include system-auth

The usage is described in pam_sepermit(5); the following example configuration file illustrates the format:

# /etc/security/sepermit.conf
#
# Each line contains either:
#   - an user name
#   - a group name, with @group syntax
#   - a SELinux user name, with %seuser syntax

# Each line can contain an optional argument:
#   exclusive - only single login session will be allowed for
#               the user and the user's processes will be
#               killed on logout
#
#   ignore - The module will never return PAM_SUCCESS status
#            for the user.

# An example entry for 'kiosk mode':
xguest:exclusive
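As an added worked example (not code from the original page or from the pam_sepermit project), the following Python models the decision described above: a listed user gets a success only while SELinux is enforcing, a listed user is denied when it is not, and an unlisted user is ignored so the rest of the PAM stack decides. The sample file, the group and user names, and the `already_logged_in` flag standing in for the session check behind `exclusive` are all constructed assumptions.

```python
"""Model of the pam_sepermit decision for a login, from a sepermit.conf file."""

# Constructed sample: the kiosk entry above plus a group entry and an SELinux user entry.
SAMPLE = """\
# /etc/security/sepermit.conf
xguest:exclusive
@kiosk
%guest_u:ignore
"""


def parse_sepermit(text):
    """Return (kind, name, options) tuples; kind is 'user', 'group' (@) or 'seuser' (%)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, opts = line.partition(":")
        options = {o.strip() for o in opts.split(",") if o.strip()}
        if name.startswith("@"):
            entries.append(("group", name[1:], options))
        elif name.startswith("%"):
            entries.append(("seuser", name[1:], options))
        else:
            entries.append(("user", name, options))
    return entries


def sepermit_result(entries, user, groups, seuser, enforcing, already_logged_in=False):
    """Return the PAM result name for this login; the first matching entry in file order wins.

    groups is the set of the user's group names, seuser the user's SELinux user, and
    already_logged_in (an assumption of this model) stands in for the 'exclusive' session check."""
    for kind, name, options in entries:
        if not ((kind == "user" and name == user)
                or (kind == "group" and name in groups)
                or (kind == "seuser" and name == seuser)):
            continue
        if not enforcing:
            return "PAM_AUTH_ERR"   # listed users may log in only while SELinux is enforcing
        if "exclusive" in options and already_logged_in:
            return "PAM_AUTH_ERR"   # only a single session is allowed for this user
        if "ignore" in options:
            return "PAM_IGNORE"     # never a success for this user; the stack continues
        return "PAM_SUCCESS"        # with [success=done ...] in pam.d the auth stack ends here
    return "PAM_IGNORE"             # not listed: the remaining PAM modules decide
```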


  1. The daemon uses functions in libselinux such as matchpathcon(3) to manage the context updates.