What's New in Fedora Core 3 SE Linux
Security Enhanced Linux (SE Linux) now is the default configuration for an installation of
Fedora Core 3 (FC3). When you install FC3, you have the option of turning
off SE Linux. Alternatively, you can turn it off manually after it has been
installed. In FC2, SE Linux was not installed by default but was an
option offered during the installation process, where you had to supply
selinux as a parameter to the boot loader.
The Strict and Targeted Policies
The default SE Linux policy in FC3 is the targeted policy. Two types of
policies are offered--targeted and strict. Targeted policy
is new in FC3. Under the targeted policy, only some of the more
commonly used daemons run with SE Linux restricting what they can do.
These daemons include named, httpd, dhcpd, portmap, squid, nscd, syslogd,
snmpd and ntpd. These daemons run in their own domains; httpd, for
instance, runs in the httpd_t domain.
Daemons and system processes that do not have a policy installed
run in the unconfined_t domain. Processes running in the
unconfined_t domain have the standard Linux DACs (discretionary
access controls) applied. SE Linux MACs (mandatory access controls)
still are applied, but the policy for processes running in
unconfined_t says allow everything.
To see which domains are targeted, examine your
/etc/selinux/targeted/src/domains/program/ directory. To see
which programs are running unconfined, run ps axZ
and look for processes in the unconfined_t domain.
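
As an added example (not from the original article), the following script groups ps axZ output by domain and lists the processes in unconfined_t. The sample process list is constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Constructed `ps axZ` output; only the third context field
# (the domain) matters here, the user and role fields are illustrative.
sample_ps() {
cat <<'EOF'
LABEL                             PID TTY      STAT   TIME COMMAND
user_u:system_r:unconfined_t        1 ?        S      0:04 init [5]
user_u:system_r:syslogd_t        1712 ?        Ss     0:00 syslogd -m 0
user_u:system_r:named_t          1801 ?        Ssl    0:00 /usr/sbin/named -u named
user_u:system_r:unconfined_t     1850 ?        Ss     0:00 /usr/sbin/sshd
user_u:system_r:httpd_t          1890 ?        Ss     0:00 /usr/sbin/httpd
user_u:system_r:unconfined_t     2104 pts/0    Ss     0:00 -bash
EOF
}

# Read `ps axZ` text on stdin and print "count domain", busiest domain first.
domains_by_count() {
    awk 'NR > 1 { split($1, c, ":"); n[c[3]]++ }
         END { for (d in n) print n[d], d }' | sort -k1,1nr -k2,2
}

# Read `ps axZ` text on stdin and print "PID COMMAND" for one domain
# (default unconfined_t), i.e. the processes the policy does not confine.
procs_in_domain() {
    awk -v want="${1:-unconfined_t}" \
        'NR > 1 { split($1, c, ":"); if (c[3] == want) print $2, $6 }'
}

# Pass "--live" to inspect the running system instead of the sample.
if [ "${1:-}" = "--live" ]; then src="ps axZ"; else src=sample_ps; fi
$src | domains_by_count
$src | procs_in_domain
```

A network-facing daemon that shows up in the unconfined_t list is one that only the standard DACs are restricting.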
Strict policy applies the SE Linux MAC controls to all processes.
The unconfined_t domain is not used by default in the strict
policy, as there is a domain for each daemon and restricted domains for
user logins. No restrictions exist for user login domains under the
targeted policy. The strict policy is not installed by default, as it is
more difficult to administer. Strict policy is more secure than targeted
because the SE Linux MAC controls are applied to all processes, apart
from a small number of important system processes--init scripts, insmod,
hotplug, firstboot, RPM and anaconda--rather than only to a small
selection of important daemons, as under the targeted policy.
One can see that a tradeoff exists here between usability and security.
If you were to run strict policy, you would be more likely to edit
policy manually, because the controls are tighter. Chances are, an operation
you want to do would not be allowed, and you therefore would be required
to make local customizations.
You can switch from targeted to strict policy and vice versa, but you
first should test this on a non-production system. If you were to
change from targeted to strict policy on a production system, you
probably would find that some things you want to do are not allowed, requiring
manual modifications to system policy. If you are not confident with
troubleshooting and solving SE Linux policy-related issues, it is advised
that you run the targeted policy. Switching from strict to targeted
policy should not result in any major glitches.
The process of changing from one policy type to another is quite simple,
and command-line instructions can be found in the Fedora Core 3 test3
SELinux FAQ (see Resources). Another way to change to
the other policy type is to run the system-config-securitylevel
program. It currently is available only in graphics mode, not text mode.
At the time of this writing, there is a bug in FC3 pre-release: the /.autorelabel
file is not created by the system-config-securitylevel script, so you have to create it by
hand. This bug will be fixed for the FC3 release. The existence
of this file causes all filesystems to be relabeled on boot.
The /etc/rc.sysinit script removes this file upon boot.
Changes to the SE Linux Base Directory
In FC2, the SE Linux directory was /etc/security/selinux; in FC3,
it has been changed to /etc/selinux, with subdirectories of strict
and targeted. Under the strict and targeted directories you can find
the necessary files for the strict and targeted policies. The strict
and targeted directories also contain a file called booleans.
This file contains settings for default values for items that may be
changed, such as httpd_enable_cgi, a value that allows CGI scripts to be run.
The /etc/selinux/config file also is a new addition in FC3.
It contains the SELINUX variable, which can be set to enforcing,
permissive or disabled. The config file also contains the SELINUXTYPE
variable, which can be set to targeted or strict. The config.v file is
the version control file for the config file. You can edit the config
file by hand, but it isn't recommended. Instead, you should use the
system-config-securitylevel program. The config file is read at boot
time, so changing it on a running system doesn't alter how the system
currently is running. If you change the value of the SELINUXTYPE variable
between strict and targeted, you must reload the new policy
and relabel all filesystems. Creating the .autorelabel flag
file is the only recommended way of doing this, followed by a reboot.
A more detailed discussion of the /etc/selinux/ directory is
beyond the scope of this article, but it will be covered in a
future article.
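
As an added example (not from the original article), the following script checks a config file for the values listed above and flags the case where SELINUXTYPE has changed but the relabel flag file is missing, which is the symptom of the pre-release bug mentioned earlier. The function names are hypothetical, the previous policy type is assumed to be supplied by the caller, and the demo uses a constructed file in a temporary directory rather than the real /etc/selinux/config and /.autorelabel.

```shell
#!/bin/sh
# Added example. Read one variable from an /etc/selinux/config style file
# (KEY=value lines, '#' comments); the last assignment wins.
cfg_get() {  # cfg_get FILE KEY
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Succeed only if SELINUX and SELINUXTYPE hold values the article lists.
cfg_validate() {  # cfg_validate FILE
    case "$(cfg_get "$1" SELINUX)" in
        enforcing|permissive|disabled) ;;
        *) echo "bad or missing SELINUX in $1" >&2; return 1 ;;
    esac
    case "$(cfg_get "$1" SELINUXTYPE)" in
        targeted|strict) ;;
        *) echo "bad or missing SELINUXTYPE in $1" >&2; return 1 ;;
    esac
}

# Succeed when the configured policy type differs from OLD_TYPE (assumption:
# the caller knows which type the filesystems were last labeled under) and
# the relabel flag file FLAG does not exist, so the next boot would not relabel.
relabel_missing() {  # relabel_missing FILE OLD_TYPE FLAG
    new=$(cfg_get "$1" SELINUXTYPE)
    [ "$new" != "$2" ] && [ ! -e "$3" ]
}

# Demo on a constructed config: type switched from targeted to strict.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' 'SELINUX=enforcing' \
        'SELINUXTYPE=strict' > "$d/config"
    if cfg_validate "$d/config" &&
       relabel_missing "$d/config" targeted "$d/.autorelabel"; then
        echo "type is now $(cfg_get "$d/config" SELINUXTYPE): relabel flag missing"
    fi
    rm -rf "$d"
}
demo
```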
Future Developments
Development work currently is underway on making the strict
policy more flexible and on making defaults that will work more easily out
of the box. Work also is being done on Security Enhanced X, where the
aim is to have control over the X sessions so that, for instance, a
hostile X program can't interfere with other X programs on the display.
For example, programs would not be able to sniff the keyboard, see
windows or conceal windows without the X user knowing.
The SE Linux user base is growing consistently, and with the inclusion
of SE Linux in Fedora releases, more and more people are becoming aware
of its many advantages. At first glance, SE Linux may appear quite daunting,
and many users find the targeted policy a good starting point. Support may be
found in the form of FAQs, HOWTOs, mailing lists, published articles and IRC channels.
Resources
Fedora Core 3 test3 SELinux FAQ
Faye Coker works as a freelance systems administrator and often
finds herself running the systems at ISPs and converting servers to
Linux. She has worked in Europe and Australia. She also has been asked
"are you lost?" far too many times at Linux conferences.
Comments
Fedora Core 3 and digital card
Fedora Core 3 does not run when a digital card is set up. How can we solve this problem?