What's New in Fedora Core 3 SE Linux
Security Enhanced Linux (SE Linux) is now installed and enabled by default in Fedora Core 3 (FC3). The installer offers the option of turning SE Linux off, and it can also be disabled manually after installation. In FC2, SE Linux was not installed by default; it was offered as an option during installation only if you passed selinux as a parameter to the boot loader.
The default SE Linux policy in FC3 is the targeted policy. Two policy types are offered, targeted and strict; targeted is new in FC3. Under the targeted policy, only a selection of commonly exposed daemons run with SE Linux restricting what they can do. In the FC3 pre-release these include named, httpd, dhcpd, portmap, squid, nscd, syslogd, snmpd and ntpd. Each runs in its own domain; httpd, for instance, runs in the httpd_t domain.
Daemons and other processes for which no policy is installed run in the unconfined_t domain. SE Linux's mandatory access controls (MAC) still apply to processes in unconfined_t, but the policy for that domain allows essentially everything, so in practice only the standard Linux discretionary access controls (DAC) limit what they can do. This includes user login shells: under the targeted policy a compromised unconfined process is contained no better than on a system without SE Linux.
To see which domains the targeted policy defines, examine /etc/selinux/targeted/src/domains/program/ (this directory exists only if the selinux-policy-targeted-sources package is installed). To see which programs are running unconfined, run ps axZ and look for processes in the unconfined_t domain.
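A practical check is to turn that ps listing into an inventory: how many processes sit in each domain, which commands are unconfined, and whether any daemon the targeted policy is supposed to confine has ended up in unconfined_t (a mislabeled binary or a failed domain transition looks exactly like that). The script below is an added example, not code from the original article or from Fedora; it reads ps output of the form produced by ps -eo label,pid,comm on stdin, and the SAMPLE_PS text is constructed to resemble FC3 targeted-policy output rather than captured from a real machine. The TARGETED_DAEMONS list is the one given in the text above.

```shell
#!/bin/sh
# Added example: summarise SE Linux process domains from `ps -eo label,pid,comm`
# output.  Not from the original article.  On a real FC3 box run e.g.
#   ps -eo label,pid,comm | unexpected_unconfined "$TARGETED_DAEMONS"

# Daemons the FC3 pre-release targeted policy confines (from the article text).
TARGETED_DAEMONS="named httpd dhcpd portmap squid nscd syslogd snmpd ntpd"

# Constructed sample (not captured from a real system): note ntpd is running
# in unconfined_t even though the targeted policy has a domain for it.
SAMPLE_PS='LABEL                          PID COMMAND
system_u:system_r:unconfined_t   1 init
system_u:system_r:syslogd_t    612 syslogd
system_u:system_r:unconfined_t 720 sshd
system_u:system_r:unconfined_t 845 ntpd
system_u:system_r:named_t      930 named
system_u:system_r:httpd_t     1034 httpd
system_u:system_r:httpd_t     1035 httpd
user_u:system_r:unconfined_t  2001 bash'

# Print "domain count" per domain, sorted by domain name.  The type is the
# third colon-separated field of the context (user:role:type); lines whose
# first field is not a context (the header) are skipped.
summarise_domains() {
    awk '$1 ~ /:/ { split($1, ctx, ":"); counts[ctx[3]]++ }
         END { for (d in counts) print d, counts[d] }' | sort
}

# Print the distinct command names running in unconfined_t.
unconfined_commands() {
    awk '$1 ~ /:/ { split($1, ctx, ":"); if (ctx[3] == "unconfined_t") print $3 }' | sort -u
}

# Print commands from the space-separated list $1 that are running in
# unconfined_t although the policy is expected to confine them.
unexpected_unconfined() {
    awk -v want="$1" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) expect[w[i]] = 1 }
        $1 ~ /:/ {
            split($1, ctx, ":")
            if (ctx[3] == "unconfined_t" && ($3 in expect)) print $3
        }' | sort -u
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_PS" | summarise_domains
echo "--- expected-confined daemons running unconfined:"
printf '%s\n' "$SAMPLE_PS" | unexpected_unconfined "$TARGETED_DAEMONS"
```

A daemon reported by unexpected_unconfined is worth investigating before anything else: it is exposed on the network with none of the policy's restrictions, and the usual cause is a binary or its parent init script carrying the wrong file context, which a relabel fixes.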
The strict policy applies SE Linux MAC controls to all processes. The unconfined_t domain is not used by default under strict policy: there is a domain for each daemon and restricted domains for user logins (under the targeted policy, user logins are not restricted at all). The strict policy is not installed by default because it is harder to administer. It is more secure than targeted because MAC controls apply to every process apart from a small number of important system processes (init scripts, insmod, hotplug, firstboot, RPM and anaconda), as opposed to only a small selection of daemons under targeted. The tradeoff is usability against security: under strict policy you are far more likely to have to edit policy by hand, because the controls are tighter and an operation you want to perform may well not be allowed, so local customizations become necessary.
You can switch from targeted to strict policy and vice versa, but test this on a non-production system first. Changing from targeted to strict on a production system is likely to reveal operations that are no longer allowed, requiring manual modifications to system policy. If you are not confident troubleshooting and resolving SE Linux policy denials, run the targeted policy. Switching from strict to targeted should not cause major glitches, although it still requires a relabel, as described below.
Changing from one policy type to the other is quite simple; command-line instructions are in the Fedora Core 3 test3 SELinux FAQ (see Resources). Alternatively, run the system-config-securitylevel program, which currently is available only in graphical mode, not text mode. At the time of this writing there is a bug in the FC3 pre-release: system-config-securitylevel does not create the /.autorelabel file, so you must create it by hand (touch /.autorelabel). The bug will be fixed for the FC3 release. The existence of this file causes all filesystems to be relabeled at boot; the /etc/rc.sysinit script removes it once the relabel has run.
In FC2, the SE Linux directory was /etc/security/selinux; in FC3 it is /etc/selinux, with subdirectories strict and targeted containing the files needed for each policy. Each also contains a file called booleans, which holds the default values of tunable settings such as httpd_enable_cgi, which controls whether httpd may run CGI scripts. You can inspect the current values at runtime with getsebool -a and change them with setsebool (add -P to make a change persist across reboots).
The /etc/selinux/config file is also new in FC3. It contains the SELINUX variable, which can be set to enforcing, permissive or disabled, and the SELINUXTYPE variable, which can be set to targeted or strict. The config.v file is the version control file for the config file. Editing config by hand is possible but not recommended; use system-config-securitylevel instead. The config file is read only at boot, so editing it does not alter the running system. To switch between enforcing and permissive at runtime, use setenforce 1 or setenforce 0 (getenforce shows the current mode); moving between disabled and enabled, in either direction, takes effect only after a reboot. If you change SELINUXTYPE between strict and targeted, you must load the new policy and relabel all filesystems, because the two policies label files differently. Creating the /.autorelabel flag file and then rebooting is the only recommended way to do this.
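The following script is an added example, not code from the article, Fedora or system-config-securitylevel, showing the manual procedure the text describes: read and validate /etc/selinux/config, and when SELINUXTYPE changes, rewrite the setting and create the /.autorelabel flag so the next boot relabels every filesystem. The set_policy_type function takes an optional root directory (an assumption made here so the procedure can be rehearsed in a scratch directory); with no second argument it operates on the real /etc/selinux/config and /.autorelabel. SAMPLE_CONFIG is constructed in the layout of the FC3 config file. Nothing here reboots or loads policy; those steps remain manual.

```shell
#!/bin/sh
# Added example: validate /etc/selinux/config and flag a relabel when the
# policy type changes.  Not from the original article.

# Constructed sample in the layout of the FC3 /etc/selinux/config file.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted'

# config_value KEY  (config text on stdin): print the value of KEY=value,
# ignoring comment lines; the last assignment wins, as it does at boot.
config_value() {
    sed -n "s/^[[:space:]]*$1=\([^[:space:]#]*\).*/\1/p" | tail -n 1
}

# validate_config (config text on stdin): report any SELINUX or SELINUXTYPE
# value that the boot scripts would not understand.  Returns 1 on a problem.
validate_config() {
    cfg=$(cat)
    mode=$(printf '%s\n' "$cfg" | config_value SELINUX)
    type=$(printf '%s\n' "$cfg" | config_value SELINUXTYPE)
    rc=0
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELINUX=$mode (want enforcing, permissive or disabled)"; rc=1 ;;
    esac
    case "$type" in
        targeted|strict) ;;
        *) echo "invalid SELINUXTYPE=$type (want targeted or strict)"; rc=1 ;;
    esac
    return $rc
}

# set_policy_type TYPE [ROOT]: change SELINUXTYPE in ROOT/etc/selinux/config
# and create ROOT/.autorelabel so every filesystem is relabeled on the next
# boot (the step system-config-securitylevel misses in the FC3 pre-release).
# ROOT defaults to the real root; pass a scratch directory to rehearse.
set_policy_type() {
    newtype=$1
    root=${2:-}
    cfg="$root/etc/selinux/config"
    case "$newtype" in
        targeted|strict) ;;
        *) echo "unknown policy type: $newtype" >&2; return 2 ;;
    esac
    current=$(config_value SELINUXTYPE < "$cfg")
    if [ "$current" = "$newtype" ]; then
        echo "SELINUXTYPE is already $newtype; nothing to do"
        return 0
    fi
    # Rewrite only the SELINUXTYPE line, keeping comments and SELINUX= intact.
    sed "s/^[[:space:]]*SELINUXTYPE=.*/SELINUXTYPE=$newtype/" "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
    : > "$root/.autorelabel"
    echo "SELINUXTYPE changed from $current to $newtype; relabel flagged, reboot to apply"
}

# Demo against the constructed sample (no files touched).
printf '%s\n' "$SAMPLE_CONFIG" | validate_config && echo "sample config is valid"
```

Rehearse with a scratch root, for example mkdir -p /tmp/r/etc/selinux, copy the config there, then set_policy_type strict /tmp/r, and check that /tmp/r/.autorelabel appears. On the live system the same call edits /etc/selinux/config and creates /.autorelabel, after which the reboot performs the relabel and /etc/rc.sysinit removes the flag.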
A more detailed discussion of the /etc/selinux/ directory is beyond the scope of this article, but it will be covered in a future article.