What's New in Fedora Core 3 SE Linux
Security Enhanced Linux (SE Linux) now is the default configuration for an installation of Fedora Core 3 (FC3). When you install FC3, you have the option of turning off SE Linux. Alternatively, you can turn it off manually after it has been installed. In FC2, SE Linux was not installed by default but was an option offered during the installation process, where you had to supply selinux as a parameter to the boot loader.
The default SE Linux policy in FC3 is the targeted policy. Two types of policies are offered--targeted and strict. Targeted policy is new in FC3. Under the targeted policy, only some of the more commonly used daemons run with SE Linux restricting what they can do. These daemons include named, httpd, dhcpd, portmap, squid, nscd, syslogd, snmpd and ntpd. These daemons run in their own domains; httpd, for instance, runs in the httpd_t domain.
Daemons and system processes that do not have a policy installed run in the unconfined_t domain. Processes running in the unconfined_t domain have the standard Linux DACs (discretionary access controls) applied. SE Linux MACs (mandatory access controls) are applied, in that processes running in unconfined_t have a policy that says allow everything.
To see which domains are targeted, examine your /etc/selinux/targeted/src/domains/program/ directory. To see which programs are running unconfined, run ps axZ to see what is running in the unconfined_t domain.
Strict policy applies the SE Linux MAC controls to all processes. The unconfined_t domain is not used by default in the strict policy, as there is a domain for each daemon and restricted domains for user logins. No restrictions exist for user login domains under the targeted policy. The strict policy is not installed by default, as it is more difficult to administer. Strict policy is more secure than targeted because of the SE Linux MAC controls being applied to all processes, apart from a small number of important system processes--init scripts, insmod, hotplug, firstboot, RPM and anaconda. This is opposed to only being applied to a small selection of important daemons under the targeted policy. One can see that a tradeoff exists here between usability and security. If you were to run strict policy, you would be more likely to edit policy manually, because the controls are tighter. Chances are, an operation you want to do would not be allowed, and you therefore would be required to make local customizations.
You can switch from targeted to strict policy and vice versa, but you first should test this on a non-production system. If you were to change from targeted to strict policy on a production system, you probably would find that some things you want to do are not allowed, requiring manual modifications to system policy. If you are not confident with troubleshooting and solving SE Linux policy-related issues, it is advised that you run the targeted policy. Switching from strict to targeted policy should not result in any major glitches.
The process of changing from one policy type to another is quite simple, and command-line instructions can be found in the Fedora Core 3 test3 SELinux FAQ (see Resources). Another way to change to the other policy type is to run the system-config-securitylevel program. It currently is available only in graphics mode, not text mode. At the time of this writing, there is a bug in FC3 pre-release: the /.autorelabel file is not created by the system-config-securitylevel script, so you have to create it by hand. This bug will be fixed for the FC3 release. The existence of this file causes all filesystems to be relabeled on boot. The /etc/rc.sysinit script removes this file upon boot.
In FC2, the SE Linux directory was /etc/security/selinux; in FC3, it has been changed to /etc/selinux, with subdirectories of strict and targeted. Under the strict and targeted directories you can find the necessary files for the strict and targeted policies. The strict and targeted directories also contain a file called booleans. This file contains settings for default values for items that may be changed, such as httpd_enable_cgi, a value that allows CGI scripts to be run.
The /etc/selinux/config file also is a new addition in FC3. It contains the SELINUX variable, which can be set to enforcing, permissive or disabled. The config file also contains the SELINUXTYPE variable, which can be set to targeted or strict. The config.v file is the version control file for the config file. You can edit the config file by hand but it isn't recommended. Instead, you should use the system-config-securitylevel program. The config file is read at boot time, so making a runtime change to it doesn't alter the current running of your system. If you change the value of the SELINUXTYPE variable between strict and targeted, you must reload the new policy and relabel all filesystems. Creating the .autorelabel flag file is the only recommended way of doing this, followed by a reboot.
A more detailed discussion of the /etc/selinux/ directory is beyond the scope of this article, but it will be covered in a future article.
Practical books for the most technical people on the planet. Newly available books include:
- Agile Product Development by Ted Schmidt
- Improve Business Processes with an Enterprise Job Scheduler by Mike Diehl
- Finding Your Way: Mapping Your Network to Improve Manageability by Bill Childers
- DIY Commerce Site by Reven Lerner
Plus many more.