/**************************************************/
/*********** http://linux.meetup.com/85 ***********/
/** Bob Carnaghi Mon 07 Dec 2009 11:05:00 AM CST **/
/**************************************************/

selinux: http://wiki.centos.org/HowTos/SELinux

/********** Mode **********/

SELinux has 3 basic modes of operation, of which Enforcing is the default.

Enforcing:  The default mode. SELinux is enabled and enforces the security
            policy on the system, denying access and logging actions.
Permissive: SELinux is enabled but does not enforce the security policy; it
            only warns and logs actions. Permissive mode is useful for
            troubleshooting SELinux issues.
Disabled:   SELinux is turned off.

/********** Policy **********/

SELinux Policy
targeted: "targets" and confines key system processes.
strict:   by default everything is denied, and a policy is then written that
          gives each element of the system only the access required to
          function.

/**************************************************/

SELinux has 3 forms of access control:

Type Enforcement (TE):            The primary mechanism of access control used
                                  in the targeted policy.
Role-Based Access Control (RBAC): Based around SELinux users (not necessarily
                                  the same as the Linux user), but not used in
                                  the default targeted policy.
Multi-Level Security (MLS):       Not used and often hidden in the default
                                  targeted policy.
SELinux security context fields:

 _______________________________________
| system_u:object_r:httpd_sys_content_t |
 ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
     ↑        ↑             ↑
    user     role          type

/**************************************************/

root@thresher ~/ --> rpm -qa | grep selinux
libselinux-devel-1.33.4-5.5.el5
libselinux-1.33.4-5.5.el5
libselinux-1.33.4-5.5.el5
selinux-policy-2.4.6-255.el5_4.1
libselinux-devel-1.33.4-5.5.el5
libselinux-utils-1.33.4-5.5.el5
libselinux-python-1.33.4-5.5.el5
selinux-policy-targeted-2.4.6-255.el5_4.1
11:20:21 root@thresher ~/

/**********/

root@thresher ~/ --> yum search selinux
Loaded plugins: fastestmirror
Determining fastest mirrors
 * addons: holmes.umflint.edu
 * base: centos.omnispring.com
 * extras: mirrors.netdna.com
 * updates: ftp.linux.ncsu.edu
addons                    |  951 B     00:00
base                      | 2.1 kB     00:00
extras                    | 1.1 kB     00:00
updates                   | 1.9 kB     00:00
updates/primary_db        | 320 kB     00:00
========================================= Matched: selinux ==========================================
checkpolicy.x86_64 : SELinux policy compiler
libselinux.i386 : SELinux library and simple utilities
libselinux.x86_64 : SELinux library and simple utilities
libselinux-devel.i386 : Header files and libraries used to build SELinux
libselinux-devel.x86_64 : Header files and libraries used to build SELinux
libselinux-python.x86_64 : python bindings for libselinux
libselinux-ruby.x86_64 : SELinux ruby bindings for libselinux
libselinux-utils.x86_64 : SELinux libselinux utilies
libsemanage.x86_64 : SELinux binary policy manipulation library
libsepol.i386 : SELinux binary policy manipulation library
libsepol.x86_64 : SELinux binary policy manipulation library
mcstrans.x86_64 : SELinux Translation Daemon
policycoreutils.x86_64 : SELinux policy core utilities.
policycoreutils-gui.x86_64 : SELinux configuration GUI
selinux-policy.noarch : SELinux policy configuration
selinux-policy-devel.noarch : SELinux policy development
selinux-policy-minimum.noarch : SELinux minimum base policy
selinux-policy-mls.noarch : SELinux mls base policy
selinux-policy-strict.noarch : SELinux strict base policy
selinux-policy-targeted.noarch : SELinux targeted base policy
setools.x86_64 : SELinux tools for managing policy
setroubleshoot.noarch : Helps troubleshoot SELinux problems
setroubleshoot-plugins.noarch : Analysis plugins for use with setroubleshoot
setroubleshoot-server.noarch : SELinux troubleshoot server
11:21:21 root@thresher ~/

/**************************************************/

bob@thresher /mnt/md0/bernate/svc/ --> lsa
total 856K
drwxrwxr-x 3 bob bob 4.0K Dec  2 08:34 ad
drwxrwxr-x 2 bob bob 4.0K Oct 28 07:49 admin
-rw-rw-r-- 1 bob bob 163K Sep 16 08:16 ad_minutes_033108.doc
-rw-rw-r-- 1 bob bob 2.4K Oct 12 13:48 amber_kelly.txt
drwxr-xr-x 2 bob bob 4.0K Oct 20 08:37 bob
-rwxr--r-- 1 bob bob  165 Nov 30 15:38 ~$ce_cmd.xlsx
-rwxr--r-- 1 bob bob 113K Dec  2 09:48 ce_cmd.xlsx
-rwxr--r-- 1 bob bob 239K Oct 22 11:15 ce_printers.png
drwxrwxr-x 2 bob bob 4.0K Oct  6 09:44 ce-servers
drwxrwxr-x 2 bob bob 4.0K Nov 20 16:32 dell_ms-event
-rwxr--r-- 1 bob bob 142K Oct  8 06:26 IT Servers.doc
drwxrwxr-x 3 bob bob 4.0K Oct 26 14:51 nagios
drwxrwxr-x 2 bob bob 4.0K Sep 16 13:15 orgchart
-rwxr--r-- 1 bob bob  165 Oct 20 15:04 ~$svc0.xlsx
-rwxr--r-- 1 bob bob  62K Dec  7 08:44 svc0.xlsx
drwxr-xr-x 6 bob bob 4.0K Dec  1 09:37 technet
10:57:00 bob@thresher /mnt/md0/bernate/svc/ -->

/**************************************************/

bob@thresher /mnt/md0/bernate/svc/ --> ls -Z
drwxrwxr-x bob bob user_u:object_r:file_t   ad
drwxrwxr-x bob bob user_u:object_r:file_t   admin
-rw-rw-r-- bob bob user_u:object_r:file_t   ad_minutes_033108.doc
-rw-rw-r-- bob bob user_u:object_r:file_t   amber_kelly.txt
drwxr-xr-x bob bob system_u:object_r:file_t bob
-rwxr--r-- bob bob system_u:object_r:file_t ~$ce_cmd.xlsx
-rwxr--r-- bob bob system_u:object_r:file_t ce_cmd.xlsx
-rwxr--r-- bob bob system_u:object_r:file_t ce_printers.png
drwxrwxr-x bob bob user_u:object_r:file_t   ce-servers
drwxrwxr-x bob bob system_u:object_r:file_t dell_ms-event
-rwxr--r-- bob bob system_u:object_r:file_t IT Servers.doc
drwxrwxr-x bob bob user_u:object_r:file_t   nagios
drwxrwxr-x bob bob user_u:object_r:file_t   orgchart
-rwxr--r-- bob bob system_u:object_r:file_t ~$svc0.xlsx
-rwxr--r-- bob bob user_u:object_r:file_t   svc0.xlsx
drwxr-xr-x bob bob system_u:object_r:file_t technet
10:57:38 bob@thresher /mnt/md0/bernate/svc/

/**************************************************/

bob@thresher /var/www/html/ --> ls -Z
-rw-r--r-- bob bob user_u:object_r:httpd_sys_content_t index.html
drwxr-xr-x bob bob user_u:object_r:httpd_sys_content_t ks
-rw-r--r-- bob bob user_u:object_r:httpd_sys_content_t thresher.jpg
10:58:26 bob@thresher /var/www/html/

/**************************************************/

selinux critical commands:
`system-config-selinux`
`system-config-securitylevel`
`setsebool`
`getsebool`
`chcon`
`chcon -Rv --type=httpd_sys_content_t /html`
`restorecon` - used to restore file(s) default SELinux security contexts.
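The /mnt/md0 listing above shows every entry carrying the type file_t, which on this policy generation is the type given to files that have no SELinux label at all, while /var/www/html carries the expected httpd_sys_content_t. The following is an added example (it is not from the notes and not part of any SELinux tool) that parses `ls -Z` output in the format shown, splits each context into its user, role and type fields, and flags entries that are unlabeled or that differ from the type a directory is expected to carry. The listings embedded in it are constructed to match the format above; the set of "unlabeled" types and the expected-type argument are the example's own assumptions.

```python
"""Parse `ls -Z` output (CentOS 5 format) and flag files whose SELinux type
looks wrong.  Added example for these notes, not part of the original page
or of any SELinux tool; the sample listings below are constructed to match
the format shown above."""

import re
from collections import Counter

# CentOS 5 `ls -Z` line: perms owner group user:role:type[:level] name
LS_Z_RE = re.compile(
    r"^(?P<perms>[-dlcbps][rwxsStT-]{9}[.+]?)\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<context>\S+:\S+:\S+)\s+"
    r"(?P<name>.+)$"
)

# Types that mean "no real label" (assumption of this example): file_t is what
# this policy generation gives files with no security attribute at all (e.g.
# created while SELinux was disabled), default_t what it gives paths with no
# file_contexts entry, unlabeled_t the newer-policy equivalent of file_t.
UNLABELED_TYPES = {"file_t", "default_t", "unlabeled_t"}


def split_context(context):
    """Split 'user:role:type[:level]' into a dict; level is optional (MLS/MCS)."""
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % context)
    fields = {"user": parts[0], "role": parts[1], "type": parts[2]}
    fields["level"] = parts[3] if len(parts) == 4 else None
    return fields


def parse_ls_z(text):
    """Yield one dict per listing line; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = LS_Z_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry.update(split_context(entry["context"]))
        yield entry


def find_mislabeled(text, expected_type=None):
    """Return [(name, type, reason)] for entries that look mislabeled.

    An entry is flagged when its type is one of UNLABELED_TYPES, or when
    expected_type is given and the entry's type differs from it.
    """
    flagged = []
    for e in parse_ls_z(text):
        if e["type"] in UNLABELED_TYPES:
            flagged.append((e["name"], e["type"], "unlabeled"))
        elif expected_type and e["type"] != expected_type:
            flagged.append((e["name"], e["type"], "expected " + expected_type))
    return flagged


def type_summary(text):
    """Count how many entries carry each SELinux type."""
    return Counter(e["type"] for e in parse_ls_z(text))


# Constructed samples in the same shape as the listings in the notes.
SAMPLE_DATA_DIR = """\
drwxrwxr-x bob bob user_u:object_r:file_t ad
-rw-rw-r-- bob bob user_u:object_r:file_t amber_kelly.txt
drwxr-xr-x bob bob system_u:object_r:file_t technet
"""

SAMPLE_WEB_DIR = """\
-rw-r--r-- bob bob user_u:object_r:httpd_sys_content_t index.html
drwxr-xr-x bob bob user_u:object_r:httpd_sys_content_t ks
-rw-r--r-- bob bob user_u:object_r:user_home_t thresher.jpg
"""

if __name__ == "__main__":
    # Unlabeled data directory: every entry is reported.
    for name, typ, why in find_mislabeled(SAMPLE_DATA_DIR):
        print("%-20s %-25s %s" % (name, typ, why))
    # Web root: only the file copied in with a home-directory label is reported.
    for name, typ, why in find_mislabeled(SAMPLE_WEB_DIR, "httpd_sys_content_t"):
        print("%-20s %-25s %s" % (name, typ, why))
```

On a live system the input would be `ls -Z` run on the directory in question; entries reported as unlabeled or as carrying an unexpected type are the ones to fix with `chcon` or `restorecon` as listed in the commands above.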
`restorecon -Rv /var/www/html`
`setenforce enforcing | permissive` - changes the boolean /selinux/enforce; not
    persistent across reboot
`getenforce`
`semanage`
`ls -Z`
`ls -Zd`
`ps -Z`
`sealert [-b | -h | etc]`
`find -context`
`audit2allow` - create custom SELinux policy modules
`audit2why`
`setsebool`
`getsebool -a`
`sestatus [-v]`

To automatically relabel the complete filesystem upon reboot, do:
    touch /.autorelabel
    reboot

/**************************************************/

critical file locations:
'/etc/sysconfig/selinux'
'/etc/selinux/targeted/contexts/files/file_contexts' (default contexts)
'/selinux' (booleans directory)

selinux troubleshooting logs
`setroubleshoot`
to generate human-readable reports from the command line:
`sealert -a /var/log/audit/audit.log > /path/to/mylogfile.txt`

/**************************************************/

http selinux
`setsebool -P httpd_enable_homedirs 1`   # permits reading of home directories through httpd
`chcon -R -t httpd_sys_content_t /path/to/home-dir/public_html`

selinux 'named_write_master_zones':
`setsebool -P named_write_master_zones 1`

squid selinux
squid_connect_any   - allows squid to connect to the network
squid_disable_trans - disables SELinux protection for squid

ftp selinux
`setsebool -P ftp_home_directory 1`
'allow_ftpd_anon_write' (context for files = 'public_content_rw_t')
'allow_ftpd_use_cifs'
'allow_ftpd_use_nfs'
'ftp_is_daemon'      (allow ftp to run directly without inetd, necessary for user up/downloads)
'ftp_home_directory' (allow ftp to read/write files in user home directories, necessary for user up/downloads)

samba selinux
allow_smb_anon_write   - supports writing files to directories configured with 'public_content_rw_t'
samba_enable_home_dirs - allows samba to share users' home directories
samba_share_nfs        - allows samba to share directories already shared via NFS
use_samba_home_dirs    - supports remote access to local home directories

/**************************************************/

Troubleshooting SELinux

Sooner or later you may run into situations where SELinux denies access to
something and you need to troubleshoot the issue. There are a number of
fundamental reasons why SELinux may deny access to a file, process or resource:

    A mislabeled file.
    A process running under the wrong SELinux security context.
    A bug in policy. An application requires access to a file that wasn't
        anticipated when the policy was written and generates an error.
    An intrusion attempt.
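The reasons listed above can be applied mechanically to the AVC records that sealert and audit2why read from /var/log/audit/audit.log. The following is an added example (it is not from the notes and not part of setroubleshoot or audit2why): each "avc: denied" record is parsed, the source and target types are taken from its scontext and tcontext fields, and the record is sorted into the first matching reason, with repeated denials of the same kind grouped together. The audit lines embedded below are constructed in the standard AVC record format, and the classification rules (unlabeled target type, a daemon left in initrc_t, a generic port_t port) are the example's own heuristics, not something the notes state.

```python
"""Pull AVC denial records out of audit.log text and sort them into the
troubleshooting reasons listed in the notes.  Added example, not part of the
page or of setroubleshoot/audit2why; the log lines below are constructed in
the standard audit AVC record format."""

import re
from collections import defaultdict

# type=AVC msg=audit(<secs>.<ms>:<serial>): avc:  denied  { perm ... } for  k=v k="v" ...
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+"
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types that mean the file simply has no real label (assumption).
UNLABELED_TYPES = {"file_t", "default_t", "unlabeled_t"}


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"time": float(m.group("ts")), "serial": int(m.group("serial")),
           "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # Source and target contexts are user:role:type[:level]; keep the type.
    for ctx_key in ("scontext", "tcontext"):
        if ctx_key in rec:
            rec[ctx_key + "_type"] = rec[ctx_key].split(":", 3)[2]
    return rec


def classify(rec):
    """Map a denial to the first troubleshooting reason it suggests."""
    if rec.get("tcontext_type") in UNLABELED_TYPES:
        return "mislabeled file: run restorecon (or chcon) on the target"
    if rec.get("scontext_type") == "initrc_t":
        # A daemon still in initrc_t never transitioned to its own domain,
        # which usually means it was started outside its init script.
        return "process in wrong security context: restart it via its init script"
    if rec.get("tclass") in ("tcp_socket", "udp_socket") and rec.get("tcontext_type") == "port_t":
        return "port carries only the generic port_t label: add one with semanage port"
    return "policy gap or bug: run audit2why on this record"


def summarize(log_text):
    """Group denials by (source type, target type, class) with the perms seen."""
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "reason": None})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec.get("scontext_type"), rec.get("tcontext_type"), rec.get("tclass"))
        g = groups[key]
        g["count"] += 1
        g["perms"].update(rec["perms"])
        g["reason"] = classify(rec)
    return dict(groups)


# Constructed audit.log excerpt: httpd hitting an unlabeled file twice, then
# trying to bind a port that has no specific label.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1260201500.123:200): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1260201500.123:200): avc:  denied  { read } for  pid=2841 comm="httpd" name="thresher.jpg" dev=md0 ino=1234 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1260201501.456:201): avc:  denied  { getattr } for  pid=2841 comm="httpd" path="/mnt/md0/web/thresher.jpg" dev=md0 ino=1234 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1260201510.789:205): avc:  denied  { name_bind } for  pid=3001 comm="httpd" src=8081 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

if __name__ == "__main__":
    for (src, tgt, cls), g in sorted(summarize(SAMPLE_AUDIT_LOG).items()):
        print("%d x %s -> %s (%s) { %s }: %s"
              % (g["count"], src, tgt, cls, " ".join(sorted(g["perms"])), g["reason"]))
```

The grouping key (source domain, target type, object class) is the same shape audit2allow works from, so each group maps to one decision: relabel, fix how the process was started, label the port, or hand the record to audit2why before considering a policy module.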