Afraid of selinux


Postby Cr4ashT3stDum44'/ on Mon Dec 03, 2012 3:31 pm

Hi, I've been using LMDE 64-bit for a while now and I am thinking about installing SELinux with the default policy. I started reading the SELinux Notebook but I ran into two problems:
- it's huge
- it's very complex.
I read about SELinux in the Debian Administrator's Handbook and I did some googling; on Fedora forums a lot of people complain about it. From what I understand it might be the best way to secure a system, but I don't want to have every custom program I use blocked or, worse, not even be able to log in (or have MATE rainbows up, it happened with Cinnamon)... So, is it a good idea to set up SELinux without knowing it inside out? Would the default policy protect me (at least until I fully understand how to modify it) without hindering my every move?
Cr4ashT3stDum44'/

Re: Afraid of selinux

Postby widget on Thu Dec 06, 2012 7:38 pm

You should be able to use your system with SELinux installed. Use packages "selinux-basics" and "selinux-policy-default".

One thing you could do to make sure you are comfortable with it is to do a new install (say a huge 6 to 10 gigs) and try it there. If you don't like it you could then reinstall to have a clean slate to work on and try AppArmor.
Dell XPS 420 Core2 Quad Q 6600, audigy5.1, Radeon HD 6450 - currently 4 320Gb HDD, Debian Squeeze for secure use, Debian testing for daily use, Debian Sid for fun.
widget

Re: Afraid of selinux

Postby Cr4ashT3stDum44'/ on Fri Dec 07, 2012 3:50 am

Thanks for the advice. I'll try in a VM :D
Cr4ashT3stDum44'/

Re: Afraid of selinux

Postby widget on Fri Dec 07, 2012 4:49 pm

Cr4ashT3stDum44'/ wrote: Thanks for the advice. I'll try in a VM :D

That should work.

There are advantages to having another real install though. There are many things you may want to try out that will not really do well in VB. Anything that has to interact directly with your hardware may not respond exactly the same under a real install as in VB.

Of course that is less of a problem if using exactly the same version as your host OS, but there can still be surprises. This is the reason that all development releases need tested by people actually installing them because development takes place in a virtual environment.

Having a "Throw Away" install makes you a lot more willing to experiment and speeds the learning process. There is no better way to learn than to break things. Not a real good idea on an install you are trying to use.
widget

Re: Afraid of selinux

Postby stratus_ss on Fri Dec 07, 2012 5:31 pm

I work with SELinux writing my own basic policies for things like mysql, corosync, zabbix etc.

It's actually not that hard once you grasp a few things:

1) EVERYTHING has a context, using ls -lZ on a file or directory will produce something similar to this

Code:
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 Desktop


You can disregard MOST of this information unless you are going to tweak individual users.

So to break this down:
Code:
unconfined_u:


Is an SELinux user, which, like I said, unless you are heavily tweaking a multi-user environment, you probably don't need to worry about

Code:
object_r


This section for objects is not fully implemented and almost all admins disregard this for now

What you really care about is this
Code:
admin_home_t


This is what kind of dictates what can access a given folder. If this is incorrect for what you want, it will be automatically denied. ({AVC Denied} will show up in the audit.log). So if you wanted to share this desktop out via samba, samba would share the file but SELinux would deny anyone from interacting with it (writing to, or reading from it)

2) semanage fcontext is your friend! This is how you change context types. In our above example, to be able to share the folder via samba you would have to do something like this

Code:
semanage fcontext -a -t samba_share_t "/root/Desktop(/.*)?"
restorecon -Rvv /root/Desktop


This would change the context so that samba sharing would be enabled

3) learn the audit2allow command! It can generate custom rules based on what is showing up in your logs

For example, if you are having a problem with a service called corosync you would do something like this:

Code:
cat /var/log/audit/audit.log |grep corosync |audit2allow


This would produce output that should be human readable. I just launched it on my machine right now and this is what it looks like

Code:
[root@ldap ~]# cat /var/log/audit/audit.log |audit2allow


#============= xdm_t ==============
#!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'

allow xdm_t admin_home_t:dir read;
#!!!! This avc can be allowed using the boolean 'xdm_exec_bootloader'

allow xdm_t bootloader_exec_t:file getattr;
allow xdm_t cvs_exec_t:file getattr;
allow xdm_t dhcpc_exec_t:file getattr;
allow xdm_t fsadm_exec_t:file getattr;
allow xdm_t gpg_exec_t:file getattr;
allow xdm_t ifconfig_exec_t:file getattr;
allow xdm_t insmod_exec_t:file getattr;
allow xdm_t ipsec_mgmt_exec_t:file getattr;
allow xdm_t iptables_exec_t:file getattr;
allow xdm_t java_exec_t:file getattr;
allow xdm_t lpr_exec_t:file getattr;
allow xdm_t lvm_exec_t:file getattr;
allow xdm_t netutils_exec_t:file getattr;
allow xdm_t ntpdate_exec_t:file getattr;
allow xdm_t postfix_master_exec_t:file getattr;
allow xdm_t rsync_exec_t:file getattr;
allow xdm_t ssh_exec_t:file getattr;


Just for an example here is a custom samba.te that I created

Code:
module local 1.0;

require {
        type samba_var_t;
        type smbd_t;
        type nmbd_t;
        type default_t;
        type etc_runtime_t;

        class file { write unlink create getattr };
        class sock_file unlink;
        class capability { sys_admin sys_resource };
        class dir { write remove_name create rmdir add_name };
}

#============= smbd_t ==============
allow smbd_t etc_runtime_t:dir { write remove_name create add_name rmdir };
allow smbd_t etc_runtime_t:file create;
allow smbd_t etc_runtime_t:file write;
allow smbd_t etc_runtime_t:file unlink;
allow smbd_t default_t:file getattr;

#============= nmbd_t ==============
allow nmbd_t self:capability { sys_admin sys_resource };
allow nmbd_t samba_var_t:sock_file unlink;



Those allow statements were generated by audit2allow. It looks big and scary, but it's really not that difficult. It just takes practice.

4) Don't get bogged down with learning it all at first. Learn what you need to get it working and then expand your knowledge once you are confident you can solve most of the basic problems.

Don't forget to ask questions!
stratus_ss
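
Added example, not part of the thread or of any SELinux tool: the Python below parses AVC denials of the kind discussed in steps 1 to 3 above, pulls the type field out of each context, and emits audit2allow-style rules with a triage hint. The log records are constructed, and the `GENERIC_TYPES` rule of thumb (a target typed `default_t` usually calls for the `semanage fcontext` / `restorecon` relabel from step 2 rather than a new allow rule) is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1354901460.101:411): avc:  denied  { getattr } for  pid=2101 comm="smbd" path="/srv/share/a.txt" dev=sda1 ino=1311 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1354901461.220:412): avc:  denied  { write } for  pid=2101 comm="smbd" name="lock" dev=sda1 ino=1400 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1354901462.007:413): avc:  denied  { create } for  pid=2101 comm="smbd" name="lock" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1354901470.500:420): avc:  denied  { read } for  pid=1780 comm="gdm" name="root" dev=sda1 ino=12 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1354901470.500:420): arch=c000003e syscall=2 success=no exit=-13 comm="gdm"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ ([^}]+) \}.*?"
    r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

# Assumption: these catch-all types mean the file was never given a proper label.
GENERIC_TYPES = {"default_t", "unlabeled_t", "file_t"}

def context_type(context):
    """Type field of user:role:type[:level]; the level itself may contain ':'."""
    return context.split(":", 3)[2]

def collect_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:  # SYSCALL, PATH and other record types are skipped
            continue
        perms, scontext, tcontext, tclass = m.groups()
        key = (context_type(scontext), context_type(tcontext), tclass)
        grouped[key].update(perms.split())
    return grouped

def triage(log_text):
    """Return (rule, advice) pairs; rules use audit2allow-style syntax."""
    report = []
    for (src, tgt, cls), perms in sorted(collect_denials(log_text).items()):
        names = sorted(perms)
        perm_str = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        advice = "relabel" if tgt in GENERIC_TYPES else "review"
        report.append((f"allow {src} {tgt}:{cls} {perm_str};", advice))
    return report

if __name__ == "__main__":
    for rule, advice in triage(SAMPLE_LOG):
        print(f"{advice:8} {rule}")
```

A "review" result only means the rule needs a human decision before it goes into a module; it is not a recommendation to load it.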