Red_Hat_Enterprise_Linux-7-SELinux_Users_and_Administrators_Guide-en-US.pdf
Red Hat Enterprise Linux 7
SELinux User's and
Administrator's Guide
Basic and advanced configuration of Security-Enhanced Linux (SELinux)
Tomáš Čapek
Red Hat Engineering Content Services
tcapek@redhat.com
Barbora Ančincová
Red Hat Engineering Content Services
bancinco@redhat.com
Legal Notice
Copyright © 2013 Red Hat, Inc.
This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License.
If you distribute this document, or a modified version of it, you must provide attribution to Red
Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be
removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section
4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo,
and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux ® is the registered trademark of Linus Torvalds in the United States and other countries.
Java ® is a registered trademark of Oracle and/or its affiliates.
XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States
and/or other countries.
MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and other
countries.
Node.js ® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or
endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack ® Word Mark and OpenStack Logo are either registered trademarks/service marks or
trademarks/service marks of the OpenStack Foundation, in the United States and other countries and
are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or
sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Abstract
This book consists of two parts: SELinux and Managing Confined Services. The former describes the
basics and principles upon which SELinux functions; the latter focuses on practical tasks to set
up and configure various services.
Table of Contents
Part I. SELinux ..... 4
Chapter 1. Introduction ..... 5
1.1. Benefits of running SELinux ..... 6
1.2. Examples ..... 6
1.3. SELinux Architecture ..... 7
1.4. SELinux Modes ..... 7
1.5. What Is New in Red Hat Enterprise Linux 7 ..... 8
Chapter 2. SELinux Contexts ..... 11
2.1. Domain Transitions ..... 12
2.2. SELinux Contexts for Processes ..... 13
2.3. SELinux Contexts for Users ..... 14
Chapter 3. Targeted Policy ..... 15
3.1. Confined Processes ..... 15
3.2. Unconfined Processes ..... 17
3.3. Confined and Unconfined Users ..... 20
Chapter 4. Working with SELinux ..... 23
4.1. SELinux Packages ..... 23
4.2. Which Log File is Used ..... 24
4.3. Main Configuration File ..... 25
4.4. Enabling and Disabling SELinux ..... 25
4.5. Booleans ..... 29
4.6. SELinux Contexts – Labeling Files ..... 31
4.7. The file_t and default_t Types ..... 37
4.8. Mounting File Systems ..... 37
4.9. Maintaining SELinux Labels ..... 40
4.10. Information Gathering Tools ..... 47
4.11. Multi-Level Security (MLS) ..... 49
4.12. File Name Transition ..... 54
4.13. Disable ptrace() ..... 55
4.14. Thumbnail Protection ..... 56
Chapter 5. The sepolicy Suite ..... 58
5.1. The sepolicy Python Bindings ..... 58
5.2. Generating SELinux Policy Modules: sepolicy generate ..... 58
5.3. Understanding Domain Transitions: sepolicy transition ..... 59
5.4. Generating Manual Pages: sepolicy manpage ..... 60
Chapter 6. Confining Users ..... 61
6.1. Linux and SELinux User Mappings ..... 61
6.2. Confining New Linux Users: useradd ..... 61
6.3. Confining Existing Linux Users: semanage login ..... 62
6.4. Changing the Default Mapping ..... 64
6.5. xguest: Kiosk Mode ..... 64
6.6. Booleans for Users Executing Applications ..... 65
Chapter 7. sVirt ..... 67
Non-Virtualized Environment ..... 67
Virtualized Environment ..... 67
7.1. Security and Virtualization ..... 67
7.2. sVirt Labeling ..... 68
Chapter 8. Secure Linux Containers ..... 70