
Using SELinux on RHEL 6

George Hacker, Curriculum Manager, Red Hat, 06.26.12

What Is SELinux?

A security feature of the Linux kernel
Originally developed by the NSA
Initially used to secure services
All system objects (files, ports, processes) are labeled
The policy defines the rules that affect how various system objects can interact with each other

The policy is loaded into the kernel at boot time

CLI Support for SELinux

SELinux activation state: getenforce(8), setenforce(8)

Display file/process context information: -Z option to ls(1) and ps(1)

Manipulate file contexts: chcon(8), restorecon(8), setfiles(8)

Display and adjust policy booleans: getsebool(8), setsebool(8), togglesebool(8)

CLI Support for SELinux (cont.)


getenforce
setenforce 0
ls -Z
ps -eZ
chcon -t tmp_t tempdir
restorecon /var/www/html/index.html
getsebool -a
setsebool httpd_enable_homedirs 1

Introducing libselinux

Provided by the libselinux and libselinux-devel packages

libselinux provides run-time support

libselinux-devel is required for building SELinux programs

C source code must include the selinux.h header file: #include <selinux/selinux.h>

Link with the libselinux library: gcc -o program program.c -lselinux

Provided Header Files

Primary header file: #include <selinux/selinux.h>

Additional header files:
#include <selinux/avc.h>
#include <selinux/context.h>
#include <selinux/flask.h>
#include <selinux/get_context_list.h>
#include <selinux/label.h>

libselinux – SELinux Status Functions

Get current SELinux status: security_getenforce()

Get boot-time SELinux configuration: selinux_getenforcemode(int *mode)

Set current SELinux status: security_setenforce(int enforce)
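As an added example, not from the slides and not libselinux's own code, the following C program does what security_getenforce() and selinux_getenforcemode() do underneath: it reads the runtime state from /sys/fs/selinux/enforce and the boot-time setting from the SELINUX= line of /etc/selinux/config. It deliberately does not link libselinux, so it builds with plain gcc; the paths are the standard ones on RHEL 6, and the return values follow the libselinux convention (1 enforcing, 0 permissive, -1 disabled), with -2 added here for "no usable SELINUX= line". Keeping the runtime and boot-time answers apart matters in practice: a box can be enforcing now and configured to come back permissive, or the other way round.

```c
/* Added example: runtime vs. boot-time SELinux mode without libselinux.
 * Build: gcc -o selmode selmode.c */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Runtime state, as security_getenforce() reports it: /sys/fs/selinux/enforce
 * holds "1" (enforcing) or "0" (permissive). Returns -1 when selinuxfs is not
 * mounted, i.e. SELinux is disabled or the kernel has no SELinux. */
int enforce_state(void)
{
    FILE *f = fopen("/sys/fs/selinux/enforce", "r");
    int v = -1;

    if (!f)
        return -1;
    if (fscanf(f, "%d", &v) != 1 || (v != 0 && v != 1))
        v = -1;
    fclose(f);
    return v;
}

/* Boot-time mode, as selinux_getenforcemode() reports it, parsed from the
 * text of /etc/selinux/config: 1 = enforcing, 0 = permissive, -1 = disabled.
 * Returns -2 if there is no usable SELINUX= line. Taking the text as a string
 * keeps the parser testable on constructed input. */
int parse_config_mode(const char *text)
{
    const char *line = text;

    while (line && *line) {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        const char *p = line;

        while (p < end && isspace((unsigned char)*p))
            p++;
        /* comments are skipped; "SELINUXTYPE=" does not match "SELINUX=" */
        if (p < end && *p != '#' && strncmp(p, "SELINUX=", 8) == 0) {
            size_t vlen;

            p += 8;
            while (end > p && isspace((unsigned char)end[-1]))
                end--;                      /* drop trailing space / CR */
            vlen = (size_t)(end - p);
            if (vlen == 9 && !strncmp(p, "enforcing", 9))
                return 1;
            if (vlen == 10 && !strncmp(p, "permissive", 10))
                return 0;
            if (vlen == 8 && !strncmp(p, "disabled", 8))
                return -1;
            return -2;                      /* unrecognised value */
        }
        line = eol ? eol + 1 : NULL;
    }
    return -2;
}

/* Read /etc/selinux/config and hand it to the parser. */
int config_mode(void)
{
    char buf[4096];
    size_t n;
    FILE *f = fopen("/etc/selinux/config", "r");

    if (!f)
        return -2;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_config_mode(buf);
}

int main(void)
{
    int boot = config_mode();

    printf("runtime: %d (1 enforcing, 0 permissive, -1 no selinuxfs)\n",
           enforce_state());
    if (boot == -2)
        printf("boot-time: no SELINUX= line in /etc/selinux/config\n");
    else
        printf("boot-time: %d (1 enforcing, 0 permissive, -1 disabled)\n", boot);
    return 0;
}
```

Reading /sys/fs/selinux/enforce needs no privilege, so a monitoring check can run unprivileged; only changing it (security_setenforce(), setenforce) is restricted by policy.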

libselinux – File Context Functions

Data type: security_context_t

Get the SELinux context of a file: getfilecon(char *path, security_context_t *context)

Free an allocated context: freecon(security_context_t context)

libselinux – File Context Functions (cont.)

Set the SELinux context of a file: setfilecon(char *path, security_context_t context), fsetfilecon(int fd, security_context_t context), lsetfilecon(char *path, security_context_t context)

Get/set the default SELinux context the program applies to files it creates: getfscreatecon(security_context_t *context), setfscreatecon(security_context_t context)

libselinux – Context Functions

Manipulate fields of security_context_t strings

Header file: #include <selinux/context.h>

Data type: context_t

Functions to allocate/free context_t variables: context_new(security_context_t context), context_free(context_t ct_context)

Conversion to security_context_t: context_str(context_t ct_context)

libselinux – Context Functions (cont.)

Functions to extract context elements: context_user_get(context_t ct_context), context_role_get(context_t ct_context), context_type_get(context_t ct_context), context_range_get(context_t ct_context)

Functions to assign context elements: context_user_set(context_t ct_context, char *user), context_role_set(context_t ct_context, char *role), context_type_set(context_t ct_context, char *type), context_range_set(context_t ct_context, char *range)
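Added example, not from the slides and not libselinux code: a self-contained C re-implementation of what context_new(), the context_*_get() accessors, context_type_set() and context_str() do to a security_context_t string, applied to the label that getfilecon() would return. It covers the file-context slide as well as this one: the label is the file's security.selinux extended attribute, read here directly with getxattr(2). The struct layout, buffer sizes and helper names (ctx_parse, ctx_field, relabel_type, file_label) are the example's own; it builds with plain gcc on Linux and needs no libselinux. The edge case it handles is the fourth field: an MLS/MCS range such as s0-s0:c0.c1023 contains colons itself, so only the first three colons may split a context.

```c
/* Added example: split, edit and rebuild a security context string (what the
 * context_t API does) and read a file's label the way getfilecon() does,
 * without libselinux. Build: gcc -o ctx ctx.c */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/xattr.h>

/* A context is user:role:type[:range]. Only the first three colons split
 * fields: an MLS/MCS range such as "s0-s0:c0.c1023" has colons of its own
 * and is kept whole. The fields point into buf; range is "" if absent. */
struct ctx {
    char buf[512];
    const char *user, *role, *type, *range;
};

/* Equivalent of context_new(): 0 on success, -1 if s is not a 3- or 4-field
 * context with non-empty fields. */
int ctx_parse(const char *s, struct ctx *c)
{
    char *r, *t, *g;

    if (strlen(s) >= sizeof c->buf)
        return -1;
    strcpy(c->buf, s);
    if (!(r = strchr(c->buf, ':')) || !(t = strchr(r + 1, ':')))
        return -1;
    *r++ = '\0';
    *t++ = '\0';
    if ((g = strchr(t, ':')))
        *g++ = '\0';
    c->user = c->buf;
    c->role = r;
    c->type = t;
    c->range = g ? g : t + strlen(t);       /* "" when there is no range */
    return (*c->user && *c->role && *c->type && (!g || *g)) ? 0 : -1;
}

/* Equivalent of context_str(): rebuild the string form into out. */
int ctx_str(const struct ctx *c, char *out, size_t outlen)
{
    int n = *c->range
        ? snprintf(out, outlen, "%s:%s:%s:%s", c->user, c->role, c->type, c->range)
        : snprintf(out, outlen, "%s:%s:%s", c->user, c->role, c->type);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Equivalent of context_user_get()/_role_get()/_type_get()/_range_get():
 * field 0..3 of s from static storage (demo only, not thread-safe), or NULL
 * when s is not a valid context. */
const char *ctx_field(const char *s, int which)
{
    static struct ctx c;

    if (which < 0 || which > 3 || ctx_parse(s, &c))
        return NULL;
    return (const char *[]){ c.user, c.role, c.type, c.range }[which];
}

/* Equivalent of context_type_set() then context_str(): the string a relabel
 * of s to newtype yields, or NULL if either argument is invalid. */
const char *relabel_type(const char *s, const char *newtype)
{
    static char out[512];
    struct ctx c;

    if (ctx_parse(s, &c) || !*newtype || strchr(newtype, ':'))
        return NULL;
    c.type = newtype;
    return ctx_str(&c, out, sizeof out) == 0 ? out : NULL;
}

/* What getfilecon() does: read the "security.selinux" xattr. 0 on success,
 * -1 with errno set; ENODATA or ENOTSUP mean the file carries no label
 * (unlabeled filesystem, or a kernel without SELinux). */
int file_label(const char *path, char *out, size_t outlen)
{
    ssize_t n = getxattr(path, "security.selinux", out, outlen - 1);

    if (n < 0)
        return -1;
    out[n] = '\0';                          /* value may lack its own NUL */
    return 0;
}

int main(int argc, char **argv)
{
    char label[512];
    const char *path = argc > 1 ? argv[1] : "/etc/passwd";

    if (file_label(path, label, sizeof label)) {
        printf("%s: no SELinux label (%s)\n", path, strerror(errno));
        return 1;
    }
    printf("%s: %s\n", path, label);
    if (ctx_field(label, 2))
        printf("  user=%s role=%s type=%s range=%s\n", ctx_field(label, 0),
               ctx_field(label, 1), ctx_field(label, 2), ctx_field(label, 3));
    return 0;
}
```

Running it as `./ctx /var/www/html/index.html` on a labeled system prints the same context `ls -Z` shows, split into its fields; the relabel_type() helper only computes the string a `chcon -t` would assign and never writes it back.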

libselinux – Process Context Functions

Get the SELinux context of the current process: getcon(security_context_t *context)

Get the SELinux context of another process: getpidcon(int pid, security_context_t *context)

Use freecon(...) when finished

libselinux – Process Context Functions (cont.)

Set the SELinux context of the current process: setcon(security_context_t context)

Set the SELinux context of a spawned process: setexeccon(security_context_t context) – sets the SELinux context for the next process created with the execve(2) system call
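Added example, not from the slides and not libselinux code: what getcon() and getpidcon() read, namely /proc/self/attr/current and /proc/PID/attr/current, together with the check a service monitor would build on top of it, namely whether a process actually runs in the domain policy intends (for example httpd_t rather than unconfined_t). The function names and the labels in the comments are the example's own; it builds with plain gcc and, on a kernel without SELinux, reports that the attribute is unreadable instead of returning a made-up label.

```c
/* Added example: process labels via procfs, the way getcon() and
 * getpidcon() obtain them. Build: gcc -o proclabel proclabel.c */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Label of process pid (0 = the calling process, like getcon()). Returns 0
 * and fills out, or -1 with errno set; on a kernel without SELinux the
 * procfs attribute cannot be read and the call fails instead of lying. */
int proc_label(int pid, char *out, size_t outlen)
{
    char path[64];
    size_t n;
    FILE *f;

    if (pid > 0)
        snprintf(path, sizeof path, "/proc/%d/attr/current", pid);
    else
        snprintf(path, sizeof path, "/proc/self/attr/current");
    f = fopen(path, "r");
    if (!f)
        return -1;
    n = fread(out, 1, outlen - 1, f);
    fclose(f);
    /* the kernel may terminate the value with NUL or newline; trim both */
    while (n > 0 && (out[n - 1] == '\0' || out[n - 1] == '\n'))
        n--;
    out[n] = '\0';
    if (n == 0) {
        errno = ENODATA;
        return -1;
    }
    return 0;
}

/* Type (domain) field of a process label: the third colon-separated field.
 * Only the first three colons delimit fields; an MLS range after the third
 * may contain more. Returns out, or NULL if the label is malformed. */
const char *label_type(const char *label, char *out, size_t outlen)
{
    const char *p = strchr(label, ':');
    const char *q = p ? strchr(p + 1, ':') : NULL;
    const char *end;
    size_t len;

    if (!q)
        return NULL;
    q++;
    end = strchr(q, ':');
    len = end ? (size_t)(end - q) : strlen(q);
    if (len == 0 || len >= outlen)
        return NULL;
    memcpy(out, q, len);
    out[len] = '\0';
    return out;
}

/* 1 if the label's domain is `domain`, 0 if not, -1 if label is malformed.
 * A service monitor would run this on proc_label(daemon_pid, ...) to confirm
 * the daemon is confined by policy rather than running unconfined. */
int runs_in_domain(const char *label, const char *domain)
{
    char type[128];

    if (!label_type(label, type, sizeof type))
        return -1;
    return strcmp(type, domain) == 0;
}

/* Own label from static storage, NULL when unavailable (demo convenience). */
const char *self_label(void)
{
    static char label[512];
    return proc_label(0, label, sizeof label) == 0 ? label : NULL;
}

int main(int argc, char **argv)
{
    char label[512];
    int pid = argc > 1 ? atoi(argv[1]) : 0;

    if (proc_label(pid, label, sizeof label)) {
        printf("pid %s: no SELinux label (%s)\n", pid ? argv[1] : "self",
               strerror(errno));
        return 1;
    }
    printf("pid %s: %s\n", pid ? argv[1] : "self", label);
    return 0;
}
```

`./proclabel` prints the same label `ps -Z` shows for the shell it was started from; `./proclabel PID` does the same for another process, which is what getpidcon() wraps. Reading another process's label needs only the usual procfs permission, so a monitor can do this without being root. setcon() and setexeccon() are the write side of the same interface (the attr/current and attr/exec files) and are left alone here.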

libselinux – Boolean Functions

Get the value of a boolean: security_get_boolean_active(char *bool_name), security_get_boolean_pending(char *bool_name)

Set the value of a boolean: security_set_boolean(char *bool_name, int value)

Commit all pending boolean changes: security_commit_booleans()

libselinux – Boolean Functions (cont.)

Data type: SELboolean – a structure with two fields: char *name, int value

Set multiple boolean values: security_set_boolean_list(size_t nbools, SELboolean *boolean_list, int permanent)
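Added example, not from the slides and not libselinux's own code, showing the active/pending/commit model behind security_get_boolean_active(), security_get_boolean_pending(), security_set_boolean() and security_commit_booleans(), done directly against selinuxfs. Each boolean is a file /sys/fs/selinux/booleans/NAME whose contents are "active pending"; writing "0" or "1" to it only stages a pending value, and writing "1" to /sys/fs/selinux/commit_pending_bools makes all pending values active at once. The persistent (-P / permanent) part that setsebool and security_set_boolean_list() handle lives in the policy store and is not touched here. Reading works for any user; staging and committing require the policy to grant it (normally root), and the example reports that failure through errno. Function names are the example's own; the boolean name httpd_enable_homedirs is the one from the CLI slide.

```c
/* Added example: SELinux booleans via selinuxfs, without libselinux.
 * Build: gcc -o selbool selbool.c */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define SELINUXFS "/sys/fs/selinux"

struct boolstate {
    int active;     /* value enforced now: 0/1, -1 on error */
    int pending;    /* value queued for the next commit: 0/1, -1 on error */
};

/* Parse the "active pending" text of a boolean file. The kernel reports
 * e.g. "1 0\n" for a staged change that has not been committed yet. */
struct boolstate parse_bool_state(const char *text)
{
    struct boolstate s = { -1, -1 };
    int a, p;

    if (sscanf(text, "%d %d", &a, &p) == 2 &&
        (a == 0 || a == 1) && (p == 0 || p == 1)) {
        s.active = a;
        s.pending = p;
    }
    return s;
}

/* security_get_boolean_active() and _pending() in one read. name must be a
 * bare boolean name (no path separators); errors leave both fields at -1. */
struct boolstate get_boolean(const char *name)
{
    struct boolstate err = { -1, -1 };
    char path[256], text[32];
    size_t n;
    FILE *f;

    if (strchr(name, '/') || strlen(name) > 128)
        return err;
    snprintf(path, sizeof path, SELINUXFS "/booleans/%s", name);
    f = fopen(path, "r");
    if (!f)
        return err;
    n = fread(text, 1, sizeof text - 1, f);
    fclose(f);
    text[n] = '\0';
    return parse_bool_state(text);
}

/* Write a string to a selinuxfs file; 0 on success, -1 with errno set.
 * The kernel's verdict only surfaces when the buffer is flushed at fclose. */
static int write_selinuxfs(const char *path, const char *value)
{
    FILE *f = fopen(path, "w");

    if (!f)
        return -1;
    if (fputs(value, f) == EOF) {
        fclose(f);
        return -1;
    }
    return fclose(f) == 0 ? 0 : -1;
}

/* security_set_boolean(): stage the new value as pending (not yet active). */
int stage_boolean(const char *name, int value)
{
    char path[256];

    if (strchr(name, '/') || strlen(name) > 128 || (value != 0 && value != 1)) {
        errno = EINVAL;
        return -1;
    }
    snprintf(path, sizeof path, SELINUXFS "/booleans/%s", name);
    return write_selinuxfs(path, value ? "1" : "0");
}

/* security_commit_booleans(): make every pending value active. */
int commit_booleans(void)
{
    return write_selinuxfs(SELINUXFS "/commit_pending_bools", "1");
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "httpd_enable_homedirs";
    struct boolstate s = get_boolean(name);

    if (s.active < 0) {
        printf("%s: not readable (%s)\n", name, strerror(errno));
        return 1;
    }
    printf("%s: active=%d pending=%d\n", name, s.active, s.pending);
    return 0;
}
```

A boolean whose active and pending values differ is exactly the state between security_set_boolean() and security_commit_booleans(); `getsebool` shows only the active value, so a change that was staged but never committed is invisible there, which is why an auditing script should read both fields.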

For Further Study

Overview of SELinux:
Red Hat Summit 2010 – SELinux for Mere Mortals, Thomas Cameron and Dan Walsh
Red Hat Summit 2010 – Not Your Grandfather's SELinux, Dan Walsh

Red Hat Enterprise Linux 6 SELinux Features

RHS429 – Red Hat Enterprise SELinux Policy Administration