From patchwork Tue Aug 25 08:37:41 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 11735175 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 451F714F6 for ; Tue, 25 Aug 2020 08:38:26 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 1FD052074D for ; Tue, 25 Aug 2020 08:38:26 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=btinternet.com header.i=@btinternet.com header.b="jXukjAO1" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728975AbgHYIiZ (ORCPT ); Tue, 25 Aug 2020 04:38:25 -0400 Received: from mailomta10-sa.btinternet.com ([213.120.69.16]:21299 "EHLO sa-prd-fep-043.btinternet.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1728986AbgHYIiT (ORCPT ); Tue, 25 Aug 2020 04:38:19 -0400 Received: from sa-prd-rgout-005.btmx-prd.synchronoss.net ([10.2.38.8]) by sa-prd-fep-043.btinternet.com with ESMTP id <20200825083813.MPLC26847.sa-prd-fep-043.btinternet.com@sa-prd-rgout-005.btmx-prd.synchronoss.net>; Tue, 25 Aug 2020 09:38:13 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=btmx201904; t=1598344693; bh=JvwxzYr/Vo0koxLkoamrclXNqzAbBWzj4pO8Jtdp/0o=; h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version; b=jXukjAO10bNBjUHLU5uJ0WEUi/FOGg6xOMrDLjASpt4ZhU1qmWFtRZlhen8SM1gwlcNqnuuWJijA7R5H4U6QhBpSGlfpeBK82Ams5+hlxdy2q0yREZ0cHzdGQubU+XtgdrmoP6XHPJRcGYSZ8Rjz4YpGUgO7gMEHRgcdHOPhxFPdHCF48KYzcae3bM0VcxxOyrWprVmLrsZdgTonCL9pl3Np17xfXucRfq5b1srXxNWL7iBbUW/TkVk82GnpH/h1VD20VNXQToa1/fVGA1I6n0GVaMDWFdPwyKp97lOZRRpMdRAk47IV+zCpAUJTX7ovpIM6cNkQJ9f2oX2wEfgyyQ== Authentication-Results: btinternet.com; none X-Originating-IP: [109.155.130.160] X-OWM-Source-IP: 109.155.130.160 (GB) X-OWM-Env-Sender: richard_c_haines@btinternet.com X-VadeSecure-score: verdict=clean score=0/300, class=clean X-RazorGate-Vade: gggruggvucftvghtrhhoucdtuddrgeduiedruddvtddgtdejucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecunecujfgurhephffvufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeftihgthhgrrhguucfjrghinhgvshcuoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqeenucggtffrrghtthgvrhhnpeeutddtleelheeugefgiefhiedtheeukeffveeitdffgeffieeugeeljeegvefgieenucfkphepuddtledrudehhedrudeftddrudeitdenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhephhgvlhhopehlohgtrghlhhhoshhtrdhlohgtrghlughomhgrihhnpdhinhgvthepuddtledrudehhedrudeftddrudeitddpmhgrihhlfhhrohhmpeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqpdhrtghpthhtohepoehprghulhesphgruhhlqdhmohhorhgvrdgtohhmqedprhgtphhtthhopeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhequcfqtfevrffvpehrfhgtkedvvdenrhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhdprhgtphhtthhopeeoshgvlhhinhhugiesvhhgvghrrdhkvghrnhgvlhdrohhrgheq X-RazorGate-Vade-Verdict: clean 0 X-RazorGate-Vade-Classification: clean X-SNCR-hdrdom: btinternet.com Received: from localhost.localdomain (109.155.130.160) by sa-prd-rgout-005.btmx-prd.synchronoss.net (5.8.340) (authenticated as richard_c_haines@btinternet.com) id 5ED9B8A70D599E70; Tue, 25 Aug 2020 09:38:13 +0100 From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 16/18] global_config_files: Convert to markdown Date: Tue, 25 Aug 2020 09:37:41 +0100 Message-Id: <20200825083743.6508-17-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200825083743.6508-1-richard_c_haines@btinternet.com> References: <20200825083743.6508-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Add a TOC to aid navigation and convert to markdown. Signed-off-by: Richard Haines --- src/global_config_files.md | 389 +++++++++++++++++++++---------------- 1 file changed, 220 insertions(+), 169 deletions(-) diff --git a/src/global_config_files.md b/src/global_config_files.md index 80e557b..7c8132d 100644 --- a/src/global_config_files.md +++ b/src/global_config_files.md @@ -1,13 +1,21 @@ # Global Configuration Files +- [*/etc/selinux/config*](#etcselinuxconfig) +- [*/etc/selinux/semanage.conf*](#etcselinuxsemanage.conf) +- [*/etc/selinux/restorecond.conf*](#etcselinuxrestorecond.conf) +- [*restorecond-user.conf*](#restorecond-user.conf) +- [*/etc/selinux/newrole_pam.conf*](#etcselinuxnewrole_pam.conf) +- [*/etc/sestatus.conf*](#etcsestatus.conf) +- [*/etc/security/sepermit.conf*](#etcsecuritysepermit.conf) + Listed in the sections that follow are the common configuration files used by SELinux and are therefore not policy specific. The two most important files are: -- */etc/selinux/config* - This defines the policy to be activated and - its enforcing mode. -- */etc/selinux/semanage.conf* - This is used by the SELinux policy - configuration subsystem for modular or CIL policies. +- */etc/selinux/config* - This defines the policy to be activated and + its enforcing mode. +- */etc/selinux/semanage.conf* - This is used by the SELinux policy + configuration subsystem for modular or CIL policies. ## */etc/selinux/config* @@ -26,44 +34,59 @@ AUTORELABEL=0|1 **Where:** - - - - - - - - - - - - - - - - - - - - - - - -
SELINUX

This entry can contain one of three values:

-

enforcing - SELinux security policy is enforced.

-

permissive - SELinux logs warnings (see the Auditing SELinux Events section) instead of enforcing the policy (i.e. the action is allowed to proceed).

-

disabled - No SELinux policy is loaded.

-

Note that this configures the global SELinux enforcement mode. It is still possible to have domains running in permissive mode and/or object managers running as disabled, permissive or enforcing, when the global mode is enforcing or permissive.

SELINUXTYPE

The policy_name is used as the directory name where the active policy and its configuration files will be located. The system will then use this information to locate and load the policy contained within this directory structure.

-

The policy directory must be located at:

-

/etc/selinux

SETLOCALDEFS

Deprecated This optional field should be set to 0 (or the entry removed) as the policy store management infrastructure (semanage(8) / semodule(8)) is now used.

-

If set to 1, then init(8) and load_policy(8) will read the local customisation for booleans and users.

REQUIRESEUSERS

Deprecated This optional field can be used to fail a login if there is no matching or default entry in the seusers file or if the file is missing.

-

It is checked by the libselinux function getseuserbyname(3) that is used by SELinux-aware login applications such as PAM(8).

-

If it is set to 0 or the entry missing:

-

getseuserbyname(3) will return the GNU / Linux user name as the SELinux user.

-

If it is set to 1:

-

getseuserbyname(3) will fail.

AUTORELABEL

This is an optional field. If set to '0' and there is a file called .autorelabel in the root directory, then on a reboot, the loader will drop to a shell where a root logon is required. An administrator can then manually relabel the file system.

-

If set to '1' or the parameter name is not used (the default) there is no login for manual relabeling, however should the /.autorelabel file exist, then the file system will be automatically relabeled using fixfiles -F restore.

-

In both cases the /.autorelabel file will be removed so relabeling is not done again.

+*SELINUX* + +This entry can contain one of three values: + +- *enforcing* - SELinux security policy is enforced. +- *permissive* - SELinux logs warnings (see the + [**Auditing SELinux Events**](auditing.md#auditing-selinux-events) section) + instead of enforcing the policy (i.e. the action is allowed to proceed). +- *disabled* - No SELinux policy is loaded. Note that this configures + the global SELinux enforcement mode. It is still possible to have domains + running in permissive mode and/or object managers running as disabled, + permissive or enforcing, when the global mode is enforcing or permissive. + +*SELINUXTYPE* + +The *policy_name* is used as the directory name where the active policy +and its configuration files will be located. The system will then use this +information to locate and load the policy contained within this directory +structure. The policy directory must be located at: */etc/selinux* + +*SETLOCALDEFS* + +**Deprecated** - This optional field should be set to 0 (or the entry removed) +as the policy store management infrastructure (***semanage**(8)* / +***semodule**(8)*) is now used. If set to 1, then ***init**(8)* and +***load_policy**(8)* will read the local customisation for booleans and users. + +*REQUIRESEUSERS* + +**Deprecated** - This optional field can be used to fail a login if there is +no matching or default entry in the *seusers* file or if the file is missing. +It is checked by the *libselinux* function ***getseuserbyname**(3)* that is +used by SELinux-aware login applications such as ***PAM**(8)*. +If it is set to 0 or the entry missing: + +- ***getseuserbyname**(3)* will return the GNU / Linux user name as the + SELinux user. + +If it is set to 1: + +- ***getseuserbyname**(3)* will fail. + +*AUTORELABEL* + +This is an optional field. If set to \'*0*\' and there is a file called +*.autorelabel* in the root directory, then on a reboot, the loader will drop +to a shell where a root logon is required. An administrator can then manually +relabel the file system. +If set to '1' or the parameter name is not used (the default) there is no +login for manual relabeling, however should the */.autorelabel* file exist, +then the file system will be automatically relabeled using *fixfiles -F restore*. +In both cases the */.autorelabe*l file will be removed so relabeling is not +done again. **Example */etc/selinux/config* file contents are:** @@ -139,124 +162,152 @@ args = **Where:** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
module-store

The method can be one of four options:

-

directlibsemanage will write directly to a module store. This is the default value.

-

sourcelibsemanage manipulates a source SELinux policy.

-

/foo/bar Write via a policy management server, whose named socket is at /foo/bar. The path must begin with a '/'.

-

foo.com:4242 Establish a TCP connection to a remote policy management server at foo.com. If there is a colon then the remainder is interpreted as a port number; otherwise default to port 4242.

policy-versionThis optional entry can contain a policy version number, however it is normally commented out as it then defaults to that supported by the system.
expand-check

This optional entry controls whether hierarchy checking on module expansion is enabled (1) or disabled (0). The default is 0.

-

It is also required to detect the presence of policy rules that are to be excluded with neverallow rules.

file-modeThis optional entry allows the file permissions to be set on runtime policy files. The format is the same as the mode parameter of the chmod command and defaults to 0644 if not present.
save-previousThis optional entry controls whether the previous module directory is saved (TRUE) after a successful commit to the policy store. The default is to delete the previous version (FALSE).
save-linked

This optional entry controls whether the previously linked module is saved (TRUE) after a successful commit to the policy store. Note that this option will create a base.linked file in the module policy store.

-

The default is to delete the previous module (FALSE).

disable-genhomedirconThis optional entry controls whether the embedded genhomedircon function is run when using the semanage(8) command. The default is FALSE.
handle-unknown

This optional entry controls the kernel behaviour for handling permissions defined in the kernel but missing from the policy.

-

The options are: allow the permission, reject by not loading the policy or deny the permission. The default is deny.

-

Note: to activate any change, the base policy needs to be rebuilt with the semodule -B command.

bzip-blocksizeThis optional entry determines whether the modules are compressed or not with bzip. If the entry is 0, then no compression will be used (this is required with tools such as sechecker and apol). This can also be set to a value between 1 and 9 that will set the block size used for compression (bzip will multiply this by 100,000, so '9' is faster but uses more memory).
bzip-smallWhen this optional entry is set to TRUE the memory usage is reduced for compression and decompression (the bzip -s or --small option). If FALSE or no entry present, then does not try to reduce memory requirements.
usepasswd

When this optional entry is set to TRUE semanage will scan all password records for home directories and set up their labels correctly.

-

If set to FALSE (the default if no entry present), then only the /home directory will be automatically re-labeled.

ignoredirsWith a list of directories to ignore (separated by ';') when setting up users home directories. This is used by some distributions to stop labeling /root as a home directory.
store-rootSpecify an alternative policy store path . The default is "/var/lib/selinux".
compiler-directorySpecify an alternate directory that will hold the High Level Language (HLL) to CIL compilers. The default is "/usr/libexec/selinux/hll".
remove-hllWhen set TRUE, HLL files will be removed after compilation into CIL (Read semanage.conf(5) for the consequences of removing these files). Default is FALSE.
ignore-module-cacheWhether or not to ignore the cache of CIL modules compiled from HLL. The default is false.
target-platformTarget platform for generated policy. Default is "selinux", the alternate is "xen".

[verify kernel]

-

..

-

[end]

Start an additional set of entries that can be used to validate the kernel policy with an external application during the build process. There may be multiple [verify kernel] entries.

-

The validation process takes place before the policy is allowed to be inserted into the store with a worked example shown in Policy Validation Example

[verify module]

-

..

-

[end]

Start an additional set of entries that can be used to validate each module by an external application during the build process. There may be multiple [verify module] entries.

[verify linked]

-

..

-

[end]

Start an additional set of entries that can be used to validate module linking by an external application during the build process. There may be multiple [verify linked] entries.

[load_policy]

-

..

-

[end]

Replace the default load policy application with this new policy loader. Defaults are either: /sbin/load_policy or /usr/sbin/load_policy.

[setfiles]

-

..

-

[end]

Replace the default setfiles(8) application with this new setfiles. Defaults are either: /sbin/setfiles or /usr/sbin/setfiles.

[sefcontexts_compile]

-

..

-

[end]

Replace the default file context build application with this new builder. Defaults are either: /sbin/sefcontexts_compile or /usr/sbin/sefcontexts_compile.
+*module-store* + +The method can be one of four options: + +1. *directlibsemanage* will write directly to a module store. + This is the default value. +2. *sourcelibsemanage* manipulates a source SELinux policy. +3. */foo/bar* - Write via a policy management server, whose named socket is + at /foo/bar. The path must begin with a '/'. +4. *foo.com:4242* - Establish a TCP connection to a remote policy management + server at *foo.com*. If there is a colon then the remainder is interpreted + as a port number; otherwise default to port 4242. + +*policy-version* + +This optional entry can contain a policy version number, however it is normally +commented out as it then defaults to that supported by the system. + +*expand-check* + +This optional entry controls whether hierarchy checking on module expansion +is enabled (1) or disabled (0). The default is 0. It is also required to detect +the presence of policy rules that are to be excluded with *neverallow* rules. + +*file-mode* + +This optional entry allows the file permissions to be set on runtime policy +files. The format is the same as the mode parameter of the ***chmod**(1)* +command and defaults to 0644 if not present. + +*save-previous* + +This optional entry controls whether the previous module directory is saved +(TRUE) after a successful commit to the policy store. The default is to delete +the previous version (FALSE). + +*save-linked* + +This optional entry controls whether the previously linked module is saved +(TRUE) after a successful commit to the policy store. Note that this option +will create a *base.linked* file in the module policy store. +The default is to delete the previous module (FALSE). + +*disable-genhomedircon* + +This optional entry controls whether the embedded *genhomedircon* function is +run when using the ***semanage**(8)* command. The default is FALSE. + +*handle-unknown* + +This optional entry controls the kernel behaviour for handling permissions +defined in the kernel but missing from the policy. +The options are: *allow* the permission, *reject* by not loading the policy +or *deny* the permission. The default is *deny*. +Note: to activate any change, the base policy needs to be rebuilt with the +*semodule -B* command. + +*bzip-blocksize* + +This optional entry determines whether the modules are compressed or not +with *bzip*. If the entry is *0*, then no compression will be used (this is +required with tools such as ***apol**(1)*. This can also be set to a value +between *1* and *9* that will set the block size used for compression +(*bzip* will multiply this by 100,000, so '*9*' is faster but uses more memory). + +*bzip-small* + +When this optional entry is set to *TRUE* the memory usage is reduced for +compression and decompression (the *bzip* *-s* or *\-\-small* option). If *FALSE* +or no entry present, then does not try to reduce memory requirements. + +*usepasswd* + +When this optional entry is set to *TRUE* *semanage* will scan all password +records for home directories and set up their labels correctly. +If set to *FALSE* (the default if no entry present), then only the +*/home* directory will be automatically re-labeled. + +*ignoredirs* + +With a list of directories to ignore (separated by '*;*') when setting up users +home directories. This is used by some distributions to stop labeling */root* +as a home directory. + +*store-root* + +Specify an alternative policy store path. The default is */var/lib/selinux*. + +*compiler-directory* + +Specify an alternate directory that will hold the High Level Language (HLL) +to CIL compilers. The default is */usr/libexec/selinux/hll*. + +*remove-hll* + +When set *TRUE*, HLL files will be removed after compilation into CIL +(Read ***semanage.conf**(5)* for the consequences of removing these files). +Default is *FALSE*. + +*ignore-module-cache* + +Whether or not to ignore the cache of CIL modules compiled from HLL. +The default is *false*. + +*target-platform* + +Target platform for generated policy. Default is *selinux*, the alternate +is *xen*. + +*\[verify kernel\] .. \[end\]* + +Start an additional set of entries that can be used to validate the kernel +policy with an external application during the build process. There may be +multiple *\[verify kernel\]* entries. +The validation process takes place before the policy is allowed to be inserted +into the store with a worked example shown in +[**Policy Validation Example**](policy_validation_example.md#appendix-e---policy-validation-example) + + +*\[verify module\] .. \[end\]* + +Start an additional set of entries that can be used to validate each module +by an external application during the build process. There may be multiple +*\[verify module\]* entries. + +*\[verify linked\] .. \[end\]* + +Start an additional set of entries that can be used to validate module linking +by an external application during the build process. There may be multiple +*\[verify linked\]* entries. + +*\[load_policy\] .. \[end\]* + +Replace the default load policy application with this new policy loader. +Defaults are either: */sbin/load_policy* or */usr/sbin/load_policy*. + +*\[setfiles\] .. \[end\]* + +Replace the default ***setfiles**(8)* application with this new *setfiles*. +Defaults are either: */sbin/setfiles* or */usr/sbin/setfiles*. + +*\[sefcontexts_compile\] .. \[end\]* + +Replace the default file context build application with this new builder. +Defaults are either: */sbin/sefcontexts_compile* or +*/usr/sbin/sefcontexts_compile* **Example *semanage.config* file contents are:** @@ -279,19 +330,19 @@ by applications with an incorrect security context. The ***restorecond**(8)* daemon will then watch for their creation and automatically correct their security context to that specified by the active policy file context configuration files (located in the -*/etc/selinux/<SELINUXTYPE>/contexts/files* directory). +*/etc/selinux/\/contexts/files* directory). Each line of the file contains the full path of a file or directory. -Entries that start with a tilde (~) will be expanded to watch for files -in users home directories (e.g. *~/public\_html* would cause the daemon to -listen for changes to *public\_html* in all logged on users home +Entries that start with a tilde \'\~\' will be expanded to watch for files +in users home directories (e.g. *\~/public_html* would cause the daemon to +listen for changes to *public_html* in all logged on users home directories). -1. It is possible to run *restorecond* in a user session using - the *-u* option (see ***restorecond**(8)*). This requires a - *restorecond-user.conf* file to be installed as shown in the examples below. -2. The files names and location can be changed if *restorecond* is run - with the *-f* option. +1. It is possible to run *restorecond* in a user session using + the *-u* option (see ***restorecond**(8)*). This requires a + *restorecond-user.conf* file to be installed as shown in the examples below. +2. The files names and location can be changed if *restorecond* is run + with the *-f* option. **Example *restorecond.conf* file contents are:**