Thursday, January 21, 2010

3. SELinux Labeling

   As discussed earlier, SELinux is a MAC system, so the system administrator can separate subjects from objects, and this separation depends on proper labeling of the files in the filesystem. Labeling is therefore at the heart of SELinux functionality: SELinux enforces types based on the labels stored with the files.

Labeling of Objects to support Type Enforcement(TE):

Labeling Features:
  1. To ensure that SELinux functions properly, all objects must be properly labeled to facilitate Type Enforcement.
  2. Files that are improperly labeled will not be protected.
# cd /root
# ls -lZ 

-rw-r--r--    root    root    user_u:object_r:file_t    install.log
    This shows the SELinux context information (the label of each file) for the files inside the /root folder. The context is stored in the extended attributes of the file, which are supported by the ext2, ext3 and reiserfs file systems. Files are only properly labeled if SELinux is enabled when they are created: if SELinux is enabled during installation, all the files will be properly labeled and protected by SELinux, while files created while SELinux was disabled will not be labeled and have to be labeled manually.

       3. Tuples/labels are the security context. It is defined as user:role:type
                user example:- system_u, root etc
                role example:- object_r
                type example:- user_home_t, file_t etc
       4. A type applied to a subject (httpd) is called a DOMAIN
       5. A type applied to an object (install.log) is called a TYPE
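
The following shell functions are an added example, not part of the original post: they split the contexts in an `ls -lZ` listing into user:role:type and report files whose label is missing or left at a default type. The listing is constructed sample data; treating `file_t` and `unlabeled_t` as the "not properly labeled" types and `?` as "no context" are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post).

# Print the third field (type/domain) of a user:role:type[:level] context.
# Returns 1 if the string does not have at least three fields.
context_type() {
    ctx=$1
    case $ctx in
        *:*:*) ;;
        *) return 1 ;;
    esac
    rest=${ctx#*:}                 # drop the user field
    rest=${rest#*:}                # drop the role field
    printf '%s\n' "${rest%%:*}"    # cut an optional MLS level, which may contain ':'
}

# Read `ls -lZ`-style lines (mode owner group context name) on stdin and
# print "name<TAB>reason" for every file with a missing or default label.
unlabeled_files() {
    while read -r mode owner group ctx name; do
        [ -n "$name" ] || continue
        if ! t=$(context_type "$ctx"); then
            printf '%s\tno-context\n' "$name"
            continue
        fi
        case $t in
            # Assumption: these two types mean "never properly labeled".
            file_t|unlabeled_t) printf '%s\t%s\n' "$name" "$t" ;;
        esac
    done
}

# Constructed sample listing in the format shown above.
SAMPLE='-rw-r--r--    root    root    user_u:object_r:file_t    install.log
-rw-------    root    root    system_u:object_r:user_home_t    anaconda-ks.cfg
-rw-r--r--    root    root    ?    notes.txt
-rw-r--r--    root    root    system_u:object_r:unlabeled_t:s0    old.tar'

sample_report() { printf '%s\n' "$SAMPLE" | unlabeled_files; }
sample_report
```

On a live system the same check can be fed from `ls -lZ` instead of the sample, provided the listing has the five-column layout shown above.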

Re-Labeling the files to support SELinux
    Two ways to relabel the filesystem
1. Suggested way
    a. # touch /.autorelabel && reboot
        This properly relabels all the files in the system. It makes init initiate the SELinux labeling, which happens before programs start running.

2. Using the command "fixfiles"
    /sbin/fixfiles, which belongs to the "policycoreutils" rpm, changes the context information without a system reboot.
fixfiles applies to files that were created while SELinux was disabled: use it afterwards to relabel those files.
# fixfiles relabel
    This relabels the entire filesystem.
# fixfiles -l fixedfile_log relabel
    This relabels the entire filesystem and logs the output to the file fixedfile_log.
# fixfiles -R <package-name> restore
    This restores the labeling information of all the files installed by the given package.
