Daily Archives: May 6, 2007

SELinux and Type Enforcement

As some people know, one of the many hats I wear on the job is security. That being the case, I figured I should learn SELinux.

Turns out, easier said than done. If you're doing anything unusual (what are the odds in my case?) you need to make policies and ensure that the programs have the proper file context with the proper access. Think of a default-deny firewall and you'll see the issue. Nothing is allowed unless permission is explicitly given. Fedora comes with a lot of default policies, but for unusual web server CGI scripts, chances are you need to write a policy for it.

1st problem: I don't have the proper package to create policies and install them. A little research and I find I need "selinux-policy-devel". 


$ yum install selinux-policy-devel

2nd Problem: While I'm familiar with Type Enforcement, I have no idea what rights to give each application. The only way I know of finding out what rights each app needs is to run it, and see what audit errors pop up in the log.

3rd problem: I'm not used to the syntax of the policy files, or the various types and classes that I need to use to grant the exact access I need. 
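To make the 2nd and 3rd problems concrete, here is an added example (not from the original post) of the run-it-and-read-the-denials loop: it parses AVC "denied" records of the kind SELinux writes to /var/log/audit/audit.log and turns them into the `allow source target:class { perms }` rules a Type Enforcement (.te) file needs. This is the same job that the standard `audit2allow -M modulename` tool does, after which `semodule -i modulename.pp` loads the module; the script is only there to show what the syntax means. The log lines in `SAMPLE_AUDIT_LOG`, the type names `httpd_sys_script_t` and `var_t`, and the module name `mycgi` are constructed sample values, and the `policy_module(...)` / `require { ... }` layout is the refpolicy style that the selinux-policy-devel Makefile builds.

```python
import re
from collections import defaultdict

# Constructed sample of audit.log content (not real log lines): a CGI script
# running as httpd_sys_script_t is denied access to a file and a directory
# labelled var_t. The SYSCALL record shows that non-AVC records are skipped,
# and the repeated "read" denial shows that rules are merged, not duplicated.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1178456789.123:456): avc:  denied  { read } for  pid=1234 comm="report.cgi" name="data.txt" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1178456789.123:456): arch=40000003 syscall=5 success=no exit=-13 comm="report.cgi"
type=AVC msg=audit(1178456789.130:457): avc:  denied  { getattr open } for  pid=1234 comm="report.cgi" name="data.txt" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1178456789.140:458): avc:  denied  { search } for  pid=1234 comm="report.cgi" name="reports" dev=sda1 ino=12300 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1178456789.150:459): avc:  denied  { read } for  pid=1234 comm="report.cgi" name="data.txt" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

# Matches only "avc: denied" records and pulls out the permission list,
# the source and target security contexts, and the object class.
AVC_DENIED = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context: str) -> str:
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_denials(log_text: str):
    """Yield one dict per AVC denial record; everything else is ignored."""
    for line in log_text.splitlines():
        m = AVC_DENIED.search(line)
        if not m:
            continue
        yield {
            "source": type_of(m["scontext"]),
            "target": type_of(m["tcontext"]),
            "tclass": m["tclass"],
            "perms": set(m["perms"].split()),
        }


def collect_rules(log_text: str) -> dict:
    """Merge denials into {(source_type, target_type, class): set(perms)}."""
    rules = defaultdict(set)
    for d in parse_denials(log_text):
        rules[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return dict(rules)


def _perm_set(perms) -> str:
    """Render a permission set in TE syntax: a bare name or { a b c }."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(rules: dict, module_name: str, version: str = "1.0") -> str:
    """Render a minimal .te module: header, require block, allow rules."""
    types = sorted({s for (s, _t, _c) in rules} | {t for (_s, t, _c) in rules})
    classes = defaultdict(set)
    for (_s, _t, c), perms in rules.items():
        classes[c] |= perms
    lines = [f"policy_module({module_name}, {version})", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {_perm_set(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        lines.append(f"allow {s} {t}:{c} {_perm_set(perms)};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_te(collect_rules(SAMPLE_AUDIT_LOG), "mycgi"))
```

Each generated `allow` line is the narrowest rule that would silence the corresponding denial, which is the point of a default-deny system: you grant exactly what the application was observed to need and nothing more. Before loading such a module it is worth asking, for every rule, whether the right fix is really an allow rule or whether the file is simply mislabelled (a CGI script's data files usually belong in an httpd-specific type rather than the generic `var_t`), because relabelling keeps the existing policy's boundaries intact.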

After a few hours work: I mostly configured ONE application. This is going to be a long project…

Music I'm listening to right Now:
"Midnight Show" by The Killers from the "Hot Fuss"