Tuning Your SELinux Policy with Audit2allow
Kevin Fenzi
Fedora Core 3 Linux has been shipping with Security Enhanced Linux (SELinux)
enabled by default for about six months now. SELinux allows privileges to be
separated much more finely than the typical approach of having users and groups
and the all-powerful root "superuser". The default SELinux configuration is
fine for some uses, but the SELinux configuration files make sendmail.cf look
easy. In this article, I will show you step-by-step how to tune your SELinux
policy to your specific needs using the audit2allow tool.
What Is SELinux?
SELinux is a kernel patch (which was merged into the main kernel.org kernel
in the 2.6.0-test series) that provides the hooks needed to detect, log, and
enforce Mandatory Access Controls on processes. The rules that control what
is allowed and disallowed constitute a "policy". This policy includes rules
specifying which things are managed under the SELinux framework.
The traditional permissions model consists of users and groups and Unix file
permissions. Using this model, you can restrict which users and groups of users
can read, write, and execute files. SELinux provides a richer set of permissions
with users, roles, and types.
For example, under a traditional permissions model, you must give root (superuser)
access to processes that wish to listen on privileged ports (those below 1024).
Once these processes have that access, they can perform any of the actions that
the root user can perform. Under an SELinux model, you can grant the specific
server permission to open its specific port and nothing else.
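The contrast described above can be modelled in a few lines. This is an added example, not code from the article or from the SELinux project: the policy fragment, the port and file labels, and all function names are constructed for illustration. It evaluates each model in isolation, whereas a real SELinux kernel applies the traditional checks as well as the policy.

```python
import re

# Constructed policy fragment in SELinux type-enforcement syntax (illustrative,
# not copied from the Fedora policy sources).
POLICY = """
allow httpd_t http_port_t:tcp_socket name_bind;
allow httpd_t httpd_sys_content_t:file { read getattr };
allow named_t dns_port_t:udp_socket name_bind;
"""
# Constructed labelling of ports and files with types.
PORT_TYPES = {80: "http_port_t", 53: "dns_port_t", 25: "smtp_port_t"}
FILE_TYPES = {"/var/www/html/index.html": "httpd_sys_content_t",
              "/etc/shadow": "shadow_t"}

RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

def parse_policy(text):
    """Return a set of (source_type, target_type, class, permission) tuples."""
    rules = set()
    for src, tgt, cls, multi, single in RULE_RE.findall(text):
        for perm in (multi.split() if multi else [single]):
            rules.add((src, tgt, cls, perm))
    return rules

RULES = parse_policy(POLICY)

def dac_allows_bind(uid, port):
    """Traditional model: ports below 1024 need root; root may bind any port."""
    return uid == 0 or port >= 1024

def dac_allows_read(uid, path):
    """Simplified traditional model: root bypasses file permission checks."""
    return uid == 0

def te_allows(domain, target_type, cls, perm):
    """Type enforcement: denied unless an allow rule matches exactly."""
    return (domain, target_type, cls, perm) in RULES

def te_allows_bind(domain, port, cls="tcp_socket"):
    return te_allows(domain, PORT_TYPES.get(port, "port_t"), cls, "name_bind")

def te_allows_read(domain, path):
    return te_allows(domain, FILE_TYPES.get(path, "file_t"), "file", "read")

if __name__ == "__main__":
    for port in (80, 25):
        print(port, "root under DAC:", dac_allows_bind(0, port),
              "| httpd_t under TE:", te_allows_bind("httpd_t", port))
    print("/etc/shadow root under DAC:", dac_allows_read(0, "/etc/shadow"),
          "| httpd_t under TE:", te_allows_read("httpd_t", "/etc/shadow"))
```

A web server running as root can bind port 25 and read /etc/shadow under the traditional checks, while the same server confined to the httpd_t domain is limited to what its allow rules name.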
Which Linux Versions Provide SELinux Support?
At least the following distributions now include support for SELinux:
- Fedora Core 2
- Fedora Core 3
- Red Hat Enterprise Linux 4
- CentOS 4
- Debian unstable (kernel support)
- Hardened Gentoo project
- SUSE 9.x