
selinux in linux

Written By 1 on Sunday, February 6, 2011 | 1:29 AM


Introduction
Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) security mechanism implemented in the kernel. SELinux was first introduced in RHEL4 and significantly enhanced in RHEL5.

The Problems

In order to better understand why SELinux is important and what it can do for you it is easiest to look at some examples. Without SELinux enabled, discretionary access control (DAC) methods such as file permissions or access control lists (ACLs) are used to grant file access to users. Users and programs alike are allowed to grant insecure file permissions to others or gain access to parts of the system that should not otherwise be necessary for normal operation. For example:
  • Administrators have no way to control users: A user could set world readable permissions on sensitive files such as ssh keys
  • Processes can change security properties: A user’s mail files should be readable only by that user, but the mail client software has the ability to change them to be world readable
  • Processes inherit user’s rights: Firefox, if compromised, can read a user’s private ssh keys even though it has no reason to do so.
Essentially there are two privilege levels, root and user, and no easy way to enforce the model of least-privilege. Many processes that are launched by root later drop their rights to run as a restricted user and some processes may be run in a chroot jail, but all of these security methods are discretionary.

The Solution

SELinux follows the model of least-privilege. By default, everything is denied and then a policy is written that gives each element of the system (a service, program, user) only the access required to function. If a service, program or user tries to access or modify a file or resource not necessary for it to function then access is denied and the action is logged. Because SELinux is implemented within the kernel, individual applications do not need to be especially written or modified to work with SELinux. If SELinux blocks an action, this appears as just a normal “access denied” type error to the application.

SELinux Modes

SELinux has 3 basic modes of operation, of which Enforcing is the default:
  • Enforcing: The default mode which will enable and enforce the SELinux security policy on the system, denying access and logging actions
  • Permissive: In Permissive mode, SELinux is enabled but will not enforce the security policy, only warn and log actions. Permissive mode is useful for troubleshooting SELinux issues
  • Disabled: SELinux is turned off
The SELinux mode can be viewed and changed by using the SELinux Management GUI tool available on the Administration menu or from the command line by running ‘system-config-selinux’ (the SELinux Management GUI tool is part of the policycoreutils-gui package and is not installed by default).
Users who prefer the command line may use the ‘sestatus’ command to view the current SELinux status:

# sestatus

SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
The ‘setenforce’ command may be used to switch between Enforcing and Permissive modes on the fly but note that these changes do not persist through a system reboot.
To make changes persistent through a system reboot, edit the SELINUX= line in /etc/selinux/config for either ‘enforcing’, ‘permissive’, or ‘disabled’. For example, SELINUX=permissive.

SELinux Policy

Earlier we mentioned that SELinux follows the model of least-privilege; by default everything is denied and then a policy is written that gives each element of the system only the access required to function. This description best describes the strict policy. However, it is difficult to write such a policy so that it suits the wide range of circumstances in which a product such as Enterprise Linux is likely to be used. The end result is that SELinux is likely to cause problems for system administrators and end users, and rather than resolve these issues system administrators are likely to just disable SELinux, which defeats the purpose.
Luckily, SELinux allows different policies to be written that are interchangeable. The default policy in CentOS 4 and 5 is the targeted policy which “targets” and confines key system processes. In CentOS 4 only 15 defined targets existed (including httpd, named, dhcpd, mysqld) whereas in CentOS 5 this number has risen to over 200 targets. Everything else on the system runs in an unconfined domain and is unaffected by SELinux. The goal is for every process that is installed and running at boot by default to be running in a confined domain. The targeted policy is designed to protect as many key processes as possible without adversely affecting the end user experience and most users should be totally unaware that SELinux is even running.

SELinux Access Control

SELinux has 3 forms of access control:
  • Type Enforcement (TE): Type Enforcement is the primary mechanism of access control used in the targeted policy
  • Role-Based Access Control (RBAC): Based around SELinux users (not necessarily the same as the Linux user), but not used in the default targeted policy
  • Multi-Level Security (MLS): Not used and often hidden in the default targeted policy.
All processes and files have an SELinux security context. Let's see these in action by looking at the SELinux security context of our Apache homepage, index.html:
$ ls -Z /var/www/html/index.html
-rw-r--r--  phil phil  system_u:object_r:httpd_sys_content_t  /var/www/html/index.html
In addition to the standard file permissions and ownership, we can see the SELinux security context fields: system_u:object_r:httpd_sys_content_t.
This is based upon user:role:type:mls. In our example above, user:role:type fields are displayed and mls is hidden. Within the default targeted policy, type is the important field used to implement Type Enforcement, in this case httpd_sys_content_t.
Now let's look at the SELinux security context of the Apache web server process, httpd:
$ ps axZ | grep httpd
system_u:system_r:httpd_t  3234 ?  Ss  0:00  /usr/sbin/httpd
Here we see from the type field that Apache is running under the httpd_t type domain.
Finally, let's look at the SELinux security context of a file in our home directory:
$ ls -Z /home/phil/myfile.txt
-rw-r--r--  phil phil  user_u:object_r:user_home_t  /home/phil/myfile.txt
where we see the type is user_home_t, the default type for files in a user's home directory.
Access is only allowed between types that the policy associates, so Apache running as httpd_t can read /var/www/html/index.html of type httpd_sys_content_t. Because Apache runs in the httpd_t domain, it cannot access /home/phil/myfile.txt even though this file is world readable, because its SELinux security context type (user_home_t) is not one that httpd_t is permitted to access. If Apache were to be exploited, it would not be able to start any process not in the httpd_t domain (which prevents escalation of privileges) or access any file not in an httpd_t related domain.

Troubleshooting SELinux

Sooner or later you may run into situations where SELinux denies access to something and you need to troubleshoot the issue. There are a number of fundamental reasons why SELinux may deny access to a file, process or resource:
  • A mislabeled file
  • A process running under the wrong SELinux security context
  • A bug in policy. An application requires access to a file that wasn’t anticipated when the policy was written and generates an error
  • An intrusion attempt.
The first 3 we can deal with whereas the 4th case is exactly the intended behaviour.
To troubleshoot any issue, log files are key and SELinux is no different. By default SELinux log messages are written to /var/log/audit/audit.log via the Linux Auditing System (auditd) which is started by default. If auditd is not running then messages are written to /var/log/messages. SELinux log messages are labeled with the “AVC” keyword so that they can be easily filtered from other messages.
Starting with CentOS 5 the SELinux Troubleshooting tool can be used to help analyze log files, converting them into a more human-readable format. The tool consists of a GUI tool for displaying messages in human-readable format and possible solutions, a desktop notification icon alerting of new issues and a daemon process (setroubleshootd) that checks for new SELinux AVC alerts and feeds the notification icon (email notifications may also be configured for those not running an X server). The SELinux Troubleshooting tool is provided by the setroubleshoot package and is installed by default. The tool may be launched from the System menu or from the command line:
$ sealert -b
Those not running an X server may generate human-readable reports from the command line:
sealert -a /var/log/audit/audit.log > /path/to/mylogfile.txt

Relabeling Files

The ‘chcon’ command may be used to change SELinux security context of a file or files/directories in a similar way to how chown or chmod may be used to change the ownership or standard file permissions of a file.
Let's look at some examples.
Using Apache as an example, suppose you want to change the DocumentRoot to serve web pages from a location other than the default /var/www/html directory. Suppose we create a directory (or maybe a mount point) at /html and create our index.html file there:
# mkdir /html
# touch /html/index.html
# ls -Z /html/index.html
-rw-r--r-- root root user_u:object_r:default_t /html/index.html
# ls -Z | grep html
drwxr-xr-x root root user_u:object_r:default_t html
We see that both the directory /html and file /html/index.html have the security context type default_t. If we start our web browser and try to view the page SELinux will deny access and log the error because the directory and file(s) have the wrong security context. We need to set the correct security context type for Apache of httpd_sys_content_t:
# chcon -v --type=httpd_sys_content_t /html
context of /html changed to user_u:object_r:httpd_sys_content_t
# chcon -v --type=httpd_sys_content_t /html/index.html
context of /html/index.html changed to user_u:object_r:httpd_sys_content_t
# ls -Z /html/index.html
-rw-r--r-- root root user_u:object_r:httpd_sys_content_t /html/index.html
# ls -Z | grep html
drwxr-xr-x root root user_u:object_r:httpd_sys_content_t html
Equally we could have set both in one go using the -R recursive switch:
# chcon -Rv --type=httpd_sys_content_t /html
Modifying security contexts in this manner will persist between reboots unless the complete filesystem is relabeled (see later). To make the security context changes permanent, even through a complete filesystem relabel, we can use the SELinux Management Tool or the ‘semanage’ command from the command line:
semanage fcontext -a -t httpd_sys_content_t "/html(/.*)?"
to add a file context of type httpd_sys_content_t for everything under /html.

Restore Default Security Contexts

The ‘restorecon’ command may be used to restore file(s) default SELinux security contexts.
Again, let's use Apache as an example. Suppose a user edits a copy of index.html in his/her home directory and moves (mv) the file to the DocumentRoot /var/www/html. Whilst the copy (cp) command will typically adopt the destination directory’s or file’s security context, move (mv) will maintain the source’s security context. We could use the ‘chcon’ command to change the security context of the file(s) in question, but as the file(s) are now in the default Apache DocumentRoot (/var/www/html) we can just restore the default security contexts for that directory or file(s). To restore just the index.html file, we would use:
# restorecon -v /var/www/html/index.html
or to recursively restore the default security contexts for the whole directory:
# restorecon -Rv /var/www/html
Additionally, if we simply wanted to examine the security contexts of the /var/www/html directory to see if any files needed their security contexts restored, we can use restorecon with the -n switch to prevent any relabelling occurring:
# restorecon -Rv -n /var/www/html

Relabel Complete Filesystem

Sometimes it is necessary to relabel the complete filesystem although this should only be necessary when enabling SELinux after it has been disabled or when changing the SELinux policy from the default targeted policy to strict. To automatically relabel the complete filesystem upon reboot, do:
# touch /.autorelabel
# reboot
Sometimes a complete filesystem relabel will fail if the system has been upgraded to CentOS-5.2 with SELinux disabled, and SELinux is then enabled. If the above procedure doesn’t correctly perform a complete filesystem relabel, try issuing the ‘genhomedircon’ command first:
# genhomedircon
# touch /.autorelabel
# reboot

Allowing Access to a Port

We may want a service such as Apache to be allowed to bind and listen for incoming connections on a non-standard port. By default, the SELinux policy will only allow services access to recognized ports associated with those services. If we wanted to allow Apache to listen on tcp port 81, we can add a rule to allow that using the ‘semanage’ command:
# semanage port -a -t http_port_t -p tcp 81
A full list of ports that services are permitted access by SELinux can be obtained with:
# semanage port -l

Customizing SELinux Policies

Minor modifications to SELinux policies can be made without modifying and recompiling the policy source by setting boolean values for optional features. Such features include allowing users to share their home directories under Samba or allowing Apache to serve files from users' home directories, which would otherwise be denied by the SELinux policy.
There is a separate Wiki page dealing with booleans.

Which boolean do I need?

getsebool -a 
will show you all available booleans on your system which can be changed by you. Take a look at the list it gives you and check any booleans that look interesting against the list below to see whether each really does what you think it does.
admin@forge:~$ /usr/sbin/getsebool -a | grep httpd
 allow_httpd_anon_write --> off
 allow_httpd_bugzilla_script_anon_write --> off
 allow_httpd_mod_auth_pam --> off
 allow_httpd_nagios_script_anon_write --> off
 allow_httpd_squid_script_anon_write --> off
 allow_httpd_sys_script_anon_write --> off
 httpd_builtin_scripting --> on
 httpd_can_network_connect --> off
 httpd_can_network_connect_db --> off
 httpd_can_network_relay --> off
 httpd_disable_trans --> off
 httpd_enable_cgi --> on
 httpd_enable_ftp_server --> off
 httpd_enable_homedirs --> on
 httpd_rotatelogs_disable_trans --> off
 httpd_ssi_exec --> off
 httpd_suexec_disable_trans --> off
 httpd_tty_comm --> on
 httpd_unified --> on
httpd_can_network_connect looks interesting – let us check with the list below:
httpd_can_network_connect (HTTPD Service): Allow HTTPD scripts and modules to connect to the network.
Looks like it could be the one you need …
setsebool -P httpd_can_network_connect on
will turn that on for you. Et voilà – it works.
system-config-selinux from the policycoreutils-gui package has the same list as the one below. So if you have a GUI available you are probably better off installing that package and making the changes there.
For all others: here is the list :)
acct_disable_trans (SELinux Service Protection)
Disable SELinux protection for acct daemon
allow_cvs_read_shadow (CVS)
Allow cvs daemon to read shadow
allow_daemons_dump_core (Admin)
Allow all daemons to write corefiles to /.
allow_daemons_use_tty (Admin)
Allow all daemons the ability to use unallocated ttys.
allow_execheap (Memory Protection)
Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
allow_execmem (Memory Protection)
Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla
allow_execmod (Memory Protection)
Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t
allow_execstack (Memory Protection)
Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
allow_ftpd_full_access (FTP)
Allow ftpd to full access to the system
allow_ftpd_anon_write (FTP)
Allow ftpd to upload files to directories labeled public_content_rw_t
allow_ftpd_use_cifs (FTP)
Allow ftp servers to use cifs used for public file transfer services.
allow_ftpd_use_nfs (FTP)
Allow ftp servers to use nfs used for public file transfer services.
allow_gpg_execstack (Memory Protection)
Allow gpg executable stack
allow_gssd_read_tmp (NFS)
Allow gssd to read temp directory.
allow_httpd_anon_write (HTTPD Service)
Allow httpd daemon to write files in directories labeled public_content_rw_t
allow_httpd_mod_auth_pam (HTTPD Service)
Allow Apache to use mod_auth_pam.
allow_httpd_sys_script_anon_write (HTTPD Service)
Allow httpd scripts to write files in directories labeled public_content_rw_t
allow_java_execstack (Memory Protection)
Allow java executable stack
allow_kerberos (Kerberos)
Allow daemons to use kerberos files
allow_mount_anyfile (Mount)
Allow mount to mount any file
allow_mounton_anydir (Mount)
Allow mount to mount any dir
allow_mplayer_execstack (Memory Protection)
Allow mplayer executable stack
allow_nfsd_anon_write (NFS)
Allow nfs servers to modify public files used for public file transfer services.
allow_polyinstantiation (Polyinstantiation)
Enable polyinstantiated directory support.
allow_ptrace (Compatibility)
Allow sysadm_t to debug or ptrace applications
allow_rsync_anon_write (rsync)
Allow rsync to write files in directories labeled public_content_rw_t
allow_smbd_anon_write (Samba)
Allow Samba to write files in directories labeled public_content_rw_t
allow_ssh_keysign (SSH)
Allow ssh to run ssh-keysign
allow_unconfined_execmem_dyntrans (Memory Protection)
Allow unconfined to dyntrans to unconfined_execmem
allow_user_mysql_connect (Databases)
Allow user to connect to mysql socket
allow_user_postgresql_connect (Databases)
Allow user to connect to postgres socket
allow_write_xshm (XServer)
Allow clients to write to X shared memory
allow_ypbind (NIS)
Allow daemons to run with NIS
allow_zebra_write_config (Zebra)
Allow zebra daemon to write its configuration files
amanda_disable_trans (SELinux Service Protection)
Disable SELinux protection for amanda
amavis_disable_trans (SELinux Service Protection)
Disable SELinux protection for amavis
apmd_disable_trans (SELinux Service Protection)
Disable SELinux protection for apmd daemon
arpwatch_disable_trans (SELinux Service Protection)
Disable SELinux protection for arpwatch daemon
auditd_disable_trans (SELinux Service Protection)
Disable SELinux protection for auditd daemon
automount_disable_trans (Mount)
Disable SELinux protection for automount daemon
avahi_disable_trans (SELinux Service Protection)
Disable SELinux protection for avahi
bluetooth_disable_trans (SELinux Service Protection)
Disable SELinux protection for bluetooth daemon
canna_disable_trans (SELinux Service Protection)
Disable SELinux protection for canna daemon
cardmgr_disable_trans (SELinux Service Protection)
Disable SELinux protection for cardmgr daemon
ccs_disable_trans (SELinux Service Protection)
Disable SELinux protection for Cluster Server
cdrecord_read_content (User Privs)
Allow cdrecord to read various content: nfs, samba, removable devices, user temp and untrusted content files
ciped_disable_trans (SELinux Service Protection)
Disable SELinux protection for ciped daemon
clamd_disable_trans (SELinux Service Protection)
Disable SELinux protection for clamd daemon
clamscan_disable_trans (SELinux Service Protection)
Disable SELinux protection for clamscan
clvmd_disable_trans (SELinux Service Protection)
Disable SELinux protection for clvmd
comsat_disable_trans (SELinux Service Protection)
Disable SELinux protection for comsat daemon
courier_authdaemon_disable_trans (SELinux Service Protection)
Disable SELinux protection for courier daemon
courier_pcp_disable_trans (SELinux Service Protection)
Disable SELinux protection for courier daemon
courier_pop_disable_trans (SELinux Service Protection)
Disable SELinux protection for courier daemon
courier_sqwebmail_disable_trans (SELinux Service Protection)
Disable SELinux protection for courier daemon
courier_tcpd_disable_trans (SELinux Service Protection)
Disable SELinux protection for courier daemon
cpucontrol_disable_trans (SELinux Service Protection)
Disable SELinux protection for cpucontrol daemon
cpuspeed_disable_trans (SELinux Service Protection)
Disable SELinux protection for cpuspeed daemon
cron_can_relabel (Cron)
Allow system cron jobs to relabel filesystem for restoring file contexts.
crond_disable_trans (Cron)
Disable SELinux protection for crond daemon
cupsd_config_disable_trans (Printing)
Disable SELinux protection for cupsd backend server
cupsd_disable_trans (Printing)
Disable SELinux protection for cupsd daemon
cupsd_lpd_disable_trans (Printing)
Disable SELinux protection for cupsd_lpd
cvs_disable_trans (CVS)
Disable SELinux protection for cvs daemon
cyrus_disable_trans (SELinux Service Protection)
Disable SELinux protection for cyrus daemon
dbskkd_disable_trans (SELinux Service Protection)
Disable SELinux protection for dbskkd daemon
dbusd_disable_trans (SELinux Service Protection)
Disable SELinux protection for dbusd daemon
dccd_disable_trans (SELinux Service Protection)
Disable SELinux protection for dccd
dccifd_disable_trans (SELinux Service Protection)
Disable SELinux protection for dccifd
dccm_disable_trans (SELinux Service Protection)
Disable SELinux protection for dccm
ddt_client_disable_trans (SELinux Service Protection)
Disable SELinux protection for ddt daemon
devfsd_disable_trans (SELinux Service Protection)
Disable SELinux protection for devfsd daemon
dhcpc_disable_trans (SELinux Service Protection)
Disable SELinux protection for dhcpc daemon
dhcpd_disable_trans (SELinux Service Protection)
Disable SELinux protection for dhcpd daemon
dictd_disable_trans (SELinux Service Protection)
Disable SELinux protection for dictd daemon
direct_sysadm_daemon (Admin)
Allow sysadm_t to directly start daemons
disable_evolution_trans (Web Applications)
Disable SELinux protection for Evolution
disable_games_trans (Games)
Disable SELinux protection for games
disable_mozilla_trans (Web Applications)
Disable SELinux protection for the web browsers
disable_thunderbird_trans (Web Applications)
Disable SELinux protection for Thunderbird
distccd_disable_trans (SELinux Service Protection)
Disable SELinux protection for distccd daemon
dmesg_disable_trans (SELinux Service Protection)
Disable SELinux protection for dmesg daemon
dnsmasq_disable_trans (SELinux Service Protection)
Disable SELinux protection for dnsmasq daemon
dovecot_disable_trans (SELinux Service Protection)
Disable SELinux protection for dovecot daemon
entropyd_disable_trans (SELinux Service Protection)
Disable SELinux protection for entropyd daemon
fcron_crond (Cron)
Enable extra rules in the cron domain to support fcron.
fetchmail_disable_trans (SELinux Service Protection)
Disable SELinux protection for fetchmail
fingerd_disable_trans (SELinux Service Protection)
Disable SELinux protection for fingerd daemon
freshclam_disable_trans (SELinux Service Protection)
Disable SELinux protection for freshclam daemon
fsdaemon_disable_trans (SELinux Service Protection)
Disable SELinux protection for fsdaemon daemon
ftpd_disable_trans (FTP)
Disable SELinux protection for ftpd daemon
ftpd_is_daemon (FTP)
Allow ftpd to run directly without inetd
ftp_home_dir (FTP)
Allow ftp to read/write files in the user home directories
global_ssp (Admin)
This should be enabled when all programs are compiled with ProPolice/SSP stack smashing protection. All domains will be allowed to read from /dev/urandom.
gpm_disable_trans (SELinux Service Protection)
Disable SELinux protection for gpm daemon
gssd_disable_trans (NFS)
Disable SELinux protection for gss daemon
hald_disable_trans (SELinux Service Protection)
Disable SELinux protection for hal daemon
hide_broken_symptoms (Compatibility)
Do not audit things that we know to be broken but which are not security risks
hostname_disable_trans (SELinux Service Protection)
Disable SELinux protection for hostname daemon
hotplug_disable_trans (SELinux Service Protection)
Disable SELinux protection for hotplug daemon
howl_disable_trans (SELinux Service Protection)
Disable SELinux protection for howl daemon
hplip_disable_trans (Printing)
Disable SELinux protection for cups hplip daemon
httpd_builtin_scripting (HTTPD Service)
Allow HTTPD to support built-in scripting
httpd_can_network_connect_db (HTTPD Service)
Allow HTTPD scripts and modules to network connect to databases.
httpd_can_network_connect (HTTPD Service)
Allow HTTPD scripts and modules to connect to the network.
httpd_can_network_relay (HTTPD Service)
Allow httpd to act as a relay.
httpd_disable_trans (HTTPD Service)
Disable SELinux protection for httpd daemon
httpd_enable_cgi (HTTPD Service)
Allow HTTPD cgi support
httpd_enable_ftp_server (HTTPD Service)
Allow HTTPD to run as a ftp server
httpd_enable_homedirs (HTTPD Service)
Allow HTTPD to read home directories
httpd_rotatelogs_disable_trans (SELinux Service Protection)
Disable SELinux protection for httpd rotatelogs
httpd_ssi_exec (HTTPD Service)
Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
httpd_suexec_disable_trans (HTTPD Service)
Disable SELinux protection for http suexec
httpd_tty_comm (HTTPD Service)
Unify HTTPD to communicate with the terminal. Needed for handling certificates.
httpd_unified (HTTPD Service)
Unify HTTPD handling of all content files.
hwclock_disable_trans (SELinux Service Protection)
Disable SELinux protection for hwclock daemon
i18n_input_disable_trans (SELinux Service Protection)
Disable SELinux protection for i18n daemon
imazesrv_disable_trans (SELinux Service Protection)
Disable SELinux protection for imazesrv daemon
inetd_child_disable_trans (SELinux Service Protection)
Disable SELinux protection for inetd child daemons
inetd_disable_trans (SELinux Service Protection)
Disable SELinux protection for inetd daemon
innd_disable_trans (SELinux Service Protection)
Disable SELinux protection for innd daemon
iptables_disable_trans (SELinux Service Protection)
Disable SELinux protection for iptables daemon
ircd_disable_trans (SELinux Service Protection)
Disable SELinux protection for ircd daemon
irqbalance_disable_trans (SELinux Service Protection)
Disable SELinux protection for irqbalance daemon
iscsid_disable_trans (SELinux Service Protection)
Disable SELinux protection for iscsi daemon
jabberd_disable_trans (SELinux Service Protection)
Disable SELinux protection for jabberd daemon
kadmind_disable_trans (Kerberos)
Disable SELinux protection for kadmind daemon
klogd_disable_trans (SELinux Service Protection)
Disable SELinux protection for klogd daemon
krb5kdc_disable_trans (Kerberos)
Disable SELinux protection for krb5kdc daemon
ktalkd_disable_trans (SELinux Service Protection)
Disable SELinux protection for ktalk daemons
kudzu_disable_trans (SELinux Service Protection)
Disable SELinux protection for kudzu daemon
locate_disable_trans (SELinux Service Protection)
Disable SELinux protection for locate daemon
lpd_disable_trans (SELinux Service Protection)
Disable SELinux protection for lpd daemon
lrrd_disable_trans (SELinux Service Protection)
Disable SELinux protection for lrrd daemon
lvm_disable_trans (SELinux Service Protection)
Disable SELinux protection for lvm daemon
mailman_mail_disable_trans (SELinux Service Protection)
Disable SELinux protection for mailman
mail_read_content (Web Applications)
Allow evolution and thunderbird to read user files
mdadm_disable_trans (SELinux Service Protection)
Disable SELinux protection for mdadm daemon
monopd_disable_trans (SELinux Service Protection)
Disable SELinux protection for monopd daemon
mozilla_read_content (Web Applications)
Allow the mozilla browser to read user files
mrtg_disable_trans (SELinux Service Protection)
Disable SELinux protection for mrtg daemon
mysqld_disable_trans (Databases)
Disable SELinux protection for mysqld daemon
nagios_disable_trans (SELinux Service Protection)
Disable SELinux protection for nagios daemon
named_disable_trans (Name Service)
Disable SELinux protection for named daemon
named_write_master_zones (Name Service)
Allow named to overwrite master zone files
nessusd_disable_trans (SELinux Service Protection)
Disable SELinux protection for nessusd daemon
NetworkManager_disable_trans (SELinux Service Protection)
Disable SELinux protection for NetworkManager
nfsd_disable_trans (NFS)
Disable SELinux protection for nfsd daemon
nfs_export_all_ro (NFS)
Allow NFS to share any file/directory read only
nfs_export_all_rw (NFS)
Allow NFS to share any file/directory read/write
nmbd_disable_trans (Samba)
Disable SELinux protection for nmbd daemon
nrpe_disable_trans (SELinux Service Protection)
Disable SELinux protection for nrpe daemon
nscd_disable_trans (Name Service)
Disable SELinux protection for nscd daemon
nsd_disable_trans (SELinux Service Protection)
Disable SELinux protection for nsd daemon
ntpd_disable_trans (SELinux Service Protection)
Disable SELinux protection for ntpd daemon
oddjob_disable_trans (SELinux Service Protection)
Disable SELinux protection for oddjob
oddjob_mkhomedir_disable_trans (SELinux Service Protection)
Disable SELinux protection for oddjob_mkhomedir
openvpn_disable_trans (SELinux Service Protection)
Disable SELinux protection for openvpn daemon
pam_console_disable_trans (SELinux Service Protection)
Disable SELinux protection for pam daemon
pegasus_disable_trans (SELinux Service Protection)
Disable SELinux protection for pegasus
perdition_disable_trans (SELinux Service Protection)
Disable SELinux protection for perdition daemon
portmap_disable_trans (SELinux Service Protection)
Disable SELinux protection for portmap daemon
portslave_disable_trans (SELinux Service Protection)
Disable SELinux protection for portslave daemon
postfix_disable_trans (SELinux Service Protection)
Disable SELinux protection for postfix
postgresql_disable_trans (Databases)
Disable SELinux protection for postgresql daemon
pppd_can_insmod (pppd)
Allow pppd daemon to insert modules into the kernel
pppd_disable_trans (pppd)
Disable SELinux protection for pppd daemon
pppd_disable_trans (pppd)
Disable SELinux protection for the mozilla ppp daemon
pppd_for_user (pppd)
Allow pppd to be run for a regular user.
pptp_disable_trans (SELinux Service Protection)
Disable SELinux protection for pptp
prelink_disable_trans (SELinux Service Protection)
Disable SELinux protection for prelink daemon
privoxy_disable_trans (SELinux Service Protection)
Disable SELinux protection for privoxy daemon
ptal_disable_trans (SELinux Service Protection)
Disable SELinux protection for ptal daemon
pxe_disable_trans (SELinux Service Protection)
Disable SELinux protection for pxe daemon
pyzord_disable_trans (SELinux Service Protection)
Disable SELinux protection for pyzord
quota_disable_trans (SELinux Service Protection)
Disable SELinux protection for quota daemon
radiusd_disable_trans (SELinux Service Protection)
Disable SELinux protection for radiusd daemon
radvd_disable_trans (SELinux Service Protection)
Disable SELinux protection for radvd daemon
rdisc_disable_trans (SELinux Service Protection)
Disable SELinux protection for rdisc
readahead_disable_trans (SELinux Service Protection)
Disable SELinux protection for readahead
read_default_t (Admin)
Allow programs to read files in non-standard locations (default_t)
read_untrusted_content (Web Applications)
Allow programs to read untrusted content without relabel
restorecond_disable_trans (SELinux Service Protection)
Disable SELinux protection for restorecond
rhgb_disable_trans (SELinux Service Protection)
Disable SELinux protection for rhgb daemon
ricci_disable_trans (SELinux Service Protection)
Disable SELinux protection for ricci
ricci_modclusterd_disable_trans (SELinux Service Protection)
Disable SELinux protection for ricci_modclusterd
rlogind_disable_trans (SELinux Service Protection)
Disable SELinux protection for rlogind daemon
rpcd_disable_trans (SELinux Service Protection)
Disable SELinux protection for rpcd daemon
rshd_disable_trans (SELinux Service Protection)
Disable SELinux protection for rshd
rsync_disable_trans (rsync)
Disable SELinux protection for rsync daemon
run_ssh_inetd (SSH)
Allow ssh to run from inetd instead of as a daemon
samba_enable_home_dirs (Samba)
Allow Samba to share users home directories
samba_share_nfs (Samba)
Allow Samba to share nfs directories
allow_saslauthd_read_shadow (SASL authentication server)
Allow sasl authentication server to read /etc/shadow
saslauthd_disable_trans (SASL authentication server)
Disable SELinux protection for saslauthd daemon
scannerdaemon_disable_trans (SELinux Service Protection)
Disable SELinux protection for scannerdaemon daemon
secure_mode (Admin)
Do not allow transition to sysadm_t; sudo and su are affected
secure_mode_insmod (Admin)
Do not allow any processes to load kernel modules
secure_mode_policyload (Admin)
Do not allow any processes to modify kernel SELinux policy
sendmail_disable_trans (SELinux Service Protection)
Disable SELinux protection for sendmail daemon
setrans_disable_trans (SELinux Service Protection)
Disable SELinux protection for setrans
setroubleshootd_disable_trans (SELinux Service Protection)
Disable SELinux protection for setroubleshoot daemon
slapd_disable_trans (SELinux Service Protection)
Disable SELinux protection for slapd daemon
slrnpull_disable_trans (SELinux Service Protection)
Disable SELinux protection for slrnpull daemon
smbd_disable_trans (Samba)
Disable SELinux protection for smbd daemon
snmpd_disable_trans (SELinux Service Protection)
Disable SELinux protection for snmpd daemon
snort_disable_trans (SELinux Service Protection)
Disable SELinux protection for snort daemon
soundd_disable_trans (SELinux Service Protection)
Disable SELinux protection for soundd daemon
sound_disable_trans (SELinux Service Protection)
Disable SELinux protection for sound daemon
spamassassin_can_network (Spam Assassin)
Allow SpamAssassin daemon network access
spamd_disable_trans (spam Protection)
Disable SELinux protection for spamd daemon
spamd_enable_home_dirs (spam Protection)
Allow spamd to access home directories
spammassasin_can_network (spam Protection)
Allow SpamAssassin to access the network
speedmgmt_disable_trans (SELinux Service Protection)
Disable SELinux protection for speedmgmt daemon
squid_connect_any (Squid)
Allow squid daemon to connect to the network
squid_disable_trans (Squid)
Disable SELinux protection for squid daemon
ssh_keygen_disable_trans (SSH)
Disable SELinux protection for ssh-keygen
ssh_sysadm_login (SSH)
Allow ssh logins as sysadm_r:sysadm_t
staff_read_sysadm_file (Admin)
Allow staff_r users to search the sysadm home dir and read files such as ~/.bashrc
stunnel_disable_trans (Universal SSL tunnel)
Disable SELinux protection for stunnel daemon
stunnel_is_daemon (Universal SSL tunnel)
Allow stunnel daemon to run as standalone, outside of xinetd
swat_disable_trans (SELinux Service Protection)
Disable SELinux protection for swat daemon
sxid_disable_trans (SELinux Service Protection)
Disable SELinux protection for sxid daemon
syslogd_disable_trans (SELinux Service Protection)
Disable SELinux protection for syslogd daemon
system_crond_disable_trans (SELinux Service Protection)
Disable SELinux protection for system cron jobs
tcpd_disable_trans (SELinux Service Protection)
Disable SELinux protection for tcp daemon
telnetd_disable_trans (SELinux Service Protection)
Disable SELinux protection for telnet daemon
tftpd_disable_trans (SELinux Service Protection)
Disable SELinux protection for tftpd daemon
transproxy_disable_trans (SELinux Service Protection)
Disable SELinux protection for transproxy daemon
udev_disable_trans (SELinux Service Protection)
Disable SELinux protection for udev daemon
uml_switch_disable_trans (SELinux Service Protection)
Disable SELinux protection for uml daemon
unlimitedInetd (Admin)
Allow xinetd to run unconfined, including any services it starts that do not have a domain transition explicitly defined.
unlimitedRC (Admin)
Allow rc scripts to run unconfined, including any daemon started by an rc script that does not have a domain transition explicitly defined.
unlimitedRPM (Admin)
Allow rpm to run unconfined.
unlimitedUtils (Admin)
Allow privileged utilities like hotplug and insmod to run unconfined.
updfstab_disable_trans (SELinux Service Protection)
Disable SELinux protection for updfstab daemon
uptimed_disable_trans (SELinux Service Protection)
Disable SELinux protection for uptimed daemon
use_lpd_server (Printing)
Use lpd server instead of cups
use_nfs_home_dirs (NFS)
Support NFS home directories
user_canbe_sysadm (User Privs)
Allow user_r to reach sysadm_r via su, sudo, or userhelper. Otherwise, only staff_r can do so.
user_can_mount (Mount)
Allow users to execute the mount command
user_direct_mouse (User Privs)
Allow regular users direct mouse access (otherwise only the X server is allowed)
user_dmesg (User Privs)
Allow users to run the dmesg command
user_net_control (User Privs)
Allow users to control network interfaces (also needs USERCTL=true)
user_ping (User Privs)
Allow normal user to execute ping
user_rw_noexattrfile (User Privs)
Allow users to read/write file systems without extended attributes (FAT, CDROM, FLOPPY)
user_rw_usb (User Privs)
Allow users to read/write USB devices
user_tcp_server (User Privs)
Allow users to run TCP servers (bind to ports and accept connections from the same domain and outside users); disabling this forces FTP passive mode and may change other protocols
user_ttyfile_stat (User Privs)
Allow user to stat ttyfiles
use_samba_home_dirs (Samba)
Allow users to login with CIFS home directories
uucpd_disable_trans (SELinux Service Protection)
Disable SELinux protection for uucpd daemon
vmware_disable_trans (SELinux Service Protection)
Disable SELinux protection for vmware daemon
watchdog_disable_trans (SELinux Service Protection)
Disable SELinux protection for watchdog daemon
winbind_disable_trans (Samba)
Disable SELinux protection for winbind daemon
write_untrusted_content (Web Applications)
Allow web applications to write untrusted content to disk (implies read)
xdm_disable_trans (SELinux Service Protection)
Disable SELinux protection for xdm daemon
xdm_sysadm_login (XServer)
Allow xdm logins as sysadm_r:sysadm_t
xend_disable_trans (SELinux Service Protection)
Disable SELinux protection for xen daemon
xen_use_raw_disk (XEN)
Allow xen to read/write physical disk devices
xfs_disable_trans (SELinux Service Protection)
Disable SELinux protection for xfs daemon
xm_disable_trans (SELinux Service Protection)
Disable SELinux protection for xen control (xm)
ypbind_disable_trans (NIS)
Disable SELinux protection for ypbind daemon
yppasswdd_disable_trans (NIS)
Disable SELinux protection for NIS Password Daemon
ypserv_disable_trans (SELinux Service Protection)
Disable SELinux protection for ypserv daemon
ypxfr_disable_trans (NIS)
Disable SELinux protection for NIS Transfer Daemon
zebra_disable_trans (SELinux Service Protection)
Disable SELinux protection for zebra daemon
httpd_use_cifs (HTTPD Service)
Allow httpd to access samba/cifs file systems.
httpd_use_nfs (HTTPD Service)
Allow httpd to access nfs file systems.
samba_domain_controller (Samba)
Allow samba to act as the domain controller, add users, groups and change passwords
samba_export_all_ro (Samba)
Allow Samba to share any file/directory read only
samba_export_all_rw (Samba)
Allow Samba to share any file/directory read/write
webadm_manage_users_files (HTTPD Service)
Allow webadm to manage files in users' home directories
webadm_read_users_files (HTTPD Service)
Allow webadm to read files in users' home directories