Hi to All :)


I followed the Funtoo guide about SELinux (http://www.funtoo.org/SELinux/Install).


Actually, the status is:

ci74771ht ~ # sestatus -v 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              disabled
Policy deny_unknown status:     denied
Max kernel policy version:      30

Process contexts:
Current context:                unconfined_u:unconfined_r:unconfined_t
Init context:                   system_u:system_r:init_t
/sbin/agetty                    system_u:system_r:getty_t
/usr/sbin/sshd                  system_u:system_r:sshd_t

File contexts:
Controlling terminal:           unconfined_u:object_r:user_devpts_t
/sbin/init                      system_u:object_r:init_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/bin/login                      system_u:object_r:login_exec_t
/sbin/openrc                    system_u:object_r:rc_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/sbin/unix_chkpwd               system_u:object_r:chkpwd_exec_t
/etc/passwd                     system_u:object_r:etc_t
/etc/shadow                     system_u:object_r:shadow_t
/bin/sh                         system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash                       system_u:object_r:shell_exec_t
/usr/bin/newrole                system_u:object_r:newrole_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t -> system_u:object_r:ld_so_t


ci74771ht ~ # id -Z 

If I try to change to "enforcing" .... I had errors about iptables, ufw (then about firewalls, I think) and xorg starts but I can notice only a "black screen" and the keyboard seems "frozen".


(excuse my bad us_lang).


What  could I do ?


I would recommend a day or two of practice with audit2allow in permissive mode, just so you get used to it, and after that it will be easy for you to manage policies etc...


Your options are pretty much like this:


(use permissive for practice, even though it doesn't "deny" it still prints denials, so commands below will work just as well (memorize necessary policies))


# audit2allow -w -a  <-- this command will tell you in a human-readable format what has been denied (you are going to use this, a lot)...when you're enforcing, a lot of stuff is going to be denied, like xorg stuff + ip/net stuff (of course)


# audit2allow -a  <-- this command will print a so-called "type-enforcement rule"


# audit2allow -a -M somepolicy  <-- Now this is your way around...the output of the audit2allow -a command will now be stored in a somepolicy.pp file (you can use any file name you like, instead of <somepolicy>)


# semodule -i somepolicy.pp   <-- This is how you install your custom modules, and everything that audit2allow -a has logged as denied will now be allowed



This is a bad practice in reality (production environment), you should never allow ALL denied services, but for practice it's perfectly fine. I think the policies you make in permissive mode remain across boots/type changes...


Let me know how it went, and...

Good luck!
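
Added example, not part of the original posts and not audit2allow's own code: a small reviewer that groups AVC denials by source domain, so the rules for one domain (say, the firewall) can be read before any module is built from the whole log. The log lines, type names and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in the kernel AVC audit format (not from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1400000000.101:51): avc:  denied  { read } for  pid=811 comm="iptables" name="xtables.lock" dev="tmpfs" ino=901 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:var_run_t tclass=file permissive=1
type=AVC msg=audit(1400000000.102:52): avc:  denied  { write } for  pid=811 comm="iptables" name="xtables.lock" dev="tmpfs" ino=901 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:var_run_t tclass=file permissive=1
type=AVC msg=audit(1400000000.230:60): avc:  denied  { read write } for  pid=902 comm="X" name="event3" dev="devtmpfs" ino=77 scontext=system_u:system_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
type=SYSCALL msg=audit(1400000000.230:60): arch=c000003e syscall=2 success=yes
"""

# Pull permissions, source context, target context and object class from a denial.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

def se_type(context):
    # A context is user:role:type[:level]; the type is always the third field.
    return context.split(":")[2]

def group_denials(log_text):
    """Return {source domain: {(target type, class): set of denied perms}}."""
    by_domain = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. SYSCALL records)
        key = (se_type(m["t"]), m["cls"])
        by_domain[se_type(m["s"])][key].update(m["perms"].split())
    return by_domain

def rules_for(by_domain, domain):
    """Draft type-enforcement rules for one domain only, for manual review."""
    rules = []
    for (ttype, cls), perms in sorted(by_domain.get(domain, {}).items()):
        perm_list = " ".join(sorted(perms))
        rules.append("allow %s %s:%s { %s };" % (domain, ttype, cls, perm_list))
    return rules

if __name__ == "__main__":
    groups = group_denials(SAMPLE_LOG)
    for domain in sorted(groups):
        print("# %s" % domain)
        for rule in rules_for(groups, domain):
            print(rule)
```
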




Thx Very much ;)

