SELinux Configuration Files
This section explains each SELinux configuration file with its format, example content and, where applicable, any supporting SELinux commands or libselinux library API function names.
Where configuration files have specific man pages, these are noted by adding the man page section (e.g. semanage.config(5)).
This Notebook classifies the types of configuration file used in SELinux as follows:
- Global Configuration Files that affect the active policy and their supporting SELinux-aware applications, utilities or commands. This Notebook will only refer to the commonly used configuration files.
- Policy Configuration Files used by an active (run time) policy and their supporting Policy Store Configuration Files.
- The Policy Store Configuration files are 'private' and managed by the semanage(8) and semodule(8) commands. These are used to build the majority of the Policy Configuration Files. This store will be moving as part of a migration programme; see https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration and the Policy Store Migration section for details.
- Note there can be multiple policy configuration areas on a system (e.g. /etc/selinux/targeted and /etc/selinux/mls), however only one can be the active policy.
- SELinux Kernel Configuration files that are located under the /sys/fs/selinux directory and reflect the current configuration of SELinux for the active policy. This area is used extensively by the libselinux library for userspace object managers and other SELinux-aware applications. These files and directories should not be updated by users (the majority are read only anyway), however they can be read to check various configuration parameters.
Policy Store Migration
When distributions move to version 2.4 of libsemanage, libsepol, and policycoreutils the policy module store will move from /etc/selinux/<SELINUXTYPE>/modules to /var/lib/selinux/<SELINUXTYPE>. Once the libraries are upgraded, all policy stores must be migrated before any commands can be executed that modify or use the store, for example semodule(8) or semanage(8). See https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration for details.
Once the migration is complete:
- The policy store configuration files will no longer be available.
- It will be possible to build policies containing a mixture of Reference Policy modules, kernel policy language modules and modules written in the CIL language as shown in the following example:
# Compile and install a base and two modules written in kernel language:
checkmodule -o base.mod base.conf
semodule_package -o base.pp -m base.mod -f base.fc
checkmodule -m ext_gateway.conf -o ext_gateway.mod
semodule_package -o ext_gateway.pp -m ext_gateway.mod -f gateway.fc
checkmodule -m int_gateway.conf -o int_gateway.mod
semodule_package -o int_gateway.pp -m int_gateway.mod
semodule -s modular-test --priority 100 -i base.pp ext_gateway.pp int_gateway.pp

# Compile and install an updated module written in CIL:
semodule -s modular-test --priority 400 -i custom/int_gateway.cil

# Show a full listing of modules:
semodule -s modular-test --list-modules=full
400 int_gateway cil
100 base pp
100 ext_gateway pp
100 int_gateway pp

# Show a standard listing of modules:
semodule -s modular-test --list-modules=standard
base
ext_gateway
int_gateway
Note the use of the --priority 100 and --priority 400 options, which are available for semodule(8) after migration. This command has a number of new options, with the most significant being:
- Setting module priorities (-X | --priority); this is discussed in The priority Option section.
- Listing modules (--list-modules=full | standard). The 'full' option shows all the available modules with their priority and policy format. The 'standard' option will only show the highest priority, enabled modules.
The priority Option
Priorities allow multiple modules with the same name to exist in the policy store, with the higher priority module included in the final kernel binary, and all lower priority modules of the same name ignored. For example:
semodule --priority 100 --install distribution/apache.pp
semodule --priority 400 --install custom/apache.pp
Both apache modules are installed in the policy store as 'apache', but only the custom apache module is included in the final kernel binary. The distribution apache module is ignored. The --list-modules options can be used to show these:
# Show a full listing of modules:
semodule --list-modules=full
400 apache pp
100 base pp
100 apache pp

# Show a standard listing of modules:
semodule --list-modules=standard
base
apache
The main use case for this is the ability to override a distribution provided policy, while keeping the distribution policy in the store.
This makes it easy for distributions, 3rd parties, configuration management tools (e.g. puppet), local administrators, etc. to update policies without erasing each other's changes. This also means that if a distribution, 3rd party etc. updates a module, providing the local customisation is installed at a higher priority, it will override the new distribution policy.
This does require that policy managers adopt some kind of scheme for who uses what priority. No strict guidelines currently exist, however the value used by the semanage_migrate_store script is --priority 100 as this is assumed to be migrating a distribution. If a value is not provided, semodule will use a default of --priority 400 as it is assumed to be a locally customised policy.
When semodule installs a lower priority module while a higher priority module of the same name is already present, the following message will be given: "A higher priority <name> module exists at priority <999> and will override the module currently being installed at priority <111>".
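The two listing formats and the override warning above can be modelled directly. The following is an added example (not code from The SELinux Notebook or from semodule itself): it parses the `--list-modules=full` output shown in the text, derives the `standard` listing (the highest priority module of each name, if enabled) and reproduces the "higher priority module exists" warning for a proposed install. The trailing `disabled` token on a full-listing line, and the rule that a disabled top-priority module hides its name from the standard listing, are assumptions about semodule's output rather than something the text states.

```python
"""Model of semodule(8) module listings and priority overrides.

Added example, not code from The SELinux Notebook or from semodule.
Assumptions: a trailing 'disabled' token marks a disabled module in the
full listing; a disabled top-priority module hides the name from the
standard listing.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_PRIORITY = 400  # semodule default when --priority is not given


@dataclass(frozen=True)
class ModuleEntry:
    priority: int
    name: str
    fmt: str          # policy format shown in the full listing: "pp" or "cil"
    enabled: bool = True


def parse_full_listing(text: str) -> List[ModuleEntry]:
    """Parse '--list-modules=full' lines: '<priority> <name> <format> [disabled]'."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) < 3:
            raise ValueError(f"malformed module line: {line!r}")
        enabled = "disabled" not in parts[3:]   # assumed marker for disabled modules
        entries.append(ModuleEntry(int(parts[0]), parts[1], parts[2], enabled))
    return entries


def highest_priority(entries: List[ModuleEntry]) -> Dict[str, ModuleEntry]:
    """For each module name, the entry that wins: the one with the highest priority."""
    best: Dict[str, ModuleEntry] = {}
    for entry in entries:
        current = best.get(entry.name)
        if current is None or entry.priority > current.priority:
            best[entry.name] = entry
    return best


def standard_listing(entries: List[ModuleEntry]) -> List[str]:
    """Names shown by '--list-modules=standard': the winning module per name, if enabled."""
    return sorted(name for name, e in highest_priority(entries).items() if e.enabled)


def install_warning(entries: List[ModuleEntry], name: str,
                    priority: int = DEFAULT_PRIORITY) -> Optional[str]:
    """Warning semodule gives when a higher priority module of the same name
    already exists in the store; None when the new module will take effect."""
    top = highest_priority(entries).get(name)
    if top is not None and top.priority > priority:
        return (f"A higher priority {name} module exists at priority {top.priority} "
                f"and will override the module currently being installed at priority {priority}")
    return None


# Constructed sample: the apache example from the text plus a disabled module
# (legacy_ftp is invented here to exercise the enabled filter).
SAMPLE_FULL_LISTING = """\
400 apache pp
100 base pp
100 apache pp
400 legacy_ftp cil disabled
"""

if __name__ == "__main__":
    mods = parse_full_listing(SAMPLE_FULL_LISTING)
    print("standard listing:", standard_listing(mods))
    print("winner for apache:", highest_priority(mods)["apache"])
    print(install_warning(mods, "apache", 100))
```

`install_warning` only fires when the existing module is strictly higher; installing at the same priority replaces the stored module rather than being overridden, so no warning is returned.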
Converting policy packages to CIL
A component of the update is to add a facility that converts compiled policy modules (known as policy packages or the *.pp files) to CIL format. This is achieved via a pp to CIL high level language conversion utility located at /usr/libexec/selinux/hll/pp. This utility can be used manually as follows:
cat module_name.pp | /usr/libexec/selinux/hll/pp > module_name.cil
There is no man page for 'pp', however the help text is as follows:
Usage: pp [OPTIONS] [IN_FILE [OUT_FILE]]

Read an SELinux policy package (.pp) and output the equivilent CIL.
If IN_FILE is not provided or is -, read SELinux policy package from
standard input. If OUT_FILE is not provided or is -, output CIL to
standard output.

Options:
  -h, --help    print this message and exit
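Because the pp utility works purely on standard input and standard output, a wrapper that converts a whole directory of policy packages has to handle the failure cases itself (a non-zero exit, or an empty result) so that no partial .cil file is left behind. The following is an added example, not code from The SELinux Notebook or the SELinux project; it uses the /usr/libexec/selinux/hll/pp path from the text as the default converter, and the `converter` parameter is an assumption of this example that lets the wrapper be exercised with another stdin-to-stdout command (such as `cat`) on a machine where the utility is not installed.

```python
"""Batch conversion of SELinux policy packages (.pp) to CIL.

Added example, not code from The SELinux Notebook or the SELinux project.
Wraps the stdin/stdout contract of the pp utility described in the text.
"""
import os
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Sequence, Tuple

PP_TO_CIL: Sequence[str] = ("/usr/libexec/selinux/hll/pp",)  # path from the text


def convert_pp_file(pp_path: Path, cil_path: Path,
                    converter: Sequence[str] = PP_TO_CIL) -> int:
    """Convert one .pp file to cil_path and return the number of bytes written.

    Raises RuntimeError if the converter cannot be run, exits non-zero or
    produces no output; in those cases no (partial) .cil file is created.
    """
    with pp_path.open("rb") as src:
        try:
            result = subprocess.run(list(converter), stdin=src, capture_output=True)
        except OSError as exc:
            raise RuntimeError(f"cannot run {converter[0]}: {exc}") from exc
    if result.returncode != 0:
        err = result.stderr.decode(errors="replace").strip()
        raise RuntimeError(f"{converter[0]} failed on {pp_path}: {err}")
    if not result.stdout:
        raise RuntimeError(f"{converter[0]} produced no CIL for {pp_path}")
    # Write to a temporary name, then rename, so a reader never sees a half-written .cil.
    tmp = cil_path.with_suffix(cil_path.suffix + ".tmp")
    tmp.write_bytes(result.stdout)
    os.replace(tmp, cil_path)
    return len(result.stdout)


def convert_pp_dir(src_dir, dst_dir, converter: Sequence[str] = PP_TO_CIL) -> Dict[str, int]:
    """Convert every *.pp in src_dir to dst_dir/<module>.cil; returns {module: bytes written}."""
    src_dir, dst_dir = Path(src_dir), Path(dst_dir)
    dst_dir.mkdir(parents=True, exist_ok=True)
    written: Dict[str, int] = {}
    for pp in sorted(src_dir.glob("*.pp")):
        written[pp.stem] = convert_pp_file(pp, dst_dir / f"{pp.stem}.cil", converter)
    return written


# Constructed sample bytes standing in for a policy package (not a real .pp).
SAMPLE_PP = b"constructed sample, not a real policy package\n"


def demo(converter: Sequence[str] = PP_TO_CIL) -> Tuple[Dict[str, int], bytes]:
    """Convert a constructed apache.pp in a temp store; returns (written, cil bytes)."""
    with tempfile.TemporaryDirectory() as root:
        store = Path(root) / "store"
        store.mkdir()
        (store / "apache.pp").write_bytes(SAMPLE_PP)
        written = convert_pp_dir(store, Path(root) / "cil", converter)
        cil = (Path(root) / "cil" / "apache.cil").read_bytes()
    return written, cil


def demo_failure(converter: Sequence[str] = ("false",)) -> Tuple[Optional[str], List[str]]:
    """Run the conversion with a failing converter; returns (error text, files left in dst)."""
    with tempfile.TemporaryDirectory() as root:
        store = Path(root) / "store"
        store.mkdir()
        (store / "apache.pp").write_bytes(SAMPLE_PP)
        dst = Path(root) / "cil"
        try:
            convert_pp_dir(store, dst, converter)
            error = None
        except RuntimeError as exc:
            error = str(exc)
        leftovers = sorted(p.name for p in dst.iterdir()) if dst.exists() else []
    return error, leftovers


if __name__ == "__main__":
    print(demo(("cat",)))        # cat stands in for pp where it is not installed
    print(demo_failure())
```

With the real utility installed, `convert_pp_dir("/path/to/pp/files", "/path/to/cil")` uses the default converter; `demo(("cat",))` shows the same code path with `cat` echoing the package bytes back as the "CIL" output.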
Global Configuration Files
- The following files are described in the Global Configuration Files section:
- /etc/selinux/restorecond.conf and restorecond-user.conf
Policy Store Configuration Files
- The following files are described in the Policy Store Configuration Files section:
- modules/active/netfilter_contexts & netfilter.local
- modules/active/seusers.final and seusers
- modules/active/users_extra, users_extra.local and users.local
- modules/active/nodes.local File
- modules/active/ports.local File
- modules/active/modules Directory Contents
Policy Configuration Files
- The following files are described in the Policy Configuration Files section:
- booleans and booleans.local
- contexts/initrc_context File
- contexts/lxc_contexts File
- contexts/files/file_contexts.subs and file_contexts.subs_dist
- These policy configuration files should NOT be edited, as together they describe the 'policy'.
- The system-config-selinux GUI (supplied in the policycoreutils-gui rpm) can also be used to manage users, booleans and the general configuration of SELinux as it calls semanage(8), however it does not manage all that the semanage command can (it also gets bitter & twisted if there are no MCS/MLS labels on some operations).
- This text has been derived from: http://marc.info/?l=selinux&m=141044198403718&w=2.