SELinux Infrastructure SOP

From FedoraProject

(Difference between revisions)
Jump to: navigation, search
m
(redirect page to new infra-docs)
 
(7 intermediate revisions by 2 users not shown)
Line 1: Line 1:
= SELinux - SOP =
+
{{header|infra}}
 +
{{shortcut|ISOP:SELINUX}}
  
== Contact Information ==
 
Owner: Fedora Infrastructure Team
 
  
Contact: #fedora-admin, sysadmin-main, sysadmin-web groups
+
This SOP has moved to the fedora Infrastructure SOP git repo. Please see the current document at: http://infrastructure.fedoraproject.org/infra/docs/selinux.txt
  
Purpose: To ensure that we are able to fully wield the power of SELinux within our infrastructure.
+
For changes, questions or comments, please contact anyone in the Fedora Infrastructure team.  
  
== Description ==
 
  
SELinux is a fundamental part of our Operating System, but still has a large learning curve and remains quite intimidating to both developers and system administrators.  Fedora's Infrastructure has been growing at an unimagenary rate, and is full of custom software that needs to be locked down.  The goal of this SOP is to make it simple for developers and sysadmins to track down and fix SELinux policy related issues within Fedora's Infrastructure.
+
[[Category:Infrastructure SOPs]]
 
+
Fully deploying SELinux is still an ongoing task, and can be tracked in fedora-infrastructure [https://fedorahosted.org/fedora-infrastructure/ticket/230 ticket #230].
+
 
+
== Step One: Realizing you have a problem ==
+
 
+
At the moment, we have no easy way to detect SELinux violations across all of our infrastructure.  Once the audit/prelude/prewikka IDS stack is fully deployed, this will no longer be an issue, as all violations will be sent as alerts to the prelude-manager.
+
 
+
== Step Two: Tracking down the violation ==
+
 
+
Generate SELinux policy allow rules from logs of denied operations.  This is useful for getting a quick overview of what has been getting denied on the local machine.
+
<pre>
+
# audit2allow -la
+
</pre>
+
 
+
You can obtain more detailed audit messages by using ausearch to get the most recent violations
+
<pre>
+
# ausearch -m avc -ts recent
+
</pre>
+
 
+
== Step Three: Fixing the violation ==
+
 
+
Below are examples of using our current puppet configuration to make SELinux deployment changes.  These constructs are currently home-brewed, and do not exist in upstream Puppet.  For these functions to work, you must ensure that the host or servergroup is configured with 'include selinux', which will enable SELinux in permissive mode.  Once a host is properly configured, this can be changed to 'include selinux-enforcing' to enable SELinux Enforcing mode.
+
 
+
=== Allowing ports ===
+
<pre>
+
    semanage_port { '8081-8089': type => 'http_port_t', proto => 'tcp' }
+
</pre>
+
 
+
=== Toggling an SELinux boolean ===
+
SELinux booleans, which can be viewed by running `semanage boolean -l`, can easily be configured using the following syntax within your puppet configuration.
+
 
+
<pre>
+
    selinux_bool { 'httpd_can_network_connect_db': bool => 'on' }
+
</pre>
+
 
+
=== Setting custom context ===
+
Our infrastructure contains many custom applications, which may utilize non-standard file locations.  These issues can lead to trouble with SELinux, but they can easily be resolved by setting custom file context.
+
 
+
<pre>
+
    semanage_fcontext { '/var/tmp/l10n-data(/.*)?':
+
        type => 'httpd_sys_content_t'
+
    }
+
</pre>
+

Latest revision as of 19:03, 19 December 2011

Infrastructure InfrastructureTeamN1.png
Shortcut:
ISOP:SELINUX


This SOP has moved to the fedora Infrastructure SOP git repo. Please see the current document at: http://infrastructure.fedoraproject.org/infra/docs/selinux.txt

For changes, questions or comments, please contact anyone in the Fedora Infrastructure team.