1.a. SELinux Management Infrastructure
The SELinux management infrastructure manages several aspects of SELinux policy. The management tools are built on the core library libsemanage. Several programs perform specific management tasks, including semanage and semodule. They allow you to configure aspects of the policy without requiring the policy sources.
1.b. SELinux Policy Module Management
What is a policy module?
SELinux supports a modular policy. This means several pieces of policy are brought together to form one complete policy that is loaded into the kernel. The structure is similar to that of the kernel itself and kernel modules: a main kernel image is loaded, and kernel modules can be added (assuming their dependencies are met) and removed on a running system without restarting. Similarly, each policy has a base module and zero or more policy modules, all of which are linked together to create the policy. Modules are built by compiling a piece of policy and creating a policy package (*.pp) from that compiled policy and, optionally, its file contexts.
The base module policy package (base.pp) contains the basic requirements of the policy. Every modular policy must have a base module at minimum. In Gentoo the base module, together with the policy modules for all parts of the system profile, is provided by the selinux-base-policy ebuild. The other policy ebuilds in portage each provide one or more policy modules.
For more information on writing a policy module, in particular for managing your local customizations to the policy, please see the policy module guide.
The SELinux module store
When a policy module is inserted or removed, the module is copied into or removed from the module store. This repository holds a copy of every module that was used to build the current policy, in addition to several auxiliary files. It is stored in the /etc/selinux/{strict,targeted}/modules directory. You should never need to access the contents of the module store directly; use a libsemanage-based tool instead, since editing the store by hand bypasses the consistency checks described next.
Libsemanage handles the module store transactionally. This means that if any operation in a set of operations (a transaction) performed on the store fails, the entire transaction is rolled back and the store is left as it was before. This keeps the store in a consistent state.
Managing the module store is accomplished with the semodule command. Listing the contents of the module store is done with the -l option.
Code Listing 1: Listing the module store
# semodule -l
distcc 1.1.1
Since the base module is required in all cases and is not versioned, it is not shown in the list. All other modules are listed along with their versions.
Inserting a policy module
The module should be referenced by its file name.
Code Listing 2: Inserting a policy module
# semodule -i module.pp
This inserts the module into the module store of the currently configured policy, as specified in /etc/selinux/config. If the insert succeeds, the policy is rebuilt and loaded into the kernel, unless the -n option is used. To insert the module into an alternate module store, use the -s option.
Code Listing 3: Inserting into an alternate module store
# semodule -s targeted -i module.pp
Since this refers to an alternate module store, the policy will not be loaded.
Removing a policy module
The module is referenced by its name in the module store.
Code Listing 4: Removing a policy module
# semodule -r module
This removes the module from the module store of the currently configured policy, as specified in /etc/selinux/config. If the remove succeeds, the policy is rebuilt and loaded, unless the -n option is used. If another module in the store still depends on the removed module, the rebuild fails and the transaction is aborted, leaving the store unchanged. The remove command also respects the -s option.
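A practitioner normally checks the module store listing before and after an insert or remove. The following POSIX shell example is added here and is not part of the Gentoo handbook or of the semodule tool; it parses the two-column `semodule -l` output shown above (name, version), decides whether a policy package needs to be inserted, upgraded or can be skipped, and wraps the real semodule calls in a helper. SAMPLE_LISTING is constructed for the example; `ensure_module` and `module_action` are hypothetical helper names and are not run here because they need a live module store.

```shell
#!/bin/sh
# Added example: decide what to do with a policy package from `semodule -l`.
# SAMPLE_LISTING is a constructed stand-in for real `semodule -l` output.
SAMPLE_LISTING='distcc 1.1.1
fcron 1.0.2
mozilla 1.3.0'

# module_version LISTING NAME: print the stored version of NAME, empty if absent.
module_version() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { print $2; exit }'
}

# store_has_module LISTING NAME: succeed if NAME is in the store.
store_has_module() {
    [ -n "$(module_version "$1" "$2")" ]
}

# version_ge A B: succeed if dotted version A >= B, comparing numeric components
# (missing components count as 0, so 1.2 == 1.2.0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# module_action LISTING NAME VERSION: print insert, upgrade or skip.
# skip also covers a store version newer than the candidate (no downgrade).
module_action() {
    have=$(module_version "$1" "$2")
    if [ -z "$have" ]; then
        echo insert
    elif version_ge "$have" "$3"; then
        echo skip
    else
        echo upgrade
    fi
}

# ensure_module NAME VERSION FILE [STORE]: hypothetical wrapper around semodule.
# Uses -i for a new module and -u (the upgrade option; an alias of -i in current
# semodule) for a newer version. Not invoked in this example.
ensure_module() {
    name=$1; ver=$2; pp=$3; store=${4:-}
    if [ -n "$store" ]; then listing=$(semodule -s "$store" -l)
    else listing=$(semodule -l); fi
    case $(module_action "$listing" "$name" "$ver") in
        insert)  if [ -n "$store" ]; then semodule -s "$store" -i "$pp"; else semodule -i "$pp"; fi ;;
        upgrade) if [ -n "$store" ]; then semodule -s "$store" -u "$pp"; else semodule -u "$pp"; fi ;;
        skip)    echo "$name $ver already present, nothing to do" ;;
    esac
}
```

When the target store is not the currently configured one (the -s case), the policy is not loaded by the insert, so a following `semodule -l` check against the same -s store is the only immediate confirmation that the transaction committed.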
1.c. Configuring User Login Mappings
The current method of assigning sets of roles to a user is to set up a mapping between linux users and SELinux identities. When a user logs in, the login program sets the SELinux identity based on this map. If there is no explicit map for the user, the __default__ map is used.
Managing the SELinux user login map is accomplished with the semanage tool.
Code Listing 5: SELinux login user map
# semanage login -l

Login Name                SELinux User
__default__               user_u
root                      root
Add a user login mapping
To map the linux user pebenito to the SELinux identity staff_u:
Code Listing 6: Adding a login mapping
# semanage login -a -s staff_u pebenito
For descriptions on the available SELinux identities, see the SELinux Overview.
Remove a user login mapping
To remove a login map for the linux user pebenito:
Code Listing 7: Removing a login mapping
# semanage login -d pebenito
Note: User login maps specified by the policy (not by the management infrastructure) cannot be removed.
1.d. Configuring Initial Boolean States
The setsebool program is now a libsemanage tool. Its basic function is to set the state of a Boolean. Without further options the change applies only to the running kernel: if the machine is restarted, the Booleans are reset to the initial state specified in the policy. To set the Boolean state and also make that the new initial state in the policy, use the -P option of setsebool.
Code Listing 8: Set Boolean default state
# setsebool -P fcron_crond 1
This will set the fcron_crond Boolean to true and also make the initial state for the Boolean true.
1.e. Configuring SELinux Identities
Generally SELinux identities need not be added to the policy, as user login mappings are sufficient. However, one reason to add them is for improved auditing, since the SELinux identity is part of the scontext of a denial message.
Managing the SELinux identities is accomplished with the semanage tool.
Code Listing 9: SELinux identity list
# semanage user -l

SELinux User              SELinux Roles
root                      sysadm_r staff_r
staff_u                   sysadm_r staff_r
sysadm_u                  sysadm_r
system_u                  system_r
user_u                    user_r
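The two listings above together determine which roles a linux login can reach: the login map (with its __default__ fallback) selects the SELinux identity, and the identity selects the roles. The following POSIX shell example is added here and is not part of the Gentoo handbook or of semanage; it performs that resolution over constructed copies of the two listings in the two-column format shown on this page (newer semanage versions print additional columns, so the field positions would need adjusting). The function names are hypothetical; `roles_for_live_login` calls the real semanage and is not run here.

```shell
#!/bin/sh
# Added example: resolve linux login -> SELinux identity -> roles from the
# `semanage login -l` and `semanage user -l` listings.
# Both samples are constructed to match the two-column output on this page.
SAMPLE_LOGINS='Login Name                SELinux User
__default__               user_u
root                      root
pebenito                  staff_u'

SAMPLE_USERS='SELinux User              SELinux Roles
root                      sysadm_r staff_r
staff_u                   sysadm_r staff_r
sysadm_u                  sysadm_r
system_u                  system_r
user_u                    user_r'

# seuser_for_login LOGINS NAME: the SELinux identity NAME logs in as. An
# explicit map wins; otherwise the __default__ map is used, as login does.
seuser_for_login() {
    printf '%s\n' "$1" | awk -v u="$2" '
        NF < 2 || $1 == "Login" { next }          # skip header and blank lines
        $1 == u { print $2; found = 1; exit }
        $1 == "__default__" { def = $2 }
        END { if (!found) print def }'
}

# roles_for_seuser USERS SEUSER: space-separated roles of SEUSER, empty if unknown.
roles_for_seuser() {
    printf '%s\n' "$1" | awk -v s="$2" '
        NF < 2 || $1 == "SELinux" { next }        # skip header and blank lines
        $1 == s { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# roles_for_login LOGINS USERS NAME: roles reachable by linux user NAME.
roles_for_login() {
    roles_for_seuser "$2" "$(seuser_for_login "$1" "$3")"
}

# login_may_use_role LOGINS USERS NAME ROLE: succeed if ROLE is in that set.
login_may_use_role() {
    for r in $(roles_for_login "$1" "$2" "$3"); do
        [ "$r" = "$4" ] && return 0
    done
    return 1
}

# roles_for_live_login NAME: the same resolution against the running system.
# Requires semanage and the two-column output format; not invoked here.
roles_for_live_login() {
    roles_for_login "$(semanage login -l)" "$(semanage user -l)" "$1"
}
```

The __default__ fallback is the security-relevant detail: any linux account without an explicit map inherits user_u and therefore only user_r, which is why a missing map for an administrator shows up as a denial rather than as a login failure.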
Add a SELinux identity
In addition to specifying the roles for an identity, a prefix must also be specified. The prefix should match a role, for example staff or sysadm, and it selects the home directory file contexts used for the identity. So if staff is used as the prefix, the home directories of linux users mapped to this identity are labeled staff_home_dir_t.
To add the test_u identity with the roles staff_r and sysadm_r with the prefix staff:
Code Listing 10: Adding a SELinux identity
# semanage user -a -R 'staff_r sysadm_r' -P staff test_u
Note: To use the SELinux identity, a user login map still must be added.
Remove a SELinux user identity
To remove the test_u SELinux identity:
Code Listing 11: Removing a SELinux identity
# semanage user -d test_u
Note: SELinux identities specified by the policy (not by the management infrastructure) cannot be removed.