I am adding these man pages to the policy file to attempt to describe how users might manipulate policy.

The goal was to describe Booleans and File Context that a user might want to manipulate. Please review the man pages. (IE translate them from dwalsh to English :^) )

I also attached the latest policy file that includes all changes including the previous patch I submitted. The main new stuff is around trying to get telnet, rlogin, and rshd to work. We pretty much figured out that SELinux is not going to offer much protection with targeted policy since these apps need to either transition directly to unconfined_t or to transition to login which will transition to unconfined_t.

Looks like we will need to split up the apps via Priv-Separation in order to make this of much use.

Dan

.TH "ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd Selinux Policy documentation"
.SH "NAME"

ftpd_selinux \- Security Enhanced Linux Policy for the ftp daemon
.SH "DESCRIPTION"
Security-Enhanced Linux secures the ftpd server via flexible mandatory access control.
.SH FILE_CONTEXTS

SELinux requires files to have an extended attributes to define the file type. Policy governs the access daemons have to these files. If you want to share files anonymously you must label the files and directories ftpd_anon_t. So if you created a special directory /var/ftp, you would need to label the directory with the chcon tool.
.TP

chcon -t ftpd_anon_t /var/ftp
.TP

If you want to make this permanant IE, survive a relabel you must add an entry to the file_contexts.local file.
.TP

/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
.br

/var/ftp(/.*)? system_u:object_r:ftpd_anon_t

.SH BOOLEANS

SELinux ftp daemon policy is customizable based on least access required. So by default SElinux does not allow users to login and read their home directories.
.br

If you are setting up this machine as a ftpd server and wish to allow users to access their home directorories you need to set the ftp_home_dir boolean.
.TP

setsebool -P ftp_home_dir 1
.TP

ftpd can run either as a standalone daemon or as part of the xinetd domain. If you want to run ftpd as a daemon you must set the ftpd_is_daemon boolean.
.TP

setsebool -P ftpd_is_daemon 1
.TP

You can disable SELinux protection for the ftpd daemon by executing:
.TP

setsebool -P ftpd_disable_trans 1
.br

system vsftpd restart
.TP

system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
.SH AUTHOR

This manual page was written by Dan Walsh <dwalsh@redhat.com>.

.SH "SEE ALSO"

selinux(8), ftpd(8), chcon(1), setsebool(8)

.TH "httpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "httpd Selinux Policy documentation"
.SH "NAME"

httpd_selinux \- Security Enhanced Linux Policy for the httpd daemon
.SH "DESCRIPTION"
Security-Enhanced Linux secures the httpd server via flexible mandatory access control.
.SH FILE_CONTEXTS

SELinux requires files to have an extended attributes to define the file type. Policy governs the access daemons have to these files. SELinux httpd policy is very flexible allowing users to setup their web services in as secure a method as possible.
.TP

The following file contexts types are defined for httpd:
.br

httpd_sys_content_t
.br

- Set files with httpd_sys_content_t for content which is available from all httpd scripts and the daemon.
.br

httpd_sys_script_exec_t
.br

- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types.
.br

httpd_sys_script_ro_t
.br

- Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t scripts to read the data, and disallow other sys scripts from access.
.br

httpd_sys_script_rw_t
.br

- Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access.
.br

httpd_sys_script_ra_t
.br

- Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access.
.SH NOTE
With certain policies you can define addional file contexts based off of roles like user or staff. httpd_user_script_exec_t can be defined, where it would only have access to "user" contexts.

.SH BOOLEANS

SELinux policy is customizable based on least access required. So by default SElinux prevents certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
.TP

httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this
.br

setsebool -P httpd_enable_cgi 1

.TP

httpd by default is not allowed to access users home directories. If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir.
.br

setsebool -P httpd_enable_homedirs 1
.br

chcon -R -t httpd_sys_content_t ~user/public_html

.TP

httpd by default is not allowed access to the controling terminal. In most cases this is prefered, because an intruder might be able to use the access to the terminal to gain priveledges. But in certain situations, httpd needs to prompt for a password to open a certificate file, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access.
.br

setsebool -P httpd_tty_comm 1

.TP

httpd can be configured to not differentiate file conteols based on context. IE, all files labeled as httpd context can be read/write/execute. Setting this context to false allows you to setup security policy such that one httpd service can not interfere with another.
.br

setsebool -P httpd_unified 0

.TP

You can disable SELinux protection for the httpd daemon by executing:
.br

setsebool -P httpd_disable_trans 1
.br

system httpd restart

.TP

system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
.SH AUTHOR

This manual page was written by Dan Walsh <dwalsh@redhat.com>.

.SH "SEE ALSO"

selinux(8), httpd(8), chcon(1), setsebool(8)

.TH "kerberos_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "kerberos Selinux Policy documentation"
.SH "NAME"

kerberos_selinux \- Security Enhanced Linux Policy for Kerberos.
.SH "DESCRIPTION"
Security-Enhanced Linux secures the system via flexible mandatory access control. By default Kerberos access is not allowed, since it requires daemons to be allowed greater access to certain secure files and addtional access to the network.
.SH BOOLEANS
.TP

You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment.
.TP

setsebool -P allow_kerberos 1
.TP

If you are running Kerberos daemons kadmind or krb5kdc you can disable the SELinux protection on these daemons by setting the krb5kdc_disable_trans and kadmind_disable_trans booleans.
.br

setsebool -P krb5kdc_disable_trans 1
.br

system krb5kdc restart
.br

setsebool -P kadmind_disable_trans booleans 1
.br

system kadmind restart

.TP

system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
.SH AUTHOR

This manual page was written by Dan Walsh <dwalsh@redhat.com>.

.SH "SEE ALSO"

selinux(8), kerberos(1), chcon(1), setsebool(8)

.TH "named_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "named Selinux Policy documentation"
.SH "NAME"

named_selinux \- Security Enhanced Linux Policy for the Internet Name server (named) daemon
.SH "DESCRIPTION"
Security-Enhanced Linux secures the named server via flexible mandatory access control.
.SH BOOLEANS

SELinux policy is customizable based on least access required. So by default SElinux policy does not allow named to write master zone files. If you want to have this named update the master zone files you need to set the named_write_master_zones boolean.
.TP
.br

setsebool -P named_write_master_zones 1

.TP

You can disable SELinux protection for the named daemon by executing:
.TP

setsebool -P named_disable_trans 1
.br

system named restart
.TP

system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
.SH AUTHOR

This manual page was written by Dan Walsh <dwalsh@redhat.com>.

.SH "SEE ALSO"

selinux(8), named(8), chcon(1), setsebool(8)

.TH "nfs_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "nfs Selinux Policy documentation"
.SH "NAME"

nfs_selinux \- Security Enhanced Linux Policy for NFS
.SH "DESCRIPTION"
Security-Enhanced Linux secures the nfs server via flexible mandatory access control.
.SH BOOLEANS

SELinux policy is customizable based on least access required. So by default SElinux policy does not allow nfs to share files. If you want to setup this machine to share nfs partitions read only you must set the boolean nfs_export_all_ro boolean.

.TP

setsebool -P nfs_export_all_ro 1
.TP

If you want to share files read/write you must set the nfs_export_all_rw boolean.
.TP

setsebool -P nfs_export_all_rw 1

.TP

If you want to use a remote NFS server for the home directories on this machine you must set the use_nfs_home_dir boolean.
.TP

setsebool -P use_nfs_home_dirs 1
.TP

system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
.SH AUTHOR

This manual page was written by Dan Walsh <dwalsh@redhat.com>.

.SH "SEE ALSpppO"

selinux(8), chcon(1), setsebool(8)

.so man8/ypbind_selinux.8

.TH "rsync_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "rsync Selinux Policy documentation"
.SH "NAME"

rsync_selinux \- Security Enhanced Linux Policy for the rsync daemon
.SH "DESCRIPTION"
Security-Enhanced Linux secures the rsync server via flexible mandatory access control.
.SH FILE_CONTEXTS

SELinux requires files to have an extended attributes to define the file type. Policy governs the access daemons have to these files. If you want to share files using the rsync daemon you must label the files and directories ftpd_anon_t. So if you created a special directory /var/rsync, you would need to label the directory with the chcon tool.
.TP

chcon -t ftpd_anon_t /var/rsync
.TP

If you want to make this permanant IE, survive a relabel you must add an entry to the file_contexts.local file.
.TP

/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
.br

/var/rsync(/.*)? system_u:object_r:ftpd_anon_t

.SH BOOLEANS
.TP

You can disable SELinux protection for the rsync daemon by executing:
.TP

setsebool -P rsync_disable_trans 1
.br

system xinetd restart
.TP

system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
.SH AUTHOR

This manual page was written by Dan Walsh <dwalsh@redhat.com>.

.SH "SEE ALSO"

selinux(8), rsync(1), chcon(1), setsebool(8)

.TH "samba_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "Samba Selinux Policy documentation"
.SH "NAME"

samba_selinux \- Security Enhanced Linux Policy for Samba
.SH "DESCRIPTION"
Security-Enhanced Linux secures the Samba server via flexible mandatory access control.
.SH FILE_CONTEXTS

SELinux requires files to have an extended attributes to define the file type. Policy governs the access daemons have to these files. If you want to share files other than home directories, those files must be labeled samba_share_t. So if you created a special directory /var/eng, you would need to label the directory with the chcon tool.
.TP

chcon -t samba_share_t /var/eng
.TP

If you want to make this permanant IE, survive a relabel you must add an entry to the file_contexts.local file.
.TP

/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
.br

/var/eng(/.*)? system_u:object_r:samba_share_t

.SH BOOLEANS
.br

SELinux policy is customizable based on least access required. So by default SElinux policy turns off SELinux sharing of Home directories and the use of Samba shares from a remote machine as a home directory.
.TP

If you are setting up this machine as a Samba server and wish to share the homedirectories you need to set the samba_enable_home_dirs boolean.
.br

setsebool -P samba_enable_home_dirs 1
.TP

If you want to use a remote Samba server for the home directories on this machine you must set the use_samba_home_dirs boolean.
.br

setsebool -P use_samba_home_dirs 1
.TP

You can disable SELinux protection for the samba daemon by executing:
.br

setsebool -P smbd_disable_trans 1
.br

system smb restart
.TP

system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
.SH AUTHOR

This manual page was written by Dan Walsh <dwalsh@redhat.com>.

.SH "SEE ALSO"

selinux(8), samba(7), chcon(1), setsebool(8)

.TH "ypbind_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ypbind Selinux Policy documentation"
.SH "NAME"

ypbind_selinux \- Security Enhanced Linux Policy for NIS.
.SH "DESCRIPTION"
Security-Enhanced Linux secures the system via flexible mandatory access control. By default NIS is not allowed, since it requires daemons to be allowed greater access to the network.
.SH BOOLEANS
.TP

You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment.
.TP

setsebool -P allow_ypbind 1
.TP

system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
.SH AUTHOR

This manual page was written by Dan Walsh <dwalsh@redhat.com>.

.SH "SEE ALSO"

selinux(8), ypbind(8), chcon(1), setsebool(8)

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.



text/x-patch attachment: policy-20050120.patch