Revision as of 12:29, 6 May 2013; 195.112.110.22 (talk)
How to get a working SELinux ALT Linux policy
Install policy
Install the selinux-policy-altlinux package.
Update Grub config
Update GRUB's configuration file /etc/sysconfig/grub2:
GRUB_CMDLINE_LINUX_DEFAULT='panic=30 quiet splash security=selinux selinux=1'
It is also possible to add:
- enforcing=1
- log_buf_len=1M
Then regenerate the boot configuration:
grub-mkconfig > /boot/grub/grub.cfg
PAM configuration
- Add to /etc/pam.d/newrole, before the pam_namespace.so module:
session required pam_exec.so debug /etc/security/alt.newrole/helper /etc/security/alt.newrole/config
- Add to /etc/pam.d/common-login:
# The first `session' module
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
# The last `session' module
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open verbose
ALT Linux aspects
newrole modifications
The policycoreutils-newrole package carries a patch that adds the Linux capabilities CAP_SETGID and CAP_AUDIT_WRITE. For more information see: http://git.altlinux.org/gears/p/policycoreutils.git
Users
When system users log in, the __default__ mapping applies. This mapping says that:
- all system users are mapped to the generic_u SELinux user;
- all OS users have access only to level s0.
# semanage login -l
Login Name      SELinux User    MLS/MCS Range
__default__     generic_u       s0
root            officer_u       s0-s5:c0.c15
To add a mapping for a specific user:
# semanage login -a -s generic_u -r s0-s3:c2.c14 stanv
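As an added example (not part of the original wiki page), the following POSIX shell functions check the two settings described above: that the GRUB command line carries security=selinux and selinux=1, and that the semanage login mapping leaves __default__ on generic_u at level s0. The semanage output embedded here is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not the page's own code. Sample input below is constructed.

# Constructed sample of "semanage login -l" output in the layout the page shows.
SAMPLE_LOGIN_MAP='Login Name           SELinux User         MLS/MCS Range
__default__          generic_u            s0
root                 officer_u            s0-s5:c0.c15
stanv                generic_u            s0-s3:c2.c14'

# check_default_mapping <semanage output>
# Returns 0 when __default__ maps to generic_u restricted to level s0,
# which is what the page expects for ordinary users.
check_default_mapping() {
    printf '%s\n' "$1" | awk '
        $1 == "__default__" { found = 1; if ($2 == "generic_u" && $3 == "s0") ok = 1 }
        END { exit (found && ok) ? 0 : 1 }'
}

# user_mapping <semanage output> <login>
# Prints "<SELinux user> <range>" for the login; falls back to the
# __default__ entry when the login has no explicit mapping.
user_mapping() {
    printf '%s\n' "$1" | awk -v login="$2" '
        $1 == login         { print $2, $3; found = 1; exit }
        $1 == "__default__" { def = $2 " " $3 }
        END { if (!found) print def }'
}

# check_grub_cmdline <value of GRUB_CMDLINE_LINUX_DEFAULT>
# Returns 0 only if both security=selinux and selinux=1 are present.
check_grub_cmdline() {
    case " $1 " in
        *" security=selinux "*) ;;
        *) return 1 ;;
    esac
    case " $1 " in
        *" selinux=1 "*) return 0 ;;
        *) return 1 ;;
    esac
}
```

On a live system, feed `semanage login -l` output and the value from /etc/sysconfig/grub2 into these functions instead of the constructed sample.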
Policy internals
systemd
systemd-journald runs in the trusted_t domain. This is because it needs to read process status from /proc/<PID>, and the proc files of each process in turn carry that process's context.