I was doing a little reading to see what new things regarding SELinux
might be a part of RHEL 9.x. Early in my reading, I came across
something that I know I've seen before, but didn't bother to explore.
What I read was the following:
RHEL 9 provides the following packages for working with SELinux:
policies:
- selinux-policy-targeted
- selinux-policy-mls
tools:
- policycoreutils
- policycoreutils-gui
- libselinux-utils
- policycoreutils-python-utils
- setools-console
- checkpolicy
Nothing high level, but that curious/inquisitive side of my brain
couldn't resist taking a look at the content of those packages.
More specifically, I wanted to see what binary files were contained
in each package. Thought I'd share what I saw.
Starting with the two packages that contain SELinux policy-related
files:
selinux-policy-targeted
- 1760 files; not a single binary/executable file
selinux-policy-mls
- 2222 files, not a single binary/executable file
As I expected, and I'm sure you would also, the packages that
contained SELinux tools definitely contained some binary/executable
files. Here they are:
checkpolicy
- /usr/bin/checkmodule
- /usr/bin/checkpolicy
- /usr/bin/sedismod
- /usr/bin/sedispol
setools-console
- /usr/bin/sechecker
- /usr/bin/sediff
- /usr/bin/seinfo
- /usr/bin/sesearch
policycoreutils
- /usr/bin/secon
- /usr/bin/semodule_expand
- /usr/bin/semodule_link
- /usr/bin/semodule_package
- /usr/bin/semodule_unpackage
- /usr/bin/sestatus
- /usr/sbin/fixfiles
- /usr/sbin/genhomedircon
- /usr/sbin/load_policy
- /usr/sbin/restorecon
- /usr/sbin/restorecon_xattr
- /usr/sbin/semodule
- /usr/sbin/sestatus
- /usr/sbin/setfiles
- /usr/sbin/setsebool
policycoreutils-gui
- /usr/bin/selinux-polgengui
- /usr/bin/system-config-selinux
libselinux-utils
- /usr/bin/selinux-polgengui
- /usr/bin/system-config-selinux
policycoreutils-python-utils
- /usr/bin/audit2allow
- /usr/bin/audit2why
- /usr/bin/chcat
- /usr/sbin/semanage
Again, nothing earth-shattering here. I just have this childlike
habit of looking under the hood.
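One way to reproduce this kind of inventory on your own host, as an added example that is not part of the original post: it walks each package's file list with `rpm -ql` and reports only executable regular files, going slightly beyond the post by telling compiled ELF binaries apart from interpreter scripts. The function names are hypothetical, and it assumes `rpm`, `od` and `tr` are available.

```shell
#!/bin/sh
# Added example (not from the thread): classify the executables an RPM ships.

# Package names as listed in the post above.
SELINUX_PKGS="selinux-policy-targeted selinux-policy-mls policycoreutils
policycoreutils-gui libselinux-utils policycoreutils-python-utils
setools-console checkpolicy"

# Print "elf PATH", "script PATH" or "other PATH" for an executable regular
# file; print nothing for directories, data files and missing paths.
# -x is evaluated for the current user, so run as root for a complete view.
classify_path() {
    local path magic
    path=$1
    [ -f "$path" ] && [ -x "$path" ] || return 0
    # First four bytes as hex: 7f454c46 is the ELF magic, 2321 is "#!".
    magic=$(od -An -tx1 -N4 "$path" 2>/dev/null | tr -d ' \n')
    case $magic in
        7f454c46) echo "elf $path" ;;
        2321*)    echo "script $path" ;;
        *)        echo "other $path" ;;
    esac
}

# Read one path per line on stdin and classify each of them.
inventory_paths() {
    local path
    while IFS= read -r path; do
        classify_path "$path"
    done
}

# Classify every file owned by one installed package.
inventory_package() {
    if ! rpm -q "$1" >/dev/null 2>&1; then
        echo "not-installed $1"
        return 0
    fi
    rpm -ql "$1" | inventory_paths
}

# Only attempt the real inventory where rpm exists.
if command -v rpm >/dev/null 2>&1; then
    for pkg in $SELINUX_PKGS; do
        echo "== $pkg"
        inventory_package "$pkg"
    done
fi
```

A package that ships only policy data produces no lines under its `==` header, and a package that is not installed is reported as `not-installed` rather than silently skipped.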
Your thorough analysis of SELinux packages in RHEL 9 is commendable and shows your dedication to understanding SELinux's complexities. By exploring each package in detail, you're not only enriching your knowledge but also offering useful insights for others interested in this field. This detailed approach is crucial in Linux, as comprehending the subtleties of security systems like SELinux is key for effective system administration and security.
Your approach to separating policy packages like selinux-policy-targeted and selinux-policy-mls from tool packages, and noting their contents, especially the absence or presence of binary/executable files, shows a methodical and thoughtful process. It's clear that you're not just skimming the surface but diving deep into the architecture and functionality of these packages.
Keep up this excellent work. Your willingness to explore, learn, and share is a valuable trait in the ever-evolving world of technology.
@Trevor Thanks for this summary. Here is some info for important packages in SELinux operations:
* Man pages are listed by the man -k _selinux command when the selinux-policy-doc package is installed.
* The selinux-policy-targeted, libselinux-utils, and policycoreutils packages, which are installed on your system, help you to set the SELinux policy as Permissive or Enforced.
* The setroubleshoot-server package enhances AVC logging by providing more detailed information about the denied access, including file paths, processes involved, and the specific policy rule that triggered the denial.
* The seinfo command (used to display a vast amount of information about your currently loaded SELinux policy) is provided by the setools-console package, which is not installed by default.
* The selinux-policy-devel package gives you the semanage boolean -l command, which can be used as root to see the SELinux booleans and their current state (for sharing NFS/CIFS volumes).
* The policycoreutils-python-utils package helps in managing security contexts, which allows changing the SELinux security context of files and directories, useful for troubleshooting unexpected access restrictions or customizing context labeling.
* The default SELinux policy provided by the selinux-policy packages contains rules for applications and daemons that are parts of Red Hat Enterprise Linux 9.
@Trevor @Chetan_Tiwary_ That's some really useful info, thanks for sharing.
@Wasim_Raja Pleasure!