Trevor
Starfighter Starfighter
Starfighter
  • 442 Views

Revisiting SELinux

I was doing a little reading to see what new things, regarding SELinux
might be a part of RHEL 9.x.  Early in my reading, I came across 
something that I know I've seen before, but didn't bother to explore
it. 

What I read was the following:

RHEL 9 provides the following packages for working with SELinux:

policies:
- selinux-policy-targeted
- selinux-policy-mls

tools:
- policycoreutils
- policycoreutils-gui
- libselinux-utils
- policycoreutils-python-utils
- setools-console
- checkpolicy


Nothing high level, but that curios/inquisitive side of my brain
couldn't resist taking a look at the content of those packages,
More specifically, I wanted to see what binary files were contained
in each package.  Thought I'd share what I saw.


Starting with the two packages that contain SELinux policy-related
files:

selinux-policy-targeted
- 1760 files; not a single binary/executable file

selinux-policy-mls

- 2222 files, not a single binary/executable file

 

As I expected, and I'm sure you would also, the packages that
contained SELinux tools definitely contained some binary/executable
files.  Here they are:

checkpolicy
/usr/bin/checkmodule
/usr/bin/checkpolicy
/usr/bin/sedismod
/usr/bin/sedispol

setools-console
/usr/bin/sechecker
/usr/bin/sediff
/usr/bin/seinfo
/usr/bin/sesearch

policycoreutils
/usr/bin/secon
/usr/bin/semodule_expand
/usr/bin/semodule_link
/usr/bin/semodule_package
/usr/bin/semodule_unpackage
/usr/bin/sestatus
/usr/sbin/fixfiles
/usr/sbin/genhomedircon
/usr/sbin/load_policy
/usr/sbin/restorecon
/usr/sbin/restorecon_xattr
/usr/sbin/semodule
/usr/sbin/sestatus
/usr/sbin/setfiles
/usr/sbin/setsebool

policycoreutils-gui
/usr/bin/selinux-polgengui
/usr/bin/system-config-selinux

libselinux-utils
/usr/bin/selinux-polgengui
/usr/bin/system-config-selinux

policycoreutils-python-utils
/usr/bin/audit2allow
/usr/bin/audit2why
/usr/bin/chcat
/usr/sbin/semanage

 

Again, nothing earth-shattering here.  I just have this childlike
habit of looking under the hood    Oh, and I'm not done!!!

 

Trevor "Red Hat Evangelist" Chandler
4 Replies
shashi01
Moderator
Moderator
  • 388 Views

@Trevor 

Your thorough analysis of SELinux packages in RHEL 9 is commendable and shows your dedication to understanding SELinux's complexities. By exploring each package in detail, you're not only enriching your knowledge but also offering useful insights for others interested in this field. This detailed approach is crucial in Linux, as comprehending the subtleties of security systems like SELinux is key for effective system administration and security.

Your approach to separating policy packages like selinux-policy-targeted and selinux-policy-mls from tool packages, and noting their contents, especially the absence or presence of binary/executable files, shows a methodical and thoughtful process. It's clear that you're not just skimming the surface but diving deep into the architecture and functionality of these packages.

Keep up this excellent work. Your willingness to explore, learn, and share is a valuable trait in the ever-evolving world of technology.

0 Kudos
Chetan_Tiwary_
Moderator
Moderator
  • 383 Views

@Trevor Thanks for this summary. Here is some  info for important packages in SELinux operations :

*Man pages are listed by the man -k _selinux command when the selinux-policy-doc package is installed.

*The selinux-policy-targeted, libselinux-utils, and policycoreutils packages which are installed on your system helps you to set the SELinux policy as Permissive or Enforced.

*The setroubleshoot-server package enhances AVC logging by providing more detailed information about the denied access, including file paths, processes involved, and the specific policy rule that triggered the denial. 

*The seinfo command (used to display a vast amount of information about your currently loaded SELinux policy ) is provided by the setools-console package, which is not installed by default.

*The selinux-policy-devel package gives you semanage boolean -l command which can be used as root to see the SELinux booleans and their current state ( for sharing NFS/ CIFS volumes ).


*The policycoreutils-python-utils package helps in managing security contexts which allows changing the SELinux security context of files and directories, useful for troubleshooting unexpected access restrictions or customizing context labeling.

 

*The default SELinux policy provided by the selinux-policy packages contains rules for applications and daemons that are parts of Red Hat Enterprise Linux 9.

Wasim_Raja
Moderator
Moderator
  • 310 Views

@Trevor @Chetan_Tiwary_ That's some really useful info thanks for sharing.

Chetan_Tiwary_
Moderator
Moderator
  • 272 Views

@Wasim_Raja Pleasure!

0 Kudos
Join the discussion
You must log in to join this conversation.