
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    
    <title>SELinux &mdash; Bcfg2 1.3.0 documentation</title>
    
    <link rel="stylesheet" href="../_static/default.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    
    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    '../',
        VERSION:     '1.3.0',
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  true
      };
    </script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/underscore.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <script type="text/javascript" src="../_static/sidebar.js"></script>
    <link rel="shortcut icon" href="../_static/favicon.ico"/>
    <link rel="top" title="Bcfg2 1.3.0 documentation" href="../index.html" />
    <link rel="up" title="The Bcfg2 Server" href="index.html" />
    <link rel="next" title="Server Configuration" href="configuration.html" />
    <link rel="prev" title="Using bcfg2-info" href="bcfg2-info.html" />
 
<link rel="stylesheet" href="../_static/bcfg2.css" type=""/>

  </head>
  <body>

<div style="text-align: left; padding: 10px 10px 15px 15px">
<a href="../index.html"><img src="../_static/bcfg2_logo.png" border="0" alt="sampledoc"/></a>
</div>

    <div class="related">
      <h3>Navigation</h3>
      <ul>
        <li class="right" style="margin-right: 10px">
          <a href="../genindex.html" title="General Index"
             accesskey="I">index</a></li>
        <li class="right" >
          <a href="../py-modindex.html" title="Python Module Index"
             >modules</a> |</li>
        <li class="right" >
          <a href="configuration.html" title="Server Configuration"
             accesskey="N">next</a> |</li>
        <li class="right" >
          <a href="bcfg2-info.html" title="Using bcfg2-info"
             accesskey="P">previous</a> |</li>
	<li><a href="../index.html">home</a> |&nbsp;</li>
	<!--<li><a href="../search.html">search</a> |&nbsp;</li>-->
	<li><a href="../help/index.html">help</a> |&nbsp;</li>
	<li><a href="../contents.html">documentation </a> &raquo;</li>

          <li><a href="../contents.html" >Bcfg2 documentation 1.3.0</a> &raquo;</li>
          <li><a href="index.html" accesskey="U">The Bcfg2 Server</a> &raquo;</li> 
      </ul>
    </div>
  

    <div class="document">
      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body">
            
  <div class="section" id="selinux">
<span id="server-selinux"></span><h1>SELinux<a class="headerlink" href="#selinux" title="Permalink to this headline">¶</a></h1>
<p>This document describes two related but somewhat disparate concepts:
First, how to run Bcfg2 under SELinux; and secondly, how to use Bcfg2
to manage SELinux.</p>
<div class="section" id="running-bcfg2-under-selinux">
<span id="server-selinux-policy"></span><h2>Running Bcfg2 under SELinux<a class="headerlink" href="#running-bcfg2-under-selinux" title="Permalink to this headline">¶</a></h2>
<p class="versionadded">
<span class="versionmodified">New in version 1.3.0.</span></p>
<p>Bcfg2 now ships with an SELinux policy that can be used to run both
the client and server in enforcing mode.  (Most of the helper tools,
like <tt class="docutils literal"><span class="pre">bcfg2-info</span></tt> and <tt class="docutils literal"><span class="pre">bcfg2-admin</span></tt>, will still need to be run
unconfined.)</p>
<p>It defines the following booleans:</p>
<table border="1" class="docutils">
<colgroup>
<col width="26%" />
<col width="28%" />
<col width="40%" />
<col width="6%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Boolean Name</th>
<th class="head">Description</th>
<th class="head">Plugins Affected</th>
<th class="head">Default</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td>bcfg2_server_exec_scripts</td>
<td>Allow the Bcfg2 server to execute
scripts in <tt class="docutils literal"><span class="pre">unconfined_t</span></tt>. This
ability is limited to scripts in the
<tt class="docutils literal"><span class="pre">bcfg2_server_script_exec_t</span></tt> context.
If this boolean is off, then external
server-side scripts will be run in
<tt class="docutils literal"><span class="pre">bcfg2_server_t</span></tt>, which is a fairly
limited context.</td>
<td><a class="reference internal" href="plugins/misc/trigger.html#server-plugins-misc-trigger"><em>Trigger</em></a> and
<a class="reference internal" href="plugins/connectors/puppetenc.html#server-plugins-connectors-puppetenc"><em>PuppetENC</em></a>,
and Cfg
<a class="reference internal" href="plugins/generators/cfg.html#server-plugins-generators-cfg-validation"><em>Content Validation</em></a></td>
<td>off</td>
</tr>
<tr class="row-odd"><td>bcfg2_server_can_network_connect_db</td>
<td>Allow the Bcfg2 server to connect to
databases (e.g., MySQL and PostgreSQL)</td>
<td><a class="reference internal" href="plugins/statistics/reporting.html#server-plugins-statistics-reporting"><em>Reporting</em></a>, the
<a class="reference internal" href="plugins/grouping/metadata.html#server-plugins-grouping-metadata-clients-database"><em>Clients Database</em></a>
feature of Metadata, and the database
<a class="reference internal" href="plugins/probes/index.html#server-plugins-probes-data-storage"><em>Data Storage</em></a>
feature of Probes</td>
<td>off</td>
</tr>
</tbody>
</table>
<p>It also defines the following SELinux types:</p>
<table border="1" class="docutils">
<colgroup>
<col width="36%" />
<col width="64%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Type Name</th>
<th class="head">Description</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td>bcfg2_t</td>
<td>The context the Bcfg2 client runs in</td>
</tr>
<tr class="row-odd"><td>bcfg2_exec_t</td>
<td>The context of the Bcfg2 client script itself</td>
</tr>
<tr class="row-even"><td>bcfg2_server_t</td>
<td>The context the Bcfg2 server runs in</td>
</tr>
<tr class="row-odd"><td>bcfg2_server_exec_t</td>
<td>The context of the Bcfg2 server script itself</td>
</tr>
<tr class="row-even"><td>bcfg2_initrc_exec_t</td>
<td>The context of the Bcfg2 client init script</td>
</tr>
<tr class="row-odd"><td>bcfg2_server_initrc_exec_t</td>
<td>The context of the Bcfg2 server init script</td>
</tr>
<tr class="row-even"><td>bcfg2_var_lib_t</td>
<td>The context of most Bcfg2 specification data,
with the exception of the executable scripts in
<tt class="docutils literal"><span class="pre">bcfg2_server_script_exec_t</span></tt></td>
</tr>
<tr class="row-odd"><td>bcfg2_server_script_t</td>
<td>The context server-side scripts run in. This
type is unconfined if the
<tt class="docutils literal"><span class="pre">bcfg2_server_exec_scripts</span></tt> boolean is on.</td>
</tr>
<tr class="row-even"><td>bcfg2_server_script_exec_t</td>
<td>The context of the server-side scripts in the
Bcfg2 specification</td>
</tr>
<tr class="row-odd"><td>bcfg2_yum_helper_exec_t</td>
<td>The context of the bcfg2-yum-helper script</td>
</tr>
<tr class="row-even"><td>bcfg2_var_run_t</td>
<td>The context of the server pidfile</td>
</tr>
<tr class="row-odd"><td>bcfg2_lock_t</td>
<td>The context of the client lock file</td>
</tr>
<tr class="row-even"><td>bcfg2_conf_t</td>
<td>The context of bcfg2.conf</td>
</tr>
<tr class="row-odd"><td>bcfg2_tmp_t</td>
<td>The context of temp files created by the Bcfg2
server</td>
</tr>
</tbody>
</table>
<p>If you do run your server in enforcing mode, it is highly recommended
that you run <tt class="docutils literal"><span class="pre">restorecon</span> <span class="pre">-R</span> <span class="pre">/var/lib/bcfg2</span></tt> every time you update
the content in that directory, particularly if you are using plugins
that execute arbitrary scripts.</p>
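<p>As an added example (not part of the Bcfg2 documentation or its code), the following Python helper turns two routine checks from this section into a drift report: it parses <tt class="docutils literal"><span class="pre">getsebool -a</span></tt> output to flag either Bcfg2 boolean that has moved away from its shipped default, and parses a <tt class="docutils literal"><span class="pre">restorecon -Rnv /var/lib/bcfg2</span></tt> dry run to list the files under the specification directory whose type no longer matches the policy. The sample outputs embedded below are constructed, not captured from a real host.</p>

```python
import re

# Defaults from the boolean table above: both booleans ship "off".
BCFG2_BOOLEAN_DEFAULTS = {
    "bcfg2_server_exec_scripts": "off",
    "bcfg2_server_can_network_connect_db": "off",
}

def boolean_drift(getsebool_output, expected=BCFG2_BOOLEAN_DEFAULTS):
    """Parse 'getsebool -a' output; return {name: actual} for each expected
    boolean whose state differs ("missing" if the policy is not loaded)."""
    state = {}
    for line in getsebool_output.splitlines():
        m = re.match(r"^(\S+)\s+-->\s+(on|off)\s*$", line)
        if m:
            state[m.group(1)] = m.group(2)
    return {name: state.get(name, "missing")
            for name, want in expected.items() if state.get(name) != want}

# 'restorecon -v' reports each change as: restorecon reset PATH context OLD->NEW
RESET_RE = re.compile(r"^restorecon reset (\S+) context (\S+)->(\S+)$")

def relabel_plan(restorecon_output, root="/var/lib/bcfg2"):
    """Parse 'restorecon -Rnv <root>' output (-n changes nothing) and return
    (path, current_type, policy_type) for each file whose type would change."""
    plan = []
    for line in restorecon_output.splitlines():
        m = RESET_RE.match(line)
        if not m or not (m.group(1) == root or m.group(1).startswith(root + "/")):
            continue  # unparsable line, or a path outside the Bcfg2 repository
        path, cur, new = m.groups()
        cur_t, new_t = cur.split(":")[2], new.split(":")[2]
        if cur_t != new_t:
            plan.append((path, cur_t, new_t))
    return plan

# Constructed sample output for offline use; not captured from a real host.
SAMPLE_GETSEBOOL = """\
bcfg2_server_can_network_connect_db --> off
bcfg2_server_exec_scripts --> on
httpd_can_network_connect --> off
"""
SAMPLE_RESTORECON = """\
restorecon reset /var/lib/bcfg2/Trigger/notify.sh context unconfined_u:object_r:bcfg2_var_lib_t:s0->system_u:object_r:bcfg2_server_script_exec_t:s0
restorecon reset /var/lib/bcfg2/Cfg/etc/motd/motd context unconfined_u:object_r:user_home_t:s0->system_u:object_r:bcfg2_var_lib_t:s0
restorecon reset /etc/bcfg2.conf context system_u:object_r:etc_t:s0->system_u:object_r:bcfg2_conf_t:s0
"""
```

On a live server, feed the functions the real output of <tt class="docutils literal"><span class="pre">getsebool -a</span></tt> and <tt class="docutils literal"><span class="pre">restorecon -Rnv /var/lib/bcfg2</span></tt>; an unexpected <tt class="docutils literal"><span class="pre">on</span></tt> for <tt class="docutils literal"><span class="pre">bcfg2_server_exec_scripts</span></tt> or a non-empty relabel plan is the cue to review before the next server restart.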
</div>
<div class="section" id="managing-selinux-entries">
<span id="server-selinux-entries"></span><h2>Managing SELinux Entries<a class="headerlink" href="#managing-selinux-entries" title="Permalink to this headline">¶</a></h2>
<p class="versionadded">
<span class="versionmodified">New in version 1.3.0.</span></p>
<p>Bcfg2 has the ability to handle the majority of SELinux entries with
the <tt class="docutils literal"><span class="pre">SELinux</span></tt> entry type, which handles modules (with the
<a class="reference internal" href="plugins/generators/semodules.html#server-plugins-generators-semodules"><em>SEModules</em></a> plugin), file contexts,
users and user mappings, permissive domains, nodes, and interfaces.
In addition, <tt class="docutils literal"><span class="pre">info.xml</span></tt> files and most types of the <tt class="docutils literal"><span class="pre">Path</span></tt> tag can
accept a <tt class="docutils literal"><span class="pre">secontext</span></tt> attribute to set the context of that entry.
The full semantics of each configuration entry is documented with the
<a class="reference internal" href="plugins/generators/rules.html#server-plugins-generators-rules"><em>Rules</em></a> plugin.</p>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">The <tt class="docutils literal"><span class="pre">secontext</span></tt> attribute takes a <em>full</em> context,
e.g., &#8220;<tt class="docutils literal"><span class="pre">system_u:object_r:etc_t:s0</span></tt>&#8221;; the <tt class="docutils literal"><span class="pre">selinuxtype</span></tt>
attribute always takes <em>only</em> an SELinux type, e.g.,
&#8220;<tt class="docutils literal"><span class="pre">etc_t</span></tt>&#8221;.  <tt class="docutils literal"><span class="pre">secontext</span></tt> (but not <tt class="docutils literal"><span class="pre">selinuxtype</span></tt>) can
also accept the special value &#8220;<tt class="docutils literal"><span class="pre">__default__</span></tt>&#8221;, which will
restore the context on the Path entry in question to the
default supplied by the SELinux policy.</p>
</div>
<p>In its current version, the SELinux support in Bcfg2 is not sufficient
to manage MCS/MLS policies.</p>
<div class="section" id="extra-entries">
<h3>Extra Entries<a class="headerlink" href="#extra-entries" title="Permalink to this headline">¶</a></h3>
<p>As it can be very tedious to create a baseline of all existing SELinux
entries, you can use <tt class="docutils literal"><span class="pre">selinux_baseline.py</span></tt> located in the <tt class="docutils literal"><span class="pre">tools/</span></tt>
directory to do that for you.</p>
<p>The definition of an &#8220;extra&#8221; entry depends on the
version of SELinux available; the SELinux APIs have been extremely
fluid, so many features available in newer versions are not available
in older versions.  Newer SELinux versions (e.g., in recent versions
of Fedora) can be queried for only those entries that have been locally
modified; on these versions of SELinux, only locally modified entries
will be considered extra.  On older SELinux versions (e.g., on RHEL
5), however, that functionality is missing, so <em>all</em> SELinux entries
will be considered extra, making <tt class="docutils literal"><span class="pre">selinux_baseline.py</span></tt> quite
necessary.</p>
<p><tt class="docutils literal"><span class="pre">selinux_baseline.py</span></tt> writes a bundle to stdout that contains
<tt class="docutils literal"><span class="pre">BoundSELinux</span></tt> entries for the appropriate SELinux entities.</p>
</div>
<div class="section" id="duplicate-entries">
<span id="server-selinux-duplicate-entries"></span><h3>Duplicate Entries<a class="headerlink" href="#duplicate-entries" title="Permalink to this headline">¶</a></h3>
<p>It may be necessary to use <tt class="docutils literal"><span class="pre">BoundSELinux</span></tt> tags if a single fcontext
needs two different SELinux types depending on whether it&#8217;s a symlink
or a plain file.  For instance:</p>
<div class="highlight-xml"><div class="highlight"><pre><span class="nt">&lt;BoundSELinux</span> <span class="na">type=</span><span class="s">&quot;fcontext&quot;</span> <span class="na">filetype=</span><span class="s">&quot;symlink&quot;</span>
              <span class="na">name=</span><span class="s">&quot;/etc/localtime&quot;</span> <span class="na">selinuxtype=</span><span class="s">&quot;etc_t&quot;</span><span class="nt">/&gt;</span>
<span class="nt">&lt;BoundSELinux</span> <span class="na">type=</span><span class="s">&quot;fcontext&quot;</span> <span class="na">filetype=</span><span class="s">&quot;regular&quot;</span>
              <span class="na">name=</span><span class="s">&quot;/etc/localtime&quot;</span> <span class="na">selinuxtype=</span><span class="s">&quot;locale_t&quot;</span><span class="nt">/&gt;</span>
</pre></div>
</div>
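<p>As an added example (not part of Bcfg2 or its documentation), the following Python check applies the rules from the note above and from this section to a bundle before it is deployed: <tt class="docutils literal"><span class="pre">secontext</span></tt> must be a full context or <tt class="docutils literal"><span class="pre">__default__</span></tt>, <tt class="docutils literal"><span class="pre">selinuxtype</span></tt> must be a bare type, and two <tt class="docutils literal"><span class="pre">fcontext</span></tt> entries may share a name only when their <tt class="docutils literal"><span class="pre">filetype</span></tt> differs. It assumes that an fcontext entry without a <tt class="docutils literal"><span class="pre">filetype</span></tt> applies to all file types; the sample bundle is constructed.</p>

```python
import re
import xml.etree.ElementTree as ET

# A full context is user:role:type with an optional MLS/MCS level.
FULL_CONTEXT = re.compile(r"^[^:\s]+:[^:\s]+:[^:\s]+(:\S+)?$")
# A bare type carries no colons (e.g. etc_t), never a whole context.
BARE_TYPE = re.compile(r"^[A-Za-z0-9_]+$")

def lint_selinux_bundle(xml_text):
    """Return a list of problem strings for one Bcfg2 bundle document."""
    problems = []
    seen = {}  # (fcontext name, filetype) -> selinuxtype already declared
    for el in ET.fromstring(xml_text).iter():
        name = el.get("name")
        ctx = el.get("secontext")
        if ctx is not None and ctx != "__default__" and not FULL_CONTEXT.match(ctx):
            problems.append("%s %s: secontext %r is not a full context"
                            % (el.tag, name, ctx))
        st = el.get("selinuxtype")
        if st is not None and not BARE_TYPE.match(st):
            problems.append("%s %s: selinuxtype %r must be a bare type"
                            % (el.tag, name, st))
        if el.tag in ("SELinux", "BoundSELinux") and el.get("type") == "fcontext":
            # Assumption: an fcontext entry with no filetype covers all file types.
            key = (name, el.get("filetype", "all"))
            if key in seen:
                problems.append("fcontext %s (%s): declared twice, %s vs %s"
                                % (key[0], key[1], seen[key], st))
            seen[key] = st
    return problems

# Constructed sample bundle: the two /etc/localtime entries from the text are
# fine, the third collides with the second, and two attributes are malformed.
SAMPLE_BUNDLE = """\
<Bundle name="selinux-sample">
  <BoundSELinux type="fcontext" filetype="symlink"
                name="/etc/localtime" selinuxtype="etc_t"/>
  <BoundSELinux type="fcontext" filetype="regular"
                name="/etc/localtime" selinuxtype="locale_t"/>
  <BoundSELinux type="fcontext" filetype="regular"
                name="/etc/localtime" selinuxtype="etc_t"/>
  <Path type="file" name="/etc/motd" secontext="etc_t"/>
  <Path type="file" name="/etc/issue" secontext="__default__"/>
  <BoundSELinux type="fcontext" name="/srv/www(/.*)?"
                selinuxtype="system_u:object_r:httpd_sys_content_t:s0"/>
</Bundle>
"""
```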
</div>
</div>
</div>


          </div>
        </div>
      </div>
      <div class="sphinxsidebar">
        <div class="sphinxsidebarwrapper">
  <h3><a href="../index.html">Table Of Contents</a></h3>
  <ul>
<li><a class="reference internal" href="#">SELinux</a><ul>
<li><a class="reference internal" href="#running-bcfg2-under-selinux">Running Bcfg2 under SELinux</a></li>
<li><a class="reference internal" href="#managing-selinux-entries">Managing SELinux Entries</a><ul>
<li><a class="reference internal" href="#extra-entries">Extra Entries</a></li>
<li><a class="reference internal" href="#duplicate-entries">Duplicate Entries</a></li>
</ul>
</li>
</ul>
</li>
</ul>

  <h4>Previous topic</h4>
  <p class="topless"><a href="bcfg2-info.html"
                        title="previous chapter">Using bcfg2-info</a></p>
  <h4>Next topic</h4>
  <p class="topless"><a href="configuration.html"
                        title="next chapter">Server Configuration</a></p>
        </div>
      </div>
      <div class="clearer"></div>
    </div>
    <div class="footer">
        &copy; Copyright 2009-2013, Narayan Desai.
      Last updated on Mar 20, 2013.
      Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 1.1.3.
    </div>
  </body>
</html>