SELinux Policy
-
-
#wiki Hashtagging this for addition to the wiki.
-
I had to find my Makefile on Fedora 21 server. It’s funny because it just worked on Fedora 23 server, literally copy/paste.
find / | grep Makefile | grep -i selinux
/usr/share/selinux/devel/include/Makefile
/usr/share/selinux/devel/Makefile # <--- that's the one.
make -f /usr/share/selinux/devel/Makefile fog.pp
Compiling targeted fog module
/usr/bin/checkmodule: loading policy configuration from tmp/fog.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 17) to tmp/fog.mod
Creating targeted fog.pp policy package
rm tmp/fog.mod tmp/fog.mod.fc
semodule -i fog.pp
-
-
No luck compiling for me on CentOS 6.7
[root@centtest SELinux]# make -f /usr/share/selinux/devel/Makefile fog.pp
Compiling targeted fog module
/usr/bin/checkmodule: loading policy configuration from tmp/fog.tmp
fog.te":50:ERROR 'unknown class service used in rule' at token ';' on line 3260:
allow unconfined_t init_t:service enable;
#============= unconfined_t ==============
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/fog.mod] Error 1
-
@george1421 CentOS 6 appears to be missing some of the modules I require. I’ve been trying to hunt down the exact dependencies I’d need, or if need be, a new policy with different rules / modules.
-
@Jbob said:
@george1421 CentOS 6 appears to be missing some of the modules I require. I’ve been trying to hunt down the exact dependencies I’d need, or if need be, a new policy with different rules / modules.
That’s why we are going through this. No worries on my part. We’ll get them worked out.
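Putting the build steps above together, as an added example that is not part of the FOG project's SELinux directory: a POSIX sh script that builds fog.pp with the devel Makefile path found above and loads it with semodule, but first comments out any allow/dontaudit rule whose object class the running policy does not define. That is the CentOS 6 failure above: its base policy predates the service class (used for systemd unit control), so checkmodule rejects allow unconfined_t init_t:service enable;. A class the kernel never checks can never need an allow rule, so dropping such lines loses nothing on that host. Assumed, not from the thread: the build/ working directory, the function names, and that selinuxfs is mounted at /sys/fs/selinux (CentOS 7, Fedora) or /selinux (CentOS 6). Rules that reference types or interfaces missing from an older base policy are a separate problem that this filter does not solve.

```shell
#!/bin/sh
# Added example, not FOG code: build the fog module with the refpolicy devel
# Makefile and install it, after dropping rules that name an object class the
# loaded policy does not define (CentOS 6 has no "service" class).
set -eu

MODULE=fog                                         # fog.te/fog.fc/fog.if -> fog.pp
DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile   # path found in the thread

# Print the directory that lists the object classes of the loaded policy:
# /sys/fs/selinux on CentOS 7 and Fedora, /selinux on CentOS 6 (assumed paths).
selinux_class_dir() {
    for d in /sys/fs/selinux/class /selinux/class; do
        [ -d "$d" ] && { printf '%s\n' "$d"; return 0; }
    done
    printf 'selinuxfs not mounted; is SELinux enabled?\n' >&2
    return 1
}

# class_supported CLASS CLASSDIR: true if the policy defines object class CLASS
class_supported() {
    [ -d "$2/$1" ]
}

# filter_te CLASSDIR < fog.te: copy the .te to stdout, commenting out any
# allow/dontaudit rule whose class (the word after the ':') is unknown here.
filter_te() {
    te_classdir=$1
    while IFS= read -r te_line; do
        case $te_line in
            "allow "*|"dontaudit "*)
                # "allow SRC TGT:CLASS PERMS;" -> CLASS
                te_cls=$(printf '%s\n' "$te_line" |
                    sed -n 's/^[a-z]* *[^ ]* *[^:]*:\([A-Za-z_]*\).*/\1/p')
                if [ -n "$te_cls" ] && ! class_supported "$te_cls" "$te_classdir"; then
                    printf '# dropped, class %s not in this policy: %s\n' "$te_cls" "$te_line"
                    continue
                fi
                ;;
        esac
        printf '%s\n' "$te_line"
    done
}

# Build into ./build (assumed layout) so the shipped fog.te is left untouched.
build_module() {
    classdir=$(selinux_class_dir)
    rm -rf build && mkdir build
    cp "$MODULE.fc" "$MODULE.if" build/
    filter_te "$classdir" < "$MODULE.te" > "build/$MODULE.te"
    (cd build && make -f "$DEVEL_MAKEFILE" "$MODULE.pp")
}

# Load the package and confirm the module is now in the policy store.
install_module() {
    semodule -i "build/$MODULE.pp"
    semodule -l | grep -qE "^$MODULE([[:space:]]|$)"
}

case ${1:-} in
    build)   build_module ;;
    install) install_module ;;
    all)     build_module && install_module ;;
esac
```

Run it from the SELinux directory of the checkout as `sh build-fog.sh all` (script name assumed). The filter only decides on the class name after the colon; a multi-class rule such as `allow a_t b_t:{ file dir } read;` yields no class and is passed through unchanged, which still fails at checkmodule on a host that lacks one of those classes.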
-
This installed fine on Fedora 23.
The SELinux stuff works fine on Fedora 23 Server so far.
I’ve tried this setup on a virtualized Fedora 23 FOG server. I’ve imaged 2 computers so far with this setup. One of them, I tried out WOL just to confirm that still works - it does.
-
Holding off on adding this to the Wiki - it is my hope that enough people will try this out that it can be added to Trunk by the @Developers and implemented in FOG 1.3.0.
-
@Jbob As far as I can tell, in Fedora 23 Server Minimal the SELinux module breaks the FOG_FTP_IMAGE_SIZE feature.
-
There’s also this issue. I’m just going to tag the link and description here.
* Restarting Apache2 for fog vhost............................Failed!
https://forums.fogproject.org/topic/6251/fedora-23-svn-4455-restarting-apache2-for-fog-vhost-failed
-
Another problem that needs addressing with the SELinux setup:
https://forums.fogproject.org/topic/6278/can-t-delete-images
-
@Jbob I really want to see SELinux incorporated into fog. I know it’s finals time, and many an aspiring young adult is quite busy making a future for themselves. That’s fine. I just don’t want this swept under the rug.
I’ve noticed that no changes have been made to the SELinux stuff.
[root@fog-server trunk]# cd SELinux
[root@fog-server SELinux]# ls
fog.fc fog.if fog.pp fog.te tmp
[root@fog-server SELinux]# make -f /usr/share/selinux/devel/Makefile fog.pp
make: 'fog.pp' is up to date.
That’s fine - but if anyone wants me to run some tests, I’m up for it.
-
Added a link to this thread here: https://wiki.fogproject.org/wiki/index.php/FOG_security#Other_issues
-
@Developers Apologies for spamming this thread to death… but I’d like to see a fully functional SELinux policy for FOG 1.3.0 for at least the CentOS 7 platform. Has any progress been made with the below problems by anyone?
-
I’m learning about these:
yum install setroubleshoot setroubleshoot-server -y
Apparently those two packages will help you analyze and tune a SELinux policy for anything.
Another amazing resource (just watched the whole thing):
https://www.youtube.com/watch?v=MxjenQ31b70
I feel a lot better about Security Enhanced Linux now (SELinux), and I’ll definitely be creating my own modules for it. Luckily for me I’ve run a production fog server in Permissive mode for a HOT minute now, so all the information I would need to create a module is already there.
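The "information already there" on a permissive-mode server is the stream of AVC records in /var/log/audit/audit.log, and turning them into allow rules is what audit2allow (the tool that ships alongside setroubleshoot on CentOS 7) does. As an added example, not code from the thread or from FOG, here is a small POSIX sh/awk version of that step over constructed sample log lines, so the shape of the input and output is visible without a live server. Assumed: the sample records themselves (made up for this example, not a real capture), and the function names. It merges the denied permissions per (source type, target type, class), which is the same grouping audit2allow produces, but it does not do audit2allow's interface lookups.

```shell
#!/bin/sh
# Added example, not FOG code: condense AVC denials logged in permissive mode
# into refpolicy allow rules, the raw material for a policy module.
set -eu

# Constructed sample of /var/log/audit/audit.log lines, not a real capture.
# permissive=1 marks denials that were logged but not enforced.
SAMPLE_LOG='type=AVC msg=audit(1451000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="fog.log" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1451000000.124:457): avc:  denied  { open } for  pid=1234 comm="httpd" path="/var/log/fog/fog.log" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1451000000.200:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1451000000.200:458): arch=c000003e syscall=42 success=yes exit=0'

# avc_to_allow < audit.log: one "allow SRC TGT:CLASS { perms };" line per
# (source type, target type, class), with permissions merged across records.
avc_to_allow() {
    awk '
    /avc: *denied/ {
        src = tgt = cls = perms = ""
        if (match($0, /[{][^}]*[}]/))            # "{ read }" -> " read "
            perms = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            # contexts are user:role:type:level; the type is field 3
            if ($i ~ /^scontext=/)      { split(substr($i, 10), c, ":"); src = c[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tgt = c[3] }
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        if (src == "" || tgt == "" || cls == "") next
        key = src " " tgt ":" cls
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++)
            if (p[i] != "" && index(" " have[key] " ", " " p[i] " ") == 0)
                have[key] = have[key] " " p[i]
    }
    END {
        for (k in have) printf "allow %s {%s };\n", k, have[k]
    }' | sort
}

# Usage on a real server:
#   avc_to_allow < /var/log/audit/audit.log > fog-candidate.te
#   ausearch -m avc -ts recent | avc_to_allow
avc_demo() {
    printf '%s\n' "$SAMPLE_LOG" | avc_to_allow
}
```

The output is a starting point, not a policy: review each rule before it goes into fog.te (a denial seen in permissive mode is not automatically something the server should be allowed to do), and prefer the refpolicy interface for a target type where one exists. setroubleshoot's `sealert -a /var/log/audit/audit.log` explains the same denials one by one, and `audit2allow -M fog` builds fog.te and fog.pp from the same input.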
-
@Wayne-Workman I’ll update the policy hopefully within the week.
-
Bumping this - it would be so nice to have SELinux enabled as a standard configuration.