SELinux Policy
-
Below are instructions to test my SELinux policy for FOG. This should allow your server to operate while SELinux is still enabled. If you encounter any issues while using the policy, please state exactly what you were doing when you encountered the issue.
To get the files you need, update your fogproject trunk (git pull or svn up).
Installation
yum install -y selinux-policy-devel gcc make
cd ../fogproject/SELinux
make -f /usr/share/selinux/devel/Makefile fog.pp
semodule -i fog.pp
Removal
semodule -r fog
Troubleshooting
If you get an error like the one below
make: /usr/share/selinux/devel/Makefile: No such file or directory
make: *** No rule to make target `/usr/share/selinux/devel/Makefile'. Stop.
You should:
- Ensure you installed SELinux development tools
- Locate your SELinux Makefile. The installation command will look for it under /usr/share/selinux.
-
-
#wiki Hashtagging this for addition to the wiki.
-
I had to find my Makefile on Fedora 21 server. It’s funny because it just worked on Fedora 23 server, literally copy/paste.
find / | grep Makefile | grep -i selinux
/usr/share/selinux/devel/include/Makefile
/usr/share/selinux/devel/Makefile # <--- that's the one.
make -f /usr/share/selinux/devel/Makefile fog.pp
Compiling targeted fog module
/usr/bin/checkmodule: loading policy configuration from tmp/fog.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 17) to tmp/fog.mod
Creating targeted fog.pp policy package
rm tmp/fog.mod tmp/fog.mod.fc
semodule -i fog.pp
-
-
No luck compiling for me on Centos 6.7
[root@centtest SELinux]# make -f /usr/share/selinux/devel/Makefile fog.pp
Compiling targeted fog module
/usr/bin/checkmodule: loading policy configuration from tmp/fog.tmp
fog.te":50:ERROR 'unknown class service used in rule' at token ';' on line 3260:
allow unconfined_t init_t:service enable;
#============= unconfined_t ==============
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/fog.mod] Error 1
-
@george1421 Centos 6 appears to be missing some of the modules I require. I’ve been trying to hunt down the exact dependencies I’d need, or if need be, a new policy with different rules / modules.
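Pulling together the troubleshooting steps from the first post, the Makefile search from the Fedora 21 post and the CentOS 6 "unknown class service" error above, here is an added pre-flight script. It is not the FOG project's own code: the function names, the selinuxfs class check and the assumption that you build on the same host whose policy you are targeting are this example's own. It finds the right devel Makefile (the one under devel/, not devel/include/), confirms the build tools are installed, and warns when the loaded policy has no "service" object class before make ever reaches checkmodule.

```shell
#!/bin/sh
# Added example, not part of the FOG project: pre-flight checks and build steps
# for the fog policy module, covering the failure modes from this thread
# (devel Makefile missing or mislocated, and a policy that lacks an object
# class such as "service" on CentOS 6). Run it from the fogproject/SELinux
# directory as root; function names and arguments are this example's own.

# Locate the refpolicy devel Makefile. The search root defaults to
# /usr/share/selinux; "find" also turns up devel/include/Makefile, which is a
# helper and must not be passed to "make -f", so only */devel/Makefile is kept.
find_selinux_makefile() {
    root="${1:-/usr/share/selinux}"
    find "$root" -path '*/devel/Makefile' -type f 2>/dev/null | head -n 1
}

# Report policy build tools that are not on PATH. With no arguments it checks
# the tools the refpolicy Makefile and the install step need; prints
# "missing: ..." and returns 1 when something is absent.
check_policy_tools() {
    if [ $# -eq 0 ]; then
        set -- make checkmodule semodule_package semodule
    fi
    missing=""
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
    done
    if [ -n "$missing" ]; then
        printf 'missing:%s\n' "$missing"
        return 1
    fi
    return 0
}

# Does the loaded policy know object class $1? selinuxfs lists every class
# under <selinuxfs>/class/<name>; the mount point is /sys/fs/selinux on
# current systems and /selinux on CentOS 6. $2 overrides the mount point
# (used for testing against a constructed tree).
policy_has_class() {
    class="$1"
    fs="${2:-}"
    if [ -z "$fs" ]; then
        if [ -d /sys/fs/selinux/class ]; then fs=/sys/fs/selinux
        else fs=/selinux; fi
    fi
    [ -d "$fs/class/$class" ]
}

# Build $1.pp with the located Makefile and install it with semodule.
build_and_install_module() {
    module="${1:-fog}"
    makefile="$(find_selinux_makefile)"
    if [ -z "$makefile" ]; then
        echo "no devel Makefile under /usr/share/selinux; install selinux-policy-devel" >&2
        return 1
    fi
    check_policy_tools >&2 || return 1
    # The CentOS 6 error in this thread comes from a rule on the "service"
    # class; warn up front rather than failing deep inside checkmodule.
    policy_has_class service ||
        echo "warning: loaded policy has no 'service' class; rules on it will not compile" >&2
    make -f "$makefile" "$module.pp" || return 1
    semodule -i "$module.pp"
}

# Usage: sh build-fog-module.sh fog   (no argument: only define the functions)
if [ $# -gt 0 ]; then
    build_and_install_module "$1"
fi
```

The class check only tells you the class is absent; the fix for an older policy is still what the thread says, a module that does not reference rules the target release cannot compile.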
-
@Jbob said:
@george1421 Centos 6 appears to be missing some of the modules I require. I’ve been trying to hunt down the exact dependencies I’d need, or if need be, a new policy with different rules / modules.
That’s why we are going through this. No worries on my part. We’ll get them worked out.
-
This installed fine on Fedora 23.
the SELinux stuff works fine on Fedora 23 Server so far.
I’ve tried this setup on a virtualized Fedora 23 FOG server. I’ve imaged 2 computers so far with this setup. One of them, I tried out WOL just to confirm that still works - it does.
-
Holding off on adding this to the Wiki - It is my hope that enough people will try this out that it can be added to Trunk by the @Developers and implemented in FOG 1.3.0.
-
@Jbob As far as I can tell, in Fedora 23 Server Minimal, the SELinux module breaks the FOG_FTP_IMAGE_SIZE feature.
-
There’s also this issue. I’m just going to tag the link and description here.
* Restarting Apache2 for fog vhost............................Failed!
https://forums.fogproject.org/topic/6251/fedora-23-svn-4455-restarting-apache2-for-fog-vhost-failed
-
Another problem that needs to be addressed with the SELinux setup:
https://forums.fogproject.org/topic/6278/can-t-delete-images
-
@Jbob I really want to see SELinux incorporated into fog. I know it's finals time, and many an aspiring young adult is quite busy making a future for themselves. That's fine. I just don't want this swept under the rug.
I’ve noticed that no changes have been made to the SELinux stuff.
[root@fog-server trunk]# cd SELinux
[root@fog-server SELinux]# ls
fog.fc fog.if fog.pp fog.te tmp
[root@fog-server SELinux]# make -f /usr/share/selinux/devel/Makefile fog.pp
make: 'fog.pp' is up to date.
That’s fine - but if anyone wants me to run some tests, I’m up for it.
-
Added a link to this thread here: https://wiki.fogproject.org/wiki/index.php/FOG_security#Other_issues
-
@Developers Apologies for spamming this thread to death… but I’d like to see a fully functional SELinux policy for FOG 1.3.0 for at least the CentOS 7 platform. Has any progress been made with the below problems by anyone?
-
I’m learning about these:
yum install setroubleshoot setroubleshoot-server -y
Apparently those two packages will help you analyze and tune a SELinux policy for anything.
Another amazing resource (just watched the whole thing):
https://www.youtube.com/watch?v=MxjenQ31b70
I feel a lot better about Security Enhanced Linux now (SELinux), and I'll definitely be creating my own modules for it. Luckily for me I've run a production fog server in Permissive mode for a HOT minute now, so all the information I would need to create a module is already there.
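The "information already there" from a permissive-mode server is the AVC denial records in the audit log. As an added example (not code from this thread or the FOG project), the script below condenses those records into one line per source type, target type, class and permission, with a hit count, which is the shape of the allow rules that audit2allow -a -M <name> would generate. The point of summarizing first is to review each line before allowing it: the sample log is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the FOG project or this thread's authors: summarize
# the AVC denials a server logged while running in permissive mode, as a
# review step before turning them into a policy module. Output lines are
# shaped like the allow rules audit2allow would generate, with a hit count in
# front. Function names and the sample log below are this example's own.

# Constructed sample of /var/log/audit/audit.log lines (not real FOG output):
# an httpd process and vsftpd hitting directories/files labelled
# public_content_t, plus one non-AVC record that must be ignored.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1449254113.455:812): avc:  denied  { write } for  pid=1234 comm="httpd" name="images" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1449254113.460:813): avc:  denied  { add_name } for  pid=1234 comm="httpd" name="tmp.img" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1449254120.001:820): avc:  denied  { write } for  pid=1234 comm="httpd" name="images" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1449254125.310:831): avc:  denied  { read open } for  pid=2001 comm="vsftpd" path="/images/foo" scontext=system_u:system_r:ftpd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1449254125.310:831): arch=c000003e syscall=2 success=yes exit=5
EOF
}

# Read an audit log ($1, default /var/log/audit/audit.log) and print one line
# per (source type, target type, class, permission):
#   <count> allow <source_t> <target_t>:<class> <perm>;
summarize_avc() {
    grep -E 'avc: +denied' "${1:-/var/log/audit/audit.log}" | awk '
    {
        perms = ""; src = ""; tgt = ""; cls = ""
        # permissions are listed between braces: { read open }
        if (match($0, /\{[^}]*\}/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        # contexts are user:role:type[:level]; the type is the third field
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "" || perms == "") next
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) count[src " " tgt ":" cls " " p[j]]++
    }
    END {
        for (k in count) print count[k], "allow " k ";"
    }' | sort -k2
}

# Usage: sh avc-summary.sh /var/log/audit/audit.log
# (no argument: only define the functions)
if [ $# -gt 0 ]; then
    summarize_avc "$1"
fi
```

Reading the summary is where the judgement happens: a line such as httpd_t writing to a public_content_t directory is normally a labelling problem (the writable content should be public_content_rw_t with the matching boolean turned on), not a reason to add an allow rule, whereas audit2allow run blindly would grant it.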
-
@Wayne-Workman I’ll update the policy hopefully within the week.
-
Bumping this - it would be so nice to have SELinux enabled as a standard configuration.