That scary Red Hat Exam Topic: SELinux (It's not as difficult as you think)
Yes, SELinux is a published objective for both the RHCSA and RHCE exams. It's also an excellent subject to master as a Linux administrator.
With the help of the US National Security Agency (NSA), SELinux enhances RHEL 6's reputation as a secure operating system. While you can do a lot more with SELinux, the following objectives are cited for the RHCSA (edited, I think, at unSpawn's request). I've added my comments on these objectives in italics. But due to the nature of these topics, I can't give a complete answer with respect to these objectives without citing long passages from my book.
************************
-Set enforcing and permissive modes for SELinux
While that's easy enough to do with commands like setenforce, it can be configured on a permanent basis in the /etc/sysconfig/selinux file.
************************
-List and identify SELinux file and process context
Run the ls -Z command on your systems (that's a capital -Z). If SELinux is enabled, you'll see output such as
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
The file context for the html/ directory shown is that of a system user (system_u), associated with content for HTTP servers (httpd_sys_content_t).
In contrast, to find the SELinux context of a process, run a variation of the ps -Z command. When I run the ps -Zaxl command, filtered for the vsftpd service, I get the following output:
unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 5 0 6597 1 20 0 51976 704 inet_c Ss ? 0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
which shows the vsFTP daemon, started with the vsftpd.conf configuration file, running in the ftpd_t domain.
************************
-Restore default file contexts
This process is trickier. While the restorecon command itself is straightforward, it resets contexts based on the default rules stored in the various files of the /etc/selinux/targeted/contexts/files directory.
************************
-Use boolean settings to modify system SELinux settings
The booleans are listed in the /selinux/booleans directory. As I wrote in Chapter 4:
"These settings can be read with the getsebool and modified with the setsebool commands. For example, the following output from the getsebool allow_user_exec_content command confirms that SELinux allows users to execute scripts in either their home directories or from the /tmp directory:
allow_user_exec_content --> on"
Of course, that boolean can be disabled, but as I state later in the chapter, "the -P is required to make the change to the boolean setting survive a system reboot".
****************************
-Diagnose and address routine SELinux policy violations
One place to start is with the audit.log file in the /var/log/audit directory. It includes information on each SELinux violation. An excellent way to search through this log is with the following command:
sealert -a /var/log/audit/audit.log
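As an added example (not from the post or the book), here is a small POSIX shell script that ties the two ideas above together: it splits a context string such as the ls -Z and ps -Z output shown earlier into its user, role, type and level parts (the level of a process context can itself contain colons, as in s0-s0:c0.c1023), and it summarises the AVC denials in an audit.log file by permission, source type, target type and object class, so you can see at a glance which domain is being denied access to which file type before running sealert. The audit.log lines are constructed for this example and do not come from a real system.

```shell
#!/bin/sh
# Parse SELinux contexts and summarise AVC denials from an audit.log file.

# Split a context such as unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 into
# user, role, type and level. The level (4th field onward) may contain colons
# when it is an MLS/MCS range, so ctx_level keeps everything from field 4.
ctx_user()  { printf '%s\n' "$1" | cut -d: -f1; }
ctx_role()  { printf '%s\n' "$1" | cut -d: -f2; }
ctx_type()  { printf '%s\n' "$1" | cut -d: -f3; }
ctx_level() { printf '%s\n' "$1" | cut -d: -f4-; }

# One line per (permission, source type, target type, object class) with a
# count, most frequent denial first. Only type=AVC "denied" records count.
avc_summary() {
    awk '
        /^type=AVC/ && /denied/ {
            perm = ""; s = ""; t = ""; c = ""
            # the denied permission set sits between { and }
            if (match($0, /\{[^}]*\}/))
                perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^[ \t]+|[ \t]+$/, "", perm)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split($i, a, "="); split(a[2], f, ":"); s = f[3] }
                if ($i ~ /^tcontext=/) { split($i, a, "="); split(a[2], f, ":"); t = f[3] }
                if ($i ~ /^tclass=/)   { split($i, a, "="); c = a[2] }
            }
            n[perm " " s " -> " t ":" c]++
        }
        END { for (k in n) printf "%d %s\n", n[k], k }
    ' "$1" | sort -rn
}

# Constructed sample audit.log (not captured from a real system): httpd denied
# twice on files labelled user_home_t, vsftpd denied once searching a home dir.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1309612345.101:201): avc:  denied  { read } for  pid=2201 comm="httpd" name="index.html" dev=dm-0 ino=4401 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1309612345.101:201): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1309612346.102:202): avc:  denied  { read } for  pid=2201 comm="httpd" name="style.css" dev=dm-0 ino=4402 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1309612347.103:203): avc:  denied  { search } for  pid=3301 comm="vsftpd" name="mike" dev=dm-0 ino=5501 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
EOF

# Most frequent denial first: here httpd_t reading user_home_t files, which
# points at web content that needs the httpd_sys_content_t label (restorecon).
avc_summary "$SAMPLE_LOG"
```

On a real RHEL 6 system you would point avc_summary at /var/log/audit/audit.log; a target type that does not match the service (user_home_t for httpd, for instance) usually means a mislabelled file to fix with restorecon, while a denial on a correctly labelled object is where a boolean such as ftp_home_dir comes in.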
***************************
For the RHCE, you'll want to know how to
-Configure SELinux to support every service listed in the RHCE objectives.
While I'd love to detail that process here, that would require an explanation of many of the nearly 180 booleans shown in the /selinux/booleans directory. One example is the ftp_home_dir boolean, which must be active if you want to configure vsFTP to allow access to user home directories.
Since SELinux is integral to the Red Hat distribution, I describe how you can meet these objectives in detail in many (most?) chapters of my RHCSA/RHCE Red Hat Linux Certification Study Guide (Exams EX200 & EX300), 6th Edition. Of course, there are sections in Chapters 4 and 11 that are dedicated to the process. If you can master the SELinux tasks described in the objectives, you can keep real-world systems more secure.
In addition, there are certain things you need to do to make sure that SELinux configuration changes survive a "relabel". Otherwise, the changes you make could disappear if someone disables and then re-enables SELinux on the system.
Last edited by mike_rhce; 07-02-2011 at 11:08 AM.