Administrators often criticize Security Enhanced Linux (SELinux) policies for being too complex, and they have a point. Mandatory access control-based administration is tedious and easy to misconfigure. It can be tough to handle the extended security attributes across a range of users, processes and files or directories that encompass more than one server. Novell addresses this problem in its enterprise-class server offerings with the AppArmor suite of policy management applications, but nothing comparable exists yet for systems management in Red Hat enterprise servers (or CentOS derivatives).
Although it's not included in the RHEL distribution, the SELinux Policy Editor (seedit), originally developed by Hitachi Software, fills that void. Seedit offers a suite of native front-end administration utilities. Even a seasoned SELinux system administrator will find seedit useful in daily use, especially in cases when a single policy oversees operations of multiple systems. Seedit provides a control panel with icons that correspond to status, management, policy generation, policy editing and policy application or re-labeling actions.
Seedit has its roots in the simplified policy description language (SPDL). SPDL is simplified in that it works with a subset of SELinux permissions devoid of any properties except those related to security. Overlapping properties (such as read permissions) on objects are generalized into distinct domains of functionality. Policy files are created for file names or port numbers and include role-based access controls (RBAC) that are somewhat similar to what's used in xinetd or Apache configuration files. Through seedit-load, all simplified policies may be compiled into true SELinux policies, which can then be made effective on the target system (presumably a RHEL server).
By using the seedit status application, administrators can view the full scope of domains in effect over a given system. This tool permits administrators to visualize the working processes and active connections for a target system and to readily identify each one by an associated process ID or network port and security domain(s).
If an application or connection fails to start, it can be set to the permissive unconfined_t label, under which an entire domain can be created to oversee all unconfined types. Otherwise, the policy governing a restricted application can be modified to permit the functionality necessary for proper operation. All of this can be handled through the seedit domain/role manager interface. The policy generator assists administrators in establishing, defining and reconfiguring SELinux policies for any application. The generator traces through these programs and gleans detailed information on their behavior as it applies to a SELinux policy. It then produces either default permissions or -- at the administrator's option -- a more secure (and restrictive) policy.
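A similar per-process view (process ID plus security domain) can be built from `ps -eZ` output, which makes it easy to see what is still running in `unconfined_t`. This is an added example, not seedit code or part of the original article; the sample lines are constructed and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample of `ps -eZ` output (not captured from a real host).
SAMPLE_PS_EZ = """\
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
system_u:system_r:httpd_t:s0      812 ?        00:00:03 httpd
system_u:system_r:httpd_t:s0      815 ?        00:00:00 httpd
system_u:system_r:sshd_t:s0-s0:c0.c1023 640 ? 00:00:00 sshd
system_u:system_r:unconfined_t:s0 977 ?        00:00:12 customd
user_u:system_r:unconfined_t     1204 pts/0    00:00:00 bash
-                                1300 ?        00:00:00 kworker
"""

def parse_ps_ez(text):
    """Return (pid, domain, command) tuples parsed from `ps -eZ` text."""
    rows = []
    for line in text.splitlines():
        fields = line.split(None, 4)
        if len(fields) < 5 or not fields[1].isdigit():
            continue  # header or malformed line
        label, pid, _tty, _time, cmd = fields
        # A context is user:role:type[:level]; the type is the process domain.
        parts = label.split(":")
        domain = parts[2] if len(parts) >= 3 else None  # None = no label shown
        rows.append((int(pid), domain, cmd))
    return rows

def by_domain(rows):
    """Group processes by security domain."""
    groups = defaultdict(list)
    for pid, domain, cmd in rows:
        groups[domain].append((pid, cmd))
    return dict(groups)

def unconfined(rows, types=("unconfined_t",)):
    """Processes running in a domain that the policy does not restrict."""
    return [(pid, cmd) for pid, domain, cmd in rows if domain in types]

if __name__ == "__main__":
    rows = parse_ps_ez(SAMPLE_PS_EZ)
    for domain, procs in sorted(by_domain(rows).items(), key=lambda kv: str(kv[0])):
        print(f"{domain}: {procs}")
    print("still unconfined:", unconfined(rows))
```

On a live SELinux host, pass the text of `ps -eZ` to `parse_ps_ez` instead of the sample.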
Viewed from any angle, the seedit suite of applications simplifies daily management of SELinux-governed systems. It can quickly create templates for, categorize, relabel, visualize and reconfigure effective policy in a way that any administrator can understand.
Justin Korelc is a longtime Linux hacker and system administrator who concentrates on hardware and software security, virtualization and high-performance Linux systems. Ed Tittel is a full-time freelance writer based in Austin, Tex., who specializes in markup languages, information security, networking and IT certification. Justin and Ed have contributed to books on Home Theater PCs and the Linux-based MythTV environment and write regularly about Linux for various TomsHardware sites.
This was first published in August 2006.