Upgrading Red Hat Enterprise Linux / CentOS

RHEL/CentOS 5–6–7 Migration:
Security-Enhanced Linux

Security-Enhanced Linux (or NSA SELinux) itself has not changed in ways the typical administrator will notice; what has changed is how well Red Hat uses it. SELinux has gone from "Just turn it off to avoid trouble," through "It may work if you don't do very much; try it in permissive mode as an experiment," to working well as shipped with RHEL/CentOS 7. The improvement comes from much more complete (and complex) policies, not from changes to the kernel mechanism.

The previous page described the changes in kernel configuration and clusters.

12 — Security-Enhanced Linux

Red Hat has become more ambitious in its use of the NSA Security-Enhanced Linux mechanisms with each release. If you install the product and use it as directed, it works fine; the trouble described below starts when you put files or services somewhere the policy does not expect.

Remember the design philosophy: the file-context specification in the policy is authoritative, and the labels stored on disk are only a cache of it. Relabelling the file system from policy is therefore always safe, with one caveat: labels applied by hand with chcon are reset too, so anything you want to keep must be recorded in policy (with semanage fcontext) rather than applied directly. To relabel everything, excluding the pseudo-filesystems that cannot hold labels (each excluded directory needs its own -e option):

# restorecon -R -v -e /cgroup -e /dev -e /proc -e /selinux -e /srv -e /sys /

    --- or ---

# find / \( -fstype ext3 -o -fstype ext4 -o -fstype xfs \) -exec restorecon -v {} +

The parentheses matter in the second form: -o binds less tightly than the implied -a, so without them only the xfs branch would run restorecon. Note that /selinux is the selinuxfs mount point on RHEL 5 and 6; RHEL 7 mounts it at /sys/fs/selinux, which the /sys exclusion already covers. The supported alternative is to create the file /.autorelabel and reboot, so the whole system is relabelled before any service starts.

On RHEL 6 the policy caused problems when you moved Apache configuration files around. The usual cause is that mv preserves a file's existing label, so a configuration file moved in from your home directory keeps its user type and httpd is denied access to it, whereas cp creates a new file that picks up the default label of its destination. You needed to relabel everything under /etc/httpd and possibly /var/www/html (restorecon -R -v on those two directories is enough; a full relabel is not needed). That got better with RHEL 7.
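
As an added example, not part of the original page, the following POSIX shell script derives the restorecon exclusion list from /proc/mounts instead of maintaining it by hand, which also absorbs the /selinux versus /sys/fs/selinux difference between releases, and shows the narrower fix for the Apache case. The mounts table in it is constructed, the set of filesystem types treated as label-capable is an assumption, and the /srv/www path in httpd_relabel is an illustration, not a path the page mentions.

```shell
#!/bin/sh
# Added example, not part of the original page: derive the restorecon
# exclusion list from /proc/mounts rather than maintaining it by hand.
# Every mount whose filesystem cannot store security xattrs on disk
# (procfs, sysfs, devtmpfs, selinuxfs, tmpfs, NFS, vfat, ...) is excluded.
# Which types count as "labelled" is an assumption, kept in one place.

LABELLED_FSTYPES="ext2 ext3 ext4 xfs btrfs"

# Constructed /proc/mounts sample (not from a real host) for the
# demonstration and the test; the last line shows the \040 space escape.
SAMPLE_MOUNTS=$(cat <<'EOF'
rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
devtmpfs /dev devtmpfs rw,seclabel,nosuid,size=1958336k,mode=755 0 0
/dev/mapper/rhel-root / xfs rw,seclabel,relatime,attr2,inode64,noquota 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
/dev/sda1 /boot ext4 rw,seclabel,relatime,data=ordered 0 0
tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev 0 0
nfs-server:/export /srv/export nfs4 rw,relatime,vers=4.0 0 0
/dev/sdb1 /mnt/usb\040drive vfat rw,relatime 0 0
EOF
)

# unlabelled_mounts [MOUNTS_FILE]
# Print, one per line, every mount point other than / whose filesystem
# type is not in LABELLED_FSTYPES. Defaults to the live /proc/mounts.
unlabelled_mounts() {
    while read -r _dev mnt fstype _rest; do
        mnt=$(printf '%b' "$mnt")        # undo /proc/mounts octal escapes
        [ "$mnt" = / ] && continue       # / is the target, never an exclude
        case " $LABELLED_FSTYPES " in
            *" $fstype "*) ;;            # can hold labels: relabel through it
            *) printf '%s\n' "$mnt" ;;   # cannot: exclude it
        esac
    done < "${1:-/proc/mounts}"
}

# relabel_cmd [MOUNTS_FILE] [EXTRA_FLAG]
# Print the full-system relabel command; pass -n as EXTRA_FLAG for a
# dry run that only reports which labels would change.
relabel_cmd() {
    mounts=${1:-/proc/mounts}
    extra=${2:-}
    set -- restorecon -R -v ${extra:+"$extra"}
    while IFS= read -r mnt; do
        [ -n "$mnt" ] || continue
        set -- "$@" -e "$mnt"
    done <<EOF
$(unlabelled_mounts "$mounts")
EOF
    set -- "$@" /
    printf '%s\n' "$*"   # display form: quote any path containing spaces before running it
}

# The RHEL 6 Apache case from the text: after moving configuration or
# content, reset only those trees. Content outside /var/www needs its
# rule recorded in policy first, or the next full relabel undoes it
# (the /srv/www path is an assumption for illustration).
httpd_relabel() {
    semanage fcontext -a -t httpd_sys_content_t '/srv/www(/.*)?'
    restorecon -R -v /etc/httpd /var/www/html /srv/www
}

# Stand-alone demonstration on the constructed sample. On a real host,
# call unlabelled_mounts and relabel_cmd with no file argument, inspect
# the output, and run the printed command with -n before running it for real.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_MOUNTS" > "$demo"
echo "Excluded mount points:"; unlabelled_mounts "$demo"
echo "Relabel command (dry run):"; relabel_cmd "$demo" -n
rm -f "$demo"
```

The exclusion list is rebuilt on every run, so adding a cgroup or NFS mount does not silently turn a relabel into a stream of errors on a filesystem that cannot hold labels.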

Below are the results of running seinfo on some CentOS and RHEL examples. Two lines deserve a second look when comparing them. Permissives counts domains that the policy itself marks permissive: denials in those domains are logged but not enforced even when the system is in enforcing mode, so the 21 on RHEL 6 are worth listing (seinfo --permissive) and RHEL 7 ships with none. Dontaudit counts rules that silence denials; when a refusal does not show up in the audit log, rebuild the policy without them with semodule -DB and restore them with semodule -B afterwards. Note also that on RHEL 7 seinfo reads the policy currently loaded in the kernel, /sys/fs/selinux/policy, rather than the file under /etc/selinux.

From CentOS 5.6:

Statistics for policy file: /etc/selinux/targeted/policy/policy.21
Policy Version & Type: v.21 (binary, MLS)

   Classes:            61    Permissions:       220
   Types:            1868    Attributes:        217
   Users:               3    Roles:               6
   Booleans:          271    Cond. Expr.:       254
   Sensitivities:       1    Categories:       1024
   Allow:          130713    Neverallow:          0
   Auditallow:         42    Dontaudit:        7348
   Role allow:          5    Role trans:          0
   Type_trans:       2309    Type_change:         0
   Type_member:         0    Range_trans:       578
   Constraints:        47    Validatetrans:       0
   Fs_use:             19    Genfscon:           74
   Portcon:           337    Netifcon:            0
   Nodecon:             8    Initial SIDs:       27 

From RHEL 6:

Statistics for policy file: /etc/selinux/targeted/policy/policy.24
Policy Version & Type: v.24 (binary, mls)

   Classes:            77    Permissions:       229
   Sensitivities:       1    Categories:       1024
   Types:            3073    Attributes:        250
   Users:               9    Roles:              13
   Booleans:          168    Cond. Expr.:       203
   Allow:          269649    Neverallow:          0
   Auditallow:         44    Dontaudit:      162489
   Type_trans:      10914    Type_change:        38
   Type_member:        44    Role allow:         20
   Role_trans:        241    Range_trans:      2590
   Constraints:        64    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             22
   Genfscon:           82    Portcon:           378
   Netifcon:            0    Nodecon:             0
   Permissives:        21    Polcap:              2 

From RHEL 7:

Statistics for policy file: /sys/fs/selinux/policy
Policy Version & Type: v.28 (binary, mls)

   Classes:            83    Permissions:       255
   Sensitivities:       1    Categories:       1024
   Types:            4263    Attributes:        349
   Users:               8    Roles:              14
   Booleans:          261    Cond. Expr.:       306
   Allow:           92722    Neverallow:          0
   Auditallow:        120    Dontaudit:        7645
   Type_trans:      14717    Type_change:        74
   Type_member:        27    Role allow:         29
   Role_trans:        734    Range_trans:      5006
   Constraints:        98    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             26
   Genfscon:           91    Portcon:           528
   Netifcon:            0    Nodecon:             0
   Permissives:         0    Polcap:              2 
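
As an added example, not from the page, the script below parses seinfo statistics like those above into Key=value form, diffs a before-upgrade snapshot against an after-upgrade one, and calls out permissive domains built into the old policy. The two embedded samples are the RHEL 6 and RHEL 7 outputs reproduced above; the snapshot function assumes seinfo (setools) is installed on the host.

```shell
#!/bin/sh
# Added example, not part of the original page: turn the two-column seinfo
# statistics into Key=value lines, diff two snapshots (before and after an
# upgrade) and flag permissive domains built into the policy. The samples
# are the RHEL 6 and RHEL 7 outputs shown on the page.

RHEL6_STATS=$(cat <<'EOF'
Statistics for policy file: /etc/selinux/targeted/policy/policy.24
Policy Version & Type: v.24 (binary, mls)
   Classes:            77    Permissions:       229
   Sensitivities:       1    Categories:       1024
   Types:            3073    Attributes:        250
   Users:               9    Roles:              13
   Booleans:          168    Cond. Expr.:       203
   Allow:          269649    Neverallow:          0
   Auditallow:         44    Dontaudit:      162489
   Type_trans:      10914    Type_change:        38
   Type_member:        44    Role allow:         20
   Role_trans:        241    Range_trans:      2590
   Constraints:        64    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             22
   Genfscon:           82    Portcon:           378
   Netifcon:            0    Nodecon:             0
   Permissives:        21    Polcap:              2
EOF
)

RHEL7_STATS=$(cat <<'EOF'
Statistics for policy file: /sys/fs/selinux/policy
Policy Version & Type: v.28 (binary, mls)
   Classes:            83    Permissions:       255
   Sensitivities:       1    Categories:       1024
   Types:            4263    Attributes:        349
   Users:               8    Roles:              14
   Booleans:          261    Cond. Expr.:       306
   Allow:           92722    Neverallow:          0
   Auditallow:        120    Dontaudit:        7645
   Type_trans:      14717    Type_change:        74
   Type_member:        27    Role allow:         29
   Role_trans:        734    Range_trans:      5006
   Constraints:        98    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             26
   Genfscon:           91    Portcon:           528
   Netifcon:            0    Nodecon:             0
   Permissives:         0    Polcap:              2
EOF
)

# parse_stats: seinfo output on stdin -> sorted "Key=value" lines. Spaces in
# keys become underscores; header lines without a numeric value are ignored.
parse_stats() {
    awk '{
        line = $0
        while (match(line, /[A-Za-z_.]+( [A-Za-z_.]+)*: *[0-9]+/)) {
            pair = substr(line, RSTART, RLENGTH)
            line = substr(line, RSTART + RLENGTH)
            split(pair, kv, /: */)
            key = kv[1]; gsub(/ /, "_", key)
            print key "=" kv[2]
        }
    }' | sort
}

# stats_get FILE KEY: value of KEY in a parse_stats file, 0 if absent
stats_get() {
    awk -F= -v k="$2" '$1 == k { print $2; found = 1 } END { if (!found) print 0 }' "$1"
}

# stats_diff OLD NEW: one "Key old new delta" line per key in NEW
stats_diff() {
    awk -F= 'NR == FNR { old[$1] = $2; next }
             ($1 in old) { printf "%s %s %s %+d\n", $1, old[$1], $2, $2 - old[$1]; next }
             { printf "%s - %s new\n", $1, $2 }' "$1" "$2"
}

# snapshot FILE: record the loaded policy's statistics on a live host
# (seinfo with no arguments prints them, as on the page). Not run here.
snapshot() {
    seinfo | parse_stats > "$1"
}

# Stand-alone demonstration on the two page samples.
old=$(mktemp); new=$(mktemp)
printf '%s\n' "$RHEL6_STATS" | parse_stats > "$old"
printf '%s\n' "$RHEL7_STATS" | parse_stats > "$new"
stats_diff "$old" "$new"
p=$(stats_get "$old" Permissives)
if [ "$p" -gt 0 ]; then
    echo "note: $p domain(s) permissive in the old policy; list them with: seinfo --permissive"
fi
rm -f "$old" "$new"
```

Take a snapshot before the upgrade and another after it; a non-zero Permissives line, or a large jump in Dontaudit, is what to investigate before trusting enforcing mode on the new release.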

Finally, the output of ls -l began to look a little different with the coreutils version included in RHEL 6. A "." after the permission mask indicates that the object has an SELinux security context and no other alternate access method:

# ls -l /etc/rsyslog.conf /sbin/rsyslogd
-rw-r--r--. 1 root root   2741 May 20 2009 /etc/rsyslog.conf
-rwxr-xr-x. 1 root root 344528 Jun  8 2010 /sbin/rsyslogd 

Meanwhile, a "+" in that position indicates an extended ACL: getfacl would show more than the three base entries (user, group, other). The "+" takes precedence over the ".", so a file that has both an ACL and an SELinux context shows only "+"; use ls -Z to see the context in either case.