Userspace Packages

Stephen Smalley edited this page Jun 20, 2025 · 9 revisions

While the kernel changes to Linux are the basis of SELinux, there are a few userspace packages that are specific to SELinux, and there are a few system applications that must be modified to properly set SELinux security contexts. A number of other applications can provide additional security or help maintain a SELinux system if modified to take advantage of the SELinux kernel features.

The userspace packages that are specific to SELinux are included in the userspace SELinux releases.

Userland Packages Specific to SELinux

  • libsepol is the binary policy manipulation library. It doesn't depend upon or use any of the other components.

  • checkpolicy is the SELinux policy compiler (for the original SELinux policy.conf language). It uses libsepol to generate the binary policy. checkpolicy uses the static libsepol since it deals with low-level details of the policy that have not been encapsulated/abstracted by a proper shared library interface.

  • secilc is the SELinux Common Intermediate Language (CIL) compiler. Like checkpolicy, it uses libsepol to generate the binary policy, but unlike checkpolicy, it can use the shared library.

  • libselinux is the runtime SELinux library that provides interfaces (e.g. library functions for the SELinux kernel APIs like getcon(), other support functions like getseuserbyname()) to SELinux-aware applications. libselinux may use the shared libsepol to manipulate the binary policy if necessary (e.g. to downgrade the policy format to an older version supported by the kernel) when loading policy.

  • libsemanage is the policy management library. It uses libsepol for binary policy manipulation and libselinux for interacting with the SELinux system. It also exec's helper programs for loading policy and for checking whether the file_contexts configuration is valid (load_policy and setfiles, respectively, from policycoreutils).

  • sepolgen is a python module/library that forms the core of the audit2allow and sepolicy programs.

  • policycoreutils is a collection of policy utilities (originally the "core" set of utilities needed to use SELinux, although it has grown a bit over time), which have different dependencies. sestatus, secon, run_init, and newrole only use libselinux. load_policy and setfiles only use libselinux and libsepol. semodule and semanage use libsemanage (and thus bring in dependencies on libsepol and libselinux as well). setsebool uses libselinux to make non-persistent boolean changes (via the kernel interface) and uses libsemanage to make persistent boolean changes.

  • The python-based modules and utilities deemed non-essential to base SELinux operation were later migrated from policycoreutils to a separate selinux-python package upstream, with some distributions like Fedora instead splitting them up into python3-policycoreutils, policycoreutils-python-utils, and policycoreutils-devel depending on the particular component.

  • The set of semodule utility programs that are only required on development systems were likewise later migrated to a separate semodule-utils package upstream, with some distributions like Fedora leaving them in policycoreutils.

  • mcstrans is a label translation daemon to support MLS systems, originally contributed by Joe Nall. It links with the static libsepol in order to leverage private data structures and functions for efficient mapping of category sets. mcstrans is only required when one needs to translate between the internal SELinux MCS/MLS labels and human-readable labels.

  • selinux-gui provides a GUI for managing SELinux, originally contributed by Red Hat. This is generally unnecessary since one can use semanage and other command-line utilities or can use cockpit-selinux for management. Fedora packages this as policycoreutils-gui.

  • selinux-dbus provides a D-Bus-based service and configuration for managing SELinux, likewise originally contributed by Red Hat. This is also generally unnecessary. Fedora packages this as policycoreutils-dbus.

  • selinux-sandbox provides a SELinux-based sandbox originally contributed by Red Hat. This is optional. Fedora packages this as policycoreutils-sandbox.

Userspace Packages with modifications for SELinux

You can use your favorite package manager to query for all the packages that depend on libselinux as an approximation of which ones have been modified for SELinux. For example, on Fedora, you can run the following command:

sudo dnf repoquery --disablerepo=\* --enablerepo=fedora --whatrequires='libselinux.so.1()(64bit)' --qf '%{sourcerpm}\n'

A historical list of userspace packages modified for SELinux is below, but this list is quite out of date so it mostly serves to document why specific programs were modified for SELinux originally. Use a command like the one above to check for an up-to-date list.

  • SysVinit, systemd, or other init programs - load initial policy, set enforcing mode
  • pam - set security context for user sessions, check SELinux permissions for privileged operations
  • util-linux - preserve security contexts on /etc/shadow, check SELinux permissions
  • openssh - set security context for user sessions
  • cron - set security context for cron jobs, check SELinux permissions
  • sudo - set security context
  • shadow-utils - preserve security context on /etc/shadow
  • libuser - preserve security context on /etc/shadow, check permission
  • passwd - preserve security context on /etc/shadow, check permission
  • logrotate - preserve security context on logs
  • coreutils - get and set process and file security contexts
  • findutils - find files with specific security contexts or display them
  • procps - display process contexts
  • psmisc - display process contexts
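
The "preserve security context on /etc/shadow" entries above all describe one pattern: a program that rewrites a file through a temporary copy must carry the old file's SELinux label over, otherwise the replacement gets whatever label the kernel assigns to new files in that directory. The C below is an added example for this page, not code from shadow-utils or any other package listed. It works on the security.selinux extended attribute with getxattr()/setxattr() so that it builds without libselinux headers, whereas the real packages go through libselinux (functions such as getfilecon(), setfilecon() or setfscreatecon()); that substitution, the 4096-byte context buffer and the constructed /tmp round trip are assumptions of the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/xattr.h>

/* Copy the SELinux label (security.selinux xattr) from src to dst: 1 = copied,
 * 0 = src has no label (SELinux inactive or fs without security xattrs), -1 = error. */
int copy_file_context(const char *src, const char *dst)
{
    char ctx[4096];  /* assumed upper bound on a context string */
    ssize_t n = getxattr(src, "security.selinux", ctx, sizeof ctx);
    if (n < 0)
        return (errno == ENODATA || errno == ENOTSUP) ? 0 : -1;
    return setxattr(dst, "security.selinux", ctx, (size_t)n, 0) < 0 ? -1 : 1;
}

/* Rewrite `path` as a shadow-file editor does: temp file beside it, copy the old
 * label onto it, rename over the original. Mode/owner copying is omitted here. */
int replace_file_preserving_context(const char *path, const char *data, size_t len)
{
    char tmp[1024];
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp) return -1;
    int fd = mkstemp(tmp);
    if (fd < 0) return -1;
    int ok = write(fd, data, len) == (ssize_t)len && fsync(fd) == 0;
    close(fd);
    if (ok && copy_file_context(path, tmp) >= 0 && rename(tmp, path) == 0) return 0;
    unlink(tmp);
    return -1;
}

/* Round trip on a constructed temp file: returns 1 if it reads back as "new". */
int demo_roundtrip(void)
{
    char path[] = "/tmp/ctxdemo.XXXXXX";  /* constructed sample path */
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    int ok = write(fd, "old", 3) == 3;
    close(fd);
    ok = ok && replace_file_preserving_context(path, "new", 3) == 0;
    char buf[8] = {0};
    fd = open(path, O_RDONLY);
    if (fd >= 0) { ok = ok && read(fd, buf, sizeof buf - 1) == 3; close(fd); }
    unlink(path);
    return ok && strcmp(buf, "new") == 0;
}
```

On a host without SELinux the copy step reports 0 (no label) and the rewrite still succeeds; on an SELinux host the relabel needs the relabelfrom/relabelto permissions that the policy grants to the modified packages, which is exactly why those programs had to be changed.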