SELinux

This document describes two related but somewhat disparate concepts: First, how to run Bcfg2 under SELinux; and secondly, how to use Bcfg2 to manage SELinux.

Running Bcfg2 under SELinux

New in version 1.3.0.

Bcfg2 now ships with an SELinux policy that can be used to run both the client and server in enforcing mode. (Most of the helper tools, like bcfg2-info and bcfg2-admin, will still need to be run unconfined.)

It defines the following booleans:

Boolean Name Description Plugins Affected Default
bcfg2_server_exec_scripts Allow the Bcfg2 server to execute scripts in unconfined_t. This ability is limited to scripts in the bcfg2_server_script_exec_t context. If this boolean is off, then external server-side scripts will be run in bcfg2_server_t, which is a fairly limited context. Trigger and PuppetENC, and Cfg Content Validation off
bcfg2_server_can_network_connect_db Allow the Bcfg2 server to connect to databases (e.g., MySQL and PostgreSQL) Reporting, the Clients Database feature of Metadata, and the database Data Storage feature of Probes off

It also defines the following SELinux types:

Type Name Description
bcfg2_t The context the Bcfg2 client runs in
bcfg2_exec_t The context of the Bcfg2 client script itself
bcfg2_server_t The context the Bcfg2 server runs in
bcfg2_server_exec_t The context of the Bcfg2 server script itself
bcfg2_initrc_exec_t The context of the Bcfg2 client init script
bcfg2_server_initrc_exec_t The context of the Bcfg2 server init script
bcfg2_var_lib_t The context of most Bcfg2 specification data, with the exception of the executable scripts in bcfg2_server_script_exec_t
bcfg2_server_script_t The context server-side scripts run in. This type is unconfined if the bcfg2_server_exec_scripts is on.
bcfg2_server_script_exec_t The context of the server-side scripts in the Bcfg2 specification
bcfg2_yum_helper_exec_t The context of the bcfg2-yum-helper script
bcfg2_var_run_t The context of the server pidfile
bcfg2_lock_t The context of the client lock file
bcfg2_conf_t The context of bcfg2.conf
bcfg2_tmp_t The context of temp files created by the Bcfg2 server

If you do run your server in enforcing mode, it is highly recommend that you run restorecon -R /var/lib/bcfg2 every time you update the content in that directory, particularly if you are using plugins that execute arbitrary scripts.

Managing SELinux Entries

New in version 1.3.0.

Bcfg2 has the ability to handle the majority of SELinux entries with the SELinux entry type, which handles modules (with the SEModules plugin), file contexts, users and user mappings, permissive domains, nodes, and interfaces. In addition, info.xml files and most types of the Path tag can accept an secontext attribute to set the context of that entry. The full semantics of each configuration entry is documented with the Rules plugin.

Note

The secontext attribute takes a full context, e.g., “system_u:object_r:etc_t:s0”; the selinuxtype attribute always takes only an SELinux type, e.g., “etc_t”. secontext (but not selinuxtype) can also accept the special value “__default__”, which will restore the context on the Path entry in question to the default supplied by the SELinux policy.

In its current version, the SELinux support in Bcfg2 is not sufficient to manage MCS/MLS policies.

Extra Entries

As it can be very tedious to create a baseline of all existing SELinux entries, you can use selinux_baseline.py located in the tools/ directory to do that for you.

The actual definition of an “extra” entry actually depends on the version of SELinux available; the SELinux APIs have been extremely fluid, so many features available in newer versions are not available in older versions. Newer SELinux versions (e.g., in recent versions of Fedora) can be queried for only entries that have been locally modified; on these versions of SELinux, only locally modified entries will be considered extra. On older SELinux versions (e.g., on RHEL 5), however, that functionality is missing, so all SELinux entries will be considered extra, making selinux_baseline.py quite necessary.

selinux_baseline.py writes a bundle to stdout that contains BoundSELinux entries for the appropriate SELinux entities.

Duplicate Entries

It may be necessary to use BoundSEFcontext tags if a single fcontext needs two different SELinux types depending on whether it’s a symlink or a plain file. For instance:

<BoundSEFcontext filetype="symlink"
                 name="/etc/localtime" selinuxtype="etc_t"/>
<BoundSEFcontext filetype="regular"
                 name="/etc/localtime" selinuxtype="locale_t"/>