Ask Your Question
2

How to enable SELinux 'strict' or 'mls' policies on workstation?

asked 2013-11-21 23:59:22 -0600

abyss gravatar image

updated 2014-04-11 17:11:17 -0600

remjg gravatar image

AFAIK, only 'targeted' policy is applied by default on a freshly installed Fedora. How can I enable 'strict' or 'mls' policies? Do they work out-of-the-box?

Are they even maintained?

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted
0

answered 2013-11-22 01:52:38 -0600

lzap gravatar image

Hello, they are fully maintained. May I know the reason why you want to enable them? Because it does not make much sense to enable them on a workstation, they are intended for multi-user or server environments. There is some good documentation out there, for example:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/pdf/Security-Enhanced_Linux/Red_Hat_Enterprise_Linux-6-Security-Enhanced_Linux-en-US.pdf

There you can read more about MLS or STRICT modes, how to enable them and work with them. But it is likely that STRICT policy will stop your workstation from working and MLS policy will make no change until you define first level. But I am not an expert, read the docs :-D

edit flag offensive delete link more
1

answered 2013-11-22 07:03:07 -0600

domg472 gravatar image

updated 2013-11-22 07:15:19 -0600

The strict policy model no longer exists. These days the strict policy model is merged into the targeted policy model.

This means that the targeted policy model can be tuned to (roughly) the equivalent of the old strict policy model.

In a nutshell this can be done by associating your Linux identities with SELinux identities that are associated with roles that are associated with strict types (LOL)

After that you would disable both the unconfined, as well as the unconfineduser policy modules (in permissive mode), relabel the file system (restorecon -R -v -F /), and then reboot

As for the MLS policy model: I sincerely doubt that this policy model works on Fedora currently due to systemd. The security policy probably needs to be adjusted to the new system/session manager.

I do have some videos about MLS policy in RHEL6 (not so much on enabling it, but more on how to use it):

https://www.youtube.com/watch?v=HRMC2gKCax4

https://www.youtube.com/watch?v=qeJUC753wg0

edit flag offensive delete link more

Question Tools

Stats

Asked: 2013-11-21 23:59:22 -0600

Seen: 721 times

Last updated: Nov 22 '13