Pages

Sunday, February 2, 2020

Fedora 31 : Can be better? part 005.

Today we have once again dealt with this topic on the possibilities of improving the Fedora distro.
This time the adventure turned to the Selinux system switching to SELinux MLS.
Let's test the SELinux Fedora 31 from default targeted to mls.
First let's see the users:
[root@desk mythcat]# semanage user -l

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r
To use the MLS you need to change this file:
[root@desk mythcat]# vim /etc/selinux/config


# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
The changes are:

#SELINUX=enforcing
SELINUX=permissive
...
#SELINUXTYPE=targeted
SELINUXTYPE=mls
Is need to install these packages:
[root@desk mythcat]# dnf search mls | grep selinux
Last metadata expiration check: 2:45:09 ago on Sun 02 Feb 2020 01:28:54 PM EET.
selinux-policy-mls.noarch : SELinux mls base policy
[root@desk mythcat]# dnf install selinux-policy-mls.noarch
...
Installed:
  mcstrans-2.9-2.fc31.x86_64                                                    
  policycoreutils-newrole-2.9-5.fc31.x86_64                                     
  selinux-policy-mls-3.14.4-45.fc31.noarch                                      

Complete!
These commands will relabel and start the MLS.
[mythcat@desk ~]$ setenforce 0
[mythcat@desk ~]$ getenforce
Permissive
...
[root@desk mythcat]# touch /.autorelabel
[root@desk mythcat]# reboot
If you have problems on boot the add selinux=0 on boot kernel.
After I boot and relabel all files I got errors about Gtk-Messages.
I remove my old Cinnamon with this command:
[root@desk mythcat]# dnf groupremove -y "Cinnnamon"
I list all my group with dnf tool:
[root@desk mythcat]# dnf grouplist -v 
I install the MATE environment:
dnf groupinstall -y "MATE Desktop" --allowerasing
After that the only way to start the environement is this command:
[mythcat@desk ~]$ sudo systemctl restart lightdm.service
Another issue comes from SELinux Alert Browser, where I get multiple alerts and these need to fix manually.
First, these alerts are more than 250.
After I fix some of these now I see only 50.
I think this problem with changing the SELinux type can be improved.