Currently only Fedora Core supports SELinux by providing it as an integral component that is installed without special effort on the part of the installing user. However, Red Hat has announced that Red Hat Enterprise Linux 4 (RHEL 4) will support SELinux. The RHEL 4 implementation of SELinux is expected to closely resemble the one in Fedora Core 2.
Fedora Core is a Linux distribution sponsored—but not supported—by Red Hat that uses the distribution as a test bed for new technologies being considered for incorporation in Red Hat’s supported distributions, such as Red Hat Enterprise Linux. Fedora Core is freely available at http://fedora.redhat.com. Unlike Red Hat Enterprise Linux, which contains proprietary components, Fedora Core is fully redistributable under the terms of the GNU GPL.
Fedora Core 2 presents the most convenient implementation of SELinux
available to date. To install SELinux, you must respond
selinux
to the boot prompt that appears after
booting from the installation media.[6] During the installation procedure, the
Firewalls screen (see Figure 3-1) provides the user with the opportunity to
choose from three levels of SELinux support:
Disables SELinux.
Enables SELinux to log, but not prevent, attempted violations of the SELinux policy.
Enables SELinux to fully enforce its policy.
When the system boots after installation, SELinux immediately assumes
the mode specified during installation—no further configuration
is necessary. Of course, the system administrator can reconfigure the
system to operate in a different SELinux mode by modifying the boot
configuration (/boot/grub/grub.conf
) or the
SELinux configuration (/etc/sysconfig/selinux
),
either manually or by using the GUI Security Level tool.
Moreover, the RPM package manager included in Fedora Core is SELinux-aware. It automatically labels files and directories when new packages are installed. Thus, running SELinux under Fedora Core may involve relatively little ongoing administration.
The default SELinux policy implemented by Fedora Core is termed a
“relaxed policy,” meaning that it
seeks to protect potentially vulnerable services and daemons without
strictly imposing the principle of least privilege on every user
action. Thus, the policy represents a compromise between ease of use
and security that is appropriate for many users. The system
administrator, of course, is free to tailor the SELinux policy to
better suit local needs. In particular, the system administrator may
find it necessary to do so if the system hosts binaries other than
those distributed as part of Fedora Core, or if the system
administrator wants to restrict the privileges available to scripts
such as cron
jobs.
Chapter 5 and
Chapter 8
of this book
explain the procedures for doing
so.