Skip to content
Corey Garst edited this page Jun 9, 2014 · 1 revision

While the kernel changes to Linux are the basis of SELinux, there are a few userspace packages that are specific to SELinux and there are a few system applications (primarily authentication applications such as login and ssh) that must be modified to properly set SELinux security contexts. A number of additional applications can provide additional security or help maintain a SELinux system if modified to take advantage of the SELinux kernel features.

The userspace packages that are specific to SELinux are included in the userspace SELinux releases.

##Userland Packages Specific to SELinux

  • libsepol is the binary policy manipulation library. It doesn't depend upon or use any of the other components.

  • checkpolicy is the policy compiler. It uses libsepol to generate the binary policy. checkpolicy uses the static libsepol since it deals with low level details of the policy that have not been encapsulated/abstracted by a proper shared library interface.

  • libselinux is the runtime SELinux library that provides interfaces (e.g. library functions for the SELinux kernel APIs like getcon(), other support functions like getseuserbyname()) to SELinux-aware applications. libselinux may use the shared libsepol to manipulate the binary policy if necessary (e.g. to downgrade the policy format to an older version supported by the kernel) when loading policy.

  • libsemanage is the policy management library. It uses libsepol for binary policy manipulation and libselinux for interacting with the SELinux system. It also exec's helper programs for loading policy and for checking whether the file_contexts configuration is valid (load_policy and setfiles from policycoreutils) presently, although this may change at least for the bootstrapping case (for rpm).

  • sepolgen is a python module/library that forms the core of the modern audit2allow (a rewrite).

  • policycoreutils is a collection of policy utilities (originally the "core" set of utilities needed to use SELinux, although it has grown a bit over time), which have different dependencies. sestatus, secon, run_init, and newrole only use libselinux. load_policy and setfiles only use libselinux and libsepol. semodule and semanage use libsemanage (and thus bring in dependencies on libsepol and libselinux as well). setsebool uses libselinux to make non-persistent boolean changes (via the kernel interface) and uses libsemanage to make persistent boolean changes.

##Userspace Packages with modifications for SELinux

  • SysVinit - load initial policy
  • pam - set security context for user sessions, preserve security context on /etc/shadow, check SELinux permissions
  • util-linux - preserve security contexts on /etc/shadow, check SELinux permissions
  • openssh - set security context for user sessions
  • vixie-cron - set security context for cron jobs, check permission
  • at - similar to vixie-cron
  • sudo - set security context
  • shadow-utils - preserve security context on /etc/shadow
  • libuser - preserve security context on /etc/shadow, check permission
  • passwd - preserve security context on /etc/shadow, check permission
  • logrotate - preserve security context on logs
  • coreutils - get and set process and file security contexts
  • findutils - find files with specific security contexts or display them
  • procps - display process contexts
  • psmisc - display process contexts
Clone this wiki locally