SELinux Policy Management and Distribution Prototype

Overview

The SELinux Policy Management and Distribution (PMD) prototype can be broken down into three major components: the server, the agents, and the management console. The PMD server is a daemon which is the central point for management and distribution of the network policy. Each machine in the network whose policy is under control of the PMD server runs an agent, which is also a daemon. The management console is an application executed on an administrator's machine, which connects to the server to perform various policy administration functions. The policy changes in this prototype are not constrained. In the future, policy access control will be integrated for constraining policy changes.

PMD Server

The PMD server is the authoritative source for policy on the network. The current efforts on the prototype have been concentrating on the management portions of PMD. The prototype leverages ssh as a distribution mechanism for policy. In the future the system will be integrated with a management infrastructure, such as FreeIPA, which will handle distribution of policy and other administrative aspects.

The current available functionality of the PMD server consists of:

  • centralized, authoritative policy source
  • hierarchical grouping of managed systems: supports multi-tiered networks
  • intelligent distribution of policy: only systems needing update will be updated
  • audit log aggregation
  • basic policy revision control

PMD Agent

The PMD agent runs on each managed system. Its primary function is to receive policy updates from the PMD server and apply them to the system. In addition, it sends audit logs and other status information back to the PMD server.

The current available functionality of the PMD agent consists of:

  • reception and application of policy updates from the PMD server
  • periodic transmission of audit logs to the PMD server
  • status information sent to the PMD server (enforcing/permissive, Boolean settings)
  • disconnected operation: transient systems such as notebooks are handled; changes are tracked for transmission to the server on reconnect
  • local policy customizations
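The server's "only systems needing update" rule, the group hierarchy, and the handling of disconnected agents can be modelled as follows. This is an added illustrative model, not PMD's own code: the Group/Client structures, per-module revision numbers, and the rule that a child group's module revision overrides its parent's are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Group:
    name: str
    parent: Optional[str] = None          # None for a top-level group
    modules: Dict[str, int] = field(default_factory=dict)  # module name -> revision

@dataclass
class Client:
    name: str
    group: str
    applied: Dict[str, int] = field(default_factory=dict)  # managed modules applied on the system
    reachable: bool = True                # False while disconnected (e.g. a notebook)

def effective_policy(groups: Dict[str, Group], group_name: str) -> Dict[str, int]:
    """Walk up the hierarchy; ancestors are applied first, so a child group's revision wins."""
    chain: List[Group] = []
    g: Optional[str] = group_name
    while g is not None:
        chain.append(groups[g])
        g = groups[g].parent
    policy: Dict[str, int] = {}
    for grp in reversed(chain):           # root first, child last
        policy.update(grp.modules)
    return policy

def clients_needing_update(groups: Dict[str, Group], clients: List[Client]) -> List[str]:
    """Clients whose applied managed modules differ (added, removed, or revised) from their policy."""
    return sorted(c.name for c in clients if c.applied != effective_policy(groups, c.group))

def deliverable_now(groups: Dict[str, Group], clients: List[Client]) -> List[str]:
    """Of those, only the reachable ones; unreachable clients stay queued until they reconnect."""
    need = set(clients_needing_update(groups, clients))
    return sorted(c.name for c in clients if c.name in need and c.reachable)

# Constructed sample network (assumption): a corporate root group with two sub-groups.
GROUPS = {
    "corp": Group("corp", modules={"base": 3}),
    "webservers": Group("webservers", parent="corp", modules={"httpd": 2}),
    "notebooks": Group("notebooks", parent="corp", modules={"base": 4}),
}
CLIENTS = [
    Client("web1", "webservers", {"base": 3, "httpd": 2}),          # up to date
    Client("web2", "webservers", {"base": 3, "httpd": 1}),          # stale httpd module
    Client("nb1", "notebooks", {"base": 3}, reachable=False),       # stale, but disconnected
]

if __name__ == "__main__":
    print("need update:", clients_needing_update(GROUPS, CLIENTS))
    print("deliverable now:", deliverable_now(GROUPS, CLIENTS))
```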

PMD Management Console

The PMD Management Console is the user interface for the PMD infrastructure. It allows administrators to manage the policy, review audit logs, and get system status information. The console has not been a focus of the current effort, and thus is a very basic command-line tool.

The current available functionality of the PMD management console consists of:

  • manage system grouping
  • manage policy (group or system level)
  • basic audit log queries
  • query Boolean and enforcing status

Installation

The tarball is available on the Downloads page. PMD has the following dependencies:

  • python 2.4, or newer
  • libsepol 2.0.11, or newer
  • libselinux 2.0.37, or newer, including python bindings (libselinux-python on Fedora)
  • setools 3.3.2, or newer, including python bindings (setools-libs-python on Fedora)
  • openssh client and server

Installation is handled by the python setup support:

# python setup.py install

This will install the programs and supporting libraries into the appropriate directories. Then ssh keys for the PMD server need to be added to any systems that have PMD agents.

Starting the PMD Server

To run the server, simply execute the server program as root.

# sepmdserver &

Starting the PMD Agents

Before starting the agent, the PMD server's SSH key must be installed on the system. The ssh server must also be started, with ssh key authentication enabled. See the ssh(1) man page for further information on placing the server key and enabling key authentication. Then, to start the agent, run the agent program with the server address specified on the command line. This should be run as root, since the agent applies policy changes.

# sepmdagent HOSTNAME &

Using the Management Console

The management console configuration file must first be updated to specify the address of the PMD server. The /etc/selinux/sepmdmanager.conf file has a single option, and "localhost" should be replaced with the PMD server address. The following sections describe usage for managing the network policy using the console.

Manage groups

  • Add a new group
    # sepmdmanager group add GROUPNAME
    
  • Remove a group (it must be empty)
    # sepmdmanager group remove GROUPNAME
    
  • List all groups
    # sepmdmanager list groups
    
  • Add a system to a specific group
    # sepmdmanager classify SYSTEMNAME GROUPNAME
    
  • List all systems in a group
    # sepmdmanager list clients in GROUPNAME
    

List systems

  • All systems
    # sepmdmanager list clients all
    
  • Systems currently connected to the server
    # sepmdmanager list clients reachable
    
  • Systems in need of an update
    # sepmdmanager list clients update
    

Manage Policy

  • Add one or more modules to a group
    # sepmdmanager add GROUPNAME FILE [FILE...]
    
  • Remove one or more modules from a group
    # sepmdmanager remove GROUPNAME FILE [FILE...]
    

Force updates to specified agents

  • All systems
    # sepmdmanager update all
    
  • A specific group
    # sepmdmanager update group GROUPNAME
    
  • A specific system
    # sepmdmanager update client SYSTEMNAME [SYSTEMNAME...]
    

Display enforcing/permissive status

  • All systems in specific groups
    # sepmdmanager status group GROUPNAME [GROUPNAME...]
    
  • Specific systems
    # sepmdmanager status client SYSTEMNAME [SYSTEMNAME...]
    

Configure Booleans

  • Get the values of booleans for a system
    # sepmdmanager bools client SYSTEMNAME [SYSTEMNAME...]
    
  • Get the values of booleans for all systems in a group
    # sepmdmanager bools group GROUPNAME [GROUPNAME...]
    

Displaying audit log messages

  • All messages for a specific machine
    # sepmdmanager log all client SYSTEMNAME [SYSTEMNAME...]
    
  • All messages for all machines in a group
    # sepmdmanager log all group GROUPNAME