author: John Turner <jturner.usa@gmail.com> 2025-08-27 00:31:00 -0400
committer: John Turner <jturner.usa@gmail.com> 2025-08-27 00:31:00 -0400
commit: 02c983dd00bc7d3242c483b223f2d634f1822602 (patch)
tree: 0a6f0e122b0663cb8174ffb94f2cb6660c9aa788
parent: 91f347af531a074328d837a4eac3a23322881b3d (diff)
download: website-02c983dd00bc7d3242c483b223f2d634f1822602.tar.gz
add sections for selinux userland utils
-rw-r--r-- blog/access-control.org | 99
1 files changed, 99 insertions, 0 deletions
diff --git a/blog/access-control.org b/blog/access-control.org
index cd84a34..65b95a2 100644
--- a/blog/access-control.org
+++ b/blog/access-control.org
@@ -189,6 +189,105 @@ Unlike apparmor, Selinux is inode based rather than path based, so hardlinks can
The first part of the label is the *user*, the second is the *role* and the third is the *type*. Mostly we are going to ignore users and roles and focus on types for this.
+*** Commands & Utils
+The Selinux userland comes with many utilites and figuring out what they do and why you would want them is not easy to figure out.
+
+**** sestatus
+~sestatus~ is a simple command that tells you whether SELinux is currently active, and whether it's in permissive or enforcing mode. There isn't much more to it, but it's handy to detect if SELinux is currently active.
+
+**** restorecon
+~restorecon~ applies *filecon* rules to your files. *filecon* is an expression in policy like this:
+
+#+BEGIN_SRC
+ (filecon "/home/john/.*")
+#+END_SRC
+
+These expressions are compiled and the end result is a file called ~file_contexts~, and normally installed into the policy config (e.g ~/etc/selinux/${SELINUXTYPE}~).
+
+The modular policy system also keeps track of *filecon* expressions, so you don't need to change the policy config files everytime you want to update the rules.
+
+Using ~restorecon~:
+#+BEGIN_SRC
+ # recursivly apply file contexts to the entire filesystem
+ restorecon -Rv /
+
+ # restore a single file
+ restorecon -v /home/john/foo.txt
+#+END_SRC
+
+**** setfiles
+~setfiles~ uses the ~file_contexts~ file mentioned before to label mountpoints. The default context for files is inherited from the mountpoint (afaik this is how it works?).
+
+When using ~setfiles~, you probably want to bind mount your root filesystem somewhere, like ~/mnt/gentoo~. Otherwise you may not apply the contexts to the mount points themselves.
+
+Hint: BTRFS subvolumes also count as mount points, and nested subvolumes can be a little confusing
+
+This is how I used setfiles for my system:
+
+#+BEGIN_SRC
+setfiles -v \
+ -r /mnt/gentoo \
+ /etc/selinux/${SELINUXTYPE:-dssp5}/contexts/files/file_contexts \
+ /mnt/gentoo/{,dev,proc,run,sys,tmp,boot,efi,etc,var,home} \
+ /mnt/gentoo/mnt/subvolumes/var/{cache,tmp} \
+ /mnt/gentoo/mnt/subvolumes/home/notroot \
+#+END_SRC
+
+I have the following subvolumes:
+
+#+BEGIN_SRC
+ /mnt/subvolumes/etc
+ /mnt/subvolumes/var
+ /mnt/subvolumes/var.cache
+ /mnt/subvolumes/var.tmp
+ /mnt/subvolumes/home
+ /mnt/subvolumes/home.notroot
+#+END_SRC
+
+Some of the subvolumes end up mounted on top of each other, like ~/mnt/subvolumes/home~ is mounted at ~/home~, and ~/mnt/subvolumes/home.notroot~ is mounted at ~/home/notroot~, so this means the "raw mount point" is actually ~/mnt/gentoo/mnt/subvolumes/home/notroot~ *not* ~/mnt/gentoo/home/notroot~. This is pretty confusing and easy to get wrong.
+
+**** getpathcon and matchpatchon
+~matchpathcon~ reads your ~file_contexts~ and shows you the default label for the paths provided.
+
+#+BEGIN_SRC
+ matchpathcon /home/john
+ matchpathcon '/var/log/.*'
+#+END_SRC
+
+~getpathcon~ just gets the current context for a file.
+
+#+BEGIN_SRC
+ getpathcon /home/john
+#+END_SRC
+
+**** semodule
+SELinux can load policy in two different ways. "monolithic" and "modular". Monolithic loading is mostly designed for embedded systems and can be ignored for now.
+
+~semodule~ is an interface to the "modular" SELinux policy store. You can load modules at runtime, dynamically, and even version control modules.
+
+You can load cil files directly with ~semodule~, each cil file corresponds to a single module. Modules loaded with with ~semodule~ are stored at ~/var/lib/selinux/${SELINUXTYPE}/active/modules/~.
+
+Hint: you can't have two cil files with the same name even if they are in different directories without
+clobbering your modules.
+
+List all currently install modules:
+
+#+BEGIN_SRC
+ semodule -l
+#+END_SRC
+
+Load modules:
+
+#+BEGIN_SRC
+ semodule -i foo.cil bar.cil baz.cil
+#+END_SRC
+
+Remove modules:
+
+#+BEGIN_SRC
+ semodule --remove foo bar baz
+#+END_SRC
+
*** Dssp5
This post is going to assume we are basing our policy [[https://salsa.debian.org/dgrift/dssp5/][dssp5]], a minimal and modular base policy that we create our own types on top of. [[https://salsa.debian.org/dgrift/dssp5/][dssp5]] provides the core types.
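Review bot: the `setfiles` invocation ends with a trailing backslash on its last line (`/mnt/gentoo/mnt/subvolumes/home/notroot \`), so a shell treats it as a line continuation, which means a continuation prompt when pasted interactively or the following line swallowed into the command in a script; drop that backslash. The `filecon` snippet is also not a complete CIL statement: `filecon` takes a path regex, a file type and a context, for example `(filecon "/home/john/.*" any user_home_context)` with `any` covering all file types and `user_home_context` standing in for a context declared elsewhere in the policy (an anonymous `(u r t (low high))` context also works), so as written the line would not compile and does not show the reader the shape of a real rule. Under `getpathcon and matchpatchon`, the heading misspells `matchpathcon`, and I could not find a `getpathcon` utility in libselinux; if `getfilecon` (or `ls -Z`) is meant, use that name, otherwise say where the tool comes from. `matchpathcon` takes literal paths and matches them against the file_contexts regexes, so `matchpathcon '/var/log/.*'` asks about a file literally named `/var/log/.*` rather than listing the rules under `/var/log`; a concrete path such as `/var/log/messages` shows the intended behaviour. The `(afaik this is how it works?)` hedge under setfiles should be settled or removed before this is published, since the section is advising readers on how to label their root filesystem. Minor: `utilites`, `recursivly`, `with with`, `currently install` (installed), and the opening sentence of Commands & Utils says "figuring out" twice.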