SELinux

Security Enhanced Linux or SELinux is an advanced access control mechanism built into most modern Linux distributions. It was initially developed by the US National Security Agency to protect computer systems from malicious intrusion and tampering. Over time, SELinux was released in the public domain and various distributions have since incorporated it in their code.

Access Control Mechanisms (ACMs)

ACMs provide a means for system administrators to control which users and processes can access different files, devices, interfaces, etc., in a computer system. This is a primary consideration when securing a computer system or network of any size. SELinux provides support for three different ACMs:

  • Discretionary Access Control (DAC) - access is generally at the discretion of the owner of the object (file, directory, device, etc.).
  • Access Control Lists (ACLs) - extend DAC with per-user and per-group permission entries on an object.
  • Mandatory Access Control (MAC) - restricts the level of control that users (subjects) have over the objects that they create. MAC adds labels, or categories, to all file system objects. Users and processes must have the appropriate access to these categories before they can interact with these objects.

Some SELinux Commands

getenforce - get the current mode of SELinux. Response may be Enforcing, Permissive, Disabled

setenforce - modify the mode SELinux is running in. Runtime only

sestatus - used to get the status of a system running SELinux. It displays data about whether SELinux is enabled, disabled, the loaded policy and whether it is in enforcing or permissive mode. It can also be used to display the security context of files and processes listed in the /etc/sestatus.conf file.

ls -Z - list files and directories showing SELinux specific attributes

semanage - used to configure SELinux Policy.

semanage fcontext - manage file context mapping definitions (which type a path should carry).

restorecon - used to restore file(s) default SELinux security contexts.



Rule 1: Don't lock yourself out

SELinux is a serious security tool and it is easy to lock yourself out of your system with it, especially across a reboot, so don't lock yourself out. If you do find yourself locked out, reboot from the console and turn off SELinux at the grub screen (adding enforcing=0 to the kernel command line boots into permissive mode so you can repair the labels or the config).

To install SELinux

SELinux should be installed by default in recent versions of Red Hat and CentOS.

If not installed, you can use yum to install packages

yum install selinux-policy-targeted selinux-policy libselinux libselinux-python libselinux-utils policycoreutils policycoreutils-python setroubleshoot setroubleshoot-server setroubleshoot-plugins

To Determine if SELinux is running

# getenforce 
Response may be
  • Enforcing - the SELinux policy is in effect and controlling permissions
  • Permissive - SELinux is running and logging but not controlling permissions
  • Disabled - SELinux is turned off. You probably don't want to do this because it will make it harder to move to enforcing later

Two ways to enable/disable SELinux temporarily

to enable (set to enforcing)

> setenforce 1

or

> echo 1 > /selinux/enforce

# file may be located at /sys/fs/selinux/enforce
> echo 1 > /sys/fs/selinux/enforce

to disable (set to permissive)

> echo 0 > /selinux/enforce

or

> echo 0 > /sys/fs/selinux/enforce
> setenforce 0


sestatus - Check SELinux status

The sestatus command is used to get the status of a system running SELinux. It displays data about whether SELinux is enabled, disabled, the loaded policy and whether it is in enforcing or permissive mode. It can also be used to display the security context of files and processes listed in the /etc/sestatus.conf file.

> sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted

sestatus - Check SELinux status - verbose - Report process and file contexts

sestatus configuration file is located in /etc/sestatus.conf

> sestatus -v
Process contexts:
Current context:                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context:                   system_u:system_r:init_t:s0
/sbin/mingetty                  system_u:system_r:init_t:s0
/usr/sbin/sshd                  system_u:system_r:sshd_t:s0-s0:c0.c1023

File contexts:
Controlling term:               unconfined_u:object_r:user_devpts_t:s0
/etc/passwd                     system_u:object_r:file_t:s0
/etc/shadow                     system_u:object_r:file_t:s0
/bin/bash                       system_u:object_r:file_t:s0
/bin/login                      system_u:object_r:file_t:s0
/bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:file_t:s0
/sbin/agetty                    system_u:object_r:file_t:s0
/sbin/init                      system_u:object_r:init_exec_t:s0
/sbin/mingetty                  system_u:object_r:file_t:s0
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t:s0

The SELinux configuration file

Selinux configuration file is located in:

> vi /etc/selinux/config

This file is used to determine if SELinux is enabled at reboot and what mode is enforced. Note that setting SELinux to enforcing can cause you to lock yourself out on the next reboot. Setting it to permissive is a much better idea if you do not know what you are doing.

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted


There are two directives in this file.

The SELINUX directive dictates the SELinux mode and it can have three possible values as we discussed before.

  • enforcing - the SELinux policy is in effect and controlling permissions
  • permissive - SELinux is running and logging but not controlling permissions
  • disabled - SELinux is turned off. You probably don't want to do this because it will make it harder to move to enforcing later

The SELINUXTYPE directive determines the policy that will be used.

  • targeted - allows you to customize and fine tune access control permissions.
  • strict - Full SELinux protection.
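The two directives above are all that decide what SELinux does on the next boot, so it is worth checking them before rebooting rather than after. The functions below are an added example for these notes, not code from the page or from the SELinux project: they parse the text of an /etc/selinux/config-style file (a constructed sample is embedded, nothing is read from a live host), reject an unknown SELINUX value, and report the consequence of each valid mode in the terms used above.

```shell
# Constructed sample of an /etc/selinux/config file (not read from a live host)
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=permissive
# SELINUXTYPE= type of policy in use.
SELINUXTYPE=targeted'

# Print the value of KEY from a config text. Comment lines are skipped and
# whitespace around the directive is dropped. Usage: config_value TEXT KEY
config_value() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
        $1 == key { print $2; exit }'
}

# Report what the config will do at the next boot. Prints one line starting
# with ok:, warn: or error:. Exit status is 0 for ok/warn and 2 for error.
check_selinux_config() {
    mode=$(config_value "$1" SELINUX)
    ptype=$(config_value "$1" SELINUXTYPE)
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) printf 'error: SELINUX=%s is not one of enforcing, permissive, disabled\n' "$mode"
           return 2 ;;
    esac
    if [ -z "$ptype" ]; then
        printf 'error: SELINUXTYPE is not set\n'
        return 2
    fi
    case "$mode" in
        enforcing)
            printf 'ok: SELINUX=enforcing with the %s policy; denials will be blocked after reboot\n' "$ptype" ;;
        permissive)
            printf 'warn: SELINUX=permissive; denials are only logged, review the audit log before switching to enforcing\n' ;;
        disabled)
            printf 'warn: SELINUX=disabled; files created in this state get no labels, so moving to enforcing later needs a full relabel\n' ;;
    esac
    return 0
}

# Stand-alone run against the constructed sample
check_selinux_config "$SAMPLE_CONFIG"
```

Pointing config_value at the real file is a matter of `check_selinux_config "$(cat /etc/selinux/config)"`; the exit status makes it usable from a pre-reboot health check. Note that the check reads only the file: the running mode is still what getenforce reports.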


List files with SELinux attributes

Use the -Z switch on many commands that display processes or files to show SELinux attributes.

> ls -Z
drwxr-xr-x. root root   system_u:object_r:abrt_etc_t:s0  abrt
drwxr-xr-x. root root   system_u:object_r:etc_t:s0       acpi
-rw-r--r--. root root   system_u:object_r:adjtime_t:s0   adjtime
-rw-r--r--. root root   system_u:object_r:etc_aliases_t:s0 aliases
-rw-r--r--. root root   system_u:object_r:etc_aliases_t:s0 aliases.db
> ls index.html -Z
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html

SELinux Operations

semanage and restorecon to change context types

semanage is the SELinux Policy Management tool. semanage is used to configure certain elements of SELinux policy without requiring modification or recompilation from policy sources. This includes the mapping from Linux usernames to SELinux user identities as well as security context mappings for various kinds of objects, such as network ports, interfaces, and nodes (hosts) as well as the file context mapping.

semanage syntax:

semanage {login|user|port|interface|fcontext|translation} -l [-n]
semanage login -{a|d|m} [-sr] login_name
semanage user -{a|d|m} [-LrRP] selinux_name
semanage port -{a|d|m} [-tr] [-p protocol] port | port_range
semanage interface -{a|d|m} [-tr] interface_spec
semanage fcontext -{a|d|m} [-frst] file_spec
semanage translation -{a|d|m} [-T] level

positional arguments:

import - Import local customizations

export - Output local customizations

login - Manage login mappings between linux users and SELinux confined users

user - Manage SELinux confined users (Roles and levels for an SELinux user)

port - Manage network port type definitions

interface - Manage network interface type definitions

module - Manage SELinux policy modules

node - Manage network node type definitions

fcontext - Manage file context mapping definitions

boolean - Manage booleans to selectively enable functionality

permissive - Manage process type enforcement mode

dontaudit - Enable or disable the dontaudit rules in the policy (disabling them makes otherwise silent denials visible in the audit log)

restorecon command

The restorecon command is primarily used to reset the security context (type) (extended attributes) on one or more files. It can be run at any time to correct errors, to add support for new policy, or with the -n option it can just check whether the file contexts are all as you expect. If a file object does not have a context, restorecon will write the default context to the file object's extended attributes. If a file object has a context, restorecon will only modify the type portion of the security context. The -F option will force a replacement of the entire context.



List all

semanage fcontext -l


Typical use case

Here is a typical use case: a new index.html page does not display in our browser.

1. Set up the example

First let's tag our index.html page with the wrong type (default_t, so that the listing below matches):

semanage fcontext -a -t default_t "/var/www/html/index.html"
restorecon -v "/var/www/html/index.html"

2. Check the type:

# ls -Z /var/www/html
  -rw-r--r--.  apache apache  unconfined_u:object_r:default_t:s0 index.html

3. Discover that index.html has type default_t. It should have type httpd_sys_content_t.

Check audit.log to identify what failed:

grep avc /var/log/audit/audit.log

or, with the audit tools installed:

ausearch -m avc

4. Change the type with the semanage command. Make sure to specify the full path, otherwise it will not work. (Because step 1 already created a local record for this path, semanage will report that the context is already defined; use -m instead of -a to modify the existing record in that case.)

semanage fcontext -a -t httpd_sys_content_t "/var/www/html/index.html"

5. Apply the changes using restorecon

restorecon -v "/var/www/html/index.html"

These can be combined into a single statement

semanage fcontext -a -t httpd_sys_content_t "/var/www/html/index.html"  &&  restorecon -v "/var/www/html/index.html"
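Step 3 above leaves you reading raw AVC records, and on a busy host there are many of them. As an added example for these notes (not code from the page or from the SELinux project), the shell functions below reduce each denial to the fields that decide the fix: the process, the source and target types, the object class, the requested permissions, whether the denial was blocked or only logged (permissive=1), and the object name. The audit lines are constructed for this example; the first one is the mislabelled index.html case from the walkthrough, the second is the matching SYSCALL record that carries no context and is skipped, and the third is a denial recorded while permissive.

```shell
# Constructed sample of /var/log/audit/audit.log lines (not taken from a real host)
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1349 comm="httpd" name="index.html" dev="dm-0" ino=131077 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700000000.202:202): avc:  denied  { name_bind } for  pid=1349 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1'

# Read audit records on stdin and print one line per AVC denial:
#   comm source_type target_type tclass {permissions} blocked|logged name
# Only the type field of each context is kept, because that is the part
# that semanage fcontext and restorecon change.
avc_summary() {
    awk '
    /^type=AVC / && / denied / {
        perm = ""; comm = "-"; name = "-"; st = "-"; tt = "-"; tc = "-"; pm = ""
        # the requested permissions sit between braces: { read } or { read open }
        if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            f = $i
            if (f ~ /^comm="/)           { comm = f; gsub(/^comm="|"$/, "", comm) }
            else if (f ~ /^name="/)      { name = f; gsub(/^name="|"$/, "", name) }
            else if (f ~ /^scontext=/)   { split(substr(f, 10), c, ":"); st = c[3] }
            else if (f ~ /^tcontext=/)   { split(substr(f, 10), c, ":"); tt = c[3] }
            else if (f ~ /^tclass=/)     { tc = substr(f, 8) }
            else if (f ~ /^permissive=/) { pm = substr(f, 12) }
        }
        printf "%s %s %s %s {%s} %s %s\n", comm, st, tt, tc, perm,
               (pm == "1" ? "logged" : "blocked"), name
    }'
}

# Group denials by (source_type, target_type, tclass) and count them, most
# frequent first; the top pair is usually the label that needs fixing.
avc_pairs() {
    avc_summary | awk '{ print $2, $3, $4 }' | sort | uniq -c | sort -rn
}

# Stand-alone run against the constructed sample
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
```

On a real host the input is `avc_summary < /var/log/audit/audit.log` (or the output of `ausearch -m avc`). A line such as `httpd httpd_t default_t file {read} blocked index.html` says directly that a web content file carries default_t, which is exactly the case the semanage/restorecon pair above repairs; sealert, covered later, produces the same diagnosis with suggested commands attached.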


Booleans

Booleans allow parts of the SELinux policy to be changed at runtime without any knowledge of SELinux policy code. This allows changes such as allowing services to access NFS volumes without reloading or recompiling the SELinux policy.

List all booleans with their current state and default state

semanage boolean -l
getsebool -a

Quick fix - restorecon

The 'restorecon' command may be used to restore file(s) default SELinux security contexts.

To restore just the index.html file, we would use:

# restorecon -v /var/www/html/index.html 

or to recursively restore the default security contexts for the whole directory:

# restorecon -Rv /var/www/html 

Additionally, if we simply wanted to examine the security contexts of the /var/www/html directory to see if any files needed their security contexts restored, we can use restorecon with the -n switch to prevent any relabelling occurring:

# restorecon -Rv -n /var/www/html 
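The -n run above tells you what restorecon would relabel, but it is easy to miss a stray type in a long listing. As an added example for these notes (not code from the page or from the SELinux project), the functions below do the same comparison over `ls -Z` output, in the same layout shown earlier (mode owner group context name): every entry whose type differs from the one the directory is supposed to carry is reported. The listing is constructed for this example, and the expected type is supplied by the caller, which is a simplification: restorecon consults the policy's file context database, so `restorecon -Rvn` stays the authoritative check.

```shell
# Constructed `ls -Z` listing of a web root (not taken from a real host)
SAMPLE_LISTING='-rw-r--r--. apache apache unconfined_u:object_r:default_t:s0 index.html
-rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 about.html
-rw-r--r--. root   root   system_u:object_r:lib_t:s0 upload.php
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_content_t:s0 images'

# Print the type field of a context string: user:role:type:level -> type
context_type() {
    printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

# Read ls -Z lines on stdin and print every entry whose type differs from
# the expected type, one per line as "name: actual (expected EXPECTED)".
# Usage: label_drift EXPECTED_TYPE < listing
label_drift() {
    awk -v want="$1" '
    {
        ctx = ""
        # the context is the field with at least three colon-separated parts
        for (i = 1; i <= NF; i++) if (split($i, c, ":") >= 3) { ctx = $i; break }
        if (ctx == "") next
        split(ctx, c, ":")
        if (c[3] != want) printf "%s: %s (expected %s)\n", $NF, c[3], want
    }'
}

# Stand-alone run: which entries in the constructed listing carry the wrong type?
printf '%s\n' "$SAMPLE_LISTING" | label_drift httpd_sys_content_t
```

Against a live directory the call is `ls -Z /var/www/html | label_drift httpd_sys_content_t`; each reported name is a candidate for the `restorecon -v` step, or for a `semanage fcontext` record if the path has no correct default in the policy.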

SELinux troubleshooting module

setroubleshoot provides tools to help diagnose SELinux problems.

yum install setroubleshoot setools

Then ask for report

sealert -a /var/log/audit/audit.log