Security Enhanced Linux or SELinux is an advanced access control mechanism built into most modern Linux distributions. It was initially developed by the US National Security Agency to protect computer systems from malicious intrusion and tampering. Over time, SELinux was released in the public domain and various distributions have since incorporated it in their code.
Access control mechanisms (ACMs) provide a means for system administrators to control which users and processes can access different files, devices, interfaces, etc., in a computer system. This is a primary consideration when securing a computer system or network of any size. SELinux provides support for three different ACMs.
getenforce - get the current mode of SELinux. Response may be Enforcing, Permissive or Disabled
setenforce - modify the mode SELinux is running in. Runtime only; the change does not survive a reboot
sestatus - used to get the status of a system running SELinux. It displays data about whether SELinux is enabled, disabled, the loaded policy and whether it is in enforcing or permissive mode. It can also be used to display the security context of files and processes listed in the /etc/sestatus.conf file.
ls -Z - list files and directories showing SELinux-specific attributes
semanage - used to configure SELinux policy
semanage fcontext - manage the file context mappings that define the default label of each path
restorecon - used to restore the default SELinux security context of file(s)
SELinux should be installed by default in recent versions of Red Hat and CentOS.
If it is not installed, you can use yum to install the packages (package names are separated by spaces, not commas):
yum install selinux-policy-targeted selinux-policy libselinux libselinux-python libselinux-utils policycoreutils policycoreutils-python setroubleshoot setroubleshoot-server setroubleshoot-plugins
# getenforce
Response may be Enforcing, Permissive or Disabled
to enable (set to enforcing)
> setenforce 1
or
> echo 1 > /selinux/enforce
or, on systems where the file is located at /sys/fs/selinux/enforce:
> echo 1 > /sys/fs/selinux/enforce
to disable (set to permissive)
> echo 0 > /selinux/enforce
or
> echo 0 > /sys/fs/selinux/enforce
> setenforce 0
The sestatus command is used to get the status of a system running SELinux. It displays data about whether SELinux is enabled, disabled, the loaded policy and whether it is in enforcing or permissive mode. It can also be used to display the security context of files and processes listed in the /etc/sestatus.conf file.
> sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted
The sestatus configuration file is /etc/sestatus.conf. With -v, sestatus also prints the contexts of the processes and files listed there:
> sestatus -v
Process contexts:
Current context:                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context:                   system_u:system_r:init_t:s0
/sbin/mingetty                  system_u:system_r:init_t:s0
/usr/sbin/sshd                  system_u:system_r:sshd_t:s0-s0:c0.c1023

File contexts:
Controlling term:               unconfined_u:object_r:user_devpts_t:s0
/etc/passwd                     system_u:object_r:file_t:s0
/etc/shadow                     system_u:object_r:file_t:s0
/bin/bash                       system_u:object_r:file_t:s0
/bin/login                      system_u:object_r:file_t:s0
/bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:file_t:s0
/sbin/agetty                    system_u:object_r:file_t:s0
/sbin/init                      system_u:object_r:init_exec_t:s0
/sbin/mingetty                  system_u:object_r:file_t:s0
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t:s0
The SELinux configuration file is /etc/selinux/config:
> vi /etc/selinux/config
This file determines whether SELinux is enabled at reboot and which mode is applied. Note that setting SELinux to enforcing can lock you out on the next reboot if file labels are wrong. Setting it to permissive is a much better idea if you do not know what you are doing.
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#     targeted - Only targeted network daemons are protected.
#     strict - Full SELinux protection.
SELINUXTYPE=targeted
There are two directives in this file.
The SELINUX directive dictates the SELinux mode and it can have three possible values as we discussed before.
The SELINUXTYPE directive determines the policy that will be used.
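Because a typo in either directive is only noticed after the reboot that applies it, it is worth validating the file before then. The following script is an added example, not part of the original page: it reads a copy of the config file, ignores comments, takes the last assignment of each directive, and rejects values outside the known set. The two sample files are constructed by the script itself in temporary files; the policy names mls and minimum, accepted alongside targeted and strict, are the additional policy packages shipped by current Red Hat releases.

```shell
#!/bin/sh
# Added example: validate an /etc/selinux/config style file offline and report
# the mode and policy type it will apply at the next boot.

# Print the value of directive $2 (SELINUX or SELINUXTYPE) from file $1.
# Comment and blank lines are skipped; the last assignment wins, as it does
# when the file is read at boot. Returns 1 if the directive is absent.
selinux_config_get() {
    awk -v key="$2" -F= '
        /^[[:space:]]*(#|$)/ { next }
        {
            gsub(/[[:space:]]/, "", $1)
            gsub(/[[:space:]]/, "", $2)
            if ($1 == key) val = $2
        }
        END { if (val == "") exit 1; print val }
    ' "$1"
}

# Print "mode=<m> policy=<p>" and return 0 when both directives are valid;
# otherwise print the problem and return 1.
selinux_config_check() {
    cfg_file=$1
    cfg_mode=$(selinux_config_get "$cfg_file" SELINUX) || { echo "SELINUX directive missing"; return 1; }
    cfg_policy=$(selinux_config_get "$cfg_file" SELINUXTYPE) || { echo "SELINUXTYPE directive missing"; return 1; }
    case $cfg_mode in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELINUX value: $cfg_mode"; return 1 ;;
    esac
    case $cfg_policy in
        # targeted and strict are the values documented above; mls and minimum
        # are the extra policy packages current Red Hat releases also ship.
        targeted|strict|mls|minimum) ;;
        *) echo "invalid SELINUXTYPE value: $cfg_policy"; return 1 ;;
    esac
    echo "mode=$cfg_mode policy=$cfg_policy"
}

# Constructed sample config, mirroring the layout of the file shown above.
SAMPLE_CONFIG=$(mktemp)
BAD_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG" "$BAD_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#     targeted - Only targeted network daemons are protected.
#     strict - Full SELinux protection.
SELINUXTYPE=targeted
EOF

# A second constructed file with a misspelled mode: the kind of mistake that
# leaves SELinux in an unexpected state after the next reboot.
printf 'SELINUX=enforcng\nSELINUXTYPE=targeted\n' > "$BAD_CONFIG"

selinux_config_check "$SAMPLE_CONFIG"                                    # mode=permissive policy=targeted
selinux_config_check "$BAD_CONFIG" || echo "(rejected, as it should be)" # invalid SELINUX value: enforcng
```

Run it against a copy of the real file (selinux_config_check /etc/selinux/config) before rebooting; a file that prints mode=enforcing is the case where a relabel check with restorecon -Rvn beforehand pays off.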
Use the -Z switch on many commands that display processes or files to show SELinux attributes.
> ls -Z
drwxr-xr-x. root root system_u:object_r:abrt_etc_t:s0    abrt
drwxr-xr-x. root root system_u:object_r:etc_t:s0         acpi
-rw-r--r--. root root system_u:object_r:adjtime_t:s0     adjtime
-rw-r--r--. root root system_u:object_r:etc_aliases_t:s0 aliases
-rw-r--r--. root root system_u:object_r:etc_aliases_t:s0 aliases.db
> ls index.html -Z
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
semanage is the SELinux Policy Management tool. semanage is used to configure certain elements of SELinux policy without requiring modification or recompilation from policy sources. This includes the mapping from Linux usernames to SELinux user identities as well as security context mappings for various kinds of objects, such as network ports, interfaces, and nodes (hosts) as well as the file context mapping.
semanage syntax:
semanage {login|user|port|interface|fcontext|translation} -l [-n]
semanage login -{a|d|m} [-sr] login_name
semanage user -{a|d|m} [-LrRP] selinux_name
semanage port -{a|d|m} [-tr] [-p protocol] port | port_range
semanage interface -{a|d|m} [-tr] interface_spec
semanage fcontext -{a|d|m} [-frst] file_spec
semanage translation -{a|d|m} [-T] level
positional arguments:
import - Import local customizations
export - Output local customizations
login - Manage login mappings between linux users and SELinux confined users
user - Manage SELinux confined users (Roles and levels for an SELinux user)
port - Manage network port type definitions
interface - Manage network interface type definitions
module - Manage SELinux policy modules
node - Manage network node type definitions
fcontext - Manage file context mapping definitions
boolean - Manage booleans to selectively enable functionality
permissive - Manage process type enforcement mode
dontaudit - Disable/Enable dontaudit rules in policy
The restorecon command is primarily used to reset the security context (type), stored in extended attributes, on one or more files. It can be run at any time to correct errors, to add support for new policy, or, with the -n option, it can just check whether the file contexts are all as you expect. If a file object does not have a context, restorecon will write the default context to the file object's extended attributes. If a file object has a context, restorecon will only modify the type portion of the security context. The -F option will force a replacement of the entire context.
To list the file context mappings that restorecon applies:
semanage fcontext -l
Here is a typical use case: a new index.html page does not display in our browser.
1. To set up this example, first tag our index.html page with the wrong type:
semanage fcontext -a -t lib_t "/var/www/html/index.html"
restorecon -v "/var/www/html/index.html"
2. Check the type:
# ls -Z /var/www/html
-rw-r--r--. apache apache unconfined_u:object_r:default_t:s0 index.html
3. Discover that index.html has type default_t. It should have type httpd_sys_content_t.
Check audit.log to identify what failed (AVC denial records carry the source and target contexts):
grep avc /var/log/audit/audit.log
4. Change the type with the semanage command. Make sure to specify the full path, otherwise it will not work.
semanage fcontext -a -t httpd_sys_content_t "/var/www/html/index.html"
5. Apply the changes using restorecon:
restorecon -v "/var/www/html/index.html"
These can be combined into a single statement:
semanage fcontext -a -t httpd_sys_content_t "/var/www/html/index.html" && restorecon -v "/var/www/html/index.html"
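Step 3 above (reading the AVC records to see which file was denied and what label it carried) is the part that scales badly by eye on a busy host. The script below is an added example, not part of the original page: it extracts each denial's command, requested permissions, source type, target path and target type from an audit log, then flags targets whose observed type differs from the type their directory should carry, which is exactly the case restorecon fixes. The three audit lines are constructed for this example, and the expected-type map is an illustrative stand-in for what matchpathcon or semanage fcontext -l reports on a real system.

```shell
#!/bin/sh
# Added example: triage AVC denials from an audit log and report mislabeled files.

# Constructed sample audit log: one unrelated SYSCALL record and two AVC denials
# from httpd, one against a file carrying the wrong type (default_t) and one
# against a correctly labeled file (a denial that relabeling would not fix).
AUDIT_LOG=$(mktemp)
trap 'rm -f "$AUDIT_LOG"' EXIT
cat > "$AUDIT_LOG" <<'EOF'
type=SYSCALL msg=audit(1404000000.120:44): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1404000000.123:45): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1404000000.456:46): avc:  denied  { read open } for  pid=1234 comm="httpd" path="/var/www/html/app/config.php" dev="dm-0" ino=12399 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
EOF

# One summary line per denial: comm, permissions, source type, target path, target type.
# A context is user:role:type:level, so the type is the third colon-separated field.
avc_summary() {
    grep 'avc:.*denied' "$1" | awk '
    {
        comm = path = sctx = tctx = perms = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)          { comm = substr($i, 6); gsub(/"/, "", comm) }
            else if ($i ~ /^path=/)     { path = substr($i, 6); gsub(/"/, "", path) }
            else if ($i ~ /^scontext=/) sctx = substr($i, 10)
            else if ($i ~ /^tcontext=/) tctx = substr($i, 10)
            else if ($i == "{") {            # collect every permission up to "}"
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perms = (perms == "" ? $j : perms "," $j)
            }
        }
        split(sctx, s, ":"); split(tctx, t, ":")
        print comm, perms, s[3], path, t[3]
    }'
}

# Illustrative expectation map (an assumption of this example; on a real host
# query matchpathcon or semanage fcontext -l rather than hard-coding types).
expected_type() {
    case $1 in
        /var/www/html/*) echo httpd_sys_content_t ;;
        *)               echo unknown ;;
    esac
}

# Print "path observed expected" for every denied file whose label does not
# match the expectation; these are the candidates for restorecon.
mislabeled_targets() {
    avc_summary "$1" | while read -r comm perms stype path ttype; do
        [ -n "$path" ] || continue
        want=$(expected_type "$path")
        [ "$want" = unknown ] && continue
        [ "$ttype" = "$want" ] || echo "$path $ttype $want"
    done
}

avc_summary "$AUDIT_LOG"
mislabeled_targets "$AUDIT_LOG"
# -> /var/www/html/index.html default_t httpd_sys_content_t
# Each reported path is a candidate for: restorecon -v <path>
# (or restorecon -Rvn on the directory to preview the relabel without applying it).
```

The second denial in the sample is deliberately against a correctly labeled file: it is not reported, because relabeling would not change anything there and the cause has to be found elsewhere (a boolean, or a policy module, as the semanage subcommands above suggest).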
List all booleans with their current state and default state:
semanage boolean -l
getsebool -a
To restore just the index.html file, we would use:
# restorecon -v /var/www/html/index.html
or to recursively restore the default security contexts for the whole directory:
# restorecon -Rv /var/www/html
Additionally, if we simply wanted to examine the security contexts of the /var/www/html directory to see if any files needed their security contexts restored, we can use restorecon with the -n switch to prevent any relabelling occurring:
# restorecon -Rv -n /var/www/html
setroubleshoot provides tools to help diagnose SELinux problems.
yum install setroubleshoot setools
Then ask for a report:
sealert -a /var/log/audit/audit.log