$ getenforce
Enforcing
$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
$ ls -l /etc/sysconfig/selinux
lrwxrwxrwx. 1 root root 17 May 12 18:52 /etc/sysconfig/selinux -> ../selinux/config
$ cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
SELinux is a labeling system
- Every file has a label
- Every process has a label
- Policy enforces rules between these labels
SELinux leverages Mandatory Access Controls (MAC) in addition to the Linux Discretionary Access Controls (DAC). File permissions fall under discretionary controls.
What we will look at today
- Type Enforcement (TE): Type Enforcement is the primary mechanism of access control used in the targeted policy
Left as an exercise for the student
- Role-Based Access Control (RBAC): Based around SELinux users (not necessarily the same as the Linux user), but not used in the default configuration of the targeted policy
- Multi-Level Security (MLS): Not commonly used and often hidden in the default targeted policy.
- Multi-Category Security (MCS): An extension of Multi-Level Security, used in the targeted policy to implement compartmentalization of virtual machines and containers through
SELinux context format: user:role:type:level
$ ls -Z file1
-rwxrw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
Commands with SELinux Context Support (Capital Z flag)
ls -laZ
ps auxfZ
netstat -anZ
semanage port -l
mv -Z
journalctl
/var/log/audit/audit.log
/var/log/messages
When SELinux denies something, it is one of 4 things
- You have something wrong with your labels
- You changed the system defaults but did not tell SELinux about it
- An application or the SELinux policy has a bug that has not been fixed yet
- You could be COMPROMISED!!!
Things to look for
- Wrong Subject Context
- Wrong Object Context
- Correct Subject & Object contexts, but no access
- Intrusion attempt
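An added triage helper for the log sources and the checklist above (example code, not from the talk): it reads audit records, and for every AVC denial prints whether it was enforced or only logged in permissive mode, plus the subject type, object type, class and permission, which is what separates a wrong subject context from a wrong object context. The sample records are constructed for the demo; the function names avc_summary and avc_group are my own.

```shell
#!/bin/sh
# Constructed sample audit records (not captured from a real host). The kernel
# appends permissive=1 when a denial was only logged, permissive=0 when it was enforced.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1700000000.456:457): arch=c000003e syscall=42 success=no exit=-13'

# avc_summary: read audit records on stdin and print one line per AVC denial:
#   <enforced|permissive> <subject type> <object type> <class> <permission(s)>
# The subject type is the third field of scontext, the object type the third
# field of tcontext (user:role:type:level). Real data: ausearch -m avc -ts recent | avc_summary
avc_summary() {
    awk '
    /^type=AVC/ && / denied / {
        perm = ""; st = ""; tt = ""; cls = ""; mode = "enforced"
        # the permission list sits between the braces: { read } or { read open }
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], c, ":"); st = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); tt = c[3] }
            if (kv[1] == "tclass") cls = kv[2]
            if (kv[1] == "permissive" && kv[2] == "1") mode = "permissive"
        }
        print mode, st, tt, cls, perm
    }'
}

# avc_group: count repeated (subject, object, class) triples; the noisiest one
# is usually the mislabelled file or the missing boolean/port rule.
avc_group() {
    avc_summary | cut -d' ' -f2-4 | sort | uniq -c | sort -rn
}

# Stand-alone demo over the constructed records
printf '%s\n' "$SAMPLE_AVC" | avc_summary
printf '%s\n' "$SAMPLE_AVC" | avc_group
```

A line whose object type is something like user_home_t under httpd_t points at the "wrong object context" case; a permissive line shows what would have been blocked had you been enforcing.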
yum install selinux-policy \
policycoreutils-python \
setroubleshoot-server
# Man pages
yum install selinux-policy-doc && mandb
man -k selinux
In permissive mode, SELinux policy is not enforced, but denials are still logged for actions that would have been denied if running in enforcing mode.
$ getenforce
Enforcing
# Change mode to permissive
$ setenforce 0
$ getenforce
Permissive
$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
# Set mode back to enforcing
$ setenforce 1
$ semanage permissive -l
# Make httpd domain permissive
$ semanage permissive -a httpd_t
$ semanage permissive -l
Customized Permissive Types
httpd_t
Builtin Permissive Types
# Set httpd domain back to enforcing
$ semanage permissive -d httpd_t
Temporary
# Temporarily change the file, only recommended for testing
$ chcon -t httpd_sys_content_t '/usr/share/nginx/new_site(/.*)?'
Permanent
# Permanently set this
# Set the labels on a different html directory
$ semanage fcontext -a -t httpd_sys_content_t '/usr/share/nginx/new_site(/.*)?'
# Can create an equivalency rule for this new directory, as well as any
# rules that would be more specific within that directory
# This is very useful for things like home directories which vary greatly
$ semanage fcontext -a -e /usr/share/nginx/html /usr/share/nginx/new_site
# View these new rules
$ semanage fcontext -l | grep new_site
/usr/share/nginx/new_site(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
/usr/share/nginx/new_site = /usr/share/nginx/html
# Relabel files based on these rules
restorecon -vR /Users
Important: mv preserves labels, unless you run mv -Z
# List the booleans, their current and default settings
$ semanage boolean -l
# View the httpd_selinux man page
# Requires the installation of selinux-policy-doc and regeneration of the mandb
$ man httpd_selinux
# Set the boolean until the next boot
$ setsebool httpd_can_connect_ldap on
# Permanently across reboots
$ setsebool -P httpd_can_connect_ldap on
# Allow the httpd domain to listen on an additional port
$ semanage port -a -t http_port_t -p tcp 8080
Not covered in depth here, but is implemented in a policy through process transition rules.
e.g. a process labeled us_t executes a file labeled them_exec_t; the kernel runs the new process as them_t.
Illustrated well by running ps auxfZ
Let journalctl take you by the hand. It contains extremely helpful output and suggested commands.
Generally try to avoid creating a policy, but if needed, these tools are available
- sealert: Shows detailed information about the alert; suggests one or more solutions, along with the confidence it has in that solution
- ausearch: Searches the audit daemon logs
- audit2allow: Creates rules from audit logs
- audit2why or audit2allow -w: Describes why access was denied
Always inspect the policy created by audit2allow. Usually SELinux guesses correctly, but not always
Tech Talks