SELinux

From Leo's Notes
Last edited on 18 August 2023, at 22:30.

SELinux (Security Enhanced Linux) is a Linux kernel security module which allows the system to enforce access controls.

Introduction[edit | edit source]

?[edit | edit source]

id -Z

Contains 4 fields.

  1. user
  2. role
  3. type
  4. ?

User and role have little impact on access control policy for Type Enforcement.

Type Enforcement[edit | edit source]

Everything (such as users, files, sockets) has a type. We can define rules governing what types can do what on another type.

For instance, if we have a user with the type user_t and a file with a type bin_t, to allow the user to read or execute the files labeled bin_t, we can create a rule similar to: 

allow user_t bin_t : file {read execute getattr};



Targeted Policy[edit | edit source]

By default, a RHEL install has SELinux set to permissive with the default policy set to targeted. Targeted is a set of policies made by RedHat that 'targets' a set number of existing services (such as apache, bind, etc) while leaving everything else unconfined.



Getting Started[edit | edit source]

Prerequisites[edit | edit source]

Ensure that you have SELinux enabled. To check on SELinux's status, run sestatus 

[root@websix ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted

If your status is disabled, enable SELinux by editing /etc/selinux/config and change the line SELINUX=disabled to SELINUX=permissive. You do not want to set SELINUX to enforcing yet! (because your filesystem might not be labeled, which can cause your system to not boot at all).

You will also want to start the auditd daemon. By default, all SELinux messages go directly to /var/log/messages with the avc tag. With the auditd daemon running, log messages will be parsed and logged to /var/log/audit/audit.log. 

# service auditd start

You may change the auditd daemon configuration by editing the configuration file located at /etc/audit/auditd.conf.

You will also want to install the setroubleshoot and setroubleshoot-plugins package. This package installs the sealert program which makes it easier to understand any SELinux errors by generating readable reports and providing instructions on what to do to fix a particular issue. 

# yum -y install setroubleshoot setroubleshoot-plugins

Poking Around[edit | edit source]

With the prerequisites set, you should begin to see SELinux information logged to both /var/log/messages and /var/log/audit/audit.log. 


root@websix:/var/log/httpd# tail  /var/log/audit/audit.log
type=USER_START msg=audit(1391976302.289:32577): user pid=2735 uid=0 auid=99 ses=31 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="nobody" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1391976302.487:32578): user pid=2735 uid=99 auid=99 ses=31 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="nobody" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1391976302.489:32579): user pid=2735 uid=99 auid=99 ses=31 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="nobody" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

root@websix:/var/log/httpd# tail  /var/log/messages
Feb  9 12:51:32 websix setroubleshoot: SELinux is preventing /usr/sbin/httpd from write access on the directory files. For complete SELinux messages. run sealert -l 632cb11e-5f5e-4968-83a2-7d97168d3e40
Feb  9 12:55:16 websix ntpd[1435]: synchronized to 136.159.5.75, stratum 2
Feb  9 13:03:59 websix setroubleshoot: SELinux is preventing /usr/sbin/httpd from open access on the file .htaccess. For complete SELinux messages. run sealert -l 1e5c1358-4093-4f06-ad85-8c3a88a1a3ec
Feb  9 13:04:03 websix setroubleshoot: SELinux is preventing /usr/sbin/httpd from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l 4520345e-fe81-4b01-8807-47c2239c7a1b
Feb  9 13:06:20 websix ntpd[1435]: synchronized to 136.159.10.81, stratum 2

With setroubleshoot, we can see each individual report from sealert by running the command given.


Relabeling your Filesystem[edit | edit source]

To relabel your entire filesystem, create a .autorelabel file in / and then reboot.

Common Tasks[edit | edit source]

Changing SELinux Mode[edit | edit source]

# setenforce [ Enforcing or 1 | Permissive or 0 ]

You cannot disable SELinux using setenforce. Instead, see [#Disabling SELinux]

Listing security contexts[edit | edit source]

Use the -Z option. This works for a few utilities including:

  • ls
  • netstat
  • ps

Example: 

[root@websix ~]# ls -Z
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log.syslog

Disabling SELinux[edit | edit source]

See: How to disable SELinux

To temporarily disable SELinux: 

## Use the setenforce command
# setenforce 0

## or, on older kernels:
# echo 0 > /selinux/enforce

## or, on newer kernels (the /selinux fs has been moved to /sys/fs/selinux)
# echo 0 > /sys/fs/selinux/enforce

To permanently disable SELinux: 

# sed -i --follow-symlinks 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux
## or manually set SELINUX=disabled 
# vi /etc/selinux/config

Other Settings[edit | edit source]

On file servers, you may want to set: 

# setsebool -P use_nfs_home_dirs 1
# setsebool -P samba_export_all_rw 1

SSH Authorized Keys[edit | edit source]

If your authorized keys file is not being read and key based authentication is failing, make the ~/.ssh directory unconfined: 

# chcon -R unconfined_u:object_r:user_home_t:s0 /localhome/username/.ssh/
Various Linux Notes
Linux Tools and Utilites
Package Management
Linux Distributions
Networking
Containers