
SELinux

Updated: Dec 7, 2020

What is SELinux:

SELinux (Security-Enhanced Linux) is a mandatory access control (MAC) mechanism built into the Linux kernel. It adds a second layer of checks on top of the ordinary file permissions (DAC): even when a process runs as a user who owns a file, the SELinux policy still decides whether that process may touch it. This lets administrators control what each process can reach, not just what each user can.

Terminology:

Subject: the process (or application) requesting access.

Object: the thing being accessed: a file, directory, socket, port and so on.

Security context (label): attached to every subject and object, in the form user:role:type:level, for example system_u:system_r:httpd_t:s0 for the web server process. Under the targeted policy it is the type field (httpd_t, default_t, httpd_sys_content_t) that the rules match on.


Working of SELinux:

SELinux defines access controls for the processes, files and other objects on a system. The decisions come from the loaded security policy, a set of rules stating which subject types may perform which operations (read, write, open and so on) on which object types; anything the policy does not explicitly allow is denied.



When a subject (a process) requests access to an object, such as a file, the kernel first consults the access vector cache (AVC), where recent decisions for subject and object pairs are cached.


If the AVC has no entry for that pair, the request goes to the security server inside the kernel.


The security server looks up the security contexts of the process and of the file and evaluates the policy rules for those contexts. Permission is then granted or denied, the result is cached in the AVC, and a denial is recorded in the audit log (/var/log/audit/audit.log) as a type=AVC record.


Configuring SELinux:

The persistent configuration lives in /etc/selinux/config (on RHEL and CentOS, /etc/sysconfig/selinux is a symlink to it). It sets the mode and the policy type that are applied at boot; it does not show what the kernel is doing right now, which is what getenforce and sestatus below are for.

Here is that file from a host configured for enforcing mode with the targeted policy:

[root@ip-***-**-**-**~]# cat /etc/sysconfig/selinux
 
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected. 
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
 
 
[root@ip-***-**-**-**~]# 

To see the mode SELinux is running in right now, use getenforce or sestatus. getenforce prints a single word, Enforcing, Permissive or Disabled; sestatus also reports the loaded policy and whether the current mode matches the config file:

[root@ip-***-**-**-**~]# sestatus
SELinux status: enabled
SELinuxfs mount:  /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31
[root@ip-***-**-**-**~]#
[root@ip-***-**-**-**~]# getenforce
Enforcing
[root@ip-***-**-**-**~]# 

SELinux modes :

Enforcing: the policy is enforced. Access not allowed by the policy is denied, and the denial is logged.

Permissive: the policy is not enforced. Nothing is denied, but every access that would have been denied in enforcing mode is logged; this is the mode to use when debugging a policy problem.

Disabled: SELinux is off and only DAC (ordinary Unix permissions) applies. Files created in this state get no labels, so switching back on later requires a full relabel.


Adding a rule to SELinux:

The SELINUXTYPE= line in the config file selects which policy is loaded; the policy describes the access permitted to every user, process, file and device on the system. The config file lists three values, of which two are met in practice:

Targeted: the default. Only the daemons the policy targets (httpd, sshd and the like) run in confined domains such as httpd_t; everything else, including logged-in users, runs unconfined.

MLS: Multi-Level Security, which additionally enforces sensitivity levels and categories (the s0 and c0.c1023 parts of a context). It is used on systems that need labelled data separation and is rarely seen elsewhere.

Use setenforce to switch between enforcing and permissive mode. Changes made with setenforce last only until the next reboot; to persist a mode, edit SELINUX= in the config file. setenforce cannot turn SELinux off: going to or from disabled also requires the config file and a reboot (and a relabel of any files created while it was off). As root, setenforce 1 selects enforcing and setenforce 0 selects permissive; getenforce shows the current mode:

[root@ip-***-**-**-*** ~]# getenforce
Enforcing
[root@ip-***-**-**-*** ~]# setenforce 0
[root@ip-***-**-**-*** ~]# getenforce
Permissive
[root@ip-***-**-**-*** ~]# 
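As an added example, not part of the original post: a small script that reads the config file the way the post describes and compares the configured mode with the running one, so a forgotten setenforce 0 shows up. The path /etc/selinux/config and the getenforce command are real; CONFIG_TEXT is a constructed sample and the function names are my own.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): parse the SELinux config file
# and compare the mode it configures with the mode the kernel is running in,
# catching a "setenforce 0" that was never reverted. CONFIG_TEXT is a
# constructed copy of such a file; the function names are this example's own.

# Print the value of KEY from config text on stdin, ignoring comment lines
# and surrounding whitespace. If the key appears twice, the last one wins.
selinux_config_value() {
    awk -v key="$1" '
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            if (line ~ /^#/) next                       # comment line
            if (index(line, key "=") != 1) next         # not our key
            val = substr(line, length(key) + 2)
            sub(/[[:space:]]+$/, "", val)
            result = val
        }
        END { if (result != "") print result }'
}

# getenforce prints "Enforcing"/"Permissive"/"Disabled"; the config file
# uses lowercase, so normalise before comparing.
normalize_mode() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]'
}

# Returns 0 when the configured mode matches the running mode, 1 on drift.
check_mode_drift() {
    configured=$1
    running=$(normalize_mode "$2")
    if [ "$configured" = "$running" ]; then
        echo "ok: configured=$configured running=$running"
        return 0
    fi
    echo "DRIFT: config says $configured but the kernel is $running"
    return 1
}

# Constructed sample, modelled on the file shown earlier in the post.
CONFIG_TEXT='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
SELINUXTYPE=targeted
'

main() {
    cfg=/etc/selinux/config
    if [ -r "$cfg" ] && command -v getenforce >/dev/null 2>&1; then
        check_mode_drift "$(selinux_config_value SELINUX < "$cfg")" "$(getenforce)"
    else
        echo "(no SELinux host here; checking the constructed sample against a"
        echo " pretend getenforce output of Permissive)"
        check_mode_drift "$(printf '%s' "$CONFIG_TEXT" | selinux_config_value SELINUX)" Permissive
    fi
}
main "$@" || true   # as a demo, drift is reported rather than fatal
```

Run it from cron or a config-management check and act on a non-zero return from check_mode_drift; the sestatus lines "Current mode" and "Mode from config file" show the same comparison by hand.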

In the following example I label a custom web root, /web, so that httpd is allowed to read its contents:


Prerequisites :

Find out which package provides the sepolicy tool and install it (on CentOS/RHEL it is policycoreutils-devel). The semanage command used further down comes from policycoreutils-python on 7 (policycoreutils-python-utils on 8) and may need installing as well.

[root@ip-***-**-**-*** www]# yum whatprovides '*/sepolicy'
[root@ip-***-**-**-*** www]# yum -y install policycoreutils-devel

sepolicy --help lists its subcommands. sepolicy manpage -a generates a man page for every confined domain in the loaded policy (-p says where to write them, here straight into the man8 directory); each page documents the file types, ports and booleans that domain understands:

[root@ip-***-**-**-*** www]# sepolicy --help
[root@ip-***-**-**-*** www]# cd /usr/share/man
[root@ip-***-**-**-*** man]# sepolicy manpage -a -p /usr/share/man/man8

The command prints the pages it generated (the list is truncated here):

[root@ip-***-**-**-*** ~]# sepolicy manpage -a -p   /usr/share/man/man8
/usr/share/man/man8/NetworkManager_selinux.8
/usr/share/man/man8/NetworkManager_ssh_selinux.8
/usr/share/man/man8/abrt_selinux.8
/usr/share/man/man8/abrt_dump_oops_selinux.8
/usr/share/man/man8/abrt_handle_event_selinux.8
/usr/share/man/man8/abrt_helper_selinux.8
/usr/share/man/man8/abrt_retrace_coredump_selinux.8
/usr/share/man/man8/abrt_retrace_worker_selinux.8
/usr/share/man/man8/abrt_upload_watch_selinux.8
/usr/share/man/man8/abrt_watch_log_selinux.8
/usr/share/man/man8/accountsd_selinux.8
/usr/share/man/man8/acct_selinux.8
/usr/share/man/man8/admin_crontab_selinux.8
/usr/share/man/man8/afs_selinux.8
/usr/share/man/man8/afs_bosserver_selinux.8
/usr/share/man/man8/afs_fsserver_selinux.8
/usr/share/man/man8/afs_kaserver_selinux.8
/usr/share/man/man8/afs_ptserver_selinux.8
/usr/share/man/man8/afs_vlserver_selinux.8
/usr/share/man/man8/aiccu_selinux.8
/usr/share/man/man8/aide_selinux.8
/usr/share/man/man8/ajaxterm_selinux.8
/usr/share/man/man8/ajaxterm_ssh_selinux.8
/usr/share/man/man8/alsa_selinux.8
/usr/share/man/man8/amanda_selinux.8
/usr/share/man/man8/amanda_recover_selinux.8 

The generated page for the httpd domain can then be read like any other man page:

[root@ip-***-**-**-*** ~]# man httpd_selinux


Install httpd, create the /web directory and put some text into /web/index.html:

[root@ip-***-**-**-*** man]# mkdir /web
[root@ip-***-**-**-*** man]# vi /web/index.html

Edit the httpd configuration so that /web is the document root and requests for it are allowed:

[root@ip-***-**-**-*** ~]# vi /etc/httpd/conf/httpd.conf

DocumentRoot "/web"

<Directory "/web">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>

Restart httpd service

[root@ip-***-**-**-*** ~]# sudo service httpd restart
Redirecting to /bin/systemctl restart httpd.service
[root@ip-***-**-**-*** ~]# 

Try to access the page

[root@ip-***-**-**-*** man]# elinks http://localhost

The page comes up without my content: instead of /web/index.html, Apache shows its default test page. That page is what the stock welcome.conf serves when a request for / is refused with 403 Forbidden, and the 403 is SELinux at work: httpd runs in the httpd_t domain, and the policy does not allow that domain to read a file carrying the label /web/index.html was created with, even though the Unix permissions are fine.



The audit log confirms it. A plain grep for AVC also returns USER_AVC notices (policy loads, setenforce changes); the type=AVC records at the end are the denials: httpd_t was refused getattr, read, open and map on /web/index.html, whose context is unconfined_u:object_r:default_t:s0. default_t is the catch-all label a new directory created directly under / receives, and confined domains such as httpd_t are not allowed to read it. Note also the permissive=1 field: these records were written while the host was in permissive mode (the setenforce 0 earlier), so the operations were logged but not actually blocked; in enforcing mode the same records appear with permissive=0.

[root@ip-***-**-**-*** man]# grep AVC /var/log/audit/audit.log
type=USER_AVC msg=audit(1597681631.346:494): pid=749 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=2) exe=2F7573722F62696E2F646275732D6461656D6F6E202864656C6574656429 sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1597761729.770:3443): pid=749 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received setenforce notice (enforcing=0) exe=2F7573722F62696E2F646275732D6461656D6F6E202864656C6574656429 sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=AVC msg=audit(1597763594.856:3528): avc: denied { getattr } for pid=56007 comm="httpd" path="/web/index.html" dev="xvda2" ino=4985268 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
type=AVC msg=audit(1597763594.856:3529): avc: denied { read } for pid=56007 comm="httpd" name="index.html" dev="xvda2" ino=4985268 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
type=AVC msg=audit(1597763594.856:3529): avc: denied { open } for pid=56007 comm="httpd" path="/web/index.html" dev="xvda2" ino=4985268 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
type=AVC msg=audit(1597763594.856:3530): avc: denied { map } for pid=56007 comm="httpd" path="/web/index.html" dev="xvda2" ino=4985268 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
[root@ip-***-**-**-*** man]#

The fix is not to write a custom allow rule but to give the content the type httpd is already permitted to read, httpd_sys_content_t, by adding a file-context rule that covers /web and everything below it:

[root@ip-***-**-**-*** man]# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
[root@ip-***-**-**-*** man]#


semanage fcontext only records the mapping in the policy's file-context database (local additions end up in /etc/selinux/targeted/contexts/files/file_contexts.local); files already on disk keep their old label until they are relabeled. restorecon applies the mappings to the file system:

[root@ip-***-**-**-*** man]# restorecon -R -v /web
Relabeled /web from unconfined_u:object_r:default_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /web/index.html from unconfined_u:object_r:default_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
[root@ip-***-**-**-*** man]#

Reload http://localhost and the contents of /web/index.html are served. Because the mapping lives in the policy, the label survives later restorecon runs and full relabels, which is what a bare chcon would not give you.
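As an added example, not from the original post: the two-step fix above as a script that can be re-run safely and checks its own result. It assumes the standard tools (semanage, restorecon, matchpathcon and GNU stat); /web and httpd_sys_content_t are the values from the walkthrough, and the function names are my own.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): "semanage fcontext" plus
# "restorecon" as an idempotent, self-checking script for provisioning.
# /web and httpd_sys_content_t come from the walkthrough above; the
# function names are this example's own.

# Regex covering a directory and everything beneath it, in the form
# semanage fcontext expects. A trailing slash is dropped first.
fcontext_regex() {
    dir=${1%/}
    printf '%s(/.*)?\n' "$dir"
}

# Type field (third colon-separated component) of a security context.
label_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# What the policy says a path should be labelled, and what it carries now.
expected_type() { label_type "$(matchpathcon -n "$1")"; }
current_type()  { label_type "$(stat -c %C "$1")"; }

# Record the mapping persistently, adding it or updating an existing one,
# then push the labels onto the files. Running this twice is harmless.
ensure_fcontext() {
    dir=$1 want=$2
    regex=$(fcontext_regex "$dir")
    if semanage fcontext -l | grep -qF "$regex "; then
        semanage fcontext -m -t "$want" "$regex"    # mapping exists: modify
    else
        semanage fcontext -a -t "$want" "$regex"    # mapping missing: add
    fi
    restorecon -Rv "$dir"
}

# Every file under DIR must now carry WANT; list any that do not.
verify_labels() {
    dir=$1 want=$2
    offenders=$(find "$dir" | while IFS= read -r f; do
        [ "$(current_type "$f")" = "$want" ] || echo "$f is $(current_type "$f")"
    done)
    if [ -n "$offenders" ]; then
        printf 'MISMATCH (expected %s):\n%s\n' "$want" "$offenders"
        return 1
    fi
    echo "ok: everything under $dir is $want"
}

main() {
    dir=${1:-/web} want=${2:-httpd_sys_content_t}
    for tool in semanage restorecon matchpathcon; do
        command -v "$tool" >/dev/null 2>&1 && continue
        echo "missing $tool: install policycoreutils-python(-utils) / libselinux-utils"
        return 1
    done
    [ -d "$dir" ] || { echo "$dir does not exist"; return 1; }
    ensure_fcontext "$dir" "$want" || return 1
    echo "policy now maps $dir to $(expected_type "$dir")"
    verify_labels "$dir" "$want"
}
main "$@" || true   # as a demo, a missing tool is reported rather than fatal
```

Run it as root; without arguments it uses /web and httpd_sys_content_t. For content httpd must also be able to write (uploads, caches) use httpd_sys_rw_content_t instead; the httpd_selinux man page generated earlier lists the available types.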


Commands used frequently and their use :

getenforce: prints the mode SELinux is running in right now (Enforcing, Permissive or Disabled).

setenforce: switches between enforcing (1) and permissive (0) until the next reboot.

ls -Z: shows the security context of files and directories alongside the usual permissions.

chcon: changes the context of a file or directory directly. The change is not recorded in the policy, so the next restorecon or full relabel reverts it; use it for quick tests and semanage fcontext for anything that should last.

restorecon: resets the context of one or more files (-R for recursive, -v to show what changed) to whatever the policy's file-context rules say it should be.

semanage fcontext: adds, modifies or lists the persistent path-to-type mappings that restorecon applies.

getsebool / setsebool: read and set policy booleans, the switches that turn optional behaviour of a domain on or off (setsebool -P makes the change persistent).
