Understanding the Need for SELinux

Linux security is built on UNIX security, a collection of separate mechanisms that were never designed with current IT security needs in mind

SELinux provides a complete, mandatory access control security solution on top of the standard permissions

Its principle is that if it isn’t specifically allowed, it will be denied

As a result, unknown services will always need additional configuration to enable them in an environment where SELinux is enabled

Managing SELinux Modes

SELinux can either be enabled or disabled

Since this is controlled by the kernel, a reboot is necessary to switch between the two states

While enabled, SELinux can be set to enforcing or permissive

While enforcing, SELinux is fully operational and will block according to rules

In permissive, it will continue to log but will not block

setenforce [Enforcing|Permissive] (or 1|0): Sets SELinux to enforcing or permissive until the next reboot

getenforce: Will print the current SELinux state

/etc/sysconfig/selinux: Defines the default state of SELinux

To set the default state to disabled, change the value of SELINUX= (the file is read at boot, so the change takes effect after a reboot):

vim /etc/sysconfig/selinux

...
SELINUX=disabled
...

Understanding SELinux Context Labels and Booleans

Every object is labeled with a context label

user: user specific context

role: role specific context

type: flags which type of operation is allowed on the object

Booleans are used to enable or disable specific categories of functionality without editing the policy

Many commands support a -Z option to print an object’s current context information

ps auxZ | grep ssh

system_u:system_r:sshd_t...

system_u is the user

system_r is the role

sshd_t is the type

getsebool -a: Prints all available SELinux booleans

setsebool -P [boolean] [state]: Changes a boolean's state; -P makes the change persistent across reboots:

setsebool -P httpd_enable_homedirs on

getsebool -a | grep httpd_enable_homedirs
httpd_enable_homedirs --> on

Using File Context Labels

semanage fcontext: Sets the default context label for a file or path pattern

Writes the context rule to the SELinux policy, not to the files themselves

To apply the policy setting to the files on a filesystem, restorecon must be executed

Alternatively, touch /.autorelabel can be used to relabel all files to the context that is specified in the policy. This will affect the entire filesystem and a reboot will be necessary

man semanage-fcontext includes documentation and examples on SELinux contexts

To allow httpd to serve content from the /web directory via SELinux:

semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"

restorecon -Rv /web
Relabeled /web from unconfined_u:object_r:default_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /web/index.html from unconfined_u:object_r:default_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0

Analyzing SELinux Log Messages

SELinux uses auditd to write log messages to the audit log, /var/log/audit/audit.log

sealert interprets messages from the audit log, applies SELinux AI, and writes meaningful messages to /var/log/messages

To view the AVC denial messages in the audit log:

grep AVC /var/log/audit/audit.log
...
type=AVC msg=audit(1615829996.967:206): avc:  denied  { getattr } for  pid=17357 comm="httpd" path="/web/index.html" dev="dm-0" ino=917508 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
...

avc: denied { getattr }: SELinux denied the getattr (get attribute) operation

pid=17357 comm="httpd": Process ID and Command

path="/web/index.html": The file the error pertains to

scontext=system_u:system_r:httpd_t:s0: The context of the process taking the action

tcontext=unconfined_u:object_r:default_t:s0: The file’s context
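An added example (not from the original notes) that pulls the fields walked through above out of audit.log AVC records and prints one summary per denial, including whether the access was blocked (permissive=0) or only logged (permissive=1). The function names and the sample records are constructed for this example; the first record mirrors the one quoted above.

```bash
#!/bin/bash
# Added example (not from the original notes): extract the AVC fields the
# notes walk through (comm, path, scontext, tcontext, tclass, permission,
# permissive flag) from audit.log records and print one summary per denial.
# avc_field/avc_perm/avc_summary/avc_report are names chosen for this example.

# Print the value of key=value (quoted or bare) from an AVC record, else nothing.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Print the denied permission(s), e.g. "getattr" or "read write".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# Third field of user:role:type:level is the type (httpd_t, default_t, ...).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# One-line summary of a single AVC record; permissive=1 means the access was
# only logged, permissive=0 means it was actually blocked.
avc_summary() {
    local line="$1" path mode
    path=$(avc_field "$line" path)
    [ -n "$path" ] || path="(no path)"
    if [ "$(avc_field "$line" permissive)" = "1" ]; then
        mode="permissive (logged, not blocked)"
    else
        mode="enforcing (blocked)"
    fi
    printf '%s (%s) denied %s on %s %s %s; %s\n' \
        "$(avc_field "$line" comm)" "$(ctx_type "$(avc_field "$line" scontext)")" \
        "$(avc_perm "$line")" "$(avc_field "$line" tclass)" \
        "$(ctx_type "$(avc_field "$line" tcontext)")" "$path" "$mode"
}

# Summarise every AVC record read on stdin; non-AVC records are skipped.
avc_report() {
    grep 'type=AVC' | while IFS= read -r l; do avc_summary "$l"; done
}

# Constructed sample log: the first record is the one quoted in the notes.
SAMPLE_LOG='type=AVC msg=audit(1615829996.967:206): avc:  denied  { getattr } for  pid=17357 comm="httpd" path="/web/index.html" dev="dm-0" ino=917508 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1615829996.967:206): arch=c000003e syscall=262 success=yes exit=0
type=AVC msg=audit(1615830100.123:210): avc:  denied  { read write } for  pid=17360 comm="httpd" path="/web/data.db" dev="dm-0" ino=917520 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0'

printf '%s\n' "$SAMPLE_LOG" | avc_report
```

On a real system replace the sample with `grep AVC /var/log/audit/audit.log | avc_report`; a target type of default_t on a path the service should serve is the usual sign that a semanage fcontext rule plus restorecon is missing.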

journalctl also shows the SELinux alerts from setroubleshoot, including the command that should be run to view the error in sealert:

journalctl | grep sealert
...
Mar 15 12:40:09 localhost.localdomain setroubleshoot[17896]: SELinux is preventing /usr/sbin/httpd from map access on the file /web/index.html. For complete SELinux messages run: sealert -l e11b54bb-f95f-4191-a437-6fb84a639a95

Pipe the output of the recommended command into less to read all of it
