Understanding the Need for SELinux
Linux security is built on UNIX security, which consists of different solutions that were never developed with current IT security needs in mind
SELinux provides a complete and mandatory security solution
Its principle is that if it isn’t specifically allowed, it will be denied
As a result, unknown services will always need additional configuration to enable them in an environment where SELinux is enabled
Managing SELinux Modes
SELinux can either be enabled or disabled
Since this is controlled by the kernel, a reboot is necessary to switch between the two states
While enabled, SELinux can be set to enforcing or permissive
While enforcing, SELinux is fully operational and will block according to rules
In permissive, it will continue to log but will not block
setenforce [enforcing|permissive]
: Sets SELinux to enforcing or permissive mode
getenforce
: Will print the current SELinux state
/etc/sysconfig/selinux
: Defines the default state of SELinux
To set the default state to disabled, change the value of SELINUX= :
vim /etc/sysconfig/selinux
...
SELINUX=disabled
...
Understanding SELinux Context Labels and Booleans
Every object is labeled with a context label
user
: user specific context
role
: role specific context
type
: flags which type of operation is allowed on the object
Booleans are used to enable or disable specific categories of functionality
Many commands support a -Z option to print an object’s current context information
ps auxZ | grep ssh
system_u:system_r:sshd_t...
system_u is the user
system_r is the role
sshd_t is the type
getsebool -a
: Prints all available SELinux booleans
setsebool -P [boolean] [state]
: Changes a boolean’s state:
setsebool -P httpd_enable_homedirs on
getsebool -a | grep httpd_enable_homedirs
httpd_enable_homedirs --> on
Using File Context Labels
semanage fcontext
: Sets a file’s context label
Will write the context to the SELinux Policy
To enforce the policy setting on a filesystem, restorecon must be executed
Alternatively, touch /.autorelabel can be used to relabel all files to the context that is specified in the policy. This will affect the entire filesystem and a reboot will be necessary
man semanage-fcontext includes documentation and examples on SELinux contexts
To allow httpd to serve content from the /web directory via SELinux:
semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
restorecon -Rv /web
Relabeled /web from unconfined_u:object_r:default_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /web/index.html from unconfined_u:object_r:default_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Analyzing SELinux Log Messages
SELinux uses auditd to write log messages to the audit log, /var/log/audit/audit.log
sealert interprets messages from the audit log, applies SELinux AI, and writes meaningful messages to /var/log/messages
To view a specific error in the audit log:
grep AVC /var/log/audit/audit.log
...
type=AVC msg=audit(1615829996.967:206): avc: denied { getattr } for pid=17357 comm="httpd" path="/web/index.html" dev="dm-0" ino=917508 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
...
avc: denied { getattr }
: SELinux denied the getattr (get attribute) permission
pid=17357 comm="httpd"
: Process ID and Command
path="/web/index.html"
: The file the error pertains to
scontext=system_u:system_r:httpd_t:s0
: The context of the process taking the action
tcontext=unconfined_u:object_r:default_t:s0
: The file’s context
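As an added example (not part of the original notes), a small shell helper that reads AVC records like the one above and prints, per denial, the source type, the denied permission, the object and its target type, flagging targets that still carry default_t. The helper names (avc_field, avc_type, avc_summary) are hypothetical and the sample records are constructed; the audit keys themselves (scontext=, tcontext=, tclass=, permissive=) are the real ones shown above.

```bash
#!/usr/bin/env bash
# Added example: summarise AVC denial records from an audit log so the
# source type, permission and target type are readable at a glance.
# Helper names are hypothetical; the audit record keys are the real ones.

# Constructed sample: two httpd denials plus one non-AVC record.
SAMPLE_AUDIT='type=AVC msg=audit(1615829996.967:206): avc:  denied  { getattr } for  pid=17357 comm="httpd" path="/web/index.html" dev="dm-0" ino=917508 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1615829996.967:206): arch=c000003e syscall=262 success=yes exit=0
type=AVC msg=audit(1615830001.111:207): avc:  denied  { read } for  pid=17357 comm="httpd" name="index.html" dev="dm-0" ino=917508 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: print the value of KEY=value (quotes stripped), or nothing.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_type CONTEXT: the type field of user:role:type:level, e.g. httpd_t.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary: read audit records on stdin and print one line per denial:
#   <source type> denied <perm> on <class> <object> labelled <target type> [mode]
# A target still labelled default_t is flagged: it usually means the file was
# never relabelled (restorecon) after the fcontext rule was added.
avc_summary() {
    while IFS= read -r line; do
        case $line in *type=AVC*denied*) ;; *) continue ;; esac
        perm=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p')
        obj=$(avc_field "$line" path)
        [ -n "$obj" ] || obj=$(avc_field "$line" name)
        stype=$(avc_type "$(avc_field "$line" scontext)")
        ttype=$(avc_type "$(avc_field "$line" tcontext)")
        if [ "$(avc_field "$line" permissive)" = 1 ]; then mode=logged-only; else mode=blocked; fi
        hint=
        if [ "$ttype" = default_t ]; then hint=' <- unlabelled target, run restorecon'; fi
        printf '%s denied %s on %s %s labelled %s [%s]%s\n' \
            "$stype" "$perm" "$(avc_field "$line" tclass)" "$obj" "$ttype" "$mode" "$hint"
    done
}

printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
```

On a live system the same summary comes from `grep AVC /var/log/audit/audit.log | avc_summary`.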
journalctl also logs SELinux alerts, and includes the command that should be run to view the error in sealert:
journalctl | grep sealert
...
Mar 15 12:40:09 localhost.localdomain setroubleshoot[17896]: SELinux is preventing /usr/sbin/httpd from map access on the file /web/index.html. For complete SELinux messages run: sealert -l e11b54bb-f95f-4191-a437-6fb84a639a95
Pipe the recommended command into less to view all of its contents