SELinux System Administration Guide

SELinux (Security-Enhanced Linux) is a mandatory access control mechanism integrated into the Linux kernel that restricts access by users and processes to files, enhancing security through mandatory access controls (MACs). It operates in three modes: enforcing, permissive, and disabled, with configuration managed via the /etc/selinux/config file. SELinux provides tools for managing policies, contexts, and booleans, allowing administrators to control and audit system interactions effectively.

Uploaded by abhisheksafeeka

SELinux

SELinux Overview

Security-enhanced Linux (SELinux) is an implementation of a mandatory access control mechanism. This mechanism lives in the Linux kernel and decides whether to allow an operation after the standard Linux discretionary access controls have already been checked.

Features
Restricts access by subjects (users and/or processes) to objects (files)
Provides Mandatory Access Controls (MACs)
MACs extend Discretionary Access Controls (DACs, the standard Linux permissions)
Stores MAC permissions in extended attributes of file systems
SELinux provides a way to separate users, processes (subjects) and objects via labeling, and monitors/controls their interaction
SELinux is integrated into the Linux kernel
Implements sandboxes for subjects and objects
The default RHS implementation creates sandboxes (domains) for 'targeted' daemons and one sandbox (unconfined_t) for everything else
SELinux is implemented/enabled by RHS by default
Operates in the following modes:
Permissive - permission is always granted, but denials are logged in /var/log/messages
Enforcing - strictly enforces the 'targeted' policy rules
Disabled - only DACs are applied
Operating modes can be applied upon startup or while the system is running

Config file - /etc/selinux/config

sestatus - displays the current SELinux status, including:
Policy name 'targeted'
Policy version '21'
Current mode
SELinux operates in three modes:
Enforcing - SELinux is enabled and enforces the SELinux policies strictly
Permissive - SELinux prints a warning when any SELinux policy setting is breached
Disabled - this totally disables SELinux policies

SELinux Config files & Tools

To view the SELinux configuration file

[root@server ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
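The config file only sets the mode SELinux boots into; the running mode can be changed with setenforce and shows up separately as "Mode from config file" versus "Current mode" in sestatus. The script below is an added example, not part of this guide: it reads SELINUX= and SELINUXTYPE= from a config file in this format, validates them against the values the file documents, and flags drift between the boot-time mode and a runtime mode string (what getenforce prints). The runtime mode is passed in as an argument so the check runs on any host; the sample config it writes is constructed.

```shell
#!/bin/sh
# Added example, not part of the guide: validate an /etc/selinux/config-style
# file and detect drift between its boot-time mode and the running mode.

# Last uncommented KEY=VALUE assignment in the file; prints nothing if unset.
selinux_config_value() {
    # $1 = config file, $2 = key (SELINUX or SELINUXTYPE)
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Prints ok, drift, invalid-mode or invalid-type; exit status is non-zero for
# anything but ok. 'drift' means the mode was changed at runtime (setenforce)
# or the file was edited without a reboot: either way, worth a look.
check_selinux_config() {
    # $1 = config file, $2 = runtime mode as printed by getenforce
    mode=$(selinux_config_value "$1" SELINUX)
    ptype=$(selinux_config_value "$1" SELINUXTYPE)
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo invalid-mode; return 1 ;;
    esac
    case $ptype in
        targeted|minimum|mls) ;;
        *) echo invalid-type; return 1 ;;
    esac
    # getenforce prints Enforcing/Permissive/Disabled; compare case-insensitively
    runtime=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ "$runtime" != "$mode" ]; then
        echo drift
        return 2
    fi
    echo ok
}

# Constructed copy of the stock file with the settings this guide shows.
sample_selinux_config() {
cat <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
EOF
}

# Stand-alone demonstration against the constructed file.
tmp=$(mktemp)
sample_selinux_config > "$tmp"
echo "config mode: $(selinux_config_value "$tmp" SELINUX), type: $(selinux_config_value "$tmp" SELINUXTYPE)"
check_selinux_config "$tmp" Enforcing  || true   # ok
check_selinux_config "$tmp" Permissive || true   # drift: someone ran setenforce 0
rm -f "$tmp"
```

On a real host the second argument would be `"$(getenforce)"`; a result of `drift` while the file says enforcing is exactly the "temporarily permissive and forgotten" state an auditor looks for.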

To know the SELinux status

Command: sestatus
Command: sestatus -v

[root@server ~]# sestatus -v
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

Process contexts:
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context: system_u:system_r:init_t:s0
/usr/sbin/sshd system_u:system_r:sshd_t:s0-s0:c0.c1023

File contexts:
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0
/etc/passwd system_u:object_r:passwd_file_t:s0
/etc/shadow system_u:object_r:shadow_t:s0
/sbin/agetty system_u:object_r:getty_exec_t:s0
/sbin/init system_u:object_r:bin_t:s0 ->
/usr/sbin/sshd system_u:object_r:sshd_exec_t:s0
To display the current state of booleans
Command: sestatus -b
The -b option displays the current state of booleans

[root@server /]# sestatus -b | grep on
Mode from config file: enforcing
Max kernel policy version: 28
abrt_anon_write off
abrt_upload_watch_anon_write on
auditadm_exec_content on
boinc_execmem on
cdrecord_read_content off
cluster_can_network_connect off
cobbler_anon_write off
cobbler_can_network_connect off
collectd_tcp_network_connect off
condor_tcp_network_connect off
conman_can_network off
container_connect_any off
cron_can_relabel off
cron_system_cronjob_use_shares off
cron_userdomain_transition on
daemons_dump_core off
daemons_enable_cluster_mode off
daemons_use_tcp_wrapper off

To list all SELinux policy modules

[root@server ~]# semodule -l
abrt 1.4.1
accountsd 1.1.0
acct 1.6.0
afs 1.9.0
aiccu 1.1.0
aide 1.7.1
ajaxterm 1.0.0
alsa 1.12.2
amanda 1.15.0
amtu 1.3.0
To enable/disable SELinux
Command: vi /etc/selinux/config

To verify SELinux status

[root@server ~]# getenforce
Enforcing

The following is an example showing an SELinux context

Command: ls -Z selinux_example

[root@server agoutam]# ls -Z selinux_example
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 selinux_example

To change the context of the file selinux_example to httpd_sys_content_t

Command: chcon -t httpd_sys_content_t selinux_example
The -t option only changes the type

[root@server agoutam]# chcon -t httpd_sys_content_t selinux_example
[root@server agoutam]# ls -Z selinux_example
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 selinux_example

To change the type of the /web directory (and its contents)

Run the chcon -R -t httpd_sys_content_t /web command to change the type to httpd_sys_content_t:

[root@server /]# chcon -R -t httpd_sys_content_t /web
[root@server /]# ls -Zd /web
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /web

To list all booleans

Command: getsebool -a
The getsebool -a command lists all Booleans and whether they are on or off

[root@server /]# getsebool -a

abrt_anon_write --> off
abrt_handle_event --> off
antivirus_use_jit --> off
auditadm_exec_content --> on
authlogin_nsswitch_use_ldap --> off
authlogin_radius --> off
authlogin_yubikey --> off
awstats_purge_apache_log_files --> off

Let's check the boolean for ftp_home_dir

Command: getsebool ftp_home_dir

To temporarily enable ftp_home_dir (without -P the change does not survive a reboot)

Command: setsebool ftp_home_dir on

To install the setroubleshoot-server and selinux-policy-devel packages

[root@server /]# yum install -y setroubleshoot-server selinux-policy-devel
Loaded plugins: fastestmirror, langpacks
base | 2.9 kB [Link]
Loading mirror speeds from cached hostfile
Package setroubleshoot-server-3.2.28-3.el7.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package [Link] 0:3.13.1-166.el7 will be installed
--> Processing Dependency: policycoreutils-devel >= 2.5 for package: [Link]
--> Processing Dependency: m4 for package: selinux-policy-devel-[Link]
--> Running transaction check
---> Package m4.x86_64 0:1.4.16-10.el7 will be installed
---> Package policycoreutils-devel.x86_64 0:2.5-17.1.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================
Package                Arch    Version          Repository  Size
=============================================================
Installing:
selinux-policy-devel   noarch  3.13.1-166.el7   base        1.6 M
Installing for dependencies:
m4                     x86_64  1.4.16-10.el7    base        256 k
policycoreutils-devel  x86_64  2.5-17.1.el7     base        331 k

Transaction Summary
=============================================================
Install 1 Package (+2 Dependent packages)

Total download size: 2.2 M
Installed size: 24 M
Downloading packages:
(1/3): m4-1.4.16-10.el7.x86_64.rpm | 256 kB [Link]
(2/3): policycoreutils-devel-2.5-17.1.el7.x86_64.rpm | 331 kB [Link]
(3/3): [Link] | 1.6 MB [Link]
-------------------------------------------------------------
Total 3.4 MB/s | 2.2 MB [Link]
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : m4-1.4.16-10.el7.x86_64
Installing : policycoreutils-devel-2.5-17.1.el7.x86_64
Installing : [Link]
Verifying : m4-1.4.16-10.el7.x86_64
Verifying : policycoreutils-devel-2.5-17.1.el7.x86_64
Verifying : [Link]

Installed:
[Link] 0:3.13.1-166.el7

Dependency Installed:
m4.x86_64 0:1.4.16-10.el7
policycoreutils-devel.x86_64 0:2.5-17.1.el7

Complete!
[root@server /]#
To list all restricted ports
Command: semanage port -l

[root@server /]# semanage port -l
SELinux Port Type Proto Port Number
afs3_callback_port_t tcp 7001
afs3_callback_port_t udp 7001
afs_bos_port_t udp 7007
afs_fs_port_t tcp 2040
afs_fs_port_t udp 7000, 7005
udp 7003
agentx_port_t tcp 705
agentx_port_t udp 705
amanda_port_t tcp 10080-10083
amavisd_recv_port_t tcp 10024
amqp_port_t tcp 15672, 5671-5672
amqp_port_t udp 5671-5672
aol_port_t tcp 5190-5193
aol_port_t udp 5190-5193
apc_port_t tcp 3052

To verify the known ports of the http service:

Command: semanage port -l|grep -w http_port_t

[root@server /]# semanage port -l|grep -w http_port_t
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
[root@server /]#

To verify port availability

Command: sepolicy network -p <port>

[root@server /]# sepolicy network -p 8001
8001: tcp unreserved_port_t 1024-32767
8001: udp unreserved_port_t 1024-32767

To add a non-standard port to the http process

Command: semanage port -a -t http_port_t -p tcp 8001

[root@server /]# semanage port -a -t http_port_t -p tcp 8001
[root@server /]# semanage port -l|grep -w http_port_t
http_port_t tcp 8001, 80, 81, 443, 488, 8008,
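Before pointing a daemon at a new port it pays to check which port type already owns that number, because a port labelled for another service (53 is dns_port_t, as Example 1 below runs into) will be denied with name_bind, while an unlabelled port only needs the semanage port -a shown above. The function below is an added example, not part of this guide: it answers that question from saved `semanage port -l` output, handling single ports, comma-separated lists and low-high ranges. The listing it runs against is constructed (a few rows in the same layout as the output above) and deliberately omits the reserved/unreserved catch-all ranges, so a port no row covers prints `no-match` rather than unreserved_port_t.

```shell
#!/bin/sh
# Added example, not from the guide: which SELinux port type owns <port>/<proto>
# according to 'semanage port -l' output read from stdin.
port_type() {
    # $1 = tcp|udp, $2 = port number. Prints the owning type or "no-match".
    awk -v proto="$1" -v port="$2" '
        $1 == "SELinux" { next }          # header row: "SELinux Port Type ..."
        $2 != proto     { next }          # wrong protocol
        {
            # fields 3..NF are "80," "81," ... "10080-10083": lists and ranges
            for (i = 3; i <= NF; i++) {
                v = $i; gsub(/,/, "", v)
                if (v ~ /^[0-9]+-[0-9]+$/) {
                    split(v, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) {
                        print $1; found = 1; exit
                    }
                } else if (v + 0 == port + 0) {
                    print $1; found = 1; exit
                }
            }
        }
        END { if (!found) print "no-match" }
    '
}

# Constructed sample in the layout 'semanage port -l' prints.
sample_port_list() {
cat <<'EOF'
SELinux Port Type              Proto    Port Number
amanda_port_t                  tcp      10080-10083
amqp_port_t                    tcp      15672, 5671-5672
dns_port_t                     tcp      53
dns_port_t                     udp      53
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
EOF
}

# Stand-alone demonstration: the port Example 1 tries to use, two labelled
# ports (one from a range), and the unlabelled 8001 added above.
for spec in "tcp 53" "tcp 8443" "tcp 10081" "tcp 8001"; do
    proto=${spec% *}
    port=${spec#* }
    printf '%s/%s -> %s\n' "$port" "$proto" "$(sample_port_list | port_type "$proto" "$port")"
done
```

On a live system replace `sample_port_list` with `semanage port -l`; the rest is unchanged.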
EXAMPLE 1: Changing the default port for the http daemon

Changing the default port that http listens on is one of the first security measures to secure your server against external attacks. Let's edit the /etc/httpd/conf/[Link] file and set the port to 53:

[root@server ~]# cat /etc/httpd/conf/[Link] | grep 53
Listen 53

Save the changes, and restart httpd:

[root@server ~]# systemctl restart httpd
Job for [Link] failed because the control process exited with error code.
See "systemctl status [Link]" and "journalctl -xe" for details.
[root@server ~]# journalctl -xe
Oct 25 [Link] server kill[1941]: kill: cannot find process ""
Oct 25 [Link] server systemd[1]: [Link]: control process exited, code=exited status=1
Oct 25 [Link] server systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit [Link] has failed
-- Defined-By: systemd
-- Support: [Link]
--
-- Unit [Link] has failed.
--
-- The result is failed.
Oct 25 [Link] server systemd[1]: Unit [Link] entered failed state.
Oct 25 [Link] server systemd[1]: [Link] failed.
Oct 25 [Link] server python[1948]: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 53.

As you can see, http has failed to start.

A quick inspection of /var/log/audit/[Link] indicates that http has been denied permission to start on port 53 (SELinux log messages include the word "AVC" so that they can easily be told apart from other messages) because that is a reserved port for DNS.

At this point you could disable SELinux (but don't!) as explained earlier and try to start http again, and it should work. However, the semanage utility can tell us what we need to change in order to be able to start http on whatever port we choose without issues.
Diagnose SELinux Policy Violations

Diagnose SELinux Policies:

When SELinux is enabled, it will not allow you to run a service from non-default folders.

EX: The default document root folder for the http service is /var/www/[Link]. If this is changed in the [Link] file, you would see similar errors in the audit log.
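Both Example 1 above (the port 53 denial found in /var/log/audit/audit.log) and the document-root case here leave the same kind of record: a `type=AVC` line containing `denied`, the permission in braces, the process name, and the source and target contexts. The script below is an added example, not part of this guide, that pulls those records out of an audit log and reduces each to the fields an administrator acts on, with a hint saying whether the guide's port-label fix (semanage port) or file-label fix (semanage fcontext + restorecon) applies. The log lines are constructed in the auditd AVC record layout; the pids, inode numbers and timestamps are made up.

```shell
#!/bin/sh
# Added example, not part of the guide: summarise AVC denials from an audit.log.

# Constructed sample log: one unrelated SYSCALL record, the port-53 bind
# denial from Example 1, and a read denial on a mislabelled document root.
sample_audit_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1508940000.123:1201): arch=c000003e syscall=49 success=no exit=-13 pid=1941 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1508940000.123:1201): avc:  denied  { name_bind } for  pid=1941 comm="httpd" src=53 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:dns_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1508940060.456:1210): avc:  denied  { getattr } for  pid=2001 comm="httpd" path="/web/index.html" dev="dm-0" ino=67890 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
EOF
}

# One line per denial: comm permission source_type target_type class hint
summarize_avc() {
    # $1 = path of the audit log
    awk '
        /^type=AVC / && / denied / {
            # permission(s) sit between the braces: "{ name_bind }"
            perm = $0; sub(/.*[{] */, "", perm); sub(/ *[}].*/, "", perm)
            comm = ""; sctx = ""; tctx = ""; tclass = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
                if ($i ~ /^scontext=/) { sctx = substr($i, 10) }
                if ($i ~ /^tcontext=/) { tctx = substr($i, 10) }
                if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            }
            # user:role:type:level -> keep the type (third field)
            split(sctx, s, ":"); split(tctx, t, ":")
            hint = "other"
            if (tclass ~ /_socket$/ && perm == "name_bind") hint = "port-label"
            else if (tclass == "file" || tclass == "dir") hint = "file-label"
            print comm, perm, s[3], t[3], tclass, hint
        }
    ' "$1"
}

count_avc_denials() {
    summarize_avc "$1" | wc -l | tr -d ' '
}

# Stand-alone demonstration against the constructed log.
tmp=$(mktemp)
sample_audit_log > "$tmp"
summarize_avc "$tmp"
echo "denials: $(count_avc_denials "$tmp")"
rm -f "$tmp"
```

Run against the real file with `summarize_avc /var/log/audit/audit.log`; a `port-label` hint points at `semanage port -a`, a `file-label` hint at the `semanage fcontext` and `restorecon` steps that follow.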

Fix policy violations:

The error says /web is used as document root.

Set the SELinux context in the policy and also on the filesystem using the given commands:
semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
restorecon -R -v /web

EXAMPLE 2: Serving a website from a directory other than the default one

Suppose you are serving a website using a different directory than the default one (/var/www/html), say /web.

a) Create an [Link] file inside /web with the following contents:

<html>
<h2>SELinux test</h2>
</html>

[root@server /]# ls -Zd /web
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /web
[root@server /]#

You will see that the [Link] file has been labeled with the default SELinux type, which Apache can't access.

b) Change the DocumentRoot directive in /etc/httpd/conf/[Link] to /web and don't forget to update the corresponding Directory block. Then, restart Apache.

[root@server /]# cat /etc/httpd/conf/[Link] |grep DocumentRoot
# DocumentRoot: The directory out of which you will serve your
DocumentRoot "/web"

c) Browse to [Link] and you should get a 503 Forbidden HTTP response.
d) Next, change the label of /web, recursively, to the httpd_sys_content_t type in order to grant Apache read-only access to that directory and its contents:

[root@server /]# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"

[root@server selinux]# ls -lZ /web/[Link]
-rwxrwxrwx. root root unconfined_u:object_r:httpd_sys_content_t:s0 /web/[Link]

e) Finally, apply the SELinux policy created in d):

[root@server /]# restorecon -R -v /web
restorecon reset /web context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /web1/[Link] context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
[root@server /]#

Now restart Apache and browse to [Link] again, and you will see the html file displayed correctly.
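Two details of steps d) and e) are worth seeing in isolation: the file-context regex is matched against the whole path (so "/web(/.*)?" covers /web itself and everything under it, while without the trailing "?" the directory itself is not covered), and a label set with chcon alone is not recorded in the policy, so a later restorecon or full relabel reverts it, which is why the persistent fix is a semanage fcontext rule followed by restorecon. The script below is an added example, not part of this guide: it emulates the whole-path match with grep and then audits an `ls -Z`-style listing for entries that still carry a type other than the expected one, the check you would run after restorecon, or after new files have been copied into the document root. The listing is constructed, not captured from a host.

```shell
#!/bin/sh
# Added example, not part of the guide: file-context regex coverage and a
# label audit over an 'ls -Z'-style listing.

# setfiles/restorecon match the regex against the complete path, so use
# grep -x (whole-line match) with -E (extended regex) to emulate that.
fcontext_matches() {
    # $1 = regex as passed to 'semanage fcontext -a', $2 = absolute path
    printf '%s\n' "$2" | grep -Eqx -- "$1"
}

# Type field (third colon-separated component) of a security context such as
# unconfined_u:object_r:httpd_sys_content_t:s0
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read an 'ls -Z' listing ("<mode> <user> <group> <context> <path>") on stdin
# and print "<path> <type>" for every entry whose type is not the expected one.
find_mislabeled() {
    # $1 = expected type
    while read -r mode user group ctx path; do
        [ -n "$path" ] || continue
        t=$(context_type "$ctx")
        [ "$t" = "$1" ] || printf '%s %s\n' "$path" "$t"
    done
}

# Constructed listing: /web and index.html already carry the right type;
# about.html was copied in afterwards and still has default_t.
sample_listing() {
cat <<'EOF'
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /web
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /web/index.html
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 /web/about.html
EOF
}

# Stand-alone demonstration: coverage of the two regex spellings, then the audit.
for p in /web /web/index.html /web1/index.html; do
    for re in '/web(/.*)?' '/web(/.*)'; do
        if fcontext_matches "$re" "$p"; then r=match; else r=no-match; fi
        printf '%-12s %-18s %s\n' "$re" "$p" "$r"
    done
done
sample_listing | find_mislabeled httpd_sys_content_t
```

On a live host feed `ls -RZ /web`-style output (one entry per line with its full path) into `find_mislabeled`; any line it prints is a file restorecon would relabel, or one that needs its own fcontext rule.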
