Translation of the article prepared for students of the course
SELinux (Security-Enhanced Linux) is an access control mechanism developed by the US National Security Agency (NSA) to limit the damage an intruder or a compromised program can do. It implements a mandatory access control model (Mandatory Access Control, MAC) on top of the existing discretionary access control model (Discretionary Access Control, DAC), the familiar owner/group/other read, write and execute permissions. Both checks apply: SELinux can refuse an access that the file permissions allow, but it never grants one that they deny.
SELinux has three modes:
- Enforcing: access that violates the policy is denied (and logged).
- Permissive: violations are only logged; everything that enforcing mode would deny is allowed through.
- Disabled: SELinux is switched off completely, and files created in this state receive no labels.
The mode that applies at boot is set in /etc/selinux/config.
Changing SELinux Modes
To find out the current mode, run the following (sestatus shows both the running mode and the mode from the configuration file):
$ getenforce
To switch the running system to permissive mode, run
$ setenforce 0
and to switch from permissive back to enforcing, run
$ setenforce 1
Both commands require root and change only the running kernel: after a reboot the SELINUX= line in /etc/selinux/config wins again. setenforce cannot be used at all while SELinux is disabled.
If you need to disable SELinux completely, this can only be done through the configuration file, followed by a reboot:
$ vi /etc/selinux/config
To disable, change the SELINUX parameter as follows:
SELINUX=disabled
Setting up SELinux
Each file and process carries an SELinux context made of a user, a role, a type and a sensitivity level, for example system_u:object_r:httpd_sys_content_t:s0. If you are enabling SELinux for the first time, or after it has been disabled, the files on disk have no labels or stale ones, so the whole filesystem has to be labeled before the policy can be enforced. Assigning contexts to files is called labeling (or relabeling). To start it, set the mode to permissive in the configuration file:
$ vi /etc/selinux/config
SELINUX=permissive
With permissive mode configured, create an empty file named .autorelabel in the root of the filesystem (the leading dot makes it hidden); it is checked during boot and, if present, the whole filesystem is relabeled before services start:
$ touch /.autorelabel
and restart the computer
$ init 6
Note: permissive mode is used for relabeling because in enforcing mode unlabeled files are off limits to every confined service, so the system may fail to boot before the relabel can finish.
Don't worry if the boot appears to hang on some file; relabeling a large filesystem takes a while. Once the system has relabeled and booted, go back to the configuration file, set the mode to enforcing, and also switch the running system right away:
$ setenforce 1
You have now successfully enabled SELinux on your computer.
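The steps above as one script, added here as an example and not part of the original article. It edits the SELINUX= line in /etc/selinux/config in place, reports what is configured for the next boot, and schedules the relabel boot; the function names are my own, the file layout assumed is the Red Hat style config shown above, and the reboot itself is left to the operator.

```shell
#!/bin/sh
# Added example (not from the original article): manage the persistent SELinux
# mode and schedule the relabel boot described above. Assumes the Red Hat style
# /etc/selinux/config with a SELINUX= line; root is needed for the real file.

# Rewrite the active SELINUX= line in a config file (default /etc/selinux/config).
# Commented-out lines and SELINUXTYPE= are left alone.
set_selinux_config() {
    mode="$1"
    file="${2:-/etc/selinux/config}"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "set_selinux_config: unknown mode '$mode'" >&2; return 1 ;;
    esac
    sed -i "s/^SELINUX=.*/SELINUX=$mode/" "$file"
}

# Print the mode the file prescribes for the next boot.
configured_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "${1:-/etc/selinux/config}"
}

# Change the running mode now. Only works while SELinux is enabled; lost at reboot.
set_runtime_mode() {
    case "$1" in
        enforcing)  setenforce 1 ;;
        permissive) setenforce 0 ;;
        *) echo "set_runtime_mode: use enforcing or permissive" >&2; return 1 ;;
    esac
}

# Step 1 of first-time enablement: boot permissive and relabel everything.
# The reboot is left to the operator so the script has no surprising side effects.
schedule_relabel() {
    set_selinux_config permissive "${1:-/etc/selinux/config}" && touch /.autorelabel &&
        echo "reboot now; the system will relabel and come up permissive"
}

# Step 2, after the relabel boot: make enforcing persistent and switch immediately.
finish_enforcing() {
    set_selinux_config enforcing "${1:-/etc/selinux/config}" && set_runtime_mode enforcing
}

# Usage (as root):  schedule_relabel ; reboot ; ... ; finish_enforcing
```

Running configured_mode against the real file before and after each step is a cheap sanity check that the edit landed on the uncommented line and not on the explanatory comment that also reads SELINUX=.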
Monitor logs
You may have seen errors during relabeling or during normal operation. To check whether SELinux is blocking access to a port, an application, etc., you need to look at the log. Denials are recorded by auditd as AVC records in /var/log/audit/audit.log, but you don't have to read the whole file. audit2why reads the denials and, for each one, explains why it was blocked (no rule allows it, a boolean is off, a constraint was hit). Run the following as root:
$ audit2why < /var/log/audit/audit.log
The result is a list of denials with an explanation for each; if there are no denials in the log, nothing is printed. To limit the input to recent events use ausearch, for example ausearch -m avc -ts recent | audit2why.
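Before reaching for audit2why it helps to see which denials actually repeat. The following is an added example, not from the original article: it condenses AVC records into one line per source type, target type, object class and permission set, most frequent first. The audit lines are constructed for the demo; on a real host pipe in /var/log/audit/audit.log or the output of ausearch -m avc.

```shell
#!/bin/sh
# Added example, not from the original article: condense AVC denials into
# "count stype ttype class perms" lines. The sample records below are
# constructed for the demo; real ones come from /var/log/audit/audit.log.

SAMPLE_AUDIT='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.124:457): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.200:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.200:458): arch=c000003e syscall=42 success=no exit=-13'

# Read audit records on stdin; print one line per distinct denial, most frequent first.
# Only the type field of each context is kept, since that is what policy rules are written against.
summarize_avc() {
    awk '
    /^type=AVC / && /avc:  denied/ {
        perms = $0; sub(/.*denied  [{] /, "", perms); sub(/ [}].*/, "", perms)
        s = $0; sub(/.*scontext=[^:]*:[^:]*:/, "", s); sub(/:.*/, "", s)
        t = $0; sub(/.*tcontext=[^:]*:[^:]*:/, "", t); sub(/:.*/, "", t)
        c = $0; sub(/.*tclass=/, "", c); sub(/ .*/, "", c)
        count[s " " t " " c " " perms]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Usage:  printf "%s\n" "$SAMPLE_AUDIT" | summarize_avc
#         summarize_avc < /var/log/audit/audit.log
```

The second column is what you grep for in the boolean list or feed to audit2allow; the third tells you whether a relabel (a file type such as user_home_t) or a port boolean (a port type such as mysqld_port_t) is the right fix.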
Configuring the SELinux Policy
An SELinux policy is the set of rules that the SELinux mechanism enforces; it defines what every labeled process may do to every labeled object in a particular environment. We will now look at how to adjust the policy so that a service can do something it is currently denied, from the least to the most invasive method.
1. Boolean values (switches)
Booleans let you switch optional parts of the policy on and off at runtime, without writing new policy. The change applies immediately and needs no policy reload or recompilation.
Example
Suppose we want to share a user's home directory over FTP for reading and writing. The share is configured, but when we connect we see nothing. This is because the SELinux policy prevents the FTP server from reading and writing files in users' home directories. Rather than editing policy, first check whether a boolean already covers this case:
$ semanage boolean -l
This command will list the available switches with their current state (enabled/on or disabled/off) and description. You can refine your search by adding grep to find ftp-only results:
$ semanage boolean -l | grep ftp
and find the following
ftp_home_dir -> off Allow ftp to read & write file in user home directory
This boolean is off, so we turn it on with setsebool:
$ setsebool -P ftp_home_dir on
The -P flag also writes the change into the policy store so that it survives a reboot; without -P the boolean reverts to its default at the next boot.
Now our ftp daemon will be able to access the user's home directory.
Note: getsebool -a lists all booleans with their current state but without descriptions, and getsebool ftp_home_dir shows just one. Read the description before turning a boolean on: some grant much more than the problem at hand needs.
2. Labels and context
This is the most common way to adjust how the policy applies to your system: instead of changing the rules, you change which rule applies by changing a label. Every file, directory, process and port carries an SELinux context:
- For files and folders, labels are stored as extended attributes in the file system and can be viewed with the following command:
$ ls -Z /etc/httpd
- For processes and ports, the marking is controlled by the kernel, and you can view these marks as follows:
process
$ ps auxZ | grep httpd
port
$ netstat -anpZ | grep httpd
(ss -tlnpZ shows the same; both print the context of the listening process. The labels assigned to port numbers themselves are listed with semanage port -l.)
Example
Now let's look at an example to better understand labels and contexts. Say we have a web server that serves pages from /home/dan/html/ instead of /var/www/html/. SELinux treats this as a policy violation and the pages cannot be viewed, because the files in /home/dan/html carry the label of a home directory, not a label the web server is allowed to read. To see the default security context of the standard document root, use:
$ ls -lZd /var/www/html
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/
The type httpd_sys_content_t is the part that matters for access decisions: it marks content that httpd may read. We need the same type on our directory, which currently looks like this:
drwxr-xr-x. dan dan system_u:object_r:user_home_t:s0 /home/dan/html/
An alternative way to check which context the policy assigns to a path is to list the file-context rules (or to ask the policy directly with matchpathcon /var/www/html):
$ semanage fcontext -l | grep '/var/www'
We will also use semanage to change the context after we find the correct security context. To change the /home/dan/html context, run the following commands:
$ semanage fcontext -a -t httpd_sys_content_t '/home/dan/html(/.*)?'
$ semanage fcontext -l | grep '/home/dan/html'
/home/dan/html(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
$ restorecon -Rv /home/dan/html
semanage only records the rule in the policy store; restorecon then applies it, resetting the labels of the existing files and directories to what the rule prescribes (-R recurses, -v prints every change). The pattern is a regular expression: (/.*)? matches the directory itself and everything below it, and because the rule lives in the policy the label survives a full relabel. chcon would also change a label, but that change is lost at the next relabel, which is why semanage plus restorecon is preferred. Our web server can now read files from /home/dan/html, because the directory's type is httpd_sys_content_t.
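An added example, not from the original article, that wraps the semanage/restorecon steps for a directory tree and adds one check the article does not show: the pattern given to semanage fcontext is a regular expression, so a "." in a path such as /srv/www.example.com has to be escaped or the rule will also match other names. The function names and the default type are mine; the code assumes the targeted policy with semanage, restorecon and matchpathcon installed and is run as root.

```shell
#!/bin/sh
# Added example, not from the original article: label a non-standard web root
# persistently and verify it. Assumes semanage, restorecon and matchpathcon.

# Turn a directory path into the regex semanage fcontext expects: escape regex
# metacharacters, drop a trailing slash, and append (/.*)? for the whole tree.
fcontext_pattern() {
    printf '%s\n' "${1%/}" | sed 's/[.+*?|()^$]/\\&/g; s|$|(/.*)?|'
}

# Record the rule (modifying it if the same pattern is already present) and
# apply it to the files already on disk. Default type: web content readable by httpd.
label_tree() {
    dir="${1%/}"; type="${2:-httpd_sys_content_t}"
    pattern=$(fcontext_pattern "$dir")
    if semanage fcontext -l | grep -qF "$pattern"; then
        semanage fcontext -m -t "$type" "$pattern"
    else
        semanage fcontext -a -t "$type" "$pattern"
    fi
    # semanage only stores the rule; restorecon rewrites the labels on disk.
    restorecon -Rv "$dir"
}

# Succeeds only if both the policy default and the on-disk label carry the type.
verify_label() {
    dir="${1%/}"; type="${2:-httpd_sys_content_t}"
    matchpathcon "$dir" | grep -q ":$type:" && ls -Zd "$dir" | grep -q ":$type:"
}

# Usage (as root):  label_tree /home/dan/html && verify_label /home/dan/html
```

verify_label checks two things on purpose: matchpathcon answers from the policy store (did semanage take the rule), while ls -Z answers from the filesystem (did restorecon run); a mismatch between them is the usual reason a "fixed" directory still produces denials after a reboot.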
3. Create local policies
There may be situations where neither a boolean nor relabeling helps and you keep getting AVC denials in audit.log. Then you can create a local policy module that adds exactly the missing rules. As described above, audit2why lists the denials and says whether a boolean could resolve them; audit2allow (audit2why is the same tool invoked as audit2allow -w) turns them into allow rules.
To resolve errors, you can create a local policy. For example, we get an error related to httpd (apache) or smbd (samba), we grep the errors and create a policy for them:
apache
$ grep httpd_t /var/log/audit/audit.log | audit2allow -M http_policy
samba
$ grep smbd_t /var/log/audit/audit.log | audit2allow -M smb_policy
Here http_policy and smb_policy are the names of the local policy modules we have created; audit2allow -M writes a human-readable http_policy.te and a compiled http_policy.pp in the current directory. Read the .te file before loading it: audit2allow allows every denial it was given, including ones that a boolean or a relabel should have fixed (it prints a comment naming the boolean when one exists), and a grep on a bare type name also picks up records where that type is only the target. Then load the modules into the running policy:
$ semodule -i http_policy.pp
$ semodule -i smb_policy.pp
The modules are now loaded (semodule -l lists them) and the denials they cover no longer appear in audit.log. To back one out, run semodule -r http_policy.
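An added example, not from the original article, that builds the module for one source domain and refuses to load it while it contains rules a human should look at first. Matching on scontext=...:httpd_t: rather than a bare grep httpd_t keeps out records where httpd_t is only the target or part of a longer type name. The permission list in review_te, the function names and the sample .te text are my own choices, constructed for the demo; audit2allow, semodule and the .te/.pp file layout are the real tools described above.

```shell
#!/bin/sh
# Added example, not from the original article: generate a local module from
# one domain's denials and gate semodule -i on a review of the generated rules.

# Build NAME.te and NAME.pp from the denials whose source type is DOMAIN.
build_module() {
    domain="$1"; name="$2"
    grep "scontext=[^ ]*:$domain:" /var/log/audit/audit.log | audit2allow -M "$name"
}

# Print allow rules that grant write access, file creation/removal, code
# injection permissions or DAC/admin capabilities (list chosen for this demo).
# Exit status 1 when anything was flagged, so a deployment script stops.
review_te() {
    awk '
    /^allow / && /(execmem|execmod|execheap|dac_override|dac_read_search|sys_admin|setattr|unlink|write|create)/ {
        found = 1; print "REVIEW: " $0
    }
    END { exit (found ? 1 : 0) }' "$1"
}

# Load only if the review passed. semodule -i (lower-case i) installs a .pp package.
install_module() {
    name="$1"
    review_te "$name.te" && semodule -i "$name.pp"
}

# Constructed sample of what audit2allow -M http_policy might write for the
# denials in the article: a port connect, reads in a home dir, and one write.
SAMPLE_TE='module http_policy 1.0;

require {
        type httpd_t;
        type user_home_t;
        type mysqld_port_t;
        class file { read getattr open write };
        class tcp_socket name_connect;
}

#============= httpd_t ==============
allow httpd_t mysqld_port_t:tcp_socket name_connect;
allow httpd_t user_home_t:file { read getattr open };
allow httpd_t user_home_t:file write;'

# Usage (as root):  build_module httpd_t http_policy && install_module http_policy
```

On the sample above review_te flags only the write rule: reading web content from a home directory is what the relabel in the previous section already solves, so the right response to that flag is usually to drop the rule and fix the label, not to load it.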
This was my attempt to help you understand SELinux. I hope that after reading this article you will feel more comfortable with SELinux.
Source: habr.com