Beginner's Guide to SELinux

Translation of the article prepared for students of the course "Linux Security"

SELinux, or Security-Enhanced Linux, is an access control mechanism developed by the US National Security Agency (NSA) to prevent malicious intrusions. It implements a mandatory access control model (Mandatory Access Control, MAC) on top of the existing discretionary model (Discretionary Access Control, DAC), that is, the familiar read, write and execute permissions.

SELinux has three modes:

  1. enforcing - access that violates the policy rules is denied.
  2. permissive - SELinux only logs the actions that violate the policy and would be denied in enforcing mode.
  3. disabled - SELinux is completely turned off.

The default mode is set in /etc/selinux/config.

Changing SELinux Modes

To find out the current mode, run

$ getenforce

To change the mode to permissive, run the following command

$ setenforce 0

or, to switch from permissive back to enforcing, run

$ setenforce 1

If you need to disable SELinux completely, this can only be done through the configuration file

$ vi /etc/selinux/config

To disable, change the SELINUX parameter as follows:

SELINUX=disabled

Setting up SELinux

Each file and process is tagged with an SELinux context that contains additional information such as user, role, type, and so on. If you are enabling SELinux for the first time, you first need to assign these contexts. The process of assigning labels and contexts is known as labeling. To start labeling, set the mode to permissive in the configuration file.

$ vi /etc/selinux/config
SELINUX=permissive

After setting permissive mode, create an empty hidden file named .autorelabel in the root directory

$ touch /.autorelabel

and restart the computer

$ init 6

Note: we use permissive mode for labeling, because labeling in enforcing mode may make the system fail to boot.

Don't worry if the boot appears to get stuck on some file; labeling takes some time. After labeling and booting your system, you can go back to the configuration file, set the mode to enforcing, and also run:

$ setenforce 1

You have now successfully enabled SELinux on your computer.

Monitor logs

You may have encountered some errors during labeling or during normal operation. To check that SELinux is working properly and is not blocking access to some port, application, etc., you need to look at the logs. The SELinux log is /var/log/audit/audit.log, but you don't have to read it in its entirety to find errors. You can use the audit2why utility to extract and explain them. Run the following command:

$ audit2why < /var/log/audit/audit.log

As a result, you will get a list of errors. If there were no errors in the log, then no messages will be displayed.
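As an added example (not part of the original article), the following POSIX shell script triages AVC denials from an audit.log before reaching for audit2why or, later in this guide, audit2allow. It collapses the log into one line per distinct (source type, target type, object class, permissions) tuple and records whether each denial was actually enforced or only logged in permissive mode; a second helper selects the denials for one source domain, which is the subset the local-policy step greps out. The audit records are constructed to look like real AVC lines and are not taken from any real system.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials from an audit.log.
# The sample below is constructed to resemble real AVC records; it is not
# real log output.
AVC_SAMPLE='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700000001.456:457): avc:  denied  { name_bind } for  pid=2345 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000002.789:458): avc:  denied  { read } for  pid=1234 comm="httpd" name="style.css" dev="dm-0" ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# summarize_avc FILE
# Prints "COUNT source_type target_type class permissions mode" per distinct
# denial, so a long log collapses to a handful of lines to reason about.
summarize_avc() {
  grep 'avc:  denied' "$1" | awk '
  {
    perms = ""; st = ""; tt = ""; cls = ""; mode = "enforced"
    for (i = 1; i <= NF; i++) {
      if ($i == "{") {             # permissions are listed between { and }
        for (j = i + 1; $j != "}"; j++)
          perms = (perms == "" ? $j : perms "," $j)
      }
      if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }   # type field
      if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
      if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      if ($i == "permissive=1") mode = "permissive"   # logged, not blocked
    }
    print st, tt, cls, perms, mode
  }' | sort | uniq -c
}

# denials_for_type FILE SOURCE_TYPE
# Keeps only denials whose source domain is SOURCE_TYPE (e.g. httpd_t); this
# is the subset one would review before handing it to audit2allow.
denials_for_type() {
  grep 'avc:  denied' "$1" | grep "scontext=[^ ]*:$2:"
}

# Stand-alone usage: write the constructed sample to a temp file and summarise it.
AVC_FILE=$(mktemp)
printf '%s\n' "$AVC_SAMPLE" > "$AVC_FILE"
summarize_avc "$AVC_FILE"
denials_for_type "$AVC_FILE" httpd_t | wc -l
```

The summary makes the two distinct problems visible at a glance: httpd_t reading user_home_t files (blocked twice) and httpd_t binding an unreserved port (only logged, so the system was in permissive mode at that moment). The first points at a labeling or boolean fix, the second at a port context, before any custom policy is considered.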

Configuring the SELinux Policy

An SELinux policy is a set of rules that govern the SELinux security mechanism. A policy defines a set of rules for a particular environment. We will now learn how to set up policies to allow access to prohibited services.

1. Booleans (switches)

Switches (booleans) allow you to change parts of the policy at runtime without writing a new policy. Changes take effect without reloading or recompiling the SELinux policy.

Example
Suppose we want to share a user's home directory over FTP for reading and writing. We have already shared it, but when we try to access it we see nothing. This is because the SELinux policy prevents the FTP server from reading and writing the user's home directory. We need to change the policy so that the FTP server can access home directories. Let's see if there is a switch for this by running

$ semanage boolean -l

This command lists the available switches with their current state (on or off) and a description. You can narrow the search with grep to show only the ftp-related entries:

$ semanage boolean -l | grep ftp

and find the following

ftp_home_dir        -> off       Allow ftp to read & write file in user home directory

This switch is off, so we turn it on with setsebool:

$ setsebool ftp_home_dir on

Now our ftp daemon will be able to access the user's home directory.
Note: You can also list the available switches without descriptions by running getsebool -a. Without the -P flag, setsebool only changes the running policy; add -P to make the change persist across reboots.

2. Labels and context

This is the most common way to work with SELinux policy. Every file, directory, process, and port carries an SELinux context:

  • For files and directories, labels are stored as extended attributes in the file system and can be viewed with:
    $ ls -Z /etc/httpd
  • For processes and ports, labeling is managed by the kernel, and you can view these labels as follows:

process

$ ps auxZ | grep httpd

port

$ netstat -anpZ | grep httpd

Example
Now let's look at an example to better understand labels and contexts. Let's say we have a web server that uses /home/dan/html/ instead of /var/www/html/. SELinux will treat this as a policy violation and you will not be able to view your web pages, because the HTML files do not carry the security context the web server is allowed to read. To view the default security context, use the following command:

$ ls -lZ /var/www/html
 -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/

Here we see httpd_sys_content_t as the context of the HTML files. We need to set this security context on our own directory, which currently has the following context:

-rw-r--r--. dan dan system_u:object_r:user_home_t:s0 /home/dan/html/

Another way to check which security context the policy assigns to a file or directory is to query the file-context rules:

$ semanage fcontext -l | grep '/var/www'

We will also use semanage to change the context once we have found the correct one. To change the context of /home/dan/html, run the following commands:

$ semanage fcontext -a -t httpd_sys_content_t '/home/dan/html(/.*)?'
$ semanage fcontext -l | grep '/home/dan/html'
/home/dan/html(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
$ restorecon -Rv /home/dan/html

After the rule is added with semanage, restorecon applies the configured default context to the files and directories. Our web server will now be able to read files from /home/dan/html because the security context of that folder has been changed to httpd_sys_content_t.
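To make the file-context rule above concrete, here is an added example (not from the original article) that resolves a path to the type a small table of semanage fcontext-style rules would assign it. The rule table is constructed inline and has only a few entries rather than a real file_contexts; the resolution rule used here, that among all matching regular expressions the one listed last wins, is an assumption of this simplified model rather than a statement about libselinux internals. It shows why the pattern /home/dan/html(/.*)? is written with the optional group: it must match the directory itself and everything beneath it, but not a sibling such as /home/dan/htmlx, and a pattern without the group would leave the directory itself labeled user_home_t.

```shell
#!/bin/sh
# Added example: resolve a path to the SELinux type that a set of file-context
# rules would assign. The rule table is constructed for this example; a real
# system carries thousands of entries. Format per line: <regex> <context>, as
# printed by "semanage fcontext -l" without the file-type column.
FCONTEXT_RULES='/.* system_u:object_r:default_t:s0
/home/[^/]+(/.*)? unconfined_u:object_r:user_home_t:s0
/var/www(/.*)? system_u:object_r:httpd_sys_content_t:s0
/home/dan/html(/.*)? system_u:object_r:httpd_sys_content_t:s0'

# A deliberately narrow rule set (constructed): the last rule lacks the
# optional "(/.*)?" group, so it never matches the directory itself.
NARROW_RULES='/home/[^/]+(/.*)? unconfined_u:object_r:user_home_t:s0
/home/dan/html/.* system_u:object_r:httpd_sys_content_t:s0'

# fcontext_for_path PATH [RULES]
# Each regex is anchored to the whole path. Model assumption: when several
# rules match, the last one listed wins, so the specific /home/dan/html rule
# overrides the generic /home/[^/]+ rule.
fcontext_for_path() {
  _path=$1
  _rules=${2:-$FCONTEXT_RULES}
  _match=""
  while read -r _re _ctx; do
    [ -n "$_re" ] || continue
    if printf '%s\n' "$_path" | grep -Eq "^(${_re})\$"; then
      _match=$_ctx
    fi
  done <<EOF
$_rules
EOF
  printf '%s\n' "$_match"
}

# type_for_path PATH [RULES]: just the type field (third colon-separated part).
type_for_path() {
  fcontext_for_path "$@" | cut -d: -f3
}

# Stand-alone usage: show how the optional "(/.*)?" group behaves.
for p in /home/dan/html /home/dan/html/index.html /home/dan/htmlx /var/www/html/index.html /etc/passwd; do
  printf '%-28s %s\n' "$p" "$(type_for_path "$p")"
done
printf '%-28s %s (narrow rule)\n' /home/dan/html "$(type_for_path /home/dan/html "$NARROW_RULES")"
```

Running it shows /home/dan/html and /home/dan/html/index.html resolving to httpd_sys_content_t while /home/dan/htmlx stays user_home_t; with the narrow rule set the directory itself stays user_home_t, which is exactly the case where the web server can read the files but not list the directory.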

3. Create local policies

There may be situations where the above methods do not help and you still get AVC denial errors in audit.log. In that case you need to create a local policy module. You can find all such errors with audit2why as described above.

To resolve them, you create a local policy from the denials. For example, if we get errors related to httpd (apache) or smbd (samba), we grep for them and build a policy module from them:

apache
$ grep httpd_t /var/log/audit/audit.log | audit2allow -M http_policy
samba
$ grep smbd_t /var/log/audit/audit.log | audit2allow -M smb_policy

Here http_policy and smb_policy are the names of the local policy modules we have created. audit2allow allows exactly what was denied, so review the generated http_policy.te before loading it. Now we need to load these modules into the current SELinux policy. This is done like this:

$ semodule -i http_policy.pp
$ semodule -i smb_policy.pp

Our local policies are now loaded, and we should no longer see these AVC denials in audit.log.

This was my attempt to help you understand SELinux. I hope that after reading this article you will feel more comfortable with SELinux.

Source: habr.com
