SELinux sysadmin cheat sheet: 42 answers to important questions
The translation of the article was prepared specifically for the students of the course "Linux Administrator".
Here you will find answers to the big questions about life, the universe and everything in Linux with enhanced security.
“The important truth that things are not always what they seem is well known...”
- Douglas Adams, The Hitchhiker's Guide to the Galaxy
Security. Hardening. Compliance. Policy. The Four Horsemen of the sysadmin apocalypse. Besides our daily tasks (monitoring, backups, deployment, configuration, updates and so on), we are also responsible for the security of our systems, including the ones where a third-party vendor advises us to switch the enhanced security off. It feels like Ethan Hunt's job in Mission: Impossible.
Faced with this dilemma, some system administrators decide to take the blue pill, because they think they will never learn the answer to the great question of life, the universe and everything. And, as we all know, that answer is 42.
In the spirit of The Hitchhiker's Guide to the Galaxy, here are 42 answers to important questions about managing and using SELinux on your systems.
1. SELinux is a mandatory access control (MAC) system, which means that every process has a label. Every file, directory and system object has a label too. Policy rules govern access between labeled processes and labeled objects, and the kernel enforces those rules.
2. The two most important concepts are labeling (of files, processes, ports and so on) and type enforcement, which isolates processes from each other based on their types.
3. The correct label format is user:role:type:level (the level is optional).
4. The purpose of Multi-Level Security (MLS) is to control processes (domains) based on the security level of the data they will use. For example, a secret process cannot read top secret data.
5. Multi-Category Security (MCS) protects similar processes from each other (for example virtual machines, OpenShift gears, SELinux sandboxes, containers and so on).
6. Kernel options that change the SELinux mode at boot:
autorelabel=1 → forces the system to relabel
selinux=0 → the kernel does not load the SELinux infrastructure
enforcing=0 → boot in permissive mode
7. If you need to relabel the entire system:
# touch /.autorelabel
# reboot
If the system's labeling contains a lot of errors, you may need to boot in permissive mode for the relabel to succeed.
8. To check the current SELinux mode (Enforcing, Permissive or Disabled): # getenforce
9. To temporarily switch between enforcing (1) and permissive (0) mode until the next reboot: # setenforce [1|0]. This cannot disable SELinux; for that, edit the configuration file or boot with selinux=0.
10. Checking SELinux status: # sestatus
11. Configuration file: /etc/selinux/config
12. How does SELinux work? Here is a labeling example for the Apache web server:
A process running in the httpd_t context can interact with objects labeled httpd_something_t.
13. Many commands take a -Z argument to view, create and modify contexts:
ls -Z
id -Z
ps -Z
netstat -Z
cp -Z
mkdir -Z
Contexts are set when files are created, based on the context of their parent directory (with some exceptions). RPMs can also set contexts as part of installation.
14. There are four main causes of SELinux errors, described in more detail in items 15-21 below:
Labeling problems
Something that SELinux needs to know
A bug in the SELinux policy or in the application
Your information may be compromised
15. Labeling problem: if your files in /srv/myweb are labeled incorrectly, access may be denied. Here are some ways to fix it:
If you know the label: # semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'
If you know a path with equivalent labeling (the already-labeled path comes first, the new path second): # semanage fcontext -a -e /var/www /srv/myweb
Restore the context (for both cases): # restorecon -vR /srv/myweb
16. Labeling problem: if you move a file instead of copying it, the file keeps its original context. To fix this:
Change the context by type: # chcon -t httpd_sys_content_t /var/www/html/index.html
Change the context using a reference file: # chcon --reference /var/www/html/ /var/www/html/index.html
Or restore the default context, which replaces both chcon forms (note that chcon changes are not persistent and are lost on the next restorecon or relabel): # restorecon -vR /var/www/html/
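The procedure from items 15 and 16 as one script, added here as an example (it is not part of the original cheat sheet). It assumes a host with semanage and restorecon and root access when run for real; the function names, the SELINUX_DRY_RUN variable and the /srv/myweb and /var/www paths are this example's own. The point it makes beyond the two items is ordering and persistence: the rule goes into the policy store first, so a later restorecon or a full autorelabel cannot undo the fix the way it undoes a bare chcon.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): items 15 and 16 as one
# idempotent, reviewable procedure. Function names and the SELINUX_DRY_RUN
# variable are this example's own. Set SELINUX_DRY_RUN=1 to print the
# commands instead of running them (the real run needs root plus the
# semanage and restorecon tools).

run() {
    if [ -n "${SELINUX_DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Refuse relative paths (semanage needs absolute ones) and the root directory
# (a full relabel is item 7: touch /.autorelabel && reboot).
need_abs() {
    case $1 in
        /)  echo "refusing to relabel /; use: touch /.autorelabel && reboot" >&2; return 1 ;;
        /*) return 0 ;;
        *)  echo "$1 is not an absolute path" >&2; return 1 ;;
    esac
}

# relabel_tree DIR TYPE: record the rule in the policy store (so it survives a
# future restorecon or autorelabel, which a bare chcon from item 16 would not),
# then apply it to the files that already exist.
relabel_tree() {
    need_abs "$1" || return 1
    dir=${1%/}; ctx_type=$2          # strip one trailing slash so the regex anchors cleanly
    case $ctx_type in
        *_t) ;;
        *)   echo "$ctx_type does not look like an SELinux type" >&2; return 1 ;;
    esac
    # -a fails when a rule for this pattern already exists; -m modifies it instead
    run semanage fcontext -a -t "$ctx_type" "$dir(/.*)?" \
        || run semanage fcontext -m -t "$ctx_type" "$dir(/.*)?" \
        || return 1
    run restorecon -vR "$dir"
}

# relabel_like DIR REFERENCE: give DIR's subtree the same labels as REFERENCE
# (item 15, second form). Argument order matters: the already-labeled path
# comes first, the new path second.
relabel_like() {
    need_abs "$1" && need_abs "$2" || return 1
    dir=${1%/}; ref=${2%/}
    run semanage fcontext -a -e "$ref" "$dir" || return 1
    run restorecon -vR "$dir"
}

# check_tree DIR: report what restorecon would change, without changing anything.
check_tree() {
    need_abs "$1" || return 1
    run restorecon -nvR "${1%/}"
}

# Demo of item 15 in dry-run mode, so the script is safe to read and run anywhere.
SELINUX_DRY_RUN=1 relabel_tree /srv/myweb httpd_sys_content_t
SELINUX_DRY_RUN=1 relabel_like /srv/myweb /var/www
```

Run it without SELINUX_DRY_RUN as root to apply the change, then call check_tree on the directory: an empty report means the files on disk already match the policy, which is the state a later relabel will reproduce.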
17. If SELinux needs to know that HTTPD is listening on port 8585, tell it:
# semanage port -a -t http_port_t -p tcp 8585
18. SELinux needs to know: booleans let parts of the SELinux policy be changed at runtime without rewriting the policy. For example, if you want httpd to send email: # setsebool -P httpd_can_sendmail 1
19. SELinux needs to know: booleans are on/off switches for SELinux settings:
To see all booleans: # getsebool -a
To see a description of each: # semanage boolean -l
To set a boolean: # setsebool [_boolean_] [1|0]
To make the change persistent across reboots, add -P. For example: # setsebool -P httpd_enable_ftp_server 1
20. SELinux policies and applications can have bugs, including:
Unusual code paths
Configurations
Redirection of stdout
Leaked file descriptors
Executable memory
Badly built libraries
Open a ticket (do not file a Bugzilla report; there is no SLA with Bugzilla).
21. Your information may be compromised if you have confined domains trying to:
25. When an SELinux error occurs, use the setroubleshoot log, which offers several possible solutions.
For example, from journalctl:
Jun 14 19:41:07 web1 setroubleshoot: SELinux is preventing httpd from getattr access on the file /var/www/html/index.html. For complete message run: sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e
# sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e
SELinux is preventing httpd from getattr access on the file /var/www/html/index.html.
***** Plugin restorecon (99.5 confidence) suggests ************************
If you want to fix the label,
/var/www/html/index.html default label should be httpd_sys_content_t.
Then you can restorecon.
Do
# /sbin/restorecon -v /var/www/html/index.html
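setroubleshoot is not always installed (minimal hosts, containers), but the same triage can be done by hand from the raw AVC records in /var/log/audit/audit.log. The script below is an added example, not from the original article: it sorts each denial into the item 14 buckets of "labeling", "port" (item 17) or "boolean or policy" (items 18-20) and prints the next command to run, using only sh and awk. The three sample denials are constructed for offline use; the function name avc_triage, the bucket names and the <port_type> placeholder are this example's own. Real input comes from ausearch -m AVC.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): triage raw AVC denials
# into the labeling / port / boolean-or-policy buckets of items 14-20 with
# only sh + awk, for hosts without setroubleshoot.

# Constructed sample denials (not captured from a real system). Real ones:
#   ausearch -m AVC -ts recent
SAMPLE_AVC='type=AVC msg=audit(1560541267.123:456): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=123 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1560541300.456:457): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8585 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1560541333.789:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=0'

# avc_triage [FILE]: read AVC lines (stdin if no FILE) and print one
# tab-separated line per denial:
#   bucket  source_type  target_type  permission  object  suggested-next-step
avc_triage() {
    awk '
    /avc: +denied/ {
        perm = ""; st = ""; tt = ""; tc = ""; obj = "-"; port = ""
        # the denied permission is the token between "{" and "}"
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            gsub(/"/, "", v)
            if (k == "scontext")      { split(v, a, ":"); st = a[3] }   # user:role:TYPE:level
            else if (k == "tcontext") { split(v, a, ":"); tt = a[3] }
            else if (k == "tclass")   tc = v
            else if (k == "path" || k == "name") obj = v
            else if (k == "src" || k == "dest")  { obj = k "=" v; port = v }
        }
        dom = st;   sub(/_t$/, "", dom)         # httpd_t -> httpd, for getsebool grep
        proto = tc; sub(/_socket$/, "", proto)  # tcp_socket -> tcp
        if (tc ~ /^(file|dir|lnk_file|sock_file|fifo_file|chr_file|blk_file)$/) {
            # item 15/16: compare the on-disk label with the policy default first
            bucket = "labeling"; hint = "restorecon -nv " obj
        } else if (tc ~ /_socket$/ && perm == "name_bind") {
            # item 17: the port is not in a type this domain may bind to
            bucket = "port"; hint = "semanage port -a -t <port_type> -p " proto " " port
        } else {
            # items 18-20: look for a boolean before suspecting a policy bug
            bucket = "boolean_or_policy"; hint = "getsebool -a | grep " dom
        }
        printf "%s\t%s\t%s\t%s\t%s\t%s\n", bucket, st, tt, perm, obj, hint
    }' "$@"
}

# Demo on the constructed sample. For live data, source this file and run:
#   ausearch -m AVC -ts recent | avc_triage
printf '%s\n' "$SAMPLE_AVC" | avc_triage
```

The port hint deliberately leaves the type as a placeholder: which port type is right depends on the daemon (http_port_t for httpd, as in item 17), and binding a port to the wrong type silently widens what other domains may use it for, so that choice stays with the administrator.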
26. Logging: SELinux logs information in many places: