SELinux sysadmin cheat sheet: 42 answers to important questions

The translation of the article was prepared specifically for the students of the course "Linux Administrator".


Here you will get answers to the important questions about life, the universe, and everything in Linux with enhanced security.

“It is a well-known fact that things are not always what they seem…”

- Douglas Adams, The Hitchhiker's Guide to the Galaxy

Security. Hardening. Compliance. Policy. The Four Horsemen of the SysAdmin Apocalypse. In addition to our daily tasks - monitoring, backups, implementation, tuning, updating, and so on - we are also responsible for securing our systems. Even those systems where a third-party provider tells us to disable the enhanced security. It looks like a job for Ethan Hunt from Mission Impossible.

Faced with this dilemma, some sysadmins decide to take the blue pill, because they think they will never know the answer to the big question of life, the universe, and everything else. And, as we all know, that answer is 42.

In the spirit of The Hitchhiker's Guide to the Galaxy, here are 42 answers to important questions about managing and using SELinux on your systems.

1. SELinux is a mandatory access control (MAC) system, which means that every process has a label. Every file, directory, and system object also has a label. Policy rules govern access between labeled processes and labeled objects. The kernel enforces these rules.

2. The two most important concepts are: labeling (of files, processes, ports, etc.) and type enforcement (which isolates processes from each other based on their types).

3. The correct label format is user:role:type:level (the level is optional).

4. The purpose of Multi-Level Security (MLS) enforcement is to control processes (domains) based on the security level of the data they will be using. For example, a secret process cannot read top-secret data.

5. Multi-Category Security (MCS) enforcement protects similar processes from each other (for example, virtual machines, OpenShift gears, SELinux sandboxes, containers, etc.).

6. Kernel parameters for changing SELinux modes at boot:

  • autorelabel=1 → forces the system to relabel
  • selinux=0 → the kernel does not load the SELinux infrastructure
  • enforcing=0 → boot in permissive mode

7. If you need to relabel the entire system:

# touch /.autorelabel
# reboot

If the system labeling contains a large number of errors, you may need to boot in permissive mode for the autorelabel to succeed.

8. To check if SELinux is enabled: # getenforce

9. To temporarily enable/disable SELinux: # setenforce [1|0]

10. Checking SELinux status: # sestatus

11. Configuration file: /etc/selinux/config

12. How does SELinux work? Here is a labeling example for the Apache web server:

  • Binary: /usr/sbin/httpd → httpd_exec_t
  • Configuration directory: /etc/httpd → httpd_config_t
  • Log files directory: /var/log/httpd → httpd_log_t
  • Content directory: /var/www/html → httpd_sys_content_t
  • Startup script: /usr/lib/systemd/system/httpd.service → httpd_unit_file_t
  • Process: /usr/sbin/httpd -DFOREGROUND → httpd_t
  • Ports: 80/tcp, 443/tcp → httpd_t, http_port_t

A process running in the httpd_t context can interact with objects labeled httpd_something_t.

13. Many commands accept the -Z argument to view, create, and modify contexts:

  • ls -Z
  • id -Z
  • ps -Z
  • netstat -Z
  • cp -Z
  • mkdir -Z

Contexts are set when files are created, based on the context of their parent directory (with some exceptions). RPMs can set contexts as part of installation.

14. There are four main causes of SELinux errors, which are described in more detail in items 15-21 below:

  • Labeling problems
  • Something that SELinux needs to know
  • A bug in the SELinux policy or in the application
  • Your information may be compromised

15. Labeling problem: if your files in /srv/myweb are labeled incorrectly, access may be denied. Here are some ways to fix this:

  • If you know the label:
    # semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'
  • If you know a file with equivalent labeling:
    # semanage fcontext -a -e /srv/myweb /var/www
  • Restore the context (for both cases):
    # restorecon -vR /srv/myweb

16. Labeling problem: if you move a file instead of copying it, the file keeps its original context. To fix this problem:

  • Change the context by specifying the label:
    # chcon -t httpd_sys_content_t /var/www/html/index.html
  • Change the context using a reference file's label:
    # chcon --reference /var/www/html/ /var/www/html/index.html
  • Restore the context (for both cases): # restorecon -vR /var/www/html/

17. If SELinux needs to know that HTTPD is listening on port 8585, tell SELinux:

# semanage port -a -t http_port_t -p tcp 8585

18. SELinux needs to know about booleans, which allow parts of the SELinux policy to be changed at runtime without any knowledge of SELinux policy writing. For example, if you want httpd to send email, type: # setsebool -P httpd_can_sendmail 1

19. SELinux needs to know about booleans for enabling/disabling SELinux settings:

  • To see all booleans: # getsebool -a
  • To see a description of each one: # semanage boolean -l
  • To set a boolean: # setsebool [_boolean_] [1|0]
  • To make the change permanent, add -P. For example: # setsebool httpd_enable_ftp_server 1 -P

20. SELinux policies/applications may contain bugs, including:

  • Unusual code paths
  • Configurations
  • Redirecting stdout
  • File descriptor leaks
  • Executable Memory
  • Poorly Built Libraries

Open tickets (do not submit a report to Bugzilla; there is no SLA in Bugzilla).

21. Your information may be compromised if you have confined domains trying to:

  • Load kernel modules
  • Turn off SELinux enforcing mode
  • Write to etc_t/shadow_t
  • Modify iptables rules

22. SELinux tools for developing policy modules:

# yum -y install setroubleshoot setroubleshoot-server

Reboot or restart auditd after installation.

23. Use journalctl to list all logs related to setroubleshoot:

# journalctl -t setroubleshoot --since=14:20

24. Use journalctl to list all logs associated with a specific SELinux label. For example:

# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0

25. When a SELinux error occurs, use the setroubleshoot log, which offers several possible solutions.
For example, from journalctl:

Jun 14 19:41:07 web1 setroubleshoot: SELinux is preventing httpd from getattr access on the file /var/www/html/index.html. For complete message run: sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e

# sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e
SELinux is preventing httpd from getattr access on the file /var/www/html/index.html.

***** Plugin restorecon (99.5 confidence) suggests ************************

If you want to fix the label,
/var/www/html/index.html default label should be httpd_syscontent_t.
Then you can restorecon.
Do
# /sbin/restorecon -v /var/www/html/index.html

26. Logging: SELinux logs information in many places:

  • /var/log/messages
  • /var/log/audit/audit.log
  • /var/lib/setroubleshoot/setroubleshoot_database.xml

27. Logging: looking for SELinux errors in the audit log:

# ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today

28. To find SELinux Access Vector Cache (AVC) messages for a specific service:

# ausearch -m avc -c httpd

29. The audit2allow utility collects information from the logs of denied operations and then generates SELinux policy allow rules. For example:

  • To create a human-readable description of why access was denied: # audit2allow -w -a
  • To view a type enforcement rule that allows denied access: # audit2allow -a
  • To create a custom module: # audit2allow -a -M mypolicy
  • Option -M creates a type enforcement file (.te) with the specified name and compiles the rule into a policy package (.pp): mypolicy.pp mypolicy.te
  • To install a custom module: # semodule -i mypolicy.pp
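The ausearch and audit2allow flow of items 27-29, together with the warning signs of item 21, as an added example that is not part of the original article: it parses AVC records into the user:role:type:level pieces of item 3, merges them into TE allow rules the way audit2allow -a presents them, and flags the denials item 21 says must never simply be allowed. The audit lines, pids and inodes are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt (not from a real host) in the format that
# `ausearch -m avc` returns; the last two lines are the kind item 21 warns about.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1718386867.123:401): avc:  denied  { getattr } for  pid=2310 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=1331 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1718386868.456:402): avc:  denied  { read open } for  pid=2310 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=1331 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1718386870.789:403): avc:  denied  { write } for  pid=2310 comm="httpd" name="shadow" dev="dm-0" ino=9002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1718386871.000:404): avc:  denied  { sys_module } for  pid=2310 comm="httpd" capability=16 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_context(ctx):
    """Split user:role:type:level (item 3); the level is optional on non-MLS policies."""
    user, role, type_, *level = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': type_, 'level': level[0] if level else ''}

def parse_avc(line):
    """Return one structured denial record, or None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = set(m.group('perms').split())
    rec['stype'] = parse_context(rec['scontext'])['type']
    rec['ttype'] = parse_context(rec['tcontext'])['type']
    return rec

def allow_rules(log_text):
    """Merge denials into TE allow rules, as audit2allow -a presents them (item 29)."""
    merged = defaultdict(set)
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        merged[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]

def suspicious_denials(log_text):
    """Denials from item 21's list: do not allow these, investigate them as a possible compromise."""
    hits = []
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        writes_secrets = rec['ttype'] in ('etc_t', 'shadow_t') and rec['perms'] & {'write', 'append'}
        loads_modules = rec['tclass'] == 'capability' and 'sys_module' in rec['perms']
        if writes_secrets or loads_modules:
            hits.append('%s (%s) -> %s:%s %s' % (rec['comm'], rec['stype'], rec['ttype'], rec['tclass'], sorted(rec['perms'])))
    return hits
```

Run suspicious_denials before turning any generated rule into a module with audit2allow -M; a rule such as the shadow_t write above would otherwise be compiled and installed just like the harmless user_home_t one.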

30. To configure a single process (domain) to run in permissive mode: # semanage permissive -a httpd_t

31. If you no longer want the domain to be permissive: # semanage permissive -d httpd_t

32. To disable all permissive domains: # semodule -d permissivedomains

33. To enable the MLS SELinux policy: # yum install selinux-policy-mls
Then, in /etc/selinux/config:

SELINUX=permissive
SELINUXTYPE=mls

Make sure SELinux is running in permissive mode: # setenforce 0
Use the fixfiles script to ensure that the files are relabeled on the next reboot:

# fixfiles -F onboot
# reboot

34. Create a user with a specific MLS range: # useradd -Z staff_u john

Using the useradd command, map the new user to an existing SELinux user (in this case, staff_u).

35. To view the correspondence between SELinux and Linux users: # semanage login -l

36. Define a specific range for the user: # semanage login --modify --range s2:c100 john

37. To fix the label in the user's home directory (if necessary): # chcon -R -l s2:c100 /home/john

38. To view current categories: # chcat -L

39. To change the categories or start creating your own, modify the following file:

/etc/selinux/<selinuxtype>/setrans.conf

40. To run a command or script in a specific file, role, and user context:

# runcon -t initrc_t -r system_r -u user_u yourcommandhere

  • -t file context
  • -r role context
  • -u user context

41. Containers running with SELinux disabled:

  • Podman: # podman run --security-opt label=disable …
  • Docker: # docker run --security-opt label=disable …

42. If you need to give a container full access to the system:

  • Podman: # podman run --privileged …
  • Docker: # docker run --privileged …

And now you already know the answer. So please don't panic and enable SELinux.

Source: habr.com
