Linux_Logo_Photos

Basic SELinux Security Concepts

Overview

“SELinux is a security enhancement to Linux which allows users and administrators more control over access control.” (selinuxproject.org”

Basic SELinux Security Concepts

SELinux runing status

To enable SELinux (mostly enabled by default) use:

setenforce 1

To verify run the command:

getenforce

#Output
Enforcing

To change the default status of SELinux on boot edit the file ‘/etc/selinux/config’ and change the following:

SELINUX=enforcing/permissive/disabled

enforcing = SELinux will block any unauthorized access.
permissive = SELinux will only log unauthorized access but will not block it.
disabled = SELinux disabled completely.

SELinux autorelabel

to relabel the entire file-system at boot create a file ‘/.autorelabel’ and reboot:

touch /.autorelabel

when enabling SELinux for the first time relabel is needed and will be done automatically in the next reboot.

View SELinux context

To view file and Folder contexts add the capital ‘Z’ switch to the ‘ls’ command:

ls -lZ /var/www/html/

Output will be something like this:

drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/

‘httpd_sys_content_t’ is the security context for ‘/var/www/html/’.

Manual change of SELinux context

‘restorecon’ and ‘chcon’ are the commands used to correct SELinux context.

restorecon command

‘restorecon’ restores the context according to the SELinux default policy.
for example restore default ‘/tftpboot’ folder policy:

restorecon -r /tftpboot

chcon command

With ‘chcon’ you can manually set a context not in the default policy,
for example set httpd context on ‘/www’

chcon -v --type=httpd_sys_content_t /www

using ‘chcon’ is no recommended, it is better to add the rule to the policy itself since SELinux autorelable will change any context according to the default policy.

Add a new folder or file permanently to SELinux policy

you can make permanent changes to the SELinux policy using ‘semanage’ command.
for example set ‘/www’ with httpd context:

semanage fcontext -a -t httpd_sys_content_t /www

‘semanage’ doesn’t change the context on ‘/www’ it only changes the policy of ‘/www’ so we still need to run ‘restorecon’:

restorecon -r /www

SELinux log

SELinux log is usually located (in CentOS/Fedora) at ‘/var/log/audit/audit.log’
You will find this log very hard to understand without using ‘sealert’ command from se-troubleshoot package.

the se-troubleshoot package

install se-troubleshoot package

yum install -y setroubleshoot setools

sealert command

sealert is used to analyze and scan the audit.log file for SELinux issues:

sealert -a /var/log/audit/audit.log

each block contains a separate issue and includes a possible solution in the end, for example:

SELinux denied access to /www/ requested by httpd.
/www/ has a context used for sharing by different program. If you
would like to share /www/ from httpd also, you need to change its
file context to public_content_t. If you did not intend to this access, this
could signal a intrusion attempt.

Allowing Access:

You can alter the file context by executing 'chcon -t public_content_t /www/'

Fix Command:

chcon -t public_content_t '/www/'

getsebool and setsebool commands

SELinux has Boolean values we can change within any policy.

getsebool command

for a list of values run

getsebool -a

setsebool command

using setsebool to change httpd SELinux policy to ‘allow_httpd_anon_write’:

setsebool -P allow_httpd_anon_write on

the ‘-P’ switch in ‘setsebool’ command makes the change permanent.

Leave a Reply

Your email address will not be published.


*