Overview
A quick reference for essential SELinux commands and concepts, including enabling and disabling enforcement modes, relabeling filesystems, and managing security contexts for files and ports.
Basic SELinux Security Concepts
SELinux running status
To switch SELinux to enforcing mode (it is enabled by default on most distributions) use:
setenforce 1
To verify run the command:
getenforce
# Output
Enforcing
To change the default status of SELinux at boot, edit the file /etc/selinux/config and set the following line:
SELINUX=enforcing/permissive/disabled
enforcing = SELinux blocks any unauthorized access.
permissive = SELinux only logs unauthorized access but does not block it.
disabled = SELinux is disabled completely.
SELinux autorelabel
To relabel the entire filesystem at the next boot, create the file /.autorelabel and reboot:
touch /.autorelabel
When enabling SELinux for the first time a relabel is required; it will be done automatically on the next reboot.
View SELinux context
To view file and folder contexts, add the capital -Z switch to the ls command:
ls -lZ /var/www/html/
The output will look something like this:
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
httpd_sys_content_t is the SELinux type (the third field of the context) assigned to /var/www/html/.
Manual change of SELinux context
restorecon and chcon are the commands used to correct an SELinux context.
restorecon command
restorecon resets the context to what the default SELinux policy specifies. For example, to restore the default policy on the /tftpboot folder:
restorecon -r /tftpboot
chcon command
With chcon you can manually set a context that is not in the default policy. For example, to set the httpd content type on /www:
chcon -v --type=httpd_sys_content_t /www
Using chcon is not recommended: it is better to add the rule to the policy itself, since an SELinux autorelabel (or a later restorecon) resets any context to what the default policy specifies.
Add a new folder or file permanently to SELinux policy
You can make permanent changes to the SELinux policy with the semanage command. For example, to give /www the httpd content type:
semanage fcontext -a -t httpd_sys_content_t /www
semanage does not change the context on /www itself; it only changes the policy entry for /www, so we still need to run restorecon:
restorecon -r /www
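The two commands above, wrapped into a repeatable script, as an added example that is not part of the original cheat sheet. It goes one step beyond the page's command: a rule written for the path /www alone only matches the directory itself, whereas the pattern /www(/.*)? (the form semanage accepts) also covers files created below it, which is what you want for web content. The script registers the rule only if it is missing, applies it with restorecon, and then verifies every file. It assumes the policycoreutils tools (semanage, restorecon) on a Fedora/CentOS-style host, GNU stat, and root privileges; /www is the page's example path.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet. Assumes policycoreutils
# (semanage, restorecon), GNU coreutils (stat -c %C) and root privileges.

# Build the file-context pattern semanage expects: the directory itself
# plus everything below it. A trailing slash on the argument is dropped.
fcontext_pattern() {
    printf '%s(/.*)?\n' "${1%/}"
}

# Register the rule if it is not already a local customisation, then
# write the labels to disk. semanage only edits the policy; restorecon
# is what changes the labels on the files.
label_dir() {
    dir=$1; type=$2
    pattern=$(fcontext_pattern "$dir")
    if semanage fcontext -l -C | grep -F -q -- "$pattern "; then
        echo "rule for $pattern already present"
    else
        semanage fcontext -a -t "$type" "$pattern"
    fi
    restorecon -Rv "$dir"
}

# Verify: every file under the directory should now carry the type.
# Prints each mismatch and exits non-zero if there was any.
verify_dir() {
    dir=$1; type=$2
    find "$dir" -exec stat -c '%C %n' {} + | awk -v t="$type" '
        { split($1, f, ":"); if (f[3] != t) { print "mismatch:", $0; bad = 1 } }
        END { exit bad + 0 }'
}

if [ "$(id -u)" -eq 0 ] && command -v semanage >/dev/null 2>&1; then
    label_dir /www httpd_sys_content_t
    verify_dir /www httpd_sys_content_t && echo "all files under /www are httpd_sys_content_t"
else
    echo "needs root and semanage; the rule pattern would be: $(fcontext_pattern /www)"
fi
```

The verify step is the part worth keeping: a label change that looks successful can still leave files inside the tree with their old type if the rule pattern did not cover them, and the web server's denials will then show up in the audit log rather than in the command output.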
SELinux log
The SELinux log is usually located (on CentOS/Fedora) at /var/log/audit/audit.log. You will find this log very hard to understand without the sealert command from the setroubleshoot package.
The setroubleshoot package
Install the setroubleshoot package:
yum install -y setroubleshoot setools
sealert command
sealert analyzes and scans the audit.log file for SELinux issues:
sealert -a /var/log/audit/audit.log
Each block in the report describes a separate issue and ends with a possible solution, for example:
SELinux denied access to /www/ requested by httpd.
/www/ has a context used for sharing by different program. If you
would like to share /www/ from httpd also, you need to change its
file context to public_content_t. If you did not intend to this access, this
could signal a intrusion attempt.
Allowing Access:
You can alter the file context by executing 'chcon -t public_content_t /www/'
Fix Command:
chcon -t public_content_t '/www/'
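When setroubleshoot is not installed, or you want to triage a copied audit.log on another machine, the raw AVC records can still be reduced to the fields that matter: which program was denied, which permission, on which object class, and the source and target types. The filter below is an added example, not part of the original page or of the setroubleshoot project; it needs only awk. The sample records are constructed for this example (pids, inodes and timestamps are made up) and include a port denial alongside the two file denials to show that not every denial is about a file label.

```shell
#!/bin/sh
# Added example, not from the original page. Reduces AVC denial records
# from audit.log to one readable line each; only awk is required.

# Constructed sample records in audit.log's format (values are made up).
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=4242 comm="httpd" name="index.html" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { getattr } for  pid=4242 comm="httpd" path="/www" dev="dm-0" ino=1000 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=4 success=no exit=-13
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_bind } for  pid=4242 comm="httpd" src=8090 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# Read audit records on stdin; print one line per AVC denial:
#   <program> <permission> <class> <source type>-><target type> <object>
# Other record types (SYSCALL, PATH, ...) are skipped.
summarize_avc() {
    awk '
    /^type=AVC / && / denied / {
        comm = "?"; perm = "?"; tclass = "?"; s = "?"; t = "?"; obj = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            key = kv[1]; val = substr($i, length(key) + 2)
            gsub(/"/, "", val)
            if (key == "comm")          comm = val
            else if (key == "tclass")   tclass = val
            else if (key == "scontext") { split(val, f, ":"); s = f[3] }
            else if (key == "tcontext") { split(val, f, ":"); t = f[3] }
            else if (key == "name" || key == "path" || key == "src") obj = val
        }
        # The denied permission(s) sit between "{ " and " }".
        if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        printf "%s %s %s %s->%s %s\n", comm, perm, tclass, s, t, obj
    }'
}

# Count denials per source->target type pair, most frequent first; a pair
# you did not expect (a daemon touching a type it never needs) is the one
# to investigate before reaching for a fix command.
denial_pairs() {
    summarize_avc | awk '{ print $4 }' | sort | uniq -c | sort -rn
}

printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
echo "--- denials by type pair ---"
printf '%s\n' "$SAMPLE_AUDIT" | denial_pairs
# On a real host (as root): summarize_avc < /var/log/audit/audit.log
```

Read against the sealert report above, the first two sample lines are the same story: httpd_t is denied on default_t, which means /www was never labelled for the web server. The third line (name_bind on unreserved_port_t) would instead be solved on the port side, not with a file context.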
getsebool and setsebool commands
SELinux policies contain Boolean values (booleans) that we can turn on or off to adjust a policy's behaviour without editing it.
getsebool command
For a list of all booleans and their current values run:
getsebool -a
setsebool command
Using setsebool to turn on the allow_httpd_anon_write boolean in the httpd policy:
setsebool -P allow_httpd_anon_write on
The -P switch makes the change persistent across reboots.
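An added example (not part of the original cheat sheet) that makes the getsebool/setsebool pair idempotent: it reads the current state, changes the boolean only when it differs, and re-reads it afterwards instead of trusting the exit status. It also lists every boolean currently on, which is the set to review when auditing a host, since each one relaxes the default policy. It assumes the policycoreutils tools and their "name --> state" output format; the sample line is constructed.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet. Assumes getsebool and
# setsebool from policycoreutils and their "name --> state" output format.

# Extract the state ("on"/"off") from one line of getsebool output;
# prints nothing for a line that is not in that format.
bool_state_from_line() {
    printf '%s\n' "$1" | awk '$2 == "-->" { print $3 }'
}

# Current state of a boolean, or empty if it is unknown to the policy.
bool_state() {
    bool_state_from_line "$(getsebool "$1" 2>/dev/null)"
}

# Set a boolean persistently (-P) only if needed. Returns 0 on success,
# 1 if setsebool failed or the re-read disagrees, 2 if the boolean is unknown.
# Usage (as root): ensure_bool allow_httpd_anon_write on
ensure_bool() {
    name=$1; want=$2
    have=$(bool_state "$name")
    if [ -z "$have" ]; then
        echo "unknown boolean: $name" >&2
        return 2
    fi
    if [ "$have" = "$want" ]; then
        echo "$name already $want"
        return 0
    fi
    setsebool -P "$name" "$want" || return 1
    # Re-read rather than trust the exit status.
    [ "$(bool_state "$name")" = "$want" ] || return 1
    echo "$name now $want (persistent)"
}

# Names of all booleans that are currently on.
enabled_bools() {
    getsebool -a | awk '$3 == "on" { print $1 }'
}

# Constructed sample line in getsebool's format.
sample='allow_httpd_anon_write --> off'
echo "sample state: $(bool_state_from_line "$sample")"

if command -v getsebool >/dev/null 2>&1; then
    echo "allow_httpd_anon_write is: $(bool_state allow_httpd_anon_write)"
    echo "booleans currently on:"
    enabled_bools
fi
```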
