Secure Your Architecture with SELinux
Introduction
Security-Enhanced Linux, abbreviated SELinux, is an LSM (Linux Security Module) that lets you define a MAC (mandatory access control) policy over the elements of a Linux-based system. Initiated by the NSA on the basis of work carried out with SCC and the University of Utah in the USA (the DTMach prototypes, DTOS and the FLASK project), its architecture separates policy enforcement from policy definition. Notably, it allows the applications of a system to be classified into different groups with finer-grained access levels. It also allows a confidentiality level to be assigned for access to system objects, such as file descriptors, according to an MLS (Multi-Level Security) model. SELinux uses the Bell-LaPadula model together with SCC's Type Enforcement for integrity. It is free software, with parts licensed under the GNU GPL or BSD licences.
In practice, the innovation is based on defining extended attributes in the UNIX filesystem. Beyond the concept of “read, write, execute rights” for a given user, SELinux defines for each file or process:
- A virtual user (or collection of roles);
- A role;
- A security context.
Usage
Defining the Mode
Here you define the SELinux mode and its policy type. We'll use the targeted policy, which is single-user mode (no one above root). The mls policy is equivalent to RBAC and allows many more security groups and users (for very large companies):
Getting the Current Mode and Changing It
First, we need to know in which mode we are:
Here we see I’m in enforcing mode. If I want to switch to permissive mode, I run this command with argument 0:
And I set it to 1 to go back to enforcing mode.
We can verify that SELinux is properly enabled by listing processes. The SELinux attributes are shown when you pass the ‘Z’ argument:
We can also do this on folders or files:
Disable Only One Domain
You also have the option to disable only one domain if desired. Let’s take Apache as an example:
This service's domain is now in permissive state.
Analyzing Blocks
When SELinux decides to block certain access, there are several ways to analyze and accept certain false positives. First, there’s the ‘audit2allow’ command:
You also have logs that provide information about blocks in /var/log/audit/audit.log:
I can see here that access to a file named mon_fichier.txt was blocked for httpd_t because the object's context is not the correct one.
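As an added example (not from the original article), here is a small shell/awk summariser that does, on a constructed audit.log excerpt, the grouping that audit2allow performs when it reads denials: it collects the denied permissions per source type, target type and object class. The log lines, PIDs, inode numbers and file names are constructed for this example.

```shell
# Constructed sample of records in the format written to /var/log/audit/audit.log.
# Timestamps, PIDs, inodes and the file name are made up for this example.
AVC_SAMPLE='type=AVC msg=audit(1317884400.101:42): avc:  denied  { read } for  pid=1234 comm="httpd" name="mon_fichier.txt" dev=sda1 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1317884400.102:43): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/mon_fichier.txt" dev=sda1 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1317884400.250:44): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=81 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1317884400.101:42): arch=c000003e syscall=2 success=no exit=-13'

# summarize_avc: read audit records on stdin and print one line per
# (source type, target type, object class) with all denied permissions
# seen for that triple, e.g. "httpd_t tmp_t file: read getattr".
# Non-AVC records (SYSCALL, CWD, PATH, ...) are ignored.
summarize_avc() {
  grep 'avc:  denied' | awk '
  {
    # the permission set sits between "denied  { " and " }"
    perms = $0; sub(/.*denied  [{] /, "", perms); sub(/ [}].*/, "", perms)
    sctx = ""; tctx = ""; tcls = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^scontext=/) { sctx = substr($i, 10) }
      if ($i ~ /^tcontext=/) { tctx = substr($i, 10) }
      if ($i ~ /^tclass=/)   { tcls = substr($i, 8) }
    }
    # a context is user:role:type:level; the type (3rd field) is what
    # the policy rules are written against
    split(sctx, s, ":"); split(tctx, t, ":")
    key = s[3] " " t[3] " " tcls
    seen[key] = seen[key] " " perms
  }
  END { for (k in seen) print k ":" seen[k] }' | LC_ALL=C sort
}

printf '%s\n' "$AVC_SAMPLE" | summarize_avc
```

The two lines it prints for the sample show at a glance that httpd_t is hitting a file still labelled tmp_t (a labelling problem, fixed by relabelling rather than by a new allow rule) and trying to bind a port that is not in its port context.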
The Contexts
As you’ve seen, there are some special attributes called contexts. We can display this list of contexts via the ‘semanage’ command which allows us to manage contexts:
Contexts are assigned by matching paths against regular expressions, and access is authorized on that basis.
Context Modification
Let’s say I want to create an index file for my website. I’m in /tmp and create my index there. At that moment, when the file is created on disk, SELinux tags the index file and records that it belongs to the /tmp directory. So when I move it to /var/www, it still keeps those attributes and the Apache server won’t be able to use this file. To fix the issue, I have 2 choices:
- Restore the rights defined in the context database for the parent directory.
- Reassign the correct rights to the specific file.
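To show how contexts are matched against path regexes, and why the file created in /tmp and moved to /var/www keeps the wrong label, here is an added example (not from the original article) that re-implements in shell and awk the lookup restorecon and matchpathcon perform, over a constructed file-contexts table laid out like semanage fcontext -l output. The table entries, paths and labels are constructed for this example.

```shell
# Constructed file-contexts table in the layout printed by "semanage fcontext -l":
# <path regex>  <file type>  <context>. As in the real file_contexts database,
# the LAST entry whose regex matches the whole path wins, so more specific
# entries are listed after the general ones.
FCONTEXT_SAMPLE='/tmp(/.*)?  all files  system_u:object_r:tmp_t:s0
/var/www(/.*)?  all files  system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?  all files  system_u:object_r:httpd_sys_script_exec_t:s0'

# matchpath: print the context the table assigns to path $1 (empty if none).
matchpath() {
  printf '%s\n' "$FCONTEXT_SAMPLE" | awk -v p="$1" '
    { if (p ~ ("^" $1 "$")) ctx = $NF }   # anchor the regex like setfiles does
    END { print ctx }'
}

# context_type: extract the type from a user:role:type:level context.
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# check_label: compare the label a file currently carries ($2, as ls -Z shows it)
# with the type the policy expects for its path ($1), like "restorecon -nv".
check_label() {
  want=$(context_type "$(matchpath "$1")")
  have=$(context_type "$2")
  if [ "$want" = "$have" ]; then
    echo "ok"
  else
    echo "relabel $have -> $want"
  fi
}

# The scenario from the article: index created in /tmp, then moved with mv.
# mv preserves the inode and its xattrs, so the file still carries tmp_t.
check_label /tmp/index.html unconfined_u:object_r:tmp_t:s0
check_label /var/www/html/index.html unconfined_u:object_r:tmp_t:s0
```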
Context Restoration
To restore contexts, we’ll use the restorecon command:
And now we have reset all SELinux rights in /var/www.
Context Reassignment
To reassign the correct rights, I need to apply the security policy to this file:
httpd_sys_content_t: this is the desired context type for the /var/www directory.
To find the right context, use the semanage command as seen above:
You can see in the last column that the context we’re looking for is “httpd_sys_content_t”.
Adding a Context
This is something you should avoid doing just to work around problems; use it instead to improve security or customize it for your needs. Here we’ll add a context to fix the problem with the file listed above, which belongs to admin and is located in /var/www/html. We’ll add a context with the rights of the root directory:
Then you can verify your changes:
Now you just need to run “restorecon” to fix the permissions.
Port Blocking
SELinux also restricts which services may listen on which ports. Proof:
If you want to run Apache on another port, for example, you’ll need to add it to the contexts list:
I chose port 81 in this example.
Booleans
Booleans are another kind of switch that SELinux implements, typically for well-known services. To get the list:
To change a value, simply do:
You can verify afterwards in two ways:
FAQ
My System Refuses to Boot Because of SELinux
To fix this problem, at the grub boot, edit the kernel line and add this at the end:
enforcing=0
This will set permissive mode at machine boot so you can fix your problem.
How to Reapply All Security Policies to My System?
If you want to reset all your SELinux security policy on your machine, there are 2 solutions. The first is messier; it consists of checking and reapplying all changes on the fly:
I told you… it’s ugly! However, another cleaner solution that will correctly reapply all permissions at the next reboot is to create a file at the root:
I Have a SELinux Problem and Nothing in My Logs
I encountered this with Samba which was causing problems, but neither audit2allow nor logs showed anything. To solve this problem and see the log messages, tell it to log everything:
Then you just need to check the logs (/var/log/audit/audit.log and /var/log/messages).
Last updated 06 Oct 2011, 12:51 CEST.