Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access control (MAC).
Originally the SELinux implementation was done by a three-letter organisation, not IBM.
The NSA, the original primary developer of SELinux, released the first version to the open source development community under the GNU GPL. By default SELinux is activated on CentOS and Red Hat systems.
States of SELinux
- Enforcing – SELinux security policy is enforced.
- Permissive – SELinux prints warnings instead of enforcing.
- Disabled – No SELinux policy is loaded.
With the command getenforce you can check your current SELinux state.
The persistent setting can also be read from the /etc/selinux/config file.
Types of SELinux
- targeted – Targeted processes are protected
- minimum – Modification of targeted policy. Only selected processes are protected
- mls – Multi Level Security protection
Check SELinux Context
The options -Z or --context of the ls command show the security context of any file.
ls -Z /usr/bin/ssh
Output:
-rwxr-xr-x. root root system_u:object_r:ssh_exec_t:s0 /usr/bin/ssh
Troubleshooting SELinux
Log file for SELinux messages: /var/log/audit/audit.log
To watch denied actions as they happen, tail the log and filter for AVC records:
tail -f /var/log/audit/audit.log | grep avc
Any denied action will be logged in the following format:
type=AVC msg=audit(1608772350.006:649): avc: denied { name_bind } for pid=2834 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:transproxy_port_t:s0 tclass=tcp_socket permissive=0
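As an added example (not part of the original post), a small parser for AVC records in this format that splits the source and target contexts into user, role, type and level and counts enforced denials per (source type, target type, class, permission). It runs over a constructed sample log: the httpd port denial from above plus invented file-access, permissive-mode and non-AVC records, so the filtering can be seen.

```python
import re
from collections import Counter

# Field layout of an AVC record as auditd writes it (the format shown above).
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): +"
    r"avc: +(?P<result>denied|granted) +\{ (?P<perms>[^}]*)\} +for +(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """Split user:role:type:level into parts; the MLS level may itself contain ':'."""
    user, role, typ, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "level": level}

def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not one."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": float(m.group("ts")), "serial": int(m.group("serial")),
           "result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    rec["source"] = split_context(rec["scontext"])
    rec["target"] = split_context(rec["tcontext"])
    rec["permissive"] = rec.get("permissive") == "1"
    return rec

def summarize_denials(lines):
    """Count enforced denials keyed by (source type, target type, class, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied" or rec["permissive"]:
            continue  # skip non-AVC records and permissive-mode (not blocked) denials
        for perm in rec["perms"]:
            counts[(rec["source"]["type"], rec["target"]["type"], rec["tclass"], perm)] += 1
    return counts

# Constructed sample records: the httpd port denial from the text plus invented ones.
SAMPLE_LOG = [
    'type=AVC msg=audit(1608772350.006:649): avc:  denied  { name_bind } for  pid=2834 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:transproxy_port_t:s0 tclass=tcp_socket permissive=0',
    'type=AVC msg=audit(1608772351.120:650): avc:  denied  { read open } for  pid=2834 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1608772352.300:651): avc:  denied  { name_bind } for  pid=2834 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:transproxy_port_t:s0 tclass=tcp_socket permissive=1',
    'type=SYSCALL msg=audit(1608772352.300:651): arch=c000003e syscall=49 success=no exit=-13',
]
if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE_LOG).most_common():
        print(n, *key)
```

Pipe the real file in with summarize_denials(open("/var/log/audit/audit.log")) to get the same per-type summary before deciding which denials deserve a port label change and which deserve a policy module.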
Allow httpd to use port 8081 (the denial shows the port is already labelled transproxy_port_t, so the existing mapping is modified with -m rather than added with -a):
semanage port -m -t http_port_t -p tcp 8081
Check the http_port_t assignment:
semanage port -l | grep http_port_t
If the semanage command is missing, install the package policycoreutils-python.
File contexts can be listed and managed the same way:
semanage fcontext -l
ausearch is also very handy for listing denied actions:
ausearch -m AVC
Generate a compiled policy module from the audit log; review the generated myhttpd.te before installing it, since audit2allow turns every denial in the log into an allow rule:
audit2allow -M myhttpd < /var/log/audit/audit.log
# Install the myhttpd.pp policy
semodule -i myhttpd.pp
Now httpd.service can run on port 8081, and the policy module can be distributed to every other system where you need it.
SELinux tools
- restorecon
- chcon
- semanage (from package policycoreutils-python)
- ausearch
- audit2allow
Conclusion
SELinux is an onboard protection tool. It can be used to run programs with minimal privileges, to protect against exploits, and to protect user data.
Like any other security mechanism, it requires configuration and monitoring.