SELinux on CentOS

What is SELinux

Security Enhanced Linux (SELinux) is a Linux Security Module (LSM) that is built into the Linux kernel. SELinux provides an additional layer of system security.

The standard access policy in Linux is based on the user, group, and other permissions. This policy is known as Discretionary Access Control (DAC).

SELinux implements Mandatory Access Control (MAC). With SELinux, every process and system resource has a special security label called an SELinux context (also referred to as an SELinux label). It is an identifier that abstracts away the system-level details and focuses on the security properties of the entity. The SELinux policy uses these contexts in a series of rules that define how processes can interact with each other and with system resources. By default the policy denies every interaction unless a rule explicitly grants access.

MAC rules are checked after DAC rules. If DAC rules deny access first, SELinux policy rules are not used. This means that no SELinux denial is logged if the traditional DAC rules prevent the access.

SELinux contexts have the following fields:

  • user
  • role
  • type (most important of all) and
  • security level

Most MAC rules use only the SELinux type field, not the full SELinux context. SELinux type names end with _t. For example, the type name for:

  • Apache web server is httpd_t
  • files and directories normally found in /var/www/html/ is httpd_sys_content_t
  • files and directories normally found in /tmp and /var/tmp/ is tmp_t
  • web server ports is http_port_t

There is a default SELinux policy rule that permits Apache (context type httpd_t) to access files & directories found in /var/www/html/ and other web server directories (context httpd_sys_content_t).

There is no allow rule in the policy for files normally found in /tmp and /var/tmp/, so Apache is not permitted to access those files. With SELinux, even if Apache is compromised and a malicious script gains control of it, it is still not able to access the /tmp directory.

SELinux labels are stored as extended attributes of file systems such as ext4. You can list them using the getfattr utility or the ls -Z command, for example:

  $ ls -Z /etc/passwd
  system_u:object_r:passwd_file_t:s0 /etc/passwd

Where system_u is an SELinux user, object_r is an example of the SELinux role, and passwd_file_t is an SELinux domain.
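The following is an added example, not code from the original page: it splits a context string of the kind ls -Z prints into its four fields. The one point it makes that the prose above does not is that the level field (the MLS/MCS range such as s0-s0:c0.c1023) can itself contain colons, so a context must be split into at most four parts rather than on every colon. The sample labels are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): parse an SELinux context.
# Sample contexts below are constructed; on a CentOS system /etc/passwd is
# normally labelled system_u:object_r:passwd_file_t:s0.

# context_field CONTEXT FIELD: print the user, role, type or level field.
# 'read' with four variables assigns the whole remainder of the line to the
# last one, so a level such as s0-s0:c0.c1023 survives intact.
context_field() {
    printf '%s\n' "$1" | {
        IFS=: read -r u r t l
        case $2 in
            user)  printf '%s\n' "$u" ;;
            role)  printf '%s\n' "$r" ;;
            type)  printf '%s\n' "$t" ;;
            level) printf '%s\n' "$l" ;;
            *)     echo "unknown field: $2" >&2; return 1 ;;
        esac
    }
}

# lsz_type "CONTEXT PATH": given one line of ls -Z output, print the type,
# which is the field the policy rules on this page refer to.
lsz_type() {
    set -- $1                # split "CONTEXT PATH" on whitespace
    context_field "$1" type
}

# Demonstration with constructed lines (what ls -Z would print)
lsz_type 'system_u:object_r:passwd_file_t:s0 /etc/passwd'
context_field 'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023' level
```

On a real host the same label can be read with the extended-attribute tool the page mentions: getfattr -n security.selinux /etc/passwd. The process side of a rule (the domain, for example httpd_t) is shown by ps -eZ, and it is parsed by context_field in exactly the same way.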

What SELinux is not

  • an antivirus software,
  • a replacement for passwords, firewalls, and other security systems
  • an all-in-one security solution

SELinux is designed to enhance existing security solutions, not replace them. Even when running SELinux, it is important to continue to follow good security practices, such as keeping software up to date, using hard-to-guess passwords, and running a firewall.

SELinux states and modes

SELinux can run in one of three modes:

  1. enforcing
  2. permissive, or
  3. disabled

Enforcing mode is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system.

In permissive mode, the system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development and debugging.

Disabled mode is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future.

Use the setenforce utility to change between enforcing and permissive mode. Changes made with setenforce do not persist across reboots. Use the getenforce utility to view the current SELinux mode.

SELinux config file

SELinux config file is located at /etc/selinux/config.

The sestatus command reports the SELinux status and the SELinux policy being used.

Note:

  • The selinux-policy-targeted, libselinux-utils, and policycoreutils packages are required for SELinux.
  • They can be installed with: sudo dnf install selinux-policy-targeted libselinux-utils policycoreutils
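The following is an added example, not code from the original page, showing how to read and change the persistent SELINUX= setting in an /etc/selinux/config-style file. The functions take the file path as an argument, so the demonstration works on a constructed copy; on a real CentOS system you would point them at /etc/selinux/config as root and reboot, because, unlike setenforce, this setting only takes effect at boot.

```shell
#!/bin/sh
# Added example (not from the original page): manage the persistent SELinux
# mode in a config file. The file below is a constructed copy of the stock
# CentOS /etc/selinux/config used only for the demonstration.
CFG="$(mktemp)"
cat >"$CFG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
EOF

# config_mode FILE: print the persistent mode (the uncommented SELINUX= line).
# The anchored 'SELINUX=' does not match the SELINUXTYPE= line.
config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# config_set_mode FILE MODE: rewrite the SELINUX= line, accepting only the
# three valid values so a typo cannot leave the host without SELinux at boot.
# The new content is written back through the existing file rather than
# moved over it from /tmp, so the file keeps its ownership, mode and label.
config_set_mode() {
    case $2 in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $2" >&2; return 1 ;;
    esac
    tmp="$(mktemp)"
    sed "s/^SELINUX=.*/SELINUX=$2/" "$1" >"$tmp" && cat "$tmp" >"$1"
    rm -f "$tmp"
}

# Demonstration: show the persistent setting, switch the copy to permissive,
# and contrast it with the runtime mode where the tools are available.
echo "persistent mode: $(config_mode "$CFG")"
config_set_mode "$CFG" permissive
echo "persistent mode after edit: $(config_mode "$CFG")"
if command -v getenforce >/dev/null 2>&1; then
    echo "runtime mode (getenforce): $(getenforce)"
fi
```

The runtime mode is changed with setenforce 0 (permissive) or setenforce 1 (enforcing) and lasts until the next reboot; the config file is what decides the mode at boot. Writing the file back through its existing inode matters on an SELinux system: a file created in /tmp and then moved into /etc/selinux would carry a tmp label rather than the one the policy expects for that path.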

How to create SELinux policies

In scenarios where services use custom file locations, e.g. if you install MySQL Server with its datadir in a non-default location, SELinux in enforcing mode would prevent the service from starting. To fix this, follow the guide below:

  1. Put SELinux into permissive mode (as described above, by editing the /etc/selinux/config file).
  2. When the system is back online, it will be in SELinux permissive mode and will log any policy denials in /var/log/audit/audit.log (or wherever your audit log is written). Running the command below will show what is being blocked/denied. If there are entries that correspond to your service, you will need to create a policy file for SELinux to allow the operation.
  3. Create the policies using:
     • audit2why – parses the audit log and tells you why there was an apparent violation of policy.
     • audit2allow – gathers information from logs of denied operations and then generates SELinux policy allow rules.
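The following is an added example, not code from the original page, covering the two steps above: it summarises the AVC denial records that the audit log collects in permissive mode, and then decides whether the right fix is a new allow rule (audit2allow) or a relabel of the files. The audit log lines are constructed, and the MySQL data directory /srv/mysql is an assumed path.

```shell
#!/bin/sh
# Added example (not from the original page): read AVC denials from an audit
# log and suggest the next step. The log content is constructed; on a real
# system you would read /var/log/audit/audit.log or use ausearch -m AVC.
SAMPLE_LOG="$(mktemp)"
cat >"$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1234 comm="mysqld" name="ibdata1" dev="dm-0" ino=4711 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.102:202): avc:  denied  { write open } for  pid=1234 comm="mysqld" name="ib_logfile0" dev="dm-0" ino=4712 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=257 success=yes exit=3 comm="mysqld"
EOF

# avc_summary FILE: one line per denial, "<source type> -> <target type> (<class>): <permissions>".
# Only the type field of each context is kept, since that is what the rules use.
avc_summary() {
    awk '
        /^type=AVC / && / denied / {
            perms = $0
            sub(/.*\{ */, "", perms); sub(/ *\}.*/, "", perms)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext")      s = kv[2]
                else if (kv[1] == "tcontext") t = kv[2]
                else if (kv[1] == "tclass")   c = kv[2]
            }
            split(s, sf, ":"); split(t, tf, ":")
            printf "%s -> %s (%s): %s\n", sf[3], tf[3], c, perms
        }' "$1"
}

# suggest_fix FILE: print "relabel" when a denied target carries a generic
# label (default_t or unlabeled_t). That means the files never received the
# label the policy expects, so the fix is to label them, not to write an
# allow rule that would open the generic type to the service. Otherwise print
# "allow": the operation is genuinely outside the policy and a local module is
# the way to permit it.
suggest_fix() {
    if avc_summary "$1" | grep -Eq -- '-> (default_t|unlabeled_t) '; then
        echo relabel
    else
        echo allow
    fi
}

avc_summary "$SAMPLE_LOG"
case "$(suggest_fix "$SAMPLE_LOG")" in
    relabel) echo 'Label the data directory: semanage fcontext -a -t mysqld_db_t "/srv/mysql(/.*)?" && restorecon -Rv /srv/mysql' ;;
    allow)   echo 'Build a local module: grep mysqld_t /var/log/audit/audit.log | audit2allow -M local_mysqld && semodule -i local_mysqld.pp' ;;
esac
```

For the constructed log the answer is "relabel": the datadir was created outside /var/lib/mysql and inherited default_t, and the MySQL policy already allows mysqld_t to use mysqld_db_t, so no new rule is needed once the directory is labelled. audit2why on the same records explains the denial for a relabel case the same way. Only when the target already carries the proper type should the denials be fed to audit2allow -M, and the generated .te file should be read before semodule -i loads it, since it allows exactly what was logged, including anything a compromised service did while permissive.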
