SELinux on CentOS
What is SELinux
Security Enhanced Linux (SELinux) is a Linux Security Module (LSM) that is built into the Linux kernel. SELinux provides an additional layer of system security.
The standard access policy in Linux is based on the user, group, and other permissions. This policy is known as Discretionary Access Control (DAC).
SELinux implements Mandatory Access Control (MAC). With SELinux, every process and system resource has a special security label called an SELinux context (also referred to as an SELinux label). It is an identifier which abstracts away the system-level details and focuses on the security properties of the entity. The SELinux policy uses these contexts in a series of rules which define how processes can interact with each other and with system resources. By default the policy denies every interaction (deny all) unless a rule explicitly grants access.
MAC rules are checked after DAC rules. If DAC rules deny access first, SELinux policy rules are not used. This means that no SELinux denial is logged if the traditional DAC rules prevent the access.
SELinux contexts have the following fields:
- user
- role
- type (most important of all) and
- security level
Most common MAC rules use the SELinux type field and not the full SELinux context. SELinux type names end with _t. For example, the type name for:
- the Apache web server is httpd_t
- files and directories normally found in /var/www/html/ is httpd_sys_content_t
- files and directories normally found in /tmp and /var/tmp/ is tmp_t
- web server ports is http_port_t
There is a default SELinux policy rule that permits Apache (context type httpd_t) to access files and directories found in /var/www/html/ and other web server directories (context httpd_sys_content_t).
There is no allow rule in the policy for files normally found in /tmp and /var/tmp/, so Apache is not permitted to access these files. With SELinux, even if Apache is compromised and a malicious script gains access, it is still not able to access the /tmp directory.
SELinux labels are stored as extended attributes of file systems, such as ext4. You can list them using the getfattr utility or the ls -Z command, for example:
$ ls -Z /etc/passwd
system_u:object_r:passwd_file_t:s0 /etc/passwd
Where system_u is an SELinux user, object_r is an example of an SELinux role, and passwd_file_t is the SELinux type (the type of a process is also called its domain).
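The four fields of a context, as an added example that is not part of the original post: a POSIX shell function that splits a label such as the one shown for /etc/passwd into user, role, type and level, plus a check that a label's type is one of the types a policy rule expects. The function names (context_field, context_type_is) and the sample labels are constructed for this example. Labels that carry an MLS/MCS range (s0-s0:c0.c1023) contain a colon inside the level field, so the split stops after the first three colons.

```shell
#!/bin/sh
# Added example (not from the original post): split an SELinux context
# string into its four fields so the type can be compared against policy.

# Usage: context_field <context> <user|role|type|level>
# Splits on the first three colons only; the level may itself contain a
# colon when it is an MLS/MCS range such as s0-s0:c0.c1023.
context_field() {
    ctx=$1
    field=$2
    user=${ctx%%:*};  rest=${ctx#*:}
    role=${rest%%:*}; rest=${rest#*:}
    type=${rest%%:*}; rest=${rest#*:}
    level=$rest
    case $field in
        user)  printf '%s\n' "$user" ;;
        role)  printf '%s\n' "$role" ;;
        type)  printf '%s\n' "$type" ;;
        level) printf '%s\n' "$level" ;;
        *)     echo "unknown field: $field" >&2; return 1 ;;
    esac
}

# Usage: context_type_is <context> <type>...
# Returns 0 when the context's type is one of the given types, 1 otherwise.
# Useful for checking that web content carries httpd_sys_content_t and not,
# say, tmp_t, which httpd_t has no allow rule for.
context_type_is() {
    ctx=$1; shift
    t=$(context_field "$ctx" type)
    for want in "$@"; do
        [ "$t" = "$want" ] && return 0
    done
    return 1
}

# Constructed sample labels, in the same format as `ls -Z` / `ps -Z` output.
sample_passwd='system_u:object_r:passwd_file_t:s0'
sample_web='unconfined_u:object_r:httpd_sys_content_t:s0'
sample_proc='system_u:system_r:httpd_t:s0-s0:c0.c1023'

printf 'passwd type : %s\n' "$(context_field "$sample_passwd" type)"
printf 'httpd role  : %s\n' "$(context_field "$sample_proc" role)"
printf 'httpd level : %s\n' "$(context_field "$sample_proc" level)"
if context_type_is "$sample_web" httpd_sys_content_t httpd_sys_rw_content_t; then
    echo "web content label OK"
else
    echo "web content label unexpected: $(context_field "$sample_web" type)"
fi
```

Run it as `sh contexts.sh`; to check a real file, pass `$(ls -Z /var/www/html/index.html | cut -d' ' -f1)` to context_type_is.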
What SELinux is not
- antivirus software,
- a replacement for passwords, firewalls, and other security systems
- an all-in-one security solution
SELinux is designed to enhance existing security solutions, not replace them. Even when running SELinux, it is important to continue to follow good security practices, such as keeping software up-to-date, using hard-to-guess passwords, and firewalls.
SELinux states and modes
SELinux can run in one of three modes:
- enforcing
- permissive, or
- disabled
Enforcing mode is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system.
In permissive mode, the system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development and debugging.
Disabled mode is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future.
Use the setenforce utility to switch between enforcing and permissive mode. Changes made with setenforce do not persist across reboots. Use the getenforce utility to view the current SELinux mode.
$ getenforce
Enforcing
$ setenforce 0
$ getenforce
Permissive
$ setenforce 1
$ getenforce
Enforcing
SELinux config file
The SELinux config file is located at /etc/selinux/config.
$ cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
The sestatus command returns the SELinux status and the SELinux policy being used:
$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      32
Note:
- The selinux-policy-targeted, libselinux-utils, and policycoreutils packages are required for SELinux.
- These can be installed as:
sudo dnf install selinux-policy-targeted libselinux-utils policycoreutils
How to create SELinux policies
In scenarios where custom file locations are used by services, e.g. if you install MySQL Server with its datadir in a non-default location, SELinux in enforcing mode would cause the service not to start. To fix this, follow the guide below:
- Put SELinux into permissive mode (as described above, by editing the /etc/selinux/config file).
- Perform the following two steps:
# Kick off a full filesystem relabel on boot
$ sudo touch /.autorelabel
# Reboot the node
$ shutdown -r now
- When the system is back online, it will be in SELinux permissive mode and will log any policy denials in the /var/log/audit/audit.log file or any other location where you have the audit log. Running the command below will show what is being blocked/denied (the kernel writes "avc:  denied" with two spaces, so the pattern allows for any number of spaces). If there are entries that correspond to your service, you will need to create a policy file for SELinux to allow the operation.
$ grep -E "avc: +denied" /var/log/audit/audit.log
- Create policies
audit2why – parses the audit log and tells you why there was an apparent violation of policy.
audit2allow – gathers information from logs of denied operations and then generates SELinux policy allow rules.
# Install required packages
$ sudo dnf install policycoreutils-python-utils policycoreutils
# View policy violations
$ audit2why -a
# Explain each denial (equivalent to audit2why), written to stdout
$ audit2allow -a -w
# Generate loadable module package (only for the required process, mysqld)
$ grep mysqld /var/log/audit/audit.log | audit2allow -M mysqld
******************** IMPORTANT ***********************
To make this policy package active, execute:
$ sudo semodule -i mysqld.pp
# Generate loadable module package (for all policy errors)
$ audit2allow -a -M mypolicy
******************** IMPORTANT ***********************
To make this policy package active, execute:
$ sudo semodule -i mypolicy.pp
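Before feeding the whole audit log to audit2allow -a, it pays to see which programs were denied what, so that only the denials belonging to the service (here mysqld) end up in the module and an unrelated denial, such as httpd reaching into /tmp, is not silently allowed as well. The script below is an added example, not from the original post: the function names (make_sample_log, avc_count, summarize_avc) and the audit lines are constructed in the kernel's AVC record format, with the double spaces around "denied" that real lines carry.

```shell
#!/bin/sh
# Added example (not from the original post): summarize AVC denials from an
# audit.log so the reviewer can decide which ones belong in the policy module.

# Usage: make_sample_log <file>
# Writes constructed audit.log lines in the kernel's AVC record format.
make_sample_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1609232400.101:201): avc:  denied  { write } for  pid=2101 comm="mysqld" name="mysql" dev="sdb1" ino=1310 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1609232400.102:202): avc:  denied  { read write } for  pid=2101 comm="mysqld" name="ibdata1" dev="sdb1" ino=1311 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
type=AVC msg=audit(1609232400.103:203): avc:  denied  { write } for  pid=2101 comm="mysqld" name="mysql" dev="sdb1" ino=1310 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1609232400.104:204): avc:  denied  { getattr } for  pid=1550 comm="httpd" path="/tmp/session.dat" dev="sda1" ino=77 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1609232400.104:204): arch=c000003e syscall=4 success=yes exit=0 items=1 ppid=1 pid=1550 comm="httpd" exe="/usr/sbin/httpd"
EOF
}

# Usage: avc_count <audit-log> <comm>
# Number of AVC denial records for one program name.
avc_count() {
    grep -E 'avc: +denied' "$1" | grep -c "comm=\"$2\"" || true
}

# Usage: summarize_avc <audit-log>
# One line per distinct (comm, source type, target type, class, permissions)
# tuple with its count, most frequent first. Each tuple is roughly what
# audit2allow would turn into one allow rule.
summarize_avc() {
    awk '
    /avc: +denied/ {
        perms = ""; comm = ""; st = ""; tt = ""; cls = ""
        # permissions sit between the braces: "{ read write }"
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
            if (kv[1] == "scontext") { split(kv[2], f, ":"); st = f[3] }
            if (kv[1] == "tcontext") { split(kv[2], f, ":"); tt = f[3] }
            if (kv[1] == "tclass")   cls = kv[2]
        }
        count[comm " " st " " tt " " cls " {" perms "}"]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }' "$1" | sort -rn
}

# Demo on the constructed log; on a real node pass /var/log/audit/audit.log.
log=$(mktemp)
make_sample_log "$log"
echo "denials: mysqld=$(avc_count "$log" mysqld) httpd=$(avc_count "$log" httpd)"
echo "count comm source_type target_type class {permissions}"
summarize_avc "$log"
rm -f "$log"
```

In the sample the mysqld rows point at default_t, the label a freshly created directory outside the packaged locations gets; the httpd row is a different program touching tmp_t and should stay denied, which is why `grep mysqld ... | audit2allow -M mysqld` is the safer of the two module-building commands above.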