· Security Enhanced Linux (SELinux) is another layer of security for the Linux OS.
· Developed by the National Security Agency (NSA)
· It adds protection for different files, applications, processes and so on.
Note:
Instead of turning it off, however, you could use SELinux in “permissive” mode, which allows everything to function normally but logs warnings when action or commands would have been blocked. Running in this mode is good for troubleshooting and gaining an understanding of how SELinux works. For the REDHAT exam, however, you need to know how to work with SELinux enabled and enforcing.
SELinux Required Packages
|
Default Installed Packages
|
|
policycoreutils-2.0.83-19.18.el6.x86_64
selinux-policy-3.7.19-126.el6.noarch
selinux-policy-targeted-3.7.19-126.el6.noarch
libselinux-utils-2.0.94-5.2.el6.x86_64
libselinux-python-2.0.94-5.2.el6.x86_64
libselinux-2.0.94-5.2.el6.x86_64
|
|
Required Installation Packages for advanced SELinux management purpose
|
|
yum install selinux-policy*
yum install setroubleshoot*
yum install setools*
yum install policycoreutils*
yum install mcstrans*
|
There are three available modes for SELinux
1. Disabled – SELinux is turned off and doesn’t restrict anything
2. Permissive – SELinux is turned on, but it logs warnings only when an action normally would have been blocked.
3. Enforcing – SELinux is turned on and blocks actions related to services.
SELinux Management Command
Sestatus – shows the current status of SELinux
Getenforce – shows the enforcing status of SELinux
Setenforce – changes the enforcing status of SELinux
Getsebool – returns the Boolean value of a service option
Setsebool – sets the Boolean value of a service option
Chcon – changes the context of a file, directory, or service
Restorecon – resets the context of an object
System-config-selinux – graphical
Semanage boolean –l – list all boolean
Semanage fcontext –l – list all context
Semanage port –l – list all port number
Sestatus command
-b – displays all Boolean and their statuses
-v – provides verbose output
[root@server1 Desktop]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
[root@server1 Desktop]# getenforce
Enforcing
Configuring SELinux
The main config file is “/etc/selinux/config” and “/etc/sysconfig/selinux”
[root@server1 Desktop]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing – SELinux security policy is enforced.
# permissive – SELinux prints warnings instead of enforcing.
# disabled – No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted – Targeted processes are protected,
# mls – Multi Level Security protection.
SELINUXTYPE=targeted
Setenforce command
When changing the mode in which SELinux runs, you are still required to reboot the system.
setenforce [ Enforcing | Permissive |1|0]
[root@server1 Desktop]# setenforce 0
[root@server1 Desktop]# getenforce
Permissive
[root@server1 Desktop]# setenforce 1
[root@server1 Desktop]# getenforce
Enforcing
[root@server1 Desktop]# reboot
SELinux File contexts
SELinux uses three different contexts to enforce security:
1. User
2. Role
3. Domain (also called “type”)
Now to RHEL6 is the addition of a fourth context known as “Level” (this level represents the sensitivity level of a file or directory).
User:
Unconfined_u Unprotected user
System_u System user
User_u Normal user
Role:
Object_r File
System_r Users and processes
Domain:
Unconfined_r Unprotected file or process
Each file, folder and service has an associated label that contains all three contexts.
For example SSH service
[root@server1 Desktop]# ps -ZC sshd
LABEL PID TTY TIME CMD
system_u:system_r:sshd_t:s0-s0:c0.c1023 2260 ? 00:00:00 sshd
1st field “system_u” -> system user
2ndfieed “system_r” -> users and processes
3rd field “unconfined_t” -> domain
[root@server1 Desktop]# ll -Z /etc/ssh/sshd_config
-rw——-. rootroot system_u:object_r:etc_t:s0 /etc/ssh/sshd_config
“chcon” command
Contexts are important when creating websites because if the site doesn’t have the correct context, it is not accessible by the web server. To change the context of a file or directory, you can use the “chcon” command.
Syntax: chcon [option] context file
Option
-f – Suppresses error message
-u – Sets user context
-r – Sets role context
-t – Sets type context (domain)
-R – Change recursively
-v – provides verbose output
Example
1. Change the user context from normal user to system user:
[root@server1 Desktop]# touchmyfile
[root@server1 Desktop]# ls -Z myfile
-rw-r–r–. rootroot unconfined_u:object_r:admin_home_t:s0 myfile
[root@server1 Desktop]# chcon -vu system_umyfile
changing security context of `myfile’
[root@server1 Desktop]# ls -Z myfile
-rw-r–r–. rootroot system_u:object_r:admin_home_t:s0 myfile
|
Tips
“chcon” command is to reference the context of another file.
This capability is useful when you’re using SELinux to enforce security on websites.
When create a new customer site, you can use the “chcon” command to reference the template site and apply the correct context:
#chcon –vR –reference /var/www/html/default_site /var/www/html/customer_site
|
If you make a mistake or just want to reset the original context of a file or directory, you can use the “restorecon” command.
Syntax: restorecon [options]
Options:
-i ignore files that don’t exit
-p shows progress
-v shows changes as they happen
-F resets context
Reset the context of your file back to its original context:
# restorecon -F myfile
verify the changes was applied correctly
#ls -Z myfile
-rw-r–r– root root root:object_r:admin_home_t:s0 myfile
SELinux Service and Boolean options
To view these Boolean options, you can use the “getsebool” command combined with grep to look for specific options
syntax: getsebool -a | grep boolean
[root@server1 repodata]# getsebool -a | grep ftp
allow_ftpd_anon_write –> off
allow_ftpd_full_access –> off
allow_ftpd_use_cifs –> off
allow_ftpd_use_nfs –> off
ftp_home_dir –> off
ftpd_connect_db –> off
httpd_enable_ftp_server –> off
tftp_anon_write –> off
[root@server1 repodata]# getsebool -a | grep samba
samba_create_home_dirs –> off
samba_domain_controller –> off
samba_enable_home_dirs –> off
samba_export_all_ro –> off
samba_export_all_rw –> off
samba_run_unconfined –> off
samba_share_fusefs –> off
samba_share_nfs –> off
use_samba_home_dirs –> off
virt_use_samba –> off
you might be thinking that this is a huge list, so how can you tell which options to change so that Apache, ftp, samba can provide you with different services? the “semanage” command can provide you with a description of each Boolean, It is also very useful if you need a specific settings changed.
[root@server1 ~]# semanage boolean -l | grep ftp
ftp_home_dir -> off Allow ftp to read and write files in the user home directories
tftp_anon_write -> off Allow tftp to modify public files used for public file transfer services.
allow_ftpd_full_access -> off Allow ftp servers to login to local users and read/write all files on the system, governed by DAC.
allow_ftpd_use_nfs -> off Allow ftp servers to use nfs used for public file transfer services.
allow_ftpd_anon_write -> off Allow ftp servers to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t.
allow_ftpd_use_cifs -> off Allow ftp servers to use cifs used for public file transfer services.
ftpd_connect_db -> off Allow ftp servers to use connect to mysql database
httpd_enable_ftp_server -> off Allow httpd to act as a FTP server by listening on the ftp port.
After deciding which Boolean you’d like to change, you need to enable or disable the value appropriately. To enable or disable a Boolean option, you can use the “setsebool” command. When using the command, you also need to use the -P option for the change to be persistent.
syntax: setsebool -P [boolean = on(1) }| off(0)]
[root@server1 ~]# setsebool -P allow_ftpd_anon_write on
[root@server1 ~]# getsebool -a | grep ftp
allow_ftpd_anon_write –> on
allow_ftpd_full_access –> off
allow_ftpd_use_cifs –> off
allow_ftpd_use_nfs –> off
ftp_home_dir –> off
ftpd_connect_db –> off
httpd_enable_ftp_server –> off
tftp_anon_write –> off
SELinux Troubleshooting
SELiux have a two log files
/var/log/audit/audit.log – Logs SELinux denials
/var/log/messages – Logs SELinux denials
Each log file provides specific error messages when denials occur, making them easier to search using “grep”. Two common commands you can use to hunt for error messages include
# grep “SELinux is preventing” /var/log/messages
# grep “denied” /var/log/audit/audit.log
Problems can arise in SELinux for numerous reasons. However, the top three include
■ Labelling problems
Using a nonstandard directory tends to cause problems if the directory or files aren’t labeled correctly.
■ Correct context
When you’re moving files, they can lose or retain incorrect contexts, causing access errors. Use the matchpathcon command to verify the correct context.
■ Confined service
If certain Booleans are not enabled, a service may have trouble operating or communicating with other services.
Review Questions
1. What is the point of using SELinux?
2. What are SELinux Booleans?
3. What command can you use to change the context of files?
4. What command can you use to query Boolean values?
5. What command and option do you use to view the description of Boolean values?
6. How would you view all Boolean options for the HTTP service?
7. Which log file is used to keep track of policy violations?
8. How would you disable SELinux protection for NFS, allowing shares to be
read/write?
Answers to the Review Questions
1. SELinux provides enhanced granular security for the Linux operating system.
2. SELinux Booleans provide restrictions to different aspects of a service.
3. chcon
4. getsebool
5. semanage boolean -l
6. getsebool –a | grep http
7. The /var/log/audit/audit.log file contains all policy violations.
8. setsebool –P nfs_export_all_rw=1
Apntechunix 