What is SELinux and how does it work?

In this tutorial we will learn to use SELinux. It's been my experience that most sysadmins consider it a hassle & end up disabling it. It is a great tool to help us secure our system & we are not utilizing it.

SELinux, or Security Enhanced Linux, is an advanced access control mechanism developed by the US National Security Agency (NSA) to prevent malicious intrusions & tampering. It implements MAC (Mandatory Access Control) on top of the DAC (Discretionary Access Control) that is already present, i.e. the read, write & execute permissions.

It has three different modes:-
1. Enforcing - denies access based on the policy rules & logs the denial,
2. Permissive - logs the policy violations but still allows the access that would be denied in enforcing mode,
3. Disabled - SELinux is completely turned off.

The default configuration file for changing these modes is /etc/selinux/config.

Changing Selinux Modes

To find out the current mode, run

$ getenforce

To change the mode to permissive, run the following command

$ setenforce 0

or for changing the mode from permissive to enforcing, run

$ setenforce 1

If you need to completely disable SELinux, it can only be done through the configuration file (the change takes effect after a reboot),

$ vi /etc/selinux/config

& change the SELINUX field so that it reads

SELINUX=disabled

Configuring Selinux for use

Every file & process is labelled with an SELinux context that carries additional information such as the SELinux user, role & type. If you are enabling SELinux for the first time, the contexts & labels need to be fixed first. This process of fixing labels & contexts is known as 'relabeling'. To initiate relabeling, first go to the configuration file & change the mode to permissive.

$ vi /etc/selinux/config
SELINUX=permissive

Once the mode has been set to 'permissive', we create an empty hidden file named 'autorelabel' in the / directory

$ touch /.autorelabel

& then reboot the machine.

$ init 6

Note :- We use 'permissive' mode for relabeling because relabeling in enforcing mode might cause the system to crash.

Don't worry if it seems to get stuck on some file during boot; relabeling takes some time. Once relabeling has completed & your system has booted up, go to the config file, set the mode to 'enforcing', & also run

$ setenforce 1

You have now successfully enabled SELinux on your machine.

Monitoring Logs

You might have got some errors while relabeling, or might be getting some while the system is up. To check that SELinux is working properly & is not blocking access (denials) to any port, application etc., we need to monitor the logs. The log file for SELinux is /var/log/audit/audit.log, but you don't have to read the whole file to find the errors. We can use the 'audit2why' utility to explain the denials in the log; run

$ audit2why < /var/log/audit/audit.log

& the denials will be printed along with the reason for each. If everything is fine, no output is reported.
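As an added example (not part of the original tutorial), here is a small POSIX shell function that does a first-pass triage of the AVC denials audit2why would explain: it groups them by source type, target type, object class & permission, counts each group, & notes whether the access was actually blocked or only logged in permissive mode. The audit.log lines & the name summarize_avc are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of audit.log lines (not real data): two httpd denials on files
# under a home directory, one unrelated SYSCALL record, and one vsftpd denial that
# was only logged because the system was in permissive mode (permissive=1).
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1577836800.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="sda1" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1577836800.101:201): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1577836800.102:202): avc:  denied  { read } for  pid=1201 comm="httpd" name="style.css" dev="sda1" ino=4243 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1577836800.103:203): avc:  denied  { write } for  pid=1310 comm="vsftpd" name="dan" dev="sda1" ino=8080 scontext=system_u:system_r:ftpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1'

# summarize_avc: group AVC denials by source type, target type, object class and
# permission, count them, and mark each group "blocked" (enforcing) or "logged-only"
# (permissive=1, i.e. it would be blocked once you run setenforce 1).
# Reads the file named in $1, or stdin when no argument is given.
summarize_avc() {
    awk '
    /^type=AVC / && / denied / {
        perm = $0; sub(/.*denied +[{] */, "", perm); sub(/ *[}].*/, "", perm)
        src = $0;  sub(/.*scontext=/, "", src);  sub(/ .*/, "", src)
        tgt = $0;  sub(/.*tcontext=/, "", tgt);  sub(/ .*/, "", tgt)
        cls = $0;  sub(/.*tclass=/, "", cls);    sub(/ .*/, "", cls)
        split(src, s, ":"); split(tgt, t, ":")   # user:role:type:level -> keep the type
        mode = ($0 ~ /permissive=1/) ? "logged-only" : "blocked"
        count[s[3] " " t[3] " " cls " " perm " " mode]++
    }
    END { for (k in count) print count[k], k }
    ' "$@" | sort -rn
}

# Run on the constructed sample; on a live system use: summarize_avc /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_avc
```

Each output line is a candidate for one of the three fixes described below (a Boolean, a file context, or a local policy module), and the count tells you which denial to look at first.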

Setting Selinux Policy

An SELinux policy is a set of rules that guides the SELinux security engine; it defines the rules for a particular environment. We will now learn how to change the policy to allow access for services that are being denied.

1. Booleans

Booleans allow us to change parts of the policy at runtime without any knowledge of policy writing. Such changes take effect without reloading or recompiling the SELinux policy.

Example:-
Let's say we want to share our users' home directories over FTP with read-write access. We have already shared them, but when we try to access them we can't see them. That's because the SELinux policy prevents the FTP daemon from reading & writing in users' home directories. We need to change the policy so that FTP can access home directories; to do that, we first check whether a Boolean is available to accomplish it by running,

$ semanage boolean -l

It will produce a list of all available Booleans with their current status (on or off) & a description. You can narrow the search with 'grep' to find only the results related to FTP

$ semanage boolean -l | grep ftp

& you will see the following Boolean among others

ftp_home_dir    -> off    Allow ftp to read & write files in user home directories

It's turned off, so we turn this Boolean on using 'setsebool'

$ setsebool ftp_home_dir on

Now our FTP daemon will be able to access the users' home directories. Note that setsebool without -P only changes the running value; add -P to make the change persist across reboots.

Note :- You can also get the list of available Booleans by running 'getsebool -a', but it will not show the description of each Boolean.

2. Labelling & Context

This is the most common way of implementing SELinux policy on our server. Every file, folder, process & port is labelled with an SELinux context:
• For files & folders, labels are stored as extended attributes on the filesystem & can be viewed with

$ ls -Z /etc/httpd

• For processes & ports, the kernel manages the labelling & we can see those labels with

$ ps auxZ | grep httpd          (for processes)
$ netstat -anpZ | grep httpd    (for ports)

Example
Now let's take an example to understand labelling & context in a bit more detail. Let's say our web server uses /home/dan/html/ as its document directory rather than /var/www/html/. SELinux will consider this a violation of the policy & you won't be able to view your webpage. That is because the html files do not carry the security context that httpd is allowed to read. To check the default security context for html files, use the following command

$ ls -lZ /var/www/html

-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/

Here we get httpd_sys_content_t as the context for html files. We need to set this security context on our own directory as well, which currently has the context

-rw-r--r--. dan dan system_u:object_r:user_home_t:s0 /home/dan/html/

Another way to check the security context assigned to a file or directory is

$ semanage fcontext -l | grep '/var/www'

Once we have found the right security context, we also use 'semanage' to change it. To change the context of /home/dan/html, run the following commands,

$ semanage fcontext -a -t httpd_sys_content_t '/home/dan/html(/.*)?'
$ semanage fcontext -l | grep '/home/dan/html'
/home/dan/html(/.*)?    all files    system_u:object_r:httpd_sys_content_t:s0
$ restorecon -Rv /home/dan/html

Once the context mapping has been changed with 'semanage', restorecon applies that default context to the files & directories. Our web server will now be able to read the files from the /home/dan/html folder, as the security context of the folder has been changed to 'httpd_sys_content_t'.

3. Creating Local policies

There might arise a situation where the above methods are of no use to you & you are still getting errors (AVC denials) in audit.log. In that case we need to create a local policy module to resolve those denials. You can view all the errors with audit2why, as stated above.
Once we have the errors, we can create a local policy to resolve them. For example, if we are getting an error related to httpd (Apache) or smbd (Samba), we grep for the error & create a policy for it

$ grep httpd_t /var/log/audit/audit.log | audit2allow -M http_policy (for apache)
$ grep smbd_t /var/log/audit/audit.log | audit2allow -M smb_policy (for samba)

Here http_policy & smb_policy are the names of the local policy modules we created. audit2allow writes a rule for every denial it is fed, so read the generated .te file & confirm that each allow rule is one you actually intend before loading it. We now only have to load the modules into the current SELinux policy, which is done with

$ semodule -i http_policy.pp
$ semodule -i smb_policy.pp

Our local policies have been loaded & we should no longer be getting those AVC denials in audit.log.

This was my attempt to help you understand SELinux. I hope that after reading this tutorial you will be a little more comfortable with it. If you have questions or suggestions, please send them to us via the comment box below.
