SELinux
Background
- Security Enhanced Linux
- SELinux answers the question "May {subject} do {action} to {object}?"
- Steps beyond traditional UNIX file permissions
- A.k.a., Discretionary Access Control (DAC) - The standard access policy based on user, group and other permissions
- Does not enable fine-grained security policies
- SELinux implements Mandatory Access Control (MAC)
- MAC rules are checked only after DAC: if the ordinary permission bits already deny the access, SELinux is never consulted and nothing is logged. This is why a denial might not show up in the audit log!
- Every process and every system object (file, directory, socket, port, ...) carries a security label called an SELinux context.
References
- SELinux Users and Administrators Guide for RHEL 7
- CentOS6 SELinux troubleshooting
- "SELinux decisions, such as allowing or disallowing access, are cached. This cache is known as the Access Vector Cache (AVC). Denial messages are logged when SELinux denies access. These denials are also known as 'AVC denials'"
- CentOS7 SELinux troubleshooting
- Configuring SELinux for apache web servers
SELinux context fields
- Unconfined processes run in the unconfined_service_t domain
- Processes running in unconfined domains fall back to using DAC rules exclusively
- By default, newly-created files and directories inherit the SELinux type of their parent directories.
user
semanage login -l
- Check how Linux users are mapped to SELinux users
role
- Part of the Role-Based Access Control (RBAC) security model
- SELinux users are authorized for roles
- Roles are authorized for domains
seinfo -r
- List available roles
type
- The most common kind of policy rule (allow rules, i.e. type enforcement) defines the allowed interactions between processes and system resources in terms of SELinux types alone, not the full SELinux context
- SELinux types usually end with _t
seinfo -t | sort | grep http
- e.g., show all types that have string "http" in them
security level
- Usually something like s0
- Like levels of clearance:
- Unclassified
- Confidential
- Secret
- Top Secret
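The four context fields above can be pulled apart with a few lines of awk, which is worth doing once because the level field may itself contain colons (an MCS range such as s0-s0:c0.c1023). The script below is an added example and not part of the wiki page; the ps -eZ sample lines are constructed, and the helper names are mine. It uses the type field to list processes running in the unconfined_t or unconfined_service_t domains, i.e. the processes the page notes are governed by DAC only.

```shell
#!/bin/sh
# Added example (not part of the wiki page): take apart the four fields of an
# SELinux context and use the type field to find processes running in an
# unconfined domain. The "ps -eZ"-style lines below are constructed sample data.

# context_field CONTEXT N -> field N: 1=user 2=role 3=type 4=level
# The level itself may contain colons (MCS ranges such as s0-s0:c0.c1023),
# so everything from the fourth colon-separated part onward is the level.
context_field() {
    printf '%s\n' "$1" | awk -F: -v n="$2" '
        n < 4 { print $n; next }
        { lvl = $4; for (i = 5; i <= NF; i++) lvl = lvl ":" $i; print lvl }'
}

# Constructed sample in "ps -eZ" layout: LABEL PID TTY TIME CMD
SAMPLE_PS='system_u:system_r:httpd_t:s0 1021 ? 00:00:01 httpd
system_u:system_r:unconfined_service_t:s0 1105 ? 00:00:00 legacy-agent
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2210 pts/0 00:00:00 bash
system_u:system_r:sshd_t:s0-s0:c0.c1023 877 ? 00:00:00 sshd'

# unconfined_procs (ps -eZ lines on stdin) -> "PID CMD TYPE" for each process
# whose domain is one of the unconfined types. SELinux imposes no restrictions
# on these beyond DAC, so they deserve a second look on a hardened host.
unconfined_procs() {
    awk '$1 ~ /:(unconfined_t|unconfined_service_t):/ {
             split($1, f, ":"); print $2, $5, f[3] }'
}

# Real use: ps -eZ | unconfined_procs
# On the constructed sample this prints the lines for PIDs 1105 and 2210.
printf '%s\n' "$SAMPLE_PS" | unconfined_procs
```

The regex anchors on the colons around the type so that a type such as unconfined_t is matched exactly and not as a substring of a longer name.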
Simple Commands and important files
- SE Control programs: getsebool, setsebool, booleans, togglesebool, semanage
man files
man selinux
man -k selinux | less
- See the list of SELinux man pages, of which there are MANY.
seinfo
- get statistics for policy file
sestatus
- Get status, e.g., whether in enforcing or not
- also setenforce and getenforce
sesearch
- SELinux policy query tool
- Provided by the setools-console package:
yum install setools-console
chcon
- Temporarily changes the context for files
- Label changes do not survive when the file system is relabeled or when restorecon is run
- For permanent changes that survive a file system relabel, use the semanage utility
- options
- -v: verbose flag
- -R: recursive flag
- -u USER
- -r ROLE
- -l RANGE: as in security range
- -t TYPE
- --reference=RFILE
semodule
- Use to load modules created by audit2allow
Important files
- /etc/selinux/config - Main configuration file
- /sys/fs/selinux/policy - Policy file
- /etc/selinux/targeted/contexts/files/file_contexts.local - when you chcon or semanage fcontext, changes are listed in here.
- See the changes with:
semanage fcontext -C -l
See SELinux contexts
ls -Z
- List file contexts
ps aux -Z
- List process contexts
id -Z
- What is my user context?
seinfo -u
- List the available SELinux users
ss -x -a -Z
- List all unix sockets and their contexts
- Preserving contexts on copy, example:
cp --preserve=context file1 /var/www/html/
matchpathcon -V /var/www/html/*
- Compares the current SELinux context of each file to the correct, default context
semanage
- SELinux Policy Management tool
- subcommands
- import
- export
- login
- user
- port - manage network port type definitions
- interface
- module
- node
- fcontext - Manage file context mapping definitions
- boolean - Manage booleans to selectively enable functionality
- permissive - manage process type enforcement
- dontaudit - disable/enable dontaudit rules in policy
- ibpkey
- ibendport
semanage boolean
- Boolean httpd_unified: when disabled, the web server's document directory (httpd_sys_content_t) is read-only to httpd.
semanage boolean -l | sort | less
- List all SELinux booleans
- Pre CentOS 6:
getsebool -a | grep httpd
semanage fcontext
- PERSISTENTLY change the SELinux context of files
- Adds an entry to file_contexts.local
- THEN have to run restorecon to actually change the type
- man 8 semanage-fcontext
- options
- -v: verbose
- -a: add a new record
- -d: delete a locally added context
- -t TYPE
- -e SOURCEPATH: label the target path the same way as SOURCEPATH (an equivalence rule)
Examples
semanage fcontext -a -t httpd_sys_content_t "/var/www/lgorders/admin(/.*)?"
restorecon -R -v /var/www/lgorders/admin
[sudo] semanage fcontext -C -l
- Show the locally added file-context rules, i.e. the contexts files and directories under those paths are expected to get
semanage port
semanage port -l
- List all the ports and contexts known to SELinux
- e.g.:
semanage port -l | grep http
restorecon
- Restores the default SELinux context for files
restorecon -Rv .
- -n: dry-run (passively check whether the file contexts are all set as specified by the active policy)
- -R: recursive
- -v: verbose
- When you cp files from one location to another, they keep their original context
- If you scp (from another machine?) directly into place, they get the context corresponding to the receiving location.
- Every time you copy (cp) new/modified files into /var/www/lgorders you'll have to run
sudo restorecon -R /var/www/lgorders
to allow httpd to use them.
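The semanage fcontext / restorecon sequence above, written out as one script with a verification step at the end. This is an added example, not the wiki's own code: the path /var/www/lgorders/admin and the type httpd_sys_content_t are taken from the page's example, while the function names and the --apply switch are mine. The two pure helpers (the pattern builder and the mislabel counter) run anywhere; the system-changing part only runs when the script is invoked with --apply on a host that has semanage.

```shell
#!/bin/sh
# Added example (not from the wiki page): record a persistent file-context
# rule with semanage fcontext, apply it with restorecon, then verify that
# every object under the directory now carries the wanted type.
set -eu

# fcontext_pattern DIR -> the regex semanage fcontext expects for a whole tree.
# A trailing slash is dropped so DIR/ and DIR produce the same rule.
fcontext_pattern() {
    printf '%s(/.*)?\n' "${1%/}"
}

# count_mislabeled TYPE (ls -dZ lines on stdin) -> number of objects whose
# type field is not TYPE. Used after restorecon as the success check.
count_mislabeled() {
    awk -v t="$1" '{ split($1, f, ":"); if (f[3] != t) n++ } END { print n + 0 }'
}

# label_tree DIR TYPE -> make TYPE the persistent label of DIR and apply it.
label_tree() {
    dir=$1
    type=$2
    pattern=$(fcontext_pattern "$dir")

    # 1. Show what the active policy expects versus what is on disk right now
    #    (matchpathcon exits non-zero on a mismatch; informational here).
    matchpathcon -V "$dir" || true

    # 2. Persistent rule: it lands in file_contexts.local and relabels nothing
    #    yet. Use -m instead of -a if a rule for this pattern already exists.
    semanage fcontext -a -t "$type" "$pattern"

    # 3. Apply the rule to the files that exist now. After copying new files
    #    into DIR this is the step to repeat; the rule itself persists.
    restorecon -R -v "$dir"

    # 4. Verify: no object under DIR may be left with a different type.
    bad=$(find "$dir" -exec ls -dZ {} + | count_mislabeled "$type")
    if [ "$bad" -ne 0 ]; then
        echo "$bad object(s) under $dir still lack type $type" >&2
        return 1
    fi
    echo "$dir labelled $type; persistent rule: $pattern"
}

# Only change the system when explicitly asked and when the tooling exists,
# so the helpers can be exercised on any machine.
if [ "${1-}" = "--apply" ]; then
    command -v semanage >/dev/null 2>&1 || { echo "semanage not installed" >&2; exit 1; }
    label_tree /var/www/lgorders/admin httpd_sys_content_t
fi
```

Run it as root with --apply on the web server; without the switch it only defines the functions. The final count is the check the page's chcon warning implies: a label that looks right in ls -Z but is missing from file_contexts.local will silently revert on the next relabel, so verifying after restorecon (which reads the persistent rules) rather than after chcon is what proves the change will last.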
auditd
- If the Linux audit daemon (see below) is running, SELinux denials are written to the file
/var/log/audit/audit.log
audit2allow
and audit2why
- cat /var/log/audit/audit.log | audit2allow
man auditd
- /etc/audit/auditd.conf
service auditd status
- Check that auditd is running; it writes its records to /var/log/audit/audit.log
aureport -a
- Summary report of the AVC events in the log
ausearch -m avc -ts recent
- Denials from the last 10 minutes
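Before piping the whole log into audit2allow (which turns every recorded denial into an allow rule), it helps to see what the denials actually are: a process type denied a permission on a file type usually means a mislabel that restorecon or semanage fcontext fixes, and a denial on a port type usually means a boolean, not a custom module. The script below is an added example, not part of the wiki page; the audit.log lines are constructed sample data in the real AVC record layout, and the function name is mine. It groups denials by source type, target type, object class and permission set and counts them.

```shell
#!/bin/sh
# Added example (not from the wiki page): summarize AVC denial records from
# audit.log so the cause of each denial is visible before any policy change.
# The sample lines below are constructed; the SYSCALL line shows that
# non-AVC records are ignored.

SAMPLE_AUDIT='type=AVC msg=audit(1463153045.121:1234): avc:  denied  { read } for  pid=5432 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1463153045.121:1234): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1463153046.002:1235): avc:  denied  { read open } for  pid=5432 comm="httpd" name="logo.png" dev="dm-0" ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1463153050.500:1236): avc:  denied  { name_connect } for  pid=5432 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1463153051.700:1237): avc:  denied  { read } for  pid=5440 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# summarize_avc (audit.log lines on stdin) ->
#   "<count> <comm> <source type> -> <target type> <class> {<perms>}"
# one line per distinct denial, most frequent first.
summarize_avc() {
    awk '
    /type=AVC/ && /denied/ {
        comm = stype = ttype = tclass = perms = ""; inperm = 0
        for (i = 1; i <= NF; i++) {
            # the permissions sit between "{" and "}" as separate words
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = perms (perms ? "," : "") $i; continue }
            if ($i ~ /^comm=/)          { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
            else if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); stype = s[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); ttype = t[3] }
            else if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        count[comm " " stype " -> " ttype " " tclass " {" perms "}"]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Real use:  summarize_avc < /var/log/audit/audit.log
#        or: ausearch -m avc -ts recent | summarize_avc
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
```

On the constructed sample the top line is the two reads of user_home_t files by httpd_t, which points at content copied into the document root without relabeling (the restorecon case on this page), while the single tcp_socket line names a port type and so is a candidate for a boolean rather than a generated module.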
auditctl
- a utility to assist controlling the kernel's audit system
- To see unsuccessful open calls:
auditctl -a exit,always -S open -F success!=0
- -a always,exit = append action always to syscall exit list
- -S open = any open call made by a program
- -F success!=0 = create a rule field evaluating on the exit value
- You may have to do a
service auditd restart
afterwards, not sure.
examples
auditctl -l
- List all user-defined audit rules
auditctl -D
- Delete all user-defined rules
auditctl -a always,exit -S all -F pid=1005
- See all syscalls made by a specific program
auditctl -a always,exit -S openat -F auid=510
- See files opened by a specific user
auditctl -a always,exit -S openat -F success=0
- See unsuccessful openat calls
auditctl -a exit,always -S open -F success=0
- See unsuccessful open calls
auditctl -w /etc/shadow -p wa
or
auditctl -a always,exit -F path=/etc/shadow -F perm=wa
- Watch a file for changes
auditctl -w /etc/ -p wa
or
auditctl -a always,exit -F dir=/etc/ -F perm=wa
- Recursively watch a directory for changes
auditctl -a always,exit -F dir=/home/ -F uid=0 -C auid!=obj_uid
- See if an admin is accessing other users' files