SELinux

From Colettapedia
Jump to navigation Jump to search

Background

  • Security Enhanced Linux
  • SELinux answers the question "May {subject} do {action} to {object}?"
  • Steps beyond traditional UNIX file permissions
    • A.k.a., Discretionary Access Control (DAC) - The standard access policy based on user, group and other permissions
    • Does not enable fine-grained security policies
  • SELinux implements Mandatory Access Control (MAC)
    • MAC rules are checked only after DAC!!!! This is why a denial might not show up in the audit!!!!!
  • Every process and system label has a special security label called an SELinux context.


References


SELinux context fields

  • Unconfined processes run in the unconfined_service_t domain
    • Processes running in unconfined domains fall back to using DAC rules exclusively
  • By default, newly-created files and directories inherit the SELinux type of their parent directories.

user

  • semanage login -l to check how Linux users are mapped to SELinux users

role

  • Part of the Role-Based Access Control (RBAC) security model
  • SELinux users are authorized for roles
  • Roles are authorized for domains
  • seinfo -r - List available roles

type

  • The most common policy rule which defines the allowed interactions between processes and system resources uses SELinux types and not the full SELinux context
  • SELinux types usually end with _t
  • seinfo -t | sort | grep http - e.g., show all types that have string "http" in them

security level

  • Usually something like s0
  • Like levels of clearance
    • Unclassified
    • Confidential
    • Secret
    • Top Secret

Simple Commands and important files

  • SE Control programs: getsebool, setsebool, booleans, togglesebool, semanage

man files

  • man selinux
    • man -k selinux | less to see list of SELinux topics, of which there are MANY.

seinfo

  • get statistics for policy file

sestatus

  • Get status, e.g., whether in enforcing or not
    • also setenforce and getenforce

sesearch

  • yum install setools-console
  • SELinux policy query tool

chcon

  • Temporarily changes the context for files
  • label changes do not survive when the file system is relabeled OR when restorecon is run.
    • For permanent changes that survive a file system relabel, use the semanage utility
  • options
    • -v: verbose flag
    • -R: recursive flag
    • -u USER
    • -r ROLE
    • -l RANGE: as in security range
    • -t TYPE
    • --reference=RFILE

semodule

  • Use to load modules created by audit2allow

Important files

  • /etc/selinux/config - Main configuration file
  • /sys/fs/selinux/policy - Policy file
  • /etc/selinux/targeted/contexts/files/file_contexts.local - when you chcon or semanage fcontext, changes are listed in here.
    • See changes with semanage fcontext -C -l

See SELinux contexts

  • ls -Z - List file contexts
  • ps aux -Z - List process contexts
  • id -Z - What is my user context?
    • To list the available SELinux users - seinfo -u
  • ss -x -a -Z - List all unix sockets and their contexts
  • Preserving contexts on copy example: cp --preserve=context file1 /var/www/html/
  • matchpathcon -V /var/www/html/* - compares the current SELinux context to the correct, default context

semanage

  • SELinux Policy Management tool
  • subcommands
    • import
    • export
    • login
    • user
    • port - manage network port type definitions
    • interface
    • module
    • node
    • fcontext - Manage file context mapping definitions
    • boolean - Manage booleans to selectively enable functionality
    • permissive - manage process type enforcement
    • dontaudit - disable/enable dontaudit rules in policy
    • ibpkey
    • ibendport

semanage boolean

  • boolean httpd_unified: when disabled, the webserver document directory becomes a read-only world (httpd_sys_content_t).
  • semanage boolean -l | sort | less - list all SELinux booleans
    • Pre CentOS 6: getsebool -a | grep httpd

semanage fcontext

  • PERSISTENTLY change the SELinux context of files
    • Adds an entry to file_contexts.local
  • THEN have to run restorecon to actually change the type
  • man 8 semanage-fcontext
  • options
    • -v: verbose
    • -a: add a new record
    • -d: delete an locally added context
    • -t TYPE
    • -e REFERENCEFILE

Examples

  • semanage fcontext -a -t httpd_sys_content_t "/var/www/lgorders/admin(/.*)?"
  • restorecon -R -v /var/www/lgorders/admin
  • [sudo] semanage fcontext -C -l - show contexts to newly created files and directories

semanage port

  • semanage port -l - List all the ports and contexts known to SELinux
    • e.g. semanage port -l | grep http

restorecon

  • Restores the default SELinux context for files
  • restorecon -Rv .
    • -n: dry-run (passively check whether the file contexts are all set as specified by the active policy)
    • -R: recursive
    • -v: verbose
  1. When you cp files from one location to another, they keep their original context
  2. If you scp (from another machine?) directly into place, they get the context corresponding to the receiving location.
  3. Every time you copy (cp) new/modified files into /var/www/lgorders you’ll have to run sudo restorecon -R /var/www/lgorders to allow httpd to use them.

auditd

  • If Linux audit daemon (see below) is turned on, SELinux problems should be written to file /var/log/audit/audit.log
  • audit2allow and audit2why
    • cat /var/log/audit/audit.log | audit2allow
  • man auditd
  • /etc/audit/auditd.conf
  • service auditd status
  • dumps infos to /var/log/audit/audit.log
  • aureport -a
  • ausearch -m avc -ts recent - denials from the last 10 minutes

auditctl

  • a utility to assist controlling the kernel's audit system
  • To see unsuccessful open call's auditctl -a exit,always -S open -F success!=0
    • -a always,exit = append action always to syscall exit list
    • -S open = any open call made by a program
    • -F success!=0 = create a rule field evaluating on the exit value
    • You may have to do a service auditd restart after, not sure.

examples

  • auditctl -l - list all user defined audit hooks
  • auditctl -D - delete all user defined hooks
  • auditctl -a always,exit -S all -F pid=1005 - To see all syscalls made by a specific program
  • auditctl -a always,exit -S openat -F auid=510 - To see files opened by a specific user
  • auditctl -a always,exit -S openat -F success=0 - To see unsuccessful openat calls
  • auditctl -a exit,always -S open -F success=0 - To see unsuccessful open calls
  • auditctl -w /etc/shadow -p wa or auditctl -a always,exit -F path=/etc/shadow -F perm=wa - To watch a file for changes
  • auditctl -w /etc/ -p wa or auditctl -a always,exit -F dir=/etc/ -F perm=wa - To recursively watch a directory for changes
  • auditctl -a always,exit -F dir=/home/ -F uid=0 -C auid!=obj_uid - To see if an admin is accessing other user's files