During the operation of systems with SELinux, I identified several interesting cases, the solutions of which are hardly described on the Internet. Today I decided to share my observations with you in the hope that the number of SELinux supporters will increase a little :)

0. Reinstall policy package

If you didn’t know, I’m reporting: the whole SELinux is through the file, and there is no magic there. Therefore, you can right when SELinux is on, reinstall the policy package if something went wrong.
Example for centos 7 & selinux-policy-minimum

#!/bin/sh setenforce 0 semanage export > exports.semanage yum remove -y selinux-policy-minimum rm -rf /etc/selinux/minimum yum install -y selinux-policy-minimum semodule -RB semanage import -f exports.semanage 

1. SELinux in permissive mode, but some commands do not work

Invalid process context

The reason is that some programs try to change the context (by analogy with setuid / setgid) before exec (3), but use the wrong context for this.

Example: a crond daemon that processes the crontab of the user user whose context is unknown. In this case, it execlp (3) returns the error 'Invalid context'.

Decision

1. Make policy reload (semodule -R)
2. See which user is used
3. View which selinux user is for him (semanage login -l)
4. Ensure that the / etc / selinux / $ type / contexts / users / $ username file is present
5. If there is no file, reset the defaults by reinstalling the policy package.

Invalid file context

If for some reason the author did not happen and the file was left without any context, or with garbage instead of context, access to it can also be blocked due to the fact that open (3) will fall when trying to compare contexts.

Decision

1. Make restorecon / path -Rv
2. Make sure the contexts are correct and that all modules are loaded.
3. Make policy reload (semodule -R)
4. If it did not help, reset the defaults by reinstalling the policy package.

2. After enabling SELinux and rebooting, all processes are started from kernel_t / There are many errors in the logs about accessing kernel_t

How does SELinux turn on?

1. Create file /.autorelabel
2. Reboot, the kernel sees this file and starts autorelabeling
3. Restart again and start the kernel with the context kernel_t.

Problems occur at stage two: the kernel knows only about the contexts of the modules that were explicitly included before the reboot. For example, if the systemd module was not enabled, then:

• The kernel is running with the context kernel_t
• The context transition rules from kernel_t to systemd do not work, because relabel did not assign him the context init_exec_t, systemd inherits the context kernel_t
• For the daemons that systemd runs, the context transition rules also do not work, since the rules are written for the init_t context, not the kernel_t. All daemons are running from kernel_t.
• ....
• FAIL

Decision

• Before creating /.autorelabel, manually turn on all the necessary modules using the semodule -e $ module command, or
• Do restorecon -R / after reboot and reboot the system again, or
• Make systemctl daemon-reexec and restart all daemons manually if the second reboot is not acceptable
• Use the offrestorecon * utility instead of /.autorelabel

3. After updating the policy package, nothing works, all commands write errors

This problem occurs when, after the update, the cyclic dependencies between modules or contexts cannot be resolved. For example:

• In version 1.0, the settings were made and the local_module module was added.
• local_module exported context local_module_file_t
• Was this context assigned with semanage to "/opt/local(/.*)?"

When upgrading to version 1.1, the local_module module is installed after the context settings for "/ opt / local" are applied, which can lead to a circular dependency. In fact, this happens rarely from one module, but when there are 30 of them and they link to each other and carry some of the settings "outside" (via semanage fcontext or semanage port for example), then problems are almost guaranteed.

Decision

• Rearrange the policy package (see point 0), or
• Run sequentially BEFORE update
  

   semanage export > outfile semanage fcontext -D semanage user -D semanage port -D semanage login -D # update your packages semanage import -f outfile 

4. Long reboot when SELinux is enabled

Autorelabeling is a pain for owners of large servers. An average server with a database can reboot for 3-4 hours due to the inclusion of SELinux, which is absolutely unacceptable for business.

Decision

In fact, the labels on the files are in the extended-file system attributes, which can be accessed using the getfattr (1) / setfattr (1) / attr (1) commands. The attribute is called security.selinux and contains the context as a string. At the same time, even when SELinux is turned off, the matchpathcon command from libselinux-utils works, which shows the default context for a particular path.

Combining both of these facts, we get the opportunity to make audorelabel right while the server is running, without spending time on it when rebooting.

This afternoon I put my code on github , a utility called offrestorecon . Do not forget to turn on all the necessary modules and delete the file /.autorelabel!

5. After the reboot, all the variable settings

Decision

Use the -P switch for setsebool, or semanage boolean

Instead of an afterword

If you are interested in the SELinux topic, send comments on your strange cases and their solutions, I will add them to this article. It is possible that this will make the life of the following security-administrators a little easier.