
SELinux Beginner's Guide


Translation of the article prepared for students of the course "Linux Security"




SELinux, or Security Enhanced Linux, is an enhanced access control mechanism developed by the US National Security Agency (NSA) to prevent malicious intrusions. It implements a Mandatory Access Control (MAC) model on top of the existing Discretionary Access Control (DAC) model, that is, on top of the familiar read, write and execute permissions.


SELinux has three modes:


  1. Enforcing - access is denied according to the policy rules.
  2. Permissive - actions that violate the policy are only logged; in enforcing mode they would be denied.
  3. Disabled - SELinux is turned off completely.

The default settings are in /etc/selinux/config


Changing SELinux Modes


To find out the current mode, run


 $ getenforce 

To change the mode to permissive, run the following command


 $ setenforce 0 

or, to change the mode from permissive back to enforcing, run


 $ setenforce 1 

If you need to completely disable SELinux, this can only be done through the configuration file.


 $ vi /etc/selinux/config 

To disable, change the SELINUX parameter as follows:


 SELINUX=disabled 

SELinux Setup


Each file and process carries a SELinux context, which holds additional information such as user, role and type. When you turn on SELinux for the first time, the contexts (labels) have to be assigned first. The process of assigning labels and contexts is known as labeling. To start labeling, change the mode to permissive in the configuration file:


 $ vi /etc/selinux/config 
 SELINUX=permissive 

After setting permissive mode, create an empty hidden file named .autorelabel in the root directory


 $ touch /.autorelabel 

and restart the computer


 $ init 6 

Note: we use permissive mode for labeling, since labeling in enforcing mode can cause the system to crash during the reboot.


Do not worry if the boot appears to be stuck on a file; labeling takes some time. After labeling has finished and the system has booted, you can go back to the configuration file and set enforcing mode, and also run:


 $ setenforce 1 

Now you have successfully enabled SELinux on your computer.


Monitor logs


You may have some errors during labeling or during system operation. To check if your SELinux is working correctly and does not block access to any port, application, etc., you need to look at the logs. The SELinux log is in /var/log/audit/audit.log , but you do not need to read it completely to find errors. You can use the audit2why utility to find errors. Run the following command:


 $ audit2why < /var/log/audit/audit.log 

As a result, you will receive a list of errors. If there were no errors in the log, no messages will be displayed.
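As an added example (not part of the original article), the POSIX shell function below summarises the AVC denial records in an audit.log without audit2why: it groups them by process, source type, target type, object class and denied permissions. Seeing the denials grouped this way is what tells you whether a boolean, a relabel or a local policy is the right fix. The log lines are constructed samples in the standard auditd AVC record format; the function name avc_summary is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original article: summarise AVC denials from an
# audit.log so you can see what is being denied before choosing a fix.
# The lines below are constructed samples in the real auditd record format;
# the field names (type=AVC, denied { ... }, comm=, scontext=, tcontext=,
# tclass=) are the standard ones written by the kernel.

SAMPLE_LOG=$(cat <<'EOF'
type=AVC msg=audit(1563200000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=123 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1563200001.456:457): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/home/dan/html" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1563200002.789:458): avc:  denied  { read } for  pid=1234 comm="httpd" name="about.html" dev="dm-0" ino=124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1563200003.000:459): avc:  denied  { name_connect } for  pid=2222 comm="smbd" dest=8080 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1563200003.000:459): arch=c000003e syscall=42 success=no exit=-13
EOF
)

# avc_summary: read audit records on stdin and print one line per distinct
# denial, "COUNT comm source_type->target_type tclass {perms}", most frequent
# first. Only "type=AVC ... denied" records are considered; SYSCALL and other
# record types are skipped.
avc_summary() {
    awk '
    /^type=AVC / && /avc: +denied/ {
        # the permission list sits between "denied {" and "}"
        perms = $0
        sub(/.*denied +[{] */, "", perms)
        sub(/ *[}].*/, "", perms)
        comm = ""; s = ""; t = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
            if ($i ~ /^scontext=/) { s = $i;    sub(/^scontext=/, "", s) }
            if ($i ~ /^tcontext=/) { t = $i;    sub(/^tcontext=/, "", t) }
            if ($i ~ /^tclass=/)   { cls = $i;  sub(/^tclass=/, "", cls) }
        }
        # keep only the type field (third colon-separated part) of each context
        split(s, sa, ":"); split(t, ta, ":")
        key = comm " " sa[3] "->" ta[3] " " cls " {" perms "}"
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# usage: feed the real log with  avc_summary < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_LOG" | avc_summary
```

In the sample, httpd is denied read on user_home_t files: the same situation as the web server example later in this article, where the fix is a relabel rather than a new policy.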


Setting up a SELinux policy


A SELinux policy is a set of rules that governs the SELinux security mechanism. A policy defines a set of rules for a particular environment. We will now learn how to configure policies to allow access to prohibited services.


1. Booleans (switches)


Switches (booleans) allow you to change parts of the policy during operation, without the need to create new policies. They allow you to make changes without reloading or recompiling SELinux policies.


Example
Suppose we want to share a user's home directory over FTP for reading and writing; we have shared it, but we see nothing when we try to access it. This is because the SELinux policy prevents the FTP server from reading and writing in users' home directories. We need to change the policy so that the FTP server can access the home directories. Let's see whether there is a switch for this by running


 $ semanage boolean -l 

This command displays the list of available switches with their current state (on or off) and a description. You can narrow the search by piping through grep to show only results related to ftp:


 $ semanage boolean -l | grep ftp 

and find the following


 ftp_home_dir -> off Allow ftp to read & write file in user home directory 

This switch is off, so we enable it using setsebool:


 $ setsebool ftp_home_dir on 


Now our ftp-daemon can access the user's home directory.
Note: You can also get the list of available switches without descriptions by running getsebool -a


2. Labels and context


This is the most common way to implement SELinux policies. Each file, folder, process, and port is marked with a SELinux context:



process


 $ ps -auxZ | grep httpd 

port


 $ netstat -anpZ | grep httpd 

Example
Now let's take an example to better understand labels and contexts. Suppose we have a web server that serves its pages from /home/dan/html/ instead of the /var/www/html/ directory. SELinux considers this a policy violation and you will not be able to view your web pages. This is because we have not set the security context associated with HTML files on that directory. To view the default security context, use the following command:


 $ ls -lZ /var/www/html 
 -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/ 

Here we got httpd_sys_content_t as context for html files. We need to set this security context for our current directory, which now has the following context:


 -rw-r--r--. dan dan system_u:object_r:user_home_t:s0 /home/dan/html/ 

Alternative command to check the security context of a file or directory:


 $ semanage fcontext -l | grep '/var/www' 

We will also use semanage to change the context once we have found the right security context. To change the context of /home/dan/html, run the following commands:


 $ semanage fcontext -a -t httpd_sys_content_t '/home/dan/html(/.*)?' 
 $ semanage fcontext -l | grep '/home/dan/html' 
 /home/dan/html(/.*)?    all files    system_u:object_r:httpd_sys_content_t:s0 
 $ restorecon -Rv /home/dan/html 

After the context rule has been added with semanage, the restorecon command applies the default context to the files and directories. Our web server can now read files from the /home/dan/html folder, because the security context of this folder has been changed to httpd_sys_content_t.


3. Creating local policies


There may be situations where the methods above do not help and you keep getting AVC denial messages in audit.log. When this happens, you need to create a local policy. All such errors can be found using audit2why, as described above.


To eliminate these errors, you can create a local policy. For example, suppose we get errors related to httpd (apache) or smbd (samba); we grep the errors and create a policy for each of them:


 apache: 
 $ grep httpd_t /var/log/audit/audit.log | audit2allow -M http_policy 
 samba: 
 $ grep smbd_t /var/log/audit/audit.log | audit2allow -M smb_policy 

Here, http_policy and smb_policy are the names of the local policies we created. Now we need to load these created local policies into the current SELinux policy. This can be done as follows:


 $ semodule -i http_policy.pp 
 $ semodule -i smb_policy.pp 

Our local policies are now loaded, and we should no longer see these AVC denials in audit.log.
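One caveat a practitioner would want here: audit2allow -M writes a module that allows exactly the operations that were denied, whatever they were, so the generated NAME.te source (written next to NAME.pp) should be read before semodule -i loads it. audit2allow also marks rules that a stock boolean would already cover with a "#!!!! This avc can be allowed using the boolean '...'" comment, and in that case setsebool -P is the better fix. As an added example (not from the original article or the audit2allow project), the shell functions below list the allow rules in a .te file, extract those boolean hints, and flag rules a reviewer should question. The .te text is a constructed sample in the format audit2allow produces, and the list of sensitive patterns is an assumption of this example, not an authoritative set.

```shell
#!/bin/sh
# Added example, not from the original article: review a module generated by
# "audit2allow -M NAME" before loading NAME.pp with semodule.
# The .te text below is a constructed sample in the format audit2allow writes.

SAMPLE_TE=$(cat <<'EOF'
module http_policy 1.0;

require {
	type httpd_t;
	type user_home_t;
	type shadow_t;
	class file { read getattr open };
	class dir { getattr search };
}

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_enable_homedirs'
allow httpd_t user_home_t:dir { getattr search };
allow httpd_t user_home_t:file { read getattr open };
allow httpd_t shadow_t:file read;
EOF
)

# te_allow_rules: print only the allow rules from a .te read on stdin
te_allow_rules() {
    grep -E '^[[:space:]]*allow[[:space:]]'
}

# te_boolean_hints: print the booleans audit2allow says would already cover a
# denial; "setsebool -P <boolean> on" then keeps you on the distribution policy
# instead of adding a custom module.
te_boolean_hints() {
    sed -n "s/^#!!!! This avc can be allowed using the boolean '\([^']*\)'.*/\1/p"
}

# te_sensitive_rules: flag allow rules touching types or permissions that a
# reviewer should question (e.g. shadow_t is the label of /etc/shadow).
# The pattern list is a constructed starting point, not an authoritative set.
te_sensitive_rules() {
    te_allow_rules | grep -E 'shadow_t|_exec_t|write|execute|execmem|dac_override|sys_admin'
}

# usage on a real module:  te_sensitive_rules < http_policy.te
echo "== allow rules";      printf '%s\n' "$SAMPLE_TE" | te_allow_rules
echo "== boolean hints";    printf '%s\n' "$SAMPLE_TE" | te_boolean_hints
echo "== rules to question"; printf '%s\n' "$SAMPLE_TE" | te_sensitive_rules
```

In the sample, the first two rules are covered by the httpd_enable_homedirs boolean, and the third grants httpd read access to shadow_t, which is not something a web server should need; a denial like that is a reason to investigate the application, not to allow it.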




This was my attempt to help you understand SELinux. I hope that after reading this article you will feel more comfortable with SELinux.



Source: https://habr.com/ru/post/460387/

