SELinux

Overview

Security-Enhanced Linux is a linux kernel security module that provides a machanism for supporting access control security policies, including mandatory access controls. It's a project of the United States National Secuirty Agency (NSA) and the SELinux community
Options:
- Enforcing: Enabled (by default in RedHat, Fedora and CentOS)
- Permissive: Disabled but log activity
- Disable: Disabled and not log activity
Two main concepts of SELinux:
- Labeling: user:role:type:level
- Type Enforcement (SELINUXTYPE)
  - targeted: targeted processes are protected
  - minimum: modification of targeted policy. Only Selected processes are protected
  - mls: multi level security protection

Configuration

setenforce 0|1: Permission, Disable | Enable. Not persistent after reboot
Permanently configuration: edit /etc/selinux/config (or /etc/sysconfig/selinux)
- SELINUX=enforcing
- SELINUXTYPE=targeted
Before rebooting, create file /.autorelabel
sestatus or getenforce: check status
List label of a file: ls -lZ $file
List label of a directory: ls -dZ $folder
List label of process httpd: ps axZ| grep httpd
List label of socket of http process: netstat -tnlpZ | grep http
manage SELinux settings:
- semanage: to label
  - login
  - user
  - port
  - interface
  - module
  - node
  - file context
  - boolean
  - permissive state
  - dontaudit
get list of all boolean: boolean is an easy way to set on/off an SELinux Policy
- getsebool -a
- semanage boolean -l
- sesearch -b $boolean_name -ACT | grep -v type_transit: DT=disabled, ET=enabled
list all context: semanage fcontext -l
to eanble/turn on a boolean:
- setsebool -P boolean_name on (-P permenant)
check error message: journalctl
to change type in a label
- chcon -t httpd_sys_content_t FILENAME
- semanage -t httpd_sys_content_t FILENAME
check current settings:
- getenforce
allow context to access resource
- semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?": define policy
- restorecon -R -v /web: apply to file system

Audit Log check on SELinux

grep AVC /var/log/audit/audit.log
sudo grep "SELinux is preventing" /var/log/messages: searches for SELinux denial messages in the system logs
sudo ausearch -m avc -ts recent: search for recent message
sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent: search for recent SELinux denial messages
sudo sealert -l $(sudo ausearch -i -m AVC -ts recent | grep "avc: denied" | cut -d' ' -f4): detailed explanation of the denial and suggest possible solutions.

Create Policy to allow blocked traffic

Install required tools if needed

sudo yum install policycoreutils-python-utils

Create a policy

sudo audit2allow -M my_custom_policy < /var/log/audit/audit.log
# my_custom_policy.te and my_custom_policy.pp (compiled) files will be created in the current folder
# semodule_package -u my_grafana_policy.pp -o my_grafana_policy_unpacked: Unpack .pp file to view its content

Load Policy Module

sudo semodule -i my_custom_policy.pp

To understand more about the policy, it refers to source type and target type which are explained below:

sudo ausearch -m avc -ts recent
Output: type=AVC msg=audit(1625241230.123:456): avc:  denied  { read } for  pid=1234 comm="example" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
In this example:
- scontext is system_u:system_r:httpd_t:s0 which means the source_type is httpd_t.
- tcontext is system_u:object_r:httpd_sys_content_t:s0 which means the target_type is httpd_sys_content_t.
Use these types in your sesearch command:

sudo sesearch -A -s httpd_t -t httpd_sys_content_t

This command will display the policy rules relevant to the interaction between httpd_t and httpd_sys_content_t.

Reference

PreviousPackage Manager NextSystem and Process Management

Last updated 1 year ago