Intro to SELinux

SELinux is a set of security rules that determine which processes can access which files, directories, ports, and other system resources. SELinux was developed by the National Security Agency[10], and released as an open standard for others to use. It provides several key advantages to a system. For detailed information specifice to Red Hat, see Red Hat SELinux Documentation .

When SELinux set to enforcing mode, each daemon runs in a domain. Considering httpd for example, as a service it allows remote anonymous access. This allows the possibility of attempts to compromise the httpd daemon with security exploits. httpd runs with the identity of the user apache and the group apache. Therefore, a successful exploit gains system access with the permissions granted to that user and group. In addition to the filesystem areas needed to run a webserver, the apache user and group also have access to other "world-readable" and "world-writeable" locations such as '/tmp'. SELinux ensures that a compromised service cannot gain access to these filesystem locations where it should not need access in the normal course of events.

Installing SELinux

The default installation of Red Hat Linux includes SELinux. The following packages provide a comprehensive set of SELinux utilities and commands.

Table 5.6. SELinux Packages

Package Description
coreutils Always installed. Provides some default elements of SELinux.
policycoreutils Provides restorecon, secon, setfiles, et al.
libselinux-utils Provides getenforce, setenforce, getsebool, setsebool, et al.
policycoreutils-gui Provides system-config-selinux and sepolgen, et al.
policycoreutils-python Provides semanage, audit2allow, audit2why, et al.
setroubleshoot Provides seapplet.
setroubleshoot-server Provides sealert, sedispatch, setroubleshootd, et al.

SELinux Configuration

SELinux runs in one of three enforcement modes. The table below lists these modes and describes their behavior.

Table 5.7. SELinux Enforcement Modes

Mode Description
Disabled No rules are enforced and the SELinux filesystem contexts are stripped away. Moving to or from this mode to one of the others requires a reboot, during which the entire filesystem will be processed to add or remove the SELinux filesystem context labels.
Permissive Rules are in place, violations are logged, but access is permitted (rules not enforced). Useful for troubleshooting.
Enforcing Rules are in place and enforced. Attempted violations are logged and access is denied.

There are several critical files that control how SELinux is configured. The following table shows those file locations.

Table 5.8. SELinux Config Files

File Location Description
'/etc/sysconfig/selinux' Used to set enforcement mode and policy set.
'/var/log/audit/audit.log' Extensive log of SELinux messages.[a]
'/var/log/messages' Contains short summaries of SELinux messages when setroubleshoot-server is installed and active.

[a] Use the command `grep -i avc` (Access Vector Cache) on the log file listed to isolate SELinux violations.

SELinux as a Service

SELinux is not a service per se, when considering services as running daemons. It could be considered protective layer within the operating system.

Commands to Manipulate SELinux

The table below shows a full array of commands to manipulate SELinux.

Table 5.9. SELinux Commands

Command Description
`getsebool -a` Show all booleans and their current values.
`semanage boolean -l` Show all booleans with current values and meanings.
`getsebool <boolean-name>` Show a specific boolean value.
`getsebool -a | grep <query-term>` Query all SELinux booleans and filter the results for a specific query term.
`setsebool <variablename> <value>` Modify a boolean non-persistently (for testing, or temporary use).[a]
`setsebool -P <variablename> <value>` Modify a boolean persistently.
`sestatus` Displays information about the current SELinux parameters.
`semanage` Modifies SELinux contexts persistently.
`chcon` Changes context labels on files (but non-persistently! Use with semanage for persistent changes.
`getenforce` Returns the current state of SELinux enforcement mode.
`setenforce <mode>` Makes changes to the SELinux enforcement mode. To make persistent changes, edit /etc/sysconfig/selinux.
`semanage fcontext -l` View SELinux file contexts.
`ps -eZ`, `ps -axZ`, `ps -Zc <process name>`, etc. View SELinux process contexts.
`ls -Zd /path/to/dir/`, `ls -Z /path/to/file` View SELinux contexts of directories and files.
`id -Z` View SELinux contexts of user.
`semanage fcontext -[a|d|m] -f <ftype> -t <context> '<regex>'` Add/delete/modify rules.
`audit2why` Determine why an SELinux denial took place.
`audit2allow` Determine how to configure SELinux to permit a certain action.
`system-config-selinux` Use the Red Hat graphical tool to manage SELinux.

[a] non-persistently means that the value that is set will not survive or persist after a reboot of the machine.

Understanding SELinux

SELinux is a complicated beast. However, an understanding of the basic elements can help bring the creature into focus and thereby capable of being tamed. Consider the following elements as the basic foundation of SELinux.

SELinux Enforcing Mode

Whether is basically whether SELinux is working or not. If it is "working", it says "what to do with it". See the section called "SELinux Configuration" above for the details.

Policy Type

SELinux policy type can be considered to be what gets enforced, and how far that enforcement reaches.

There are several SELinux policy types. A policy type tell how forceful SELinux will be in terms of how severe it will restrict certain actions. Listed below are the most popular "out of the box" SELinux policy types.

Table 5.10. SELinux Policy Types

Policy Type Description
Targeted (default)[a] Default policy set that aims to protect the most high-risk system services.
Strict (Deprecated? Unable to find RHEL6 information about this policy type. Replaced by MLS?)
MLS Implements Multi-Level Security policies. This is a much stricter policy set than the default.
Minimum A less intrusive implementation of minimal aspects of SELinux.

[a] In terms of the RHCE exam, this would be the most likely candidate to become familiar with.

SELinux Contexts

When SELinux is not disabled, every file, directory, and process has an SELinux file context label. These labels are used to determine which protected service(s) can operate in this location.

The initial SELinux file contexts are created based on a set of rules, which are also used by `restorecon` to restore contexts to the default. When using the default Targeted policy, these rules are stored in '/etc/selinux/targeted/contexts/files/file_contexts'. New customized rules are stored in '/etc/selinux/targeted/contexts/files/file_contexts.local'.

The program output below shows the output of a search for file locations/contexts that apply to the ftp service.[11]

# semanage fcontext -l | grep "/var/ftp"
/var/ftp(/.*)?                                     all files           system_u:object_r:public_content_t:s0
/var/ftp/bin(/.*)?                                 all files          system_u:object_r:bin_t:s0
/var/ftp/etc(/.*)?                                 all files          system_u:object_r:etc_t:s0
/var/ftp/lib(64)?(/.*)?                            all files          system_u:object_r:lib_t:s0
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)*            regular file       system_u:object_r:ld_so_t:s0

The images below show various SELinux file system contexts.

Figure 5.1. SELinux Executable File Contexts

SELinux Executable File Contexts

Figure 5.2. SELinux Home Directory File Contexts

SELinux Home Directory File Contexts

Figure 5.3. SELinux HTTPD File Contexts

SELinux HTTPD File Contexts

Figure 5.4. SELinux /etc Directory File Contexts

SELinux /etc Directory File Contexts

See the section called "Commands to Manipulate SELinux" shows several commands and ways to work with SELinux contexts.

SELinux Booleans

SELinux booleans can be considered to be toggles that turn on or off a certain aspect of SELinux enforcement. These boolean variables [12] are set or not to change SELinux policy in pre-defined ways without the need to reload or recompile the entire SELinux policy. See the section called "Commands to Manipulate SELinux" for several commands and methods to query, find, and set SELinux booleans.

Many targeted services have specialized man pages dealing with SELinux configuration. Online help is available for SELinux with regard to specific services. The command output below shows appropriate man pages for SELinux.

    # man -k '_selinux'
    ftpd_selinux         (8)  - Security-Enhanced Linux policy for ftp daemons
    httpd_selinux        (8)  - Security Enhanced Linux Policy for the httpd daemon
    kerberos_selinux     (8)  - Security Enhanced Linux Policy for Kerberos
    named_selinux        (8)  - Security Enhanced Linux Policy for the Internet Name server (named) daemon
    nfs_selinux          (8)  - Security Enhanced Linux Policy for NFS
    pam_selinux          (8)  - PAM module to set the default security context
    rsync_selinux        (8)  - Security Enhanced Linux Policy for the rsync daemon
    samba_selinux        (8)  - Security Enhanced Linux Policy for Samba
    ypbind_selinux       (8)  - Security Enhanced Linux Policy for NIS

SELinux violations are logged to '/var/log/audit/audit.log'. Installing the package `setroubleshoot-server` sends SELinux error messages to '/var/log/messages'. These can be further parsed with the command `sealert`. Additional (and very concise) assistance can be garnered with the commands `audit2why` and `audit2allow`. These commands are invoked to explain why access was denied, and how to modify your configuration to allow it.

[11] In these rules the regular expression (/.*)? is a match for the preceding directory and everything within it, recursively.

[12] The boolean will be set to a value of 1 (on) or 0 (off).