Security-Enhanced Linux (SELinux)

  • Provides access control security policies for Linux

  • Labels every file and resource on the system, adding a more granular security layer
    than the standard scheme of users, groups, and permissions

  • When a process runs in Linux, it inherits the rights and privileges of the user or process that started it
    If I open a text editor, the text editor has access to the same files I have access to: it can write to my home folder and it can edit files that I've created. This gets trickier with system processes like a web server or a file server

  • Most of these servers are started by the root user
    because they need to access resources like network ports, system files or devices

  • What happens if such a process is malicious?
    SELinux strives to prevent malicious software from doing damage, using this granular labelling system

  • SELinux sets security contexts on files and resources

  • Unrelated context = no access
    For example, with SELinux you can label files with the context of the web server process. Regardless of the regular permissions of a file, if it's not labelled with a web content context, the web server can't access it.

SELinux Operating States

| State      | Description | Policies |
|------------|-------------|----------|
| enforcing  | enforces SELinux policies, granting and preventing access to resources in accordance with its rules | strict, targeted |
| permissive | checks requests for resources but only logs exceptions to /var/log/audit/audit.log, still allowing operations to continue. If a resource access request violates the policy, a message is written to the audit log | strict, targeted |
| disabled   | SELinux doesn't participate at all in system security | |

SELinux Operating Policies

| Policy   | Description | Policies |
|----------|-------------|----------|
| strict   | all activity on the system is subject to the SELinux operating policy | strict, targeted |
| targeted | the policy is only enforced on specific known processes (e.g. httpd, named, ntpd, snmpd, ...) | strict, targeted |
| disabled | SELinux doesn't participate at all in system security | |

# See current SELinux status
[root@standalone ~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted 

# See the security context of files
[root@standalone ~]$ ls -Z
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log.syslog

SELinux Security Context

user context : role context : type context : Multi-Level Security (MLS) context
unconfined_u : object_r     : user_home_t  : s0

This example is from a user’s home folder. By default, things created in the user’s home folder have a user home type context (user_home_t). They also have an unconfined user context (unconfined_u). Unconfined means that it’s out of the scope for SELinux’s protection when you’re using the targeted policy.

Using the chcon command to change the security context

# Change type context of index.html file to user_home_t
[root@standalone ~]$ chcon -R -t user_home_t index.html

# Change the full SELinux context of the index.html file (web content type is httpd_sys_content_t)
[root@standalone ~]$ chcon system_u:object_r:httpd_sys_content_t:s0 index.html

SELinux Access Control

SELinux uses the following three methods to determine whether an action is permitted:

  • Type Enforcement (TE): The most common method used to determine the result of a security policy
  • Role-Based Access Control (RBAC)
  • Multi-Level Security (MLS): RBAC and MLS aren’t used in the targeted mode
# Processes also have a context
[root@standalone ~]$ ps auZ
LABEL                           USER        PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
system_u:system_r:getty_t:s0    root       1797  0.0  0.0   4068   540 tty2     Ss+  09:53   0:00 /sbin/mingetty /dev/tty2
system_u:system_r:getty_t:s0    root       1799  0.0  0.0   4068   544 tty3     Ss+  09:53   0:00 /sbin/mingetty /dev/tty3
system_u:system_r:getty_t:s0    root       1801  0.0  0.0   4068   544 tty4     Ss+  09:53   0:00 /sbin/mingetty /dev/tty4
system_u:system_r:getty_t:s0    root       1804  0.0  0.0   4068   540 tty5     Ss+  09:53   0:00 /sbin/mingetty /dev/tty5
system_u:system_r:getty_t:s0    root       1809  0.0  0.0   4068   540 tty6     Ss+  09:53   0:00 /sbin/mingetty /dev/tty6
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1886 0.0  0.1 108364 1820 tty1 Ss+ 09:56   0:00 -bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 3303 0.0  0.1 108364 1760 pts/0 Ss 10:08   0:00 -bash
... 

If the type context of a process doesn't match the type context of a file, there are policies in place for that process, and those policies are being enforced, the process won't be allowed to access the file.
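As an added example (not from the original page), the shell functions below parse the user:role:type:level contexts shown in the two sections above and audit constructed `ls -Z` output for a web root, reporting files whose type is not one the web server is expected to serve. The sample lines, the list of expected types and the function names are assumptions.

```shell
# Constructed sample of `ls -Z` output for a web root (not captured from a real host).
SAMPLE_LS_Z='-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 /var/www/html/upload.php
-rw-------. root root system_u:object_r:admin_home_t:s0 /var/www/html/.htpasswd'

# Print one field of a user:role:type:level context.
# $1 = context, $2 = field number (1 user, 2 role, 3 type, 4 level).
context_field() {
    case "$2" in
        # The level itself may contain ':' (e.g. s0-s0:c0.c1023), so take the rest of the string.
        4) printf '%s\n' "$1" | cut -d: -f4- ;;
        *) printf '%s\n' "$1" | cut -d: -f"$2" ;;
    esac
}

# Read `ls -Z` lines on stdin and print "path type" for every file whose type
# is not in the space-separated list of expected types in $1. With type
# enforcement active, httpd_t is denied access to such files regardless of
# their rwx bits, so these are the files that show up as AVC denials.
find_mislabeled() {
    expected="$1"
    while read -r perms owner group ctx path; do
        [ -n "$path" ] || continue
        ftype=$(context_field "$ctx" 3)
        case " $expected " in
            *" $ftype "*) ;;                        # expected type, nothing to report
            *) printf '%s %s\n' "$path" "$ftype" ;; # wrong label: report it
        esac
    done
}

# Number of mislabeled files in the constructed sample (expected web content types assumed).
count_mislabeled() {
    printf '%s\n' "$SAMPLE_LS_Z" \
        | find_mislabeled "httpd_sys_content_t httpd_sys_rw_content_t" \
        | wc -l | tr -d ' '
}

# Emit the remediation command for each mislabeled file. restorecon applies the
# label the policy's file-context rules define for that path, which is what the
# next relabel would do anyway; a bare chcon would be undone by that relabel.
suggest_fix() {
    find_mislabeled "$1" | while read -r path ftype; do
        printf 'restorecon -v %s\n' "$path"
    done
}
```

chcon sets a label directly, but a relabel reverts the file to what the policy's file-context rules say; for a change that survives relabeling, register the rule with semanage fcontext first and then run restorecon.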

Customizing Policies

  • SELinux ships with many policies already configured for well-known processes (snmpd, httpd, ...), but sometimes these need to be adjusted to allow additional access or to match a different configuration
  • SELinux has a set of options called booleans, which control specific aspects of enforcement: booleans allow parts of the SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. This allows changes, such as allowing services access to NFS volumes, without reloading or recompiling the SELinux policy.

For example, Samba cannot share users' home directories if the boolean samba_enable_home_dirs is off.

Basic boolean commands

# See a list of booleans and their current value
[root@standalone ~]$ getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
allow_console_login --> on
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on
...

# Get the description of booleans
[root@standalone ~]$ semanage boolean -l | grep "samba_enable_home_dirs"
samba_enable_home_dirs         (off  ,  off)  Allow samba to share users home directories.

# Persist boolean changes across reboots
[root@standalone ~]$ setsebool -P samba_enable_home_dirs on
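Because booleans are runtime state, they lend themselves to a baseline check. As an added example, not from the original page, the shell function below compares constructed `getsebool -a` output against a hypothetical hardening baseline and prints the `setsebool -P` commands that would bring the host back in line; the sample output, the baseline and the function names are all assumptions.

```shell
# Constructed sample of `getsebool -a` output (not captured from a real host).
SAMPLE_GETSEBOOL='abrt_anon_write --> off
allow_console_login --> on
httpd_can_network_connect --> on
samba_enable_home_dirs --> on
ftpd_anon_write --> off'

# Hypothetical baseline: space-separated name=value pairs a host is expected to have.
BASELINE='httpd_can_network_connect=off samba_enable_home_dirs=on ftpd_anon_write=off allow_console_login=off'

# Compare getsebool output (stdin) against the baseline ($1).
# Prints "name actual expected" for every boolean that deviates, and
# "name missing" for a baseline boolean the policy on this host does not define.
boolean_drift() {
    awk -v baseline="$1" '
        BEGIN {
            n = split(baseline, pairs, " ")
            for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); want[kv[1]] = kv[2] }
        }
        $2 == "-->" { actual[$1] = $3 }          # lines look like: name --> on|off
        END {
            for (b in want) {
                if (!(b in actual)) print b, "missing"
                else if (actual[b] != want[b]) print b, actual[b], want[b]
            }
        }'
}

# Number of deviating booleans in the constructed sample.
count_drift() {
    printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_drift "$BASELINE" | wc -l | tr -d ' '
}

# Emit one persistent setsebool command per deviation (missing booleans are skipped,
# since setsebool cannot create a boolean the policy does not know).
drift_remediation() {
    boolean_drift "$1" | while read -r name actual expected; do
        [ "$actual" = "missing" ] || printf 'setsebool -P %s %s\n' "$name" "$expected"
    done
}
```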

If the semanage command is not found, you need to install the package that provides it.

# Find out which package provides /usr/sbin/semanage
[root@standalone ~]$ yum provides /usr/sbin/semanage
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
 * base: mirror.csclub.uwaterloo.ca
 * extras: mirror.netaddicted.ca
 * updates: mirror.netaddicted.ca
policycoreutils-python-2.0.83-30.1.el6_8.x86_64 : SELinux policy core python
                                                : utilities
Repo        : base
Matched from:
Filename    : /usr/sbin/semanage

# Install the policycoreutils-python package
[root@standalone ~]$ yum install policycoreutils-python -y