Getting Started with SELinux

1. Introduction
 
Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) security mechanism implemented in the kernel. SELinux was first introduced in CentOS 4.

 

2. Enable & Disable SELinux (SELinux Modes)
 
Enforcing: The default mode. SELinux is enabled and enforces the security policy, denying access and logging the denied actions.
Permissive: SELinux is enabled but does not enforce the security policy; it only warns and logs the actions that would have been denied. Permissive mode is useful for troubleshooting SELinux issues.
Disabled: SELinux is turned off.
 
2.1 Check Mode
[root@bhrjira1 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
[root@bhrjira1 ~]# getenforce
Permissive
 
2.2 Switch between Enforcing and Permissive
[root@bhrjira1 ~]# setenforce
usage:  setenforce [ Enforcing | Permissive | 1 | 0 ]
 
2.3 Enable SELinux
  • Run rpm -qa | grep selinux, rpm -q policycoreutils, and rpm -qa | grep setroubleshoot to confirm that the SELinux packages are installed.
  • Configure SELINUX=permissive in /etc/selinux/config.
  • Reboot.
  • Run grep "SELinux is preventing" /var/log/messages to confirm that SELinux did not deny any actions during the last boot. If nothing was denied, this command returns no output.
  • If there were no denial messages in /var/log/messages, configure SELINUX=enforcing in /etc/selinux/config.
  • Reboot, then confirm that getenforce prints Enforcing.
2.4 Disable SELinux
To disable SELinux, configure SELINUX=disabled in /etc/selinux/config and reboot.
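The mode check in 2.1 and the config edits in 2.3 and 2.4, as an added example that is not from the original post: the functions below read and rewrite the SELINUX= line in a constructed copy of /etc/selinux/config, and compare the two mode lines of sestatus output to flag the kind of drift the post's own sestatus output shows (permissive at runtime, enforcing on disk). The function names, the temporary config file and the sestatus text are my own constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post: inspect and change the SELINUX=
# setting in a copy of /etc/selinux/config, and check sestatus output for a
# mismatch between the running mode and the mode on disk. The config file
# contents and the sestatus text below are constructed sample data.

# Print the SELINUX= value, ignoring the commented description lines the stock
# config file carries (a naive grep for "enforcing" would match those too).
selinux_config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Rewrite the SELINUX= line, refusing anything but the three valid modes.
# A reboot is still required before the new value takes effect.
set_selinux_config_mode() {
    case "$2" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELINUX mode: $2" >&2; return 1 ;;
    esac
    tmp=$(mktemp) && sed "s/^SELINUX=.*/SELINUX=$2/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Read sestatus output on stdin; return 0 when "Current mode" equals "Mode from
# config file", 1 when they differ (e.g. someone ran setenforce, as in the post).
sestatus_mode_matches() {
    awk -F': *' '
        /^Current mode:/          { cur = $2 }
        /^Mode from config file:/ { cfg = $2 }
        END { if (cur != "" && cur == cfg) exit 0; else exit 1 }'
}

# Constructed copy of /etc/selinux/config in a temporary file.
CFG=$(mktemp)
trap 'rm -f "$CFG"' EXIT
cat > "$CFG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

# Constructed sestatus output using the same values as the post's example.
SESTATUS_SAMPLE='Current mode:                   permissive
Mode from config file:          enforcing'
printf '%s\n' "$SESTATUS_SAMPLE" | sestatus_mode_matches ||
    echo "runtime mode differs from SELINUX=$(selinux_config_mode "$CFG") in config"
```

On a live system, point selinux_config_mode at the real /etc/selinux/config and pipe real sestatus output into sestatus_mode_matches.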
 

3. Booleans
[root@bhrjira1 ~]# getsebool -a
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
 
Setting a Boolean:
[root@bhrjira1 ~]# getsebool xdm_sysadm_login
xdm_sysadm_login --> off
[root@bhrjira1 ~]# setsebool xdm_sysadm_login on
[root@bhrjira1 ~]# getsebool xdm_sysadm_login
xdm_sysadm_login --> on
[root@bhrjira1 ~]#
 
setsebool -P XXX on
With -P the change is written to the policy store and persists across reboots; without it, the Boolean only changes in the running kernel and reverts to its default at the next boot.
 

4. SELinux Contexts - Labeling Files
 
List file contexts
~]$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
 
4.1 Temporary Changes: chcon
 chcon -t type file-name
 
Changes made with chcon are not recorded in the policy's file-context rules, so a relabel undoes them. Use restorecon -v file1 to restore the default SELinux context for file1.
 
4.2 Persistent Changes: semanage fcontext
 
The semanage fcontext command changes the SELinux context for files. When using the targeted policy, changes made with this command are added to the /etc/selinux/targeted/contexts/files/file_contexts file if they apply to files that already exist in file_contexts, or to file_contexts.local for new files and directories, such as a newly created /web/ directory. The setfiles command, which is used when a file system is relabeled, and the restorecon command, which restores the default SELinux contexts, both read these files. This means that changes made by semanage fcontext are persistent, even if the file system is relabeled. SELinux policy controls whether users are able to modify the SELinux context for any given file.
 
 
# semanage fcontext -a -t samba_share_t /etc/file1
# restorecon -v /etc/file1
 
semanage only writes the rule to the file_contexts files; it does not touch the file itself. restorecon must then be run to read the rule and apply the new context to the file.
 

5. SELinux Packages
 
Default packages:
 
policycoreutils — provides utilities such as restorecon, secon, setfiles, semodule, load_policy, and setsebool, for operating and managing SELinux.
selinux-policy — provides the SELinux Reference Policy.
selinux-policy-targeted — provides the SELinux targeted policy.
libselinux — provides an API for SELinux applications.
libselinux-utils — provides the avcstat, getenforce, getsebool, matchpathcon, selinuxconlist, selinuxdefcon, selinuxenabled, setenforce, and togglesebool tools.
libselinux-python — provides Python bindings for developing SELinux applications.
 
 
Optional packages:
 
selinux-policy-mls — provides the MLS SELinux policy.
setroubleshoot-server — translates denial messages, produced when access is denied by SELinux, into detailed descriptions that are viewed with sealert (which is provided by this package).
mcstrans — translates levels, such as s0-s0:c0.c1023, to an easier to read form, such as SystemLow-SystemHigh. This package is not installed by default.
policycoreutils-python — provides utilities such as semanage, audit2allow, audit2why and chcat, for operating and managing SELinux.
policycoreutils-gui — provides system-config-selinux, a graphical tool for managing SELinux.
 

6. Log files
 
Where denial messages are written depends on which daemons are running:
  • auditd running: /var/log/audit/audit.log
  • auditd not running, rsyslogd running: /var/log/messages
  • setroubleshootd, rsyslogd, and auditd running: /var/log/audit/audit.log; easier-to-read denial messages are also sent to /var/log/messages
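As an added example that is not part of the original post, a small shell function that condenses the AVC denial records auditd writes to /var/log/audit/audit.log into one counted line per source type, target type, class, permission and command, which is usually the first thing a troubleshooter wants from a noisy log. The audit lines are constructed sample data (timestamps, pids and inode numbers are made up) and the function name is my own.

```shell
#!/bin/sh
# Added example, not from the original post: summarise AVC denial records from
# /var/log/audit/audit.log so that repeated denials collapse into one line per
# (source type, target type, class, permission, command). The audit lines below
# are constructed sample data, not output from a real system.

# Read audit records on stdin and print "count source_t -> target_t (class) perm [comm]".
# Non-AVC records (SYSCALL, USER_AVC, ...) and granted AVCs are skipped.
avc_denial_summary() {
    sed -n '/avc: *denied/ s/.*denied *{ *\([^}]*[^} ]\) *}.*comm="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\3 -> \4 (\5) \1 [\2]/p' |
        sort | uniq -c
}

# Constructed audit.log excerpt: httpd blocked twice from connecting to TCP port
# 81 (the port section 8 adds to http_port_t) and once from reading a file that
# is still labelled user_home_t instead of a type httpd may read.
AUDIT_SAMPLE='type=AVC msg=audit(1343900001.001:101): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=81 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1343900001.001:101): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1343900002.002:102): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=81 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1343900003.003:103): avc:  denied  { read } for  pid=2102 comm="httpd" name="index.html" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

printf '%s\n' "$AUDIT_SAMPLE" | avc_denial_summary
```

On a live system, feed it the raw records with grep avc /var/log/audit/audit.log | avc_denial_summary; each output line maps directly to a Boolean, port or file-context fix from the sections above.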
 

7. Main Config File
 
The /etc/selinux/config file is the main SELinux configuration file. 
 

8. Allowing Access to a Port
 
# semanage port -a -t http_port_t -p tcp 81
# semanage port -l
The first command labels TCP port 81 as http_port_t so that httpd is allowed to use it; the second lists the current port mappings so the new entry can be confirmed.
posted @ 2012-08-02 12:35 by 酱油猫