SELinux
Types of access control
Discretionary Access Control = FACL, File perms, SUID/SGID, SU/Sudo
Mandatory Access Control = OS controls access
- Subject| user or process that accesses an object.
- Object | a resource e.g. file, dir, device or pipe
- Access | An action performed by Subject on Object.
- Rule | Allow/Deny access to an object
- Security Policy | System-wide set of rules
- Context | File metadata to store SELINUX attributes for subjects and objects.
N.B! Permissive mode is good for troubleshooting SELINUX policy issues
Enforcement Policies
- Type enforcement | Default policy, what types can do to other types.
- RBAC | Access control based on users in roles.
- Multi-Level (MLS) / Multi-Catagory (MCS) | Access based on security levels. A containerisation of processes.
Commands to use
$ sestatus $ getenforce $ setenforce $ vim /etc/selinux/config
Display the security context of a user
$ id -Z
- unconfined_u | is the user
- unconfined_r | is the role
- unconfined_t | is the type enforcement
- Last section | is MLS/MCS security
Display processes and security context
$ ps -eZ
Display file security context
$ ls -lZ
SELinux supports domain transitioning which means subjects can move from one type to another,
if allowed in the security policy.
The “unconfined_t” column is the important one to check.
To check this execute the following steps:-
$ ls -lZ /usr/bin/passwd $ ls -lZ /etc/shadow
Open a new tab in terminal an exec $passwd and leave it running $ ps -eZ | this will show the context of the $passwd command.
To change the context of a file:- $ chcon -t etc_t <filename> $ restorecon <filename> | Resets the context to the value stored in the context database. | So you don’t have to guess when restoring the file to it’s original setting.
Restore all files back to original security context, create a file in root and reboot:-
$ touch /.autorelabel
If you don’t want autorelabel och restorecon to work on a file exec to edit the security context database:-
$ semanage fcontext -a -t <type> <filename> t.ex the following will add the row to the database with that info for the testfile.txt file. $ semanage fcontext -a -t etc_t /home/user1/testfile.txt
Display file info from the context database:-
$ semanage fcontext -l | grep <filename> N.B! It’s best to change the policy and then use $ restorecon to set the context, rather than use $ chcon. Only use chcon to troubleshoot.
SELINUX Boleans
To Display the booleans use the following cmds:-
$ getsebool -a $ getsebool mozilla_plugin_use_gps $ setatus -b $ semanage boolean -l | This also displays a short description of the boolean
To set a boolean:-
$ setsebool mozilla_plugin_use_gps on |Only temp until reboot
Add to policy to make changes persistent.
$ setsebool -P mozilla_plugin_use_gps on | Persistent i.e survives a reboot
To verify changes
$ semanage boolean -l | egrep ‘SELinux|mozilla_plugin_use_gps’
SELinux logging
If auditd is running the logs are stored in:-
/var/log/audit/audit.log
If not then the logs are stored in:-
/var/log/messages
If you have access to a desktop, use the SELinux browser to search/troubleshoot SELinux logs. Terminal cli commands to use are:-
$ ausearch $ audit2allow $ semodule $ sealert N.B! run sealert from the cli, each report will describe each issue and explain how to resolve them. The most important part of the report is found at the end of each alert. This is where it explains how to resolve the problem. $ yum install setroubleshoot setools $ sealert -a /var/log/audit/audit.log
Lines in logfiles to search for
type=AVC | identifies problem as SELinux error. “Access Vector Cache” scontext = subject context tcontext = object context
Possible solutions to SELinux errors
Change a Boolean to allow the action
$ semanage boolean -l $ setsebool -P <boolean> on
Change a file or dir type
$ chcon | Temporarily changes, reversed with restorecon OR autorelabel $ semanage | Persistent changes
Create a new security policy module although it’s better to fault/fix rather than using this.
$ audit2allow
Troubleshooting actions/steps
- Put SELinux in permissive mode
- Run the application that was denied
- Search through the audit logs
- Look for SELinux desktop notifications (if possible)
- Follow instructions in SELinux alert browser
Commands with SELinux support
$ cp -a | preserves SELinux contexts $ mv | preserves by default is keeps file metadata unchanged $ tar --selinux | include sec context info $ rsync -a X | copy between hosts retaining security context N.B! The preferred alternative is to copy/mv files and then perform $ restorecon to reapply security context.