SELinux

Från wiki.soltec.se
Hoppa till: navigering, sök

Types of access control

Discretionary Access Control = FACL, File perms, SUID/SGID, SU/Sudo
Mandatory Access Control = OS controls access
  • Subject| user or process that accesses an object.
  • Object | a resource e.g. file, dir, device or pipe
  • Access | An action performed by Subject on Object.
  • Rule | Allow/Deny access to an object
  • Security Policy | System-wide set of rules
  • Context | File metadata to store SELINUX attributes for subjects and objects.
N.B! Permissive mode is good for troubleshooting SELINUX policy issues

Enforcement Policies

  • Type enforcement | Default policy, what types can do to other types.
  • RBAC | Access control based on users in roles.
  • Multi-Level (MLS) / Multi-Catagory (MCS) | Access based on security levels. A containerisation of processes.

Commands to use

$ sestatus
$ getenforce
$ setenforce
$ vim /etc/selinux/config

Display the security context of a user

$ id -Z
  • unconfined_u | is the user
  • unconfined_r | is the role
  • unconfined_t | is the type enforcement
  • Last section | is MLS/MCS security

Display processes and security context

$ ps -eZ

Display file security context

$ ls -lZ

SELinux supports domain transitioning which means subjects can move from one type to another,

if allowed in the security policy.

The “unconfined_t” column is the important one to check.

To check this execute the following steps:-

$ ls -lZ /usr/bin/passwd
$ ls -lZ /etc/shadow
Open a new tab in terminal an exec $passwd and leave it running
$ ps -eZ      | this will show the context of the $passwd command.
To change the context of a file:-
$ chcon -t etc_t <filename>
$ restorecon <filename>  | Resets the context to the value stored in the context database. 
                         | So you don’t have to guess when restoring the file to it’s original setting.

Restore all files back to original security context, create a file in root and reboot:-

$ touch /.autorelabel

If you don’t want autorelabel och restorecon to work on a file exec to edit the security context database:-

$ semanage fcontext -a -t <type> <filename>

t.ex the following will add the row to the database with that info for the testfile.txt file.
$ semanage fcontext -a -t etc_t /home/user1/testfile.txt

Display file info from the context database:-

$ semanage fcontext -l | grep <filename>
N.B! It’s best to change the policy and then use $ restorecon to set the context, rather than use $ chcon. Only use chcon to troubleshoot.

SELINUX Boleans

To Display the booleans use the following cmds:-

$ getsebool -a
$ getsebool mozilla_plugin_use_gps
$ setatus -b
$ semanage boolean -l      | This also displays a short description of the boolean

To set a boolean:-

$ setsebool mozilla_plugin_use_gps on   |Only temp until reboot

Add to policy to make changes persistent.

$ setsebool -P mozilla_plugin_use_gps on  | Persistent i.e survives a reboot

To verify changes

$ semanage boolean -l | egrep ‘SELinux|mozilla_plugin_use_gps’

SELinux logging

If auditd is running the logs are stored in:-

/var/log/audit/audit.log

If not then the logs are stored in:-

/var/log/messages

If you have access to a desktop, use the SELinux browser to search/troubleshoot SELinux logs. Terminal cli commands to use are:-

$ ausearch
$ audit2allow
$ semodule
$ sealert
  N.B! run sealert from the cli, each report will describe each issue and explain how to resolve them.
           The most important part of the report is found at the end of each alert.
           This is where it explains how to resolve the problem.
           $ yum install setroubleshoot setools
           $ sealert -a /var/log/audit/audit.log

Lines in logfiles to search for

type=AVC      | identifies problem as SELinux error. “Access Vector Cache”
scontext = subject context
tcontext = object context

Possible solutions to SELinux errors

Change a Boolean to allow the action

$ semanage boolean -l
$ setsebool -P <boolean> on

Change a file or dir type

$ chcon    | Temporarily changes, reversed with restorecon OR autorelabel
$ semanage | Persistent changes

Create a new security policy module although it’s better to fault/fix rather than using this.

$ audit2allow

Troubleshooting actions/steps

  • Put SELinux in permissive mode
  • Run the application that was denied
  • Search through the audit logs
  • Look for SELinux desktop notifications (if possible)
  • Follow instructions in SELinux alert browser

Commands with SELinux support

$ cp -a          | preserves SELinux contexts
$ mv             | preserves by default is keeps file metadata unchanged
$ tar --selinux  | include sec context info
$ rsync -a X     | copy between hosts retaining security context
N.B! The preferred alternative is to copy/mv files and then perform $ restorecon to reapply security context.