SELinux
the S in security stands for SELinux
For the last couple of weeks I’ve been doing a lot of Infrastructure As a Code on CentOS. Think of Elastic Stack, Zabbix, Nagios, Salt, etc. One thing I’ve noticed on every single guide on how to use one of these frameworks is that it starts with the message “Disable SELinux to prevent error’s”. While it might be convenient to disable it so your infrastructure can work, it’s a horrible idea since u just disabled the platform greatest defense system. But what exactly is SELinux?
SELinux or Security Enhanced Linux is a more advance access control technique which initially was developed by the NSA to prevent malicious intrusions and tempering. The “enhanced” part of SELinux becomes clear when you look at it’s access control. Normal Unix systems uses the Discretionary Access Control (DAC) which dictates the read, write and execute permissions. SeLinux sits on top of this with it’s Mandatory Access Control MAC) which basically dictates how much control a user can have over a process.
SELinux primarily consists of three modes:
- Enforcing
- Permissive
- Disabled
When the state is set to Enforcing mode, SELinux is completely active and will only allow access using the SELinux policies.
In the Permissive mode, SELinux will be monitoring and logging all activity it detects, but unlike Enforcing, it won’t block anything.
In the Disabled mode, SELinux is completely disabled.
On RHEL based systems, the configuration of SELinux can be found under /etc/sysconfig/selinux, however in order for changes made to this file to be effective, the system needs to be rebooted.
Configuring SELinux
1st it’s important to know which mode SELinux is currently running on. This can be achieved by entering the following command.
foo@bar:~$ getenforce
To change the mode to permissive or enforcing run:
#enforcing
foo@bar:~$ setenforce 1
#permissive
foo@bar:~$ setenforce 0
AVC Denials
If SELinux isn’t properly configured, you might get error’s which will cause some services to crash. To check if SELinux is Working properly and not generating false positives (wrong denials) to any service or port we can check the logs using a common Unix tool like Cat and Tail in combination with Grep. The default directory for SELinux is /var/log/audit/audit.log. But I’ve personally been in situation where this logfile can be too overwhelming with details. To get a more concise description of the logs , I lie using sealert. The command can be executed as follows.
foo@bar:~$ sealert -l e9d8fa2e-3608-1ffa-9e72-32c1b85e460b
SELinux is preventing httpd from open access on the file /var/log/httpd/error_log.
***** Plugin restorecon (95.5 confidence) suggests **************************
If you want to fix the label.
/var/log/httpd/error.log default label should be httpd_log_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/log/httpd/error_log
[trimmed for clarity]
SELinux policies
SELinux policies are a set of predefined rules that instructs the SELinux security engine how to function. A policy defines a set of rules for a particular environment. These policies are controlled by Boolean values and it allows us to change part of the policy at runtime without needing to have knowledge about rewriting policies.
and be used as follows.
Let’s take a simple FTP service as example. Say we want to share a directory over FTP for read-write access. If SELinux is in enforcing mode, it will block the FTP daemon from reading and writing in that specified Directory. To fix this, let’s change the policy so that ftp can access the directory. first run the semanage command in combination with grep to show active Boolean values
foo@bar:~$ semanage boolean –l | grep ftp
allow_ftpd_full_access -> off Allow ftp access to directories
[trimmed for clarity]
As you can see, the Boolean false is set to false (off). To change this we simply run the following command, and the user trying to user the FTP service on the pc can do this without any further SELinux issues.
foo@bar:~$ setsebool -P allow_ftpd_full_access on
Labelling & Context
Every file, folder, port or process on a Unix system can and is by default labelled with the SELinux context.
These can be viewed as follow.
#for ports
foo@bar:~$ netstat –anpZ | grep httpd
#for running processes
foo@bar:~$ ps –auxZ | grep httpd
#for directories
foo@bar:~$ ls –Z /etc/httpd
notice the -Z flag used at every command, this flag tells our system to also show us the context label.
To understand the concept of labelling lets use an example.
Lets say we are running a apache (httpd) server which is using /home/dev/html as document directory rather than /var/www/html/. SELinux will consider this a violation of policy and blocks the webpage. That’s because, as discussed above, the security context associated with the html files are wrong.
To check the default context, run the following command.
foo@bar:~$ ls –lz /var/www/html
-rw-r—r—. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/
Here you can see httpd_sys_content_t as context for html files. This exact context needs to be set for the created /home/dev/html/ direcotry too. This can be accomplished by running the following 3 commands.
foo@bar:~$ semanage fcontext -a -t httpd_sys_content_t '/home/dev/html(/.*)?'
foo@bar:~$semanage fcontext -l | grep '/home/dev/html'
/home/dev/html(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
foo@bar:~$ restorecon -Rv /home/dev/html
Once the context has been changed by semanage, restore con will load the default context of files and directories. The webserver will now be able to read files from the directory as the security context of the folder has been changed to ‘httpd_sys_content_t’.
As you can see SELinux can provide us with various way for hardening every file, process or port on our system. If you’d like a more descriptive explanation of SELinux I highly suggest This DigitalOcean article .