A Beginner’s Guide to SELinux on CentOS 7 – Linode

SELinux is a mandatory access control (MAC) system, developed by the NSA. SELinux was developed as a replacement for Discretionary Access Control (DAC) that ships with most Linux distributions.

The difference between DAC and MAC is how users and applications are granted access to resources on a machine. Traditionally, the sudo command gives the user the ability to raise permissions to the root level. Root access on a DAC system gives the person or program access to all programs and files on the system.

A person with root access should be a trusted party. But if security has been compromised, so has the system. SELinux and MAC solve this problem by limiting privileged processes and automating the creation of security policies.

SELinux denies by default anything that is not explicitly allowed. SELinux has two global modes, permissive and enforcing. Permissive mode lets the system function as a DAC system while logging each SELinux violation. Enforcing mode strictly denies access to everything that is not explicitly allowed. To explicitly allow certain behavior on a machine, you, as the system administrator, must write policies that allow it. This guide provides a brief and basic introduction to the commands and practices commonly used for SELinux system administration.

Before you begin

  1. Make sure you have followed the Getting Started and Securing the Server guides.

  2. Update your system: sudo yum update

Install compatible SELinux packages

In this section, you install several SELinux packages to help you create, manage, and analyze SELinux policies.

  1. Check which SELinux packages are installed on your system:

    sudo rpm -aq | grep selinux

    A newly deployed Linode CentOS 7 must have the following packages installed:

    libselinux-2.5-14.1.el7.x86_64
    selinux-policy-3.13.1-252.el7_7.6.noarch
    selinux-policy-targeted-3.13.1-252.el7_7.6.noarch
    libselinux-utils-2.5-14.1.el7.x86_64
    libselinux-python-2.5-14.1.el7.x86_64

  2. Install the following packages and their associated dependencies:

    sudo yum install policycoreutils policycoreutils-python setools setools-console setroubleshoot

    • policycoreutils and policycoreutils-python contain several tools for managing your SELinux environment and policies.
    • setools provides command-line tools for working with SELinux policies. These include sediff, which you can use to see the differences between policies; seinfo, a tool to view information about the components that make up SELinux policies; and sesearch, used to search through your SELinux policies. setools-console consists of sediff, seinfo, and sesearch. You can pass the --help option to any of these tools to see more information about it.
    • setroubleshoot is a suite of tools that helps you determine why a script or file is being blocked by SELinux.

    Optionally, install setroubleshoot-server and mcstrans. setroubleshoot-server allows, among many other things, email notifications to be sent from the server to notify you of any policy violations. The mcstrans daemon translates SELinux output into human-readable text.

SELinux states and modes

SELinux states

When SELinux is installed on your system, it can be enabled or disabled. By default, the CentOS 7 image provided by Linode has SELinux in an enabled state.

To disable SELinux:

  1. Update your SELinux configuration file using the text editor of your choice. Set the SELINUX policy to disabled as shown in the example.

    File: /etc/selinux/config

    SELINUX=disabled

  2. Restart your Linode for the changes to take effect:

    sudo reboot

  3. Connect to your Linode via SSH (replace 192.0.2.0 with your own Linode IP address) and check the status of your SELinux installation:

    ssh example_user@192.0.2.0
    sudo sestatus

    Your output should show the SELinux status as disabled:

    SELinux status:                 disabled

SELinux modes

When SELinux is enabled, it can run in enforcing or permissive mode.

  • In enforcing mode, SELinux enforces its policies on your system and denies access based on those policies. Use the following command to view the SELinux policy modules currently loaded into memory:

    sudo semodule -l

  • Permissive mode does not enforce any of your SELinux policies; instead, it logs every action that would have been denied to your /var/log/audit/audit.log file.

  • You can check which mode your system is running in by issuing the following command:

    sudo getenforce

  • To put SELinux into permissive mode, use the following command:

    sudo setenforce 0

    Permissive mode is useful when configuring your system, as you and your system components can interact with your files, scripts, and programs without restrictions. At the same time, you can use the audit logs and system messages to understand what would be restricted in enforcing mode. This helps you build the necessary policies for your system's users and programs.
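One check worth keeping around this step, added here as an example and not part of the Linode guide: setenforce only changes the running mode, while /etc/selinux/config decides the mode at the next boot, so the two can drift apart without anyone noticing. The script below reads the SELINUX= value from a config file, rewrites it safely, and compares it with the string that getenforce prints. The function names and the sample config file are my own assumptions; the demo works on a temporary copy and never touches the real file.

```shell
#!/bin/sh
# Added example, not from the Linode guide: detect drift between the boot-time
# mode in /etc/selinux/config and the running mode reported by `getenforce`.
# `setenforce 0` only changes the running mode; the config file decides the
# mode at the next boot, so the two can silently disagree.

# Print the SELINUX= value from a config file (comments and blanks ignored),
# lower-cased, or "unset" when the line is missing.
config_mode() {
    cfg_value=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    if [ -z "$cfg_value" ]; then
        echo "unset"
    else
        echo "$cfg_value" | tr 'A-Z' 'a-z'
    fi
}

# Rewrite (or append) the SELINUX= line of a config file in place.
# Only the three values the kernel accepts are allowed.
set_config_mode() {
    case "$2" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $2" >&2; return 1 ;;
    esac
    if grep -q '^[[:space:]]*SELINUX=' "$1"; then
        sed -i "s/^[[:space:]]*SELINUX=.*/SELINUX=$2/" "$1"
    else
        echo "SELINUX=$2" >> "$1"
    fi
}

# Compare the configured boot mode with the runtime mode string that
# `getenforce` prints (Enforcing, Permissive or Disabled).
check_drift() {
    runtime_mode=$(echo "$2" | tr 'A-Z' 'a-z')
    if [ "$1" = "$runtime_mode" ]; then
        echo "ok"
    else
        echo "drift: boot=$1 runtime=$runtime_mode"
    fi
}

# Demo on a constructed copy of the config; the real file is never touched.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# This file controls the state of SELinux on the system (constructed sample).
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
echo "boot mode: $(config_mode "$demo_cfg")"
# What you would see after `sudo setenforce 0` on this box:
check_drift "$(config_mode "$demo_cfg")" "Permissive"
set_config_mode "$demo_cfg" disabled
echo "boot mode after edit: $(config_mode "$demo_cfg")"
rm -f "$demo_cfg"
# On a real host: check_drift "$(config_mode /etc/selinux/config)" "$(getenforce)"
```

Run the last line against the live config and getenforce output when you finish a permissive-mode session; a "drift" result means the next reboot will put the box in a different mode than the one you have been testing under.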

  • Use the sealert utility to generate a report from the audit log. The report includes information about what SELinux is preventing and how to enable the action, if desired.

    sudo sealert -a /var/log/audit/audit.log

    The result looks like the example below; however, it varies depending on your system's programs and configuration. The sample was generated on a Linode running the Apache web server with a virtual host configuration.

    SELinux is preventing /usr/sbin/httpd from writing to directory logs.

    *****  Plugin httpd_write_content (92.2 confidence) suggests   ***************

    If you want to allow httpd to have write access to the logs directory,
    you must change the label on 'logs'.
    Do
    # semanage fcontext -a -t httpd_sys_rw_content_t 'logs'
    # restorecon -v 'logs'

  • To allow /usr/sbin/httpd write access to the logs directory, as shown in the output, you can run the suggested commands:

    sudo semanage fcontext -a -t httpd_sys_rw_content_t 'logs'
    sudo restorecon -v 'logs'
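sealert reads the same AVC records you can inspect yourself. As an added example, not part of the Linode guide, here is a small triage helper for /var/log/audit/audit.log: it pulls out who was denied what on which label, counts repeats, and separates real blocks (permissive=0) from denials that were only logged while the box was in permissive mode (permissive=1), which is exactly the "what would be restricted in enforcing mode" question from the previous section. The function names are my own, and the log lines are constructed samples in the audit.log format, not records captured from a real host.

```shell
#!/bin/sh
# Added example, not from the Linode guide: a triage helper for the AVC
# denial records SELinux writes to /var/log/audit/audit.log. It reports what
# is being denied (process, permission, source and target type) and separates
# real blocks (permissive=0) from denials merely logged in permissive mode.

# Print one tuple per AVC denial:
#   comm source_type permissions target_type tclass outcome
avc_tuples() {
    awk '
    /^type=AVC / && /avc: *denied/ {
        perms = ""; comm = "?"; stype = "?"; ttype = "?"; tclass = "?"; outcome = "?"
        # the permission set sits between the braces, e.g. { read write }
        if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms); gsub(/ +/, "+", perms)
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            if (key == "comm") { gsub(/"/, "", val); comm = val }
            else if (key == "scontext") { split(val, f, ":"); stype = f[3] }
            else if (key == "tcontext") { split(val, f, ":"); ttype = f[3] }
            else if (key == "tclass") tclass = val
            else if (key == "permissive") outcome = (val == "1") ? "logged-only" : "blocked"
        }
        print comm, stype, perms, ttype, tclass, outcome
    }' "$1"
}

# Number of AVC denial records in the log.
count_denials() {
    avc_tuples "$1" | wc -l | tr -d ' '
}

# Aggregated view: how often each (comm, types, perms, class, outcome) occurred.
denial_summary() {
    avc_tuples "$1" | sort | uniq -c | sort -rn
}

# Denials recorded while permissive: the actions that would be blocked once
# you switch back to enforcing mode.
would_block() {
    avc_tuples "$1" | awk '$NF == "logged-only"'
}

# Constructed sample records (not captured from a real host).
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
type=AVC msg=audit(1585000000.123:456): avc:  denied  { write } for  pid=1234 comm="httpd" name="logs" dev="vda1" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1585000000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1585000001.456:457): avc:  denied  { write } for  pid=1234 comm="httpd" name="logs" dev="vda1" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1585000002.789:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1585000003.000:459): avc:  denied  { read open } for  pid=1234 comm="httpd" path="/home/example_user/example_dir/index.html" dev="vda1" ino=1002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
EOF
echo "denials: $(count_denials "$demo_log")"
denial_summary "$demo_log"
echo "would be blocked in enforcing mode:"
would_block "$demo_log"
rm -f "$demo_log"
# On a real host: sudo cp /var/log/audit/audit.log /tmp/audit.log && denial_summary /tmp/audit.log
```

The summary makes the pattern behind a sealert suggestion visible: repeated write denials from httpd_t against user_home_t on a directory are the signature of a web root left under a home directory label, which is why sealert proposes relabelling rather than a blanket allow.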

SELinux Context

SELinux marks each object on a machine with a context. Every file, user, and process has a context. The context is divided into three parts: user, role, and type (plus a sensitivity level when the policy uses MLS/MCS). An SELinux policy controls which users can take on which roles, and each role restricts the types of files the user can access. When a user logs on to a system, they are assigned a role. As seen in the ls -Z example below, unconfined_u is the SELinux user.

  1. Create a directory in your home folder:

    mkdir ~/example_dir

  2. Print the SELinux security context of the directories and files in your home folder:

    ls -Z ~/

    The output is similar to:

    drwxrwxr-x. example_user example_user unconfined_u:object_r:user_home_t:s0 example_dir

    The SELinux-specific information is contained in unconfined_u:object_r:user_home_t:s0, which follows the syntax User:Role:Type:Level. For more information about users, roles, and related access control, see the CentOS SELinux documentation.
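To make the User:Role:Type:Level split concrete, here is an added example (not part of the Linode guide) that takes the context column from an ls -Z listing apart and flags entries in a directory whose type label differs from the one you expect, the sort of check you would run after copying files into a home directory or after a restorecon. The function names are my own, and the listing is a constructed ls -Z output in the five-column form shown above, not live output.

```shell
#!/bin/sh
# Added example, not from the Linode guide: split the User:Role:Type:Level
# context that `ls -Z` prints and flag entries whose type label differs from
# the one expected for that directory. Input is a saved `ls -Z` listing
# (mode owner group context name).

# Print one part of a context: user, role, type or level.
# The level may itself contain a colon (e.g. s0-s0:c0.c1023), so it is
# everything from the fourth field onwards.
context_part() {
    ctx="$1"
    case "$2" in
        user)  echo "$ctx" | cut -d: -f1 ;;
        role)  echo "$ctx" | cut -d: -f2 ;;
        type)  echo "$ctx" | cut -d: -f3 ;;
        level) echo "$ctx" | cut -d: -f4- ;;
        *) echo "unknown part: $2" >&2; return 1 ;;
    esac
}

# From an `ls -Z` listing, print "name type" for every entry whose type label
# is not the expected one. File names may contain spaces (columns 5 onwards).
unexpected_types() {
    awk -v want="$2" '
    NF >= 5 {
        split($4, c, ":")
        if (c[3] != want) {
            name = $5
            for (i = 6; i <= NF; i++) name = name " " $i
            print name, c[3]
        }
    }' "$1"
}

# Constructed listing of a home directory into which a web file was copied
# and relabelled, so one entry no longer carries user_home_t.
demo_listing=$(mktemp)
cat > "$demo_listing" <<'EOF'
drwxrwxr-x. example_user example_user unconfined_u:object_r:user_home_t:s0 example_dir
-rw-r--r--. example_user example_user unconfined_u:object_r:httpd_sys_content_t:s0 index.html
-rw-------. example_user example_user unconfined_u:object_r:user_home_t:s0 my notes.txt
EOF
echo "type of example_dir: $(context_part unconfined_u:object_r:user_home_t:s0 type)"
echo "entries not labelled user_home_t:"
unexpected_types "$demo_listing" user_home_t
rm -f "$demo_listing"
# On a real host: ls -Z ~/ > /tmp/listing && unexpected_types /tmp/listing user_home_t
```

Running the check against a web root with httpd_sys_content_t as the expected type is the mirror image: anything still labelled user_home_t there is what httpd will be denied access to.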

SELinux Boolean

A SELinux Boolean is a variable that can be turned on and off without reloading or recompiling an SELinux policy.

  1. You can view the list of Boolean variables by using the getsebool -a command. Pipe the command through grep to narrow down your results:

    sudo getsebool -a | grep "httpd_can"

    You will see similar output:

    httpd_can_check_spam -> off
    httpd_can_connect_ftp -> off
    httpd_can_connect_ldap -> off
    httpd_can_connect_mythtv -> off
    httpd_can_connect_zabbix -> off
    httpd_can_network_connect -> off
    httpd_can_network_connect_cobbler -> off
    httpd_can_network_connect_db -> off
    httpd_can_network_memcache -> off
    httpd_can_network_relay -> off
    httpd_can_sendmail -> off

  2. You can change the value of any variable by using the setsebool command. If you set the -P flag, the setting persists across reboots. If, for example, you want to allow HTTPD scripts and modules to connect to the network, update the corresponding Boolean variable:

    sudo setsebool -P httpd_can_network_connect ON

  3. When you list the Boolean variables again, you should now see that it is set to on:

    sudo getsebool -a | grep "httpd_can"

    httpd_can_check_spam -> off
    httpd_can_connect_ftp -> off
    httpd_can_connect_ldap -> off
    httpd_can_connect_mythtv -> off
    httpd_can_connect_zabbix -> off
    httpd_can_network_connect -> on
    httpd_can_network_connect_cobbler -> off
    httpd_can_network_connect_db -> off
    httpd_can_network_memcache -> off
    httpd_can_network_relay -> off
    httpd_can_sendmail -> off
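Because a persistent setsebool -P survives reboots, a Boolean flipped during troubleshooting tends to stay flipped. As an added example (not part of the Linode guide), the script below compares a saved getsebool -a listing against a baseline of the values you intend and prints every mismatch, including Booleans the baseline names but the host does not have. The function names, the baseline file format, and both inputs are my own constructed samples; the parser accepts both the "name --> on" form getsebool prints and the "name -> on" form shown above.

```shell
#!/bin/sh
# Added example, not from the Linode guide: compare the Booleans a host
# currently has set (saved output of `getsebool -a`) against a baseline of
# intended values, so a Boolean someone flipped with `setsebool -P` does not
# go unnoticed. Both inputs below are constructed samples.

# Value ("on"/"off") of one Boolean from a saved `getsebool -a` listing,
# or "absent" if the host does not know that Boolean.
boolean_value() {
    awk -v name="$2" '$1 == name { print $NF; found = 1 } END { if (!found) print "absent" }' "$1"
}

# Print "name expected actual" for every baseline entry that does not match.
# Baseline format: one "name value" pair per line; '#' comments are allowed.
boolean_drift() {
    awk '
    NR == FNR {                            # first file: current values
        if ($1 != "") cur[$1] = $NF
        next
    }
    /^[[:space:]]*#/ || NF < 2 { next }    # second file: baseline
    {
        actual = ($1 in cur) ? cur[$1] : "absent"
        if (actual != $2) print $1, $2, actual
    }' "$1" "$2"
}

# Constructed snapshot of a host after `setsebool -P httpd_can_network_connect ON`.
demo_current=$(mktemp); demo_baseline=$(mktemp)
cat > "$demo_current" <<'EOF'
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_can_sendmail --> off
EOF
# Baseline: the web server may reach the database but should not open
# arbitrary outbound connections or send mail.
cat > "$demo_baseline" <<'EOF'
# boolean                     expected
httpd_can_network_connect     off
httpd_can_network_connect_db  on
httpd_can_sendmail            off
httpd_can_connect_zabbix      off
EOF
echo "httpd_can_network_connect is $(boolean_value "$demo_current" httpd_can_network_connect)"
echo "drift (name expected actual):"
boolean_drift "$demo_current" "$demo_baseline"
rm -f "$demo_current" "$demo_baseline"
# On a real host: sudo getsebool -a > /tmp/bools && boolean_drift /tmp/bools baseline.txt
```

The baseline is deliberately narrower than the full getsebool -a output: list only the Booleans whose value matters to you, and the report stays short enough to act on.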

Next steps

This guide provides a brief, basic introduction to managing SELinux. You can now dive deeper into SELinux by checking out some of the resources included in the More Information section of this guide.

More Information

You may want to refer to the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot guarantee the accuracy or timeliness of externally hosted materials.

  • Graphical Policy Guide
  • Resources for SELinux
  • CentOS Users SELinux Wiki