Set SELinux Type
When running Red Hat Enterprise Linux, SELinux (Security-Enhanced Linux) is often enabled, and not everybody is comfortable configuring it. SELinux provides Mandatory Access Control (MAC) for Linux.
Let's start by explaining MAC. There are several access control models; the most commonly discussed are:
- Discretionary access control (DAC), where the owner of a resource decides which users or groups may access it. An example is the r-w-x Linux file system permissions.
- Mandatory access control (MAC), where resources and users carry security labels and a system-wide policy, not the resource owner, decides which labels may access which resources. An example is SELinux (Security-Enhanced Linux).
- Role based access control (RBAC), which associates users with the roles they perform, and each role with a set of permissions on resources.
SELinux can run in one of three modes: Disabled, Permissive, and Enforcing. Permissive mode writes denials to the audit log but does not block applications from accessing data; Enforcing mode both logs and blocks them.
SELinux associates a user, role, type, and level with each resource in a colon-separated label (the security context). Example: unconfined_u:object_r:default_t:s0
To view the audit log, use the command aureport -a. Looking at /var/log/messages or /var/log/syslog, or at journalctl -t setroubleshoot --since=hh:mm, we would see a message similar to:
Jan 1 00:00:01 cerberus setroubleshoot: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 8080. For complete SELinux messages. run sealert -l abcdef01-abcd-abcd-abcd-abcdef012345
The sealert command provided in the log message can help reveal more details; it can also be run with an asterisk instead of the identifier. sealert -b launches a GUI utility.
We can also search the audit logs using ausearch. Example: ausearch -ts today -c httpd -m avc ("today" and "recent" are commonly used values for the -ts timestamp option, -c specifies the name of the executable, and -m indicates the message type; avc refers to the Access Vector Cache).
To quickly grant access to something that you see being denied, you can grep the /var/log/audit/audit.log file, pipe the output to audit2allow -M <policy-file-name>, and then run semodule -i <policy-file-name>.pp.
The SELinux types associated with directories and files on the file system can be viewed by passing the -Z option to the ls command, or with the matchpathcon <path> command. To change these types temporarily, use chcon (example: chcon -Rv -u system_u -t samba_share_t /my_data). These changes are temporary because the next restorecon (or a file system relabel) resets them. To make the changes permanent, use semanage fcontext -a -t samba_share_t /my_data.* (-a adds, -d deletes; this writes to /etc/selinux/targeted/contexts/files/) and then run restorecon -R -v /my_data (this applies the types recorded under /etc/selinux/targeted/contexts/files/). Use semanage fcontext -l to list the added file contexts.
SELinux types can also be associated with TCP/UDP ports (example: semanage port -a -t httpd_port_t -p tcp 8080 to set, semanage port -l to list).
SELinux has boolean flags that can be read with getsebool and changed with setsebool (example: getsebool httpd_enable_homedirs and setsebool -P httpd_enable_homedirs 1, with -P making the change persistent across reboots).
Custom SELinux modules can also be created, as in this example from the MongoDB documentation:
cat > mongodb_proc_net.te <<EOF
module mongodb_proc_net 1.0;
require {
type proc_net_t;
type mongod_t;
class file { open read };
}
#============= mongod_t ==============
allow mongod_t proc_net_t:file { open read };
EOF
checkmodule -M -m -o mongodb_proc_net.mod mongodb_proc_net.te # Compile to binary
semodule_package -o mongodb_proc_net.pp -m mongodb_proc_net.mod # Package
semodule -i mongodb_proc_net.pp # Install
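As an added example (not code from the original page or from the MongoDB documentation), here is a small Python script that does in the open what the audit2allow step above does: it reads raw AVC records, splits each context label into user:role:type:level, groups the denied permissions by source type, target type and object class, and renders the allow rules a .te module would need so they can be reviewed before semodule -i. It also flags name_bind denials on sockets, where the page's semanage port step is the better fix. The audit records are constructed samples.

```python
import re
from collections import defaultdict
# Constructed sample records (not from a real host); field layout follows AVC records in /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1609459201.123:456): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1609459202.456:457): avc:  denied  { read } for  pid=2345 comm="mongod" name="tcp" dev="proc" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1609459202.789:458): avc:  denied  { open } for  pid=2345 comm="mongod" path="/proc/net/tcp" dev="proc" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1609459202.789:458): arch=c000003e syscall=257 success=no exit=-13
"""

AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def split_context(ctx):
    """Split a user:role:type:level label; an MLS/MCS level may itself contain ':'."""
    parts = ctx.split(":", 3)
    user, role, stype = parts[:3]
    return {"user": user, "role": role, "type": stype,
            "level": parts[3] if len(parts) > 3 else ""}

def parse_avc_denials(text):
    """Group denied permissions by (source type, target type, class), as audit2allow does."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("decision") != "denied":
            continue  # SYSCALL/other records and granted AVCs are not candidate rules
        key = (split_context(m.group("scontext"))["type"],
               split_context(m.group("tcontext"))["type"],
               m.group("tclass"))
        denials[key].update(m.group("perms").split())
    return dict(denials)

def allow_rules(denials):
    """Render the allow rules a .te module would need; review them before semodule -i."""
    return [f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
            for (stype, ttype, tclass), perms in sorted(denials.items())]

def port_label_hints(denials):
    """A name_bind denial on a socket is usually fixed by labelling the port (semanage port), not by a new allow rule."""
    return [f"{stype}: name_bind on {tclass} ({ttype}); label the port with semanage port instead of allowing {ttype}"
            for (stype, ttype, tclass), perms in sorted(denials.items())
            if tclass in ("tcp_socket", "udp_socket") and "name_bind" in perms]

if __name__ == "__main__":
    denied = parse_avc_denials(SAMPLE_AUDIT_LOG)
    print("\n".join(allow_rules(denied) + port_label_hints(denied)))
```

The second rendered rule is exactly the allow line in the MongoDB module above; the first would grant httpd_t binding to every unreserved port, which is why the hint points at semanage port instead.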
Also see: AppArmor, seccomp, TOMOYO, grsecurity, Smack, Linux Security Modules, and /var/lib/setroubleshoot/setroubleshoot_database.xml (read by sealert).