SELinux

Learn about SELinux.

SELinux stands for Security-Enhanced Linux; it is an advanced security feature of the Linux kernel. SELinux does not replace antivirus, firewalls, file permissions, or ACLs on Linux. As the name implies, it is a security enhancement, not a replacement for other security features.

  • To show SELinux context labels: ps auxZ (processes) or ls -lZ (files).

  • sestatus -v : check the current SELinux status.

  • getenforce : same thing, in short form.

  • setenforce 0 : switch SELinux to permissive mode.

  • setenforce 1 : switch SELinux to enforcing mode.

The last two commands change the SELinux mode only temporarily (until the next reboot). To make the change permanent, edit the SELinux configuration file located at /etc/sysconfig/selinux.

  • Enforcing mode : SELinux is fully operational and enforces all rules in the policy.

  • Permissive mode : all SELinux-related activity is logged, but no access is blocked.

  • Disabled mode : never set SELinux to disabled unless you know that this is really what you want.
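The permanent change described above is an edit to the SELINUX= line of the configuration file. As an added example (not part of the original page), the following shell script reads and rewrites that line, refusing "disabled" unless explicitly forced; the file path is a parameter and the configuration content is constructed here, so it runs without root and without SELinux.

```shell
#!/bin/sh
# Added example (not from the original page): inspect and change the boot-time
# SELinux mode stored in the configuration file, the permanent counterpart of
# "setenforce 0/1". The file path is a parameter so the functions can be run
# against a constructed copy instead of the real config file.

# Print the active SELINUX= value (enforcing, permissive or disabled).
# Comment lines and SELINUXTYPE= are ignored; the last assignment wins.
selinux_configured_mode() {
    awk -F= '/^[[:space:]]*SELINUX[[:space:]]*=/ {
                 gsub(/[[:space:]]/, "", $2); mode = $2
             }
             END { print mode }' "$1"
}

# Rewrite the SELINUX= line in $1 to mode $2 and verify the result.
# Only the three valid modes are accepted, and "disabled" is refused unless
# FORCE_DISABLE=1 is set, mirroring the advice above.
set_selinux_configured_mode() {
    file=$1
    mode=$2
    case "$mode" in
        enforcing|permissive) ;;
        disabled)
            if [ "${FORCE_DISABLE:-0}" != 1 ]; then
                echo "refusing to set SELINUX=disabled (set FORCE_DISABLE=1 to override)" >&2
                return 1
            fi ;;
        *)  echo "invalid mode: $mode" >&2
            return 2 ;;
    esac
    # edit via a temporary file so the change is atomic and portable
    sed "s/^[[:space:]]*SELINUX[[:space:]]*=.*/SELINUX=$mode/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
    [ "$(selinux_configured_mode "$file")" = "$mode" ]
}

# Write a constructed sample config with the same layout as a RHEL-family
# SELinux config file, for running the functions above without root.
make_sample_config() {
    cat > "$1" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing  - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled   - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these values:
#     targeted - Targeted processes are protected.
SELINUXTYPE=targeted
EOF
}

# Stand-alone demonstration against a temporary file: run as "sh script.sh demo".
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    make_sample_config "$tmp"
    echo "configured mode: $(selinux_configured_mode "$tmp")"
    set_selinux_configured_mode "$tmp" permissive
    echo "configured mode: $(selinux_configured_mode "$tmp")"
    rm -f "$tmp"
fi
```

On a real host the same functions would be pointed at the actual configuration file as root; the change only takes effect at the next boot, which is exactly why setenforce exists for the immediate switch.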

SELinux Contexts :

The SELinux policy uses these contexts in a series of rules which define how processes can interact with each other and with the various system resources. By default, the policy does not allow any interaction unless a rule explicitly grants access.

SELinux contexts have several fields: user, role, type, and security level, written as user_context:role_context:type (followed by the security level). The SELinux type is the most important field when it comes to the SELinux policy, because the most common policy rule, which defines the allowed interactions between processes and system resources, uses SELinux types and not the full SELinux context.

For example, the SELinux type name for the web server process is httpd_t, and the type context for files and directories normally found in /var/www/html/ is httpd_sys_content_t.

How context settings are applied:

  • If a new file is created, it inherits the context settings from the parent directory.

  • If a file is copied to a directory, this is considered a new file, so it inherits the context settings from the parent directory.

  • If a file is moved, or copied while keeping its properties (by using cp -a), the original context settings of the file are applied.

Small hint : when using the mv command, include the -Z option so the file inherits the context of the new directory. For a better understanding of SELinux contexts, let's analyze the diagram below:

Use the general-purpose semanage tool to define file, port, and other object contexts:

  • semanage fcontext writes a file context rule into the SELinux policy. For file-system-based objects, changing the policy does not take effect immediately.

  • Use restorecon to apply the policy to the file system, e.g. (-t takes the type only, not a full context string):

    semanage fcontext -a -t etc_t "/etc(/.*)?"

    restorecon -Rv /etc

  • Another option is to touch /.autorelabel and reboot.

  • To see the context of a port, use this command : netstat -Ztulpen
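The mv hint and the semanage/restorecon workflow above come together when a web content directory contains a file that was moved in with its old label. As an added example (not part of the original page), the following shell script audits `ls -Z` output against the expected type and prints the two commands that make the correct label permanent; the listing is constructed here so the audit runs without SELinux, and the directory and type are parameters.

```shell
#!/bin/sh
# Added example (not from the original page): audit the labels in a web
# content directory against the expected type and print the semanage/restorecon
# commands that make the correct label permanent. The `ls -Z` output below is
# constructed so the audit runs without SELinux; on a real host you would pipe
# `ls -Z /var/www/html` into find_mislabeled instead.

# Constructed `ls -Z` output: one file was moved in from a home directory with
# plain `mv` (no -Z), so it kept its old user_home_t label.
SAMPLE_LS_Z=$(printf '%s\n' \
    'unconfined_u:object_r:httpd_sys_content_t:s0 index.html' \
    'unconfined_u:object_r:user_home_t:s0 moved_from_home.html' \
    'system_u:object_r:httpd_sys_content_t:s0 style.css')

# Read "user:role:type:level name" lines on stdin and print each entry whose
# type field differs from $1, together with the type it actually carries.
find_mislabeled() {
    awk -v want="$1" '
        NF >= 2 {
            split($1, ctx, ":")          # ctx[3] is the SELinux type
            if (ctx[3] != want) print $2 " (" ctx[3] ")"
        }'
}

# Print the two commands that fix labels permanently for directory $1 and
# type $2: record the rule in the policy, then apply it to existing files.
# (semanage fcontext -t takes the type only, not a full context string.)
relabel_commands() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$2" "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

# Combine both: report mislabeled entries from stdin and, if any exist, the
# remediation. Returns 0 when everything is labeled as expected, 1 otherwise.
audit_labels() {
    dir=$1
    want=$2
    bad=$(find_mislabeled "$want")
    if [ -z "$bad" ]; then
        echo "all entries carry $want"
        return 0
    fi
    echo "mislabeled entries:"
    echo "$bad"
    echo "remediation:"
    relabel_commands "$dir" "$want"
    return 1
}

# Stand-alone demonstration on the constructed listing: run as "sh script.sh demo".
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LS_Z" | audit_labels /var/www/html httpd_sys_content_t
fi
```

The script only prints the remediation commands rather than running them, so the output can be reviewed before anything in the policy or on disk is changed.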

Booleans :

  • Higher-level concept for turning a complete set of functionality on or off

  • getsebool -a : list all booleans

  • To toggle a boolean persistently: setsebool -P httpd_enable_homedirs on

  • e.g. : allow httpd to read home directories for a public web page -> show all booleans and pipe to grep for httpd :

    getsebool -a | grep httpd

    httpd_enable_homedirs --> off

    -> change the boolean : setsebool -P httpd_enable_homedirs on

Logging :

  • By default SELinux logs through auditd; the raw logs are not human friendly: grep AVC /var/log/audit/audit.log

  • AVC = access vector cache, and it is the signature of SELinux log entries

  • Nicer is sealert, which parses the raw audit log events, adds advice, and writes to /var/log/messages

  • Run sealert <uuid> to get advice on a known event

  • Use journalctl | grep sealert to locate the UUID

==> If a service is not working, always suspect SELinux. Check whether it is running with getenforce. Temporarily relax to permissive mode with setenforce 0. Re-test; if the service is now operational, you know SELinux is to blame. Then grep sealert /var/log/messages.
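Both the Logging bullets and the troubleshooting steps above end with reading AVC records, whose single-line format hides the useful fields. As an added example (not part of the original page), the following shell script summarizes denials from audit.log into "who was denied what": the process name, source and target types, object class and permission. The log excerpt is constructed here; on a real host it would be replaced by `grep AVC /var/log/audit/audit.log`.

```shell
#!/bin/sh
# Added example (not from the original page): summarize AVC denials from
# audit.log so the "who was denied what" is readable at a glance. The log
# lines are constructed here; on a real host replace them with
# `grep AVC /var/log/audit/audit.log`.

# Constructed audit.log excerpt: two denials for httpd (one file read on a
# user_home_t file, one outbound connect), one unrelated SYSCALL record and
# one granted AVC record that must not be counted as a denial.
SAMPLE_AUDIT=$(printf '%s\n' \
    'type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0' \
    'type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"' \
    'type=AVC msg=audit(1700000001.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=8443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0' \
    'type=AVC msg=audit(1700000002.789:458): avc:  granted  { setenforce } for  pid=2000 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security')

# Read audit records on stdin and print one line per denial:
#   comm source_type target_type tclass permission(s)
# Granted records and non-AVC records are skipped.
summarize_avc() {
    awk '
        /^type=AVC / && /avc: +denied/ {
            perm = comm = src = tgt = cls = ""
            # the permission set sits between "{ " and " }"
            if (match($0, /[{] [^}]* [}]/))
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)          { comm = substr($i, 6); gsub(/"/, "", comm) }
                else if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); src = c[3] }
                else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tgt = c[3] }
                else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            print comm, src, tgt, cls, perm
        }'
}

# Count denials in the records on stdin.
count_denials() {
    summarize_avc | awk 'END { print NR }'
}

# Stand-alone demonstration on the constructed excerpt: run as "sh script.sh demo".
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
    printf 'denials: %s\n' "$(printf '%s\n' "$SAMPLE_AUDIT" | count_denials)"
fi
```

The first summarized denial (httpd_t denied read on a user_home_t file) is exactly the mislabeled-file situation from the contexts section, which restorecon fixes; the second (name_connect to an unreserved port) is the kind of case where a boolean or a port context rule via semanage is the answer rather than a relabel.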
