Mutt
Security-Enhanced Linux (SELinux) is a Linux access control mechanism built on the Linux Security Modules (LSM) framework. SELinux is enabled by default in many Red Hat based, rpm-using distributions such as Fedora and CentOS.
In this article we will look at configuring SELinux. We will not cover writing new policies; instead we approach the system from the other side: how it can be useful to an ordinary Linux user, the basics of how it works, and how to enable it, disable it and change its mode. CentOS 8 was used to run the examples.
SELinux Basics
SELinux is a labeling system: every process has a label, and so does every file, directory and even every user on the system. Ports, devices and host names are labeled too. SELinux defines rules that govern which labels a process may access; the set of rules is called a policy. The kernel enforces the rules. This approach is known as Mandatory Access Control (MAC).
The owner of a file does not have full discretion over its security attributes. Standard access control attributes such as owner and group mean nothing to SELinux; everything is controlled by labels. Labels can be set without root rights, but doing so requires the appropriate SELinux authority.
Now a little about policies. We define a label for processes of a certain type and for file system objects of a certain type. Imagine a system in which the subjects (processes) are cats and dogs; these are the process types. The objects they want to access are food, but there are two kinds, cat_food and dog_food, and each subject should only have access to its own food.
The dog has permission to eat its food, and the cat has its own. In SELinux policy rules it looks like this:
Code:
allow cat cat_food:food eat;
allow dog dog_food:food eat;
The kernel now enforces these rules. In SELinux everything is denied by default, so if the dog tries to eat the cat's food, the kernel will not allow it.
Say the Apache process runs with the httpd_t label, and the files Apache is meant to serve are labeled httpd_sys_content_t. We also have credit card details stored in the MySQL database. If an attacker compromises the Apache process, even with root access, he still cannot reach the MySQL files, because no rule allows the httpd_t domain to touch them.
SELinux can cause system administrators a lot of trouble, so many simply disable it, which solves the problem at the cost of security. As mentioned above, by default SELinux blocks anything and everything; that is the strict policy. To make life easier for administrators, other standard policies have been developed. Many distributions use the targeted policy: it covers around 200 network services and daemons, while all other programs run unconfined, with no SELinux rules applied to them.
SELinux can work in three modes:
- disabled - SELinux is completely turned off and does nothing.
- enforcing - SELinux is active and blocks every action that does not comply with the policy.
- permissive - violations are only logged, not blocked.
SELinux policies also come in several types. The targeted policy discussed above is a Type Enforcement (TE) policy: access to files is decided by the type of the process and the type of the file. The strict policy belongs to the same family. There are also Multi-Level Security (MLS) policies, which add security levels and categories; they are complex and unnecessary for an ordinary user, so beginners can ignore them for now. Bear in mind that SELinux was developed by the military for the military, so ordinary users will hardly need all of its capabilities. In this article we discuss the targeted policy.
That covers the theory in general terms. Now let's move on to the practical part.
1. Status
After rebooting, you can see the SELinux status:
Code:
sestatus
Here we see that SELinux is enabled (SELinux status: enabled) and that the current mode is enforcing (Current mode: enforcing), that is, the system will block unauthorized actions. The loaded policy is targeted; under it, SELinux rules apply only to specific services.
3. Mode of operation
To switch to enforcing mode, run:
Code:
sudo setenforce 1
You can switch back to permissive mode by passing 0 to the same command:
Code:
sudo setenforce 0
You can view the current mode with a similar command:
Code:
getenforce
All basic SELinux configuration is done in /etc/selinux/config. Here you can both disable SELinux completely and choose the security policy in use.
Code:
sudo vi /etc/selinux/config
The SELINUX parameter sets the SELinux operating mode; it accepts one of three values, enforcing, permissive or disabled:
Code:
SELINUX=enforcing
Use disabled to turn SELinux off completely, or enforcing or permissive to turn it back on. This mode is applied by default at system startup.
4. Choice of policy
Configuring SELinux policies is also done in this file. The SELINUXTYPE parameter is responsible for the policy:
Code:
SELINUXTYPE=targeted
You can point it at any policy located under /etc/selinux. Three main policies can be used:
- targeted - protects basic system services such as web server, DHCP, DNS, but does not touch all other programs.
- strict - the strictest policy, controls not only network services, but also user programs.
- mls - contains not only rules, but also different levels of security. It allows you to implement a multi-layered security system based on SELinux.
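A check built on the two settings above, as an added example (not from the original post): it parses the SELINUX and SELINUXTYPE values from a constructed copy of /etc/selinux/config and compares the configured boot mode with the running mode as printed by getenforce, so a setenforce 0 that nobody reverted or an edit to SELINUX=disabled is reported instead of discovered at the next reboot. The config text is constructed, and the running mode is passed in as an argument.

```shell
#!/bin/sh
# Added example (not from the original post): read the SELINUX and
# SELINUXTYPE settings from a config file body and compare the configured
# boot mode with the mode currently running.

# Constructed sample of /etc/selinux/config (not copied from a real host).
CONFIG_SAMPLE='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
SELINUX=permissive
SELINUXTYPE=targeted
'

# config_value CONFIG_TEXT KEY -> value of KEY, ignoring comments and spaces around "="
config_value() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" |
        tail -n 1
}

# check_selinux CONFIG_TEXT RUNTIME_MODE -> one finding per line; status 0 only when clean
check_selinux() {
    mode=$(config_value "$1" SELINUX)
    policy=$(config_value "$1" SELINUXTYPE)
    rc=0
    case $mode in
        enforcing) ;;
        permissive|disabled) echo "boot default SELINUX=$mode: violations will not be blocked"; rc=1 ;;
        '')        echo "SELINUX is not set in config"; rc=1 ;;
        *)         echo "SELINUX=$mode is not enforcing, permissive or disabled"; rc=1 ;;
    esac
    [ -n "$policy" ] || { echo "SELINUXTYPE is not set in config"; rc=1; }
    # getenforce prints Enforcing/Permissive/Disabled; compare case-insensitively
    runtime=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ -n "$mode" ] && [ "$runtime" != "$mode" ]; then
        echo "runtime mode $2 differs from configured $mode (setenforce or pending reboot)"
        rc=1
    fi
    return $rc
}

# Stand-alone run: the constructed config says permissive while the host runs Enforcing.
check_selinux "$CONFIG_SAMPLE" Enforcing || echo "SELinux configuration needs attention"
```

On a real host, replace the sample with `cat /etc/selinux/config` and the second argument with `getenforce` output.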
5. View context
Each file and each process has its own SELinux label, which is commonly called a context. Which label will be assigned to this or that file or process is determined by the policy, in our case it is targeted. You can view the SELinux context using the ls command:
Code:
ls -lZ /
The syntax for the context line is:
Code:
user:role:type_or_domain:level
In the targeted policy the user and role fields are practically not used, and the level belongs to MLS policies, so it can be ignored too. The third field is the one worth looking at: for files and directories it is called the type, for processes the domain. For example, the /bin directory has the bin_t type.
To view the domain of a process, use the ps command, for example, for httpd:
Code:
ps auxZ | grep httpd
As you can see, the httpd service runs in the httpd_t domain, which means only the resources this domain is allowed to touch will be available to it, in this case files of the httpd_sys_content_t type. All of this, including the names, is defined in the targeted policy. Other processes, here for example grep, run in the unconfined_t domain, which means they have access to all resources on the system without exception, because that is exactly the behaviour the policy configures for this domain.
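Putting the context format above to work, as an added example (not from the original post): the functions below split a context string into its four fields and scan constructed ps -eZ and ls -Z output for processes that run in the unconfined_t domain and for web files whose type is not httpd_sys_content_t. The process list, directory listing and file names are invented.

```shell
#!/bin/sh
# Added example (not from the original post): split an SELinux context into
# its four fields, then use that to audit constructed ps -eZ / ls -Z output
# for processes that run unconfined and web files carrying the wrong type.

# ctx_field CONTEXT FIELD -> prints the user, role, type or level part
ctx_field() {
    ctx=$1
    case $2 in
        user)  printf '%s\n' "${ctx%%:*}" ;;
        role)  rest=${ctx#*:};   printf '%s\n' "${rest%%:*}" ;;
        type)  rest=${ctx#*:*:}; printf '%s\n' "${rest%%:*}" ;;
        level) printf '%s\n' "${ctx#*:*:*:}" ;;   # MLS level may itself contain ':'
        *)     return 1 ;;
    esac
}

# Constructed sample of `ps -eZ` output (LABEL PID TTY TIME CMD).
PS_SAMPLE='LABEL PID TTY TIME CMD
system_u:system_r:httpd_t:s0 1234 ? 00:00:01 httpd
system_u:system_r:sshd_t:s0-s0:c0.c1023 801 ? 00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2345 pts/0 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2399 pts/0 00:00:00 grep'

# unconfined_procs PS_OUTPUT -> commands whose domain is unconfined_t, one per line
unconfined_procs() {
    printf '%s\n' "$1" | while read -r label _pid _tty _time cmd; do
        if [ "$(ctx_field "$label" type)" = unconfined_t ]; then printf '%s\n' "$cmd"; fi
    done
}

# Constructed sample of `ls -Z`-style output for a relocated web root (LABEL NAME).
LS_SAMPLE='unconfined_u:object_r:httpd_sys_content_t:s0 index.html
unconfined_u:object_r:user_home_t:s0 upload.php
unconfined_u:object_r:httpd_sys_content_t:s0 style.css'

# mislabeled LS_OUTPUT EXPECTED_TYPE -> names whose type is not EXPECTED_TYPE
mislabeled() {
    printf '%s\n' "$1" | while read -r label name; do
        if [ "$(ctx_field "$label" type)" != "$2" ]; then printf '%s\n' "$name"; fi
    done
}

echo "unconfined: $(unconfined_procs "$PS_SAMPLE" | tr '\n' ' ')"
echo "mislabeled: $(mislabeled "$LS_SAMPLE" httpd_sys_content_t | tr '\n' ' ')"
```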
6. Change of context
By default, the web server directory is /var/www/html, and it carries the httpd_sys_content_t context discussed earlier.
If you want to move this directory somewhere else, you will need to change the context of the new directory. To do this, use the chcon command; it is enough to specify only the type:
Code:
sudo chcon -Rv --type=httpd_sys_content_t /home/losst/htdocs
However, you can specify the entire context:
Code:
sudo chcon -Rv system_u:object_r:httpd_sys_content_t:s0 /home/losst/htdocs
This change survives a reboot, but it will be lost when the filesystem labels are reset (for example by restorecon or a full relabel). To avoid this, add a rule to the policy.
7. Policy modification
You can add extra file labeling rules to the policy with the semanage utility. To set the httpd_sys_content_t type for the /home/losst/htdocs directory and all files in it, run:
Code:
sudo semanage fcontext -a -t httpd_sys_content_t "/home/losst/htdocs(/.*)?"
If you need to change the context for only one file, then you do not need to use the mask:
Code:
sudo semanage fcontext -a -t httpd_sys_content_t "/home/losst/htdocs/index.html"
By itself, this command changes nothing on the file system. Either create the /.autorelabel file and reboot (the whole filesystem is relabeled at boot), or run restorecon on the directory in question:
Code:
sudo touch /.autorelabel    # relabel everything at the next boot
sudo restorecon -R -v /home/losst/htdocs
You can view all the rules added in this way using the following command:
Code:
semanage fcontext -C -l
8. Logs
Regardless of the mode SELinux is running in, all violation messages are written to the log file /var/log/audit/audit.log. You can view it manually:
Code:
less /var/log/audit/audit.log
Or, for a more convenient viewing, you can use the sealert utility. To install it, run:
Code:
sudo yum install setroubleshoot
Then you can watch:
Code:
sealert -a /var/log/audit/audit.log
The utility does not display every line, only messages about access denials, and alongside them it shows proposed solutions, which is very convenient. Among the solutions it offers to build your own module for the targeted policy, which allows what is currently forbidden.
9. Modules
The targeted policy is modular. It consists of many modules for different programs. To view all currently active modules run:
Code:
semodule -l
To view all installed modules run:
Code:
semodule --list-modules=full
The previous section showed how to look up possible solutions to an access problem with the sealert utility. The most common solution is to create your own policy module based on the log. The audit2allow utility analyzes the log file, finds the objects to which access was denied, and generates a new module that allows that access. In the previous example, sealert suggested this command:
Code:
ausearch -c 'httpd' --raw | audit2allow -M my-httpd
After that, the module package with the .pp extension will appear in the current folder, which can already be installed using the semodule utility:
Code:
sudo semodule -i my-httpd.pp
10. Flags
In addition, the behaviour of the policy can be tuned with flags (SELinux booleans). Usually the flags to enable are recommended by the same sealert utility. All flags are defined in policy modules. You can see which flags are available and their current state with:
Code:
getsebool -a
Use the setsebool command to change the state of a flag; the -P option makes the change persist across reboots. For example, to allow httpd to make outgoing network connections, run:
Code:
setsebool -P httpd_can_network_connect on
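Sections 8 to 10 taken together, as an added example (not code from the original post): parse AVC denial lines in the audit.log format, group them by source domain, target type, object class and permission, and attach a triage hint that points at a label fix, the httpd_can_network_connect boolean, or a sealert/audit2allow review. The sample lines, pids and inode numbers are constructed, and the triage table covers only the httpd cases this article discusses.

```shell
#!/bin/sh
# Added example (not from the original post): summarize AVC denials from
# audit.log so the cause (wrong file label, missing boolean, real policy
# gap) can be judged before anyone reaches for audit2allow.

# Constructed sample of /var/log/audit/audit.log lines (not real captures).
AUDIT_SAMPLE='type=AVC msg=audit(1600000001.100:101): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1600000001.100:101): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1600000002.200:102): avc:  denied  { read } for  pid=1234 comm="httpd" name="style.css" dev="dm-0" ino=4243 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1600000003.300:103): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'

# avc_summary LOG_TEXT -> "COUNT COMM SRC_TYPE TGT_TYPE CLASS PERMS" per distinct denial (perms joined by +)
avc_summary() {
    printf '%s\n' "$1" | awk '
        /^type=AVC / && /avc: +denied/ {
            perms = $0
            sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
            gsub(/ /, "+", perms)
            src = tgt = cls = comm = "?"
            for (i = 1; i <= NF; i++) {
                if      ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
                else if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tgt = b[3] }
                else if ($i ~ /^tclass=/)   cls = substr($i, 8)
                else if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            }
            count[comm " " src " " tgt " " cls " " perms]++
        }
        END { for (k in count) print count[k], k }' | sort
}

# triage SRC_TYPE TGT_TYPE CLASS PERMS -> the remedy from the article to check first
triage() {
    case "$1 $3 $4" in
        "httpd_t tcp_socket name_connect")
            echo "boolean: setsebool -P httpd_can_network_connect on" ;;
        "httpd_t file "*|"httpd_t dir "*)
            case $2 in
                httpd_*) echo "policy gap: review sealert, then audit2allow" ;;
                *)       echo "label: semanage fcontext + restorecon (target is $2)" ;;
            esac ;;
        *)  echo "unclassified: review with sealert" ;;
    esac
}

# Walk the summary and print a triage hint per denial group.
avc_summary "$AUDIT_SAMPLE" | while read -r n comm src tgt cls perms; do
    printf '%s x %s %s -> %s\n' "$n" "$comm" "$perms" "$(triage "$src" "$tgt" "$cls" "$perms")"
done
```

On a real host feed it `sudo cat /var/log/audit/audit.log` (or `sudo ausearch -m AVC --raw`) instead of the sample.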
Conclusions
Now you know how to enable or disable SELinux, as well as how to change the policy or mode of the program. We've covered working with context, policy modules, and flags. This is enough to understand how to configure SELinux on your server. Everything else is beyond the scope of our short article.