SELinux#

SELinux (Security-Enhanced Linux) is an implementation of Mandatory Access Control (MAC) in the Linux kernel. With MAC, the kernel enforces a system-wide policy on every access to a kernel object (files, directories, sockets, devices, process transitions), on top of the traditional discretionary owner/group/mode permissions. The practical consequence is that SELinux decides whether a process may read a file or directory, execute a program, or open a device or socket based on the security context of the process, not on its user identifier: two processes running under the same UID, even as root, can be allowed very different things.

SELinux has a reputation for being hard to use, but with the right tools and some understanding of labels it is manageable. The benefit of applying it correctly is substantial: a compromised service stays confined to the files, ports and operations its policy allows, which limits lateral movement and reduces the impact of a breach. With the MLS/MCS part of the policy it can additionally be used to decide whether an account has the required security level to access a file or directory.

Introduction to SELinux#

SELinux runs in one of three modes:
* Disabled: no policy is loaded; switching to or from this mode requires a reboot
* Permissive: the policy is evaluated and denials are logged, but nothing is blocked
* Enforcing: denials are blocked and logged

setenforce switches between Permissive and Enforcing on the running system only; the mode that applies after a reboot is the one set in /etc/selinux/config. Permissive mode is the safe way to test a new policy or labelling change, because the audit log then shows everything that would have been denied.

$ sudo setenforce 0
$ sudo getenforce
Permissive
$ sudo setenforce 1
$ sudo getenforce
Enforcing
$ ps Zaux
LABEL                           USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
system_u:system_r:init_t:s0     root           1  0.0  0.0 173684 14312 ?        Ss   apr09   0:25 /usr/lib/systemd/systemd rhgb --system --deserialize 61
system_u:system_r:kernel_t:s0   root           2  0.0  0.0      0     0 ?        S    apr09   0:00 [kthreadd]
system_u:system_r:kernel_t:s0   root           3  0.0  0.0      0     0 ?        I<   apr09   0:00 [rcu_gp]
system_u:system_r:kernel_t:s0   root           4  0.0  0.0      0     0 ?        I<   apr09   0:00 [rcu_par_gp]
system_u:system_r:kernel_t:s0   root           6  0.0  0.0      0     0 ?        I<   apr09   0:00 [kworker/0:0H-events_highpri]
$ ps -ZC sshd
LABEL                               PID TTY          TIME CMD
system_u:system_r:sshd_t:s0-s0:c0.c1023 669548 ? 00:00:00 sshd
$ ls -Z /home
unconfined_u:object_r:user_home_dir_t:s0 user01
unconfined_u:object_r:user_home_dir_t:s0 user02
$ ls -Z /var/www
system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
    system_u:object_r:httpd_sys_content_t:s0 html
$ ls -Z ~/.ssh
unconfined_u:object_r:user_home_t:s0 authorized_keys
unconfined_u:object_r:user_home_t:s0 aws-test-2022.pem
 unconfined_u:object_r:ssh_home_t:s0 config
 unconfined_u:object_r:ssh_home_t:s0 id_rsa
 unconfined_u:object_r:ssh_home_t:s0 id_rsa.pub
 unconfined_u:object_r:ssh_home_t:s0 known_hosts
unconfined_u:object_r:user_home_t:s0 other_keys.seahorse

Note that authorized_keys and aws-test-2022.pem in the listing above carry user_home_t, while config and the key files carry ssh_home_t, the type the targeted policy assigns to everything under ~/.ssh. Files moved into ~/.ssh with mv keep the label they had before, and a mislabelled authorized_keys is a classic reason for key-based logins failing while SELinux is enforcing; relabelling the directory recursively with restorecon restores the policy default.

SELinux Booleans#

$ getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
antivirus_can_scan_system --> off
antivirus_use_jit --> off
auditadm_exec_content --> on
authlogin_nsswitch_use_ldap --> off
authlogin_radius --> off
authlogin_yubikey --> off
awstats_purge_apache_log_files --> off
...
# setsebool zabbix_can_network 1
# setsebool -P zabbix_can_network 1

SELinux file context#

# ls -Zd /var/www/html
# touch /var/www/html/somefile
# ls -Z /var/www/html/somefile
# mkdir /srv/html
# ls -Z /srv/html
# semanage fcontext -a -t httpd_sys_content_t '/srv/html(/.*)?'
# ls -Z /srv/html
# restorecon -RFvv /srv/html
# ls -Z /srv/html
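The boolean and file-context steps above, wrapped into idempotent shell functions. This is an added example, not code from the original page: the function names, the --apply flag and the assumption of a RHEL/Fedora-style host with getsebool/setsebool, semanage and restorecon installed are this example's own. It also makes the difference between the two setsebool invocations above explicit: without -P the change applies to the running policy only and is lost at reboot; with -P it is written to the policy store, which is slow, so the helper skips it when the boolean is already in the desired state.

```bash
#!/bin/bash
# Added example, not part of the original page: idempotent versions of the
# two persistent changes shown above (a boolean and a file-context rule).
# Assumes a RHEL/Fedora-style host with getsebool/setsebool, semanage and
# restorecon available. Function names and the --apply flag are this
# example's own.
set -u

# Turn one line of getsebool output ("name --> on") into "on" or "off";
# prints nothing for anything else.
sebool_state_from_line() {
    printf '%s\n' "$1" |
        awk '$2 == "-->" && ($3 == "on" || $3 == "off") { print $3 }'
}

# Set a boolean persistently, but only when it differs from the desired
# state: setsebool -P rewrites the policy store (slow), while the
# runtime-only form without -P does not survive a reboot.
ensure_sebool() {
    local name="$1" want="$2" cur
    cur=$(sebool_state_from_line "$(getsebool "$name")")
    if [ -z "$cur" ]; then
        echo "ensure_sebool: unknown boolean $name" >&2
        return 1
    fi
    [ "$cur" = "$want" ] || setsebool -P "$name" "$want"
}

# Build the semanage pattern for a directory tree. Patterns are regular
# expressions matched against the whole path, so metacharacters in the
# directory name are escaped, and "(/.*)?" covers the directory itself
# as well as everything below it.
fcontext_pattern() {
    local dir="${1%/}"
    printf '%s(/.*)?\n' "$(printf '%s' "$dir" | sed 's/[*.?+^$(){}|[]/\\&/g')"
}

# Record the rule (add it, or modify an existing local rule), then relabel.
# semanage only stores the rule; restorecon -F is what applies it to the
# files on disk, so the resulting label is checked afterwards.
ensure_fcontext() {
    local type="$1" dir="$2" pattern
    pattern=$(fcontext_pattern "$dir")
    if semanage fcontext -l -C | awk -v p="$pattern" '$1 == p { f = 1 } END { exit !f }'; then
        semanage fcontext -m -t "$type" "$pattern"
    else
        semanage fcontext -a -t "$type" "$pattern"
    fi
    restorecon -RFv "$dir"
    if ! ls -Zd "$dir" | grep -q ":$type:"; then
        echo "ensure_fcontext: $dir is not labelled $type after restorecon" >&2
        return 1
    fi
}

# Apply the two changes from the page when run as root with --apply.
if [ "${1:-}" = "--apply" ]; then
    ensure_sebool zabbix_can_network on
    ensure_fcontext httpd_sys_content_t /srv/html
fi
```

Run it as root with --apply on the target host. Without arguments it only defines the functions, which is how the two pure helpers (sebool_state_from_line and fcontext_pattern) can be exercised on a machine without SELinux tooling.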

Troubleshooting#

Denials are recorded by auditd as AVC records in /var/log/audit/audit.log. With the setroubleshoot-server package installed, setroubleshootd additionally writes a human-readable summary of each denial, including suggested fixes, to /var/log/messages. sealert analyses the audit log and prints those suggestions:

sealert -a /var/log/audit/audit.log
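The raw AVC records are worth being able to read without sealert, for instance when triaging an audit log copied off a host. The following is an added example, not part of the original page, that pulls the interesting fields out of each denial and sorts it into one of three buckets: a mislabelled target (fix with restorecon or a semanage fcontext rule, as in the sections above), a network access that is typically gated by a boolean, or anything else that needs a closer look with sealert or audit2allow. The four records are constructed for this example (timestamps, pids and inode numbers are invented, the function names are this example's own); in practice ausearch and audit2allow do this job on a live system.

```bash
#!/bin/bash
# Added example, not part of the original page: a first-pass triage of AVC
# denial records such as those found in /var/log/audit/audit.log. The four
# records below are constructed for this example (timestamps, pids and
# inode numbers are invented); the function names are this example's own.
set -u

AUDIT_SAMPLE='type=AVC msg=audit(1712650000.101:4001): avc:  denied  { read } for  pid=669548 comm="sshd" name="authorized_keys" dev="dm-0" ino=8402 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1712650000.202:4002): avc:  denied  { name_connect } for  pid=2210 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1712650000.303:4003): avc:  denied  { read open } for  pid=2211 comm="httpd" path="/srv/html/index.html" dev="dm-0" ino=9913 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1712650000.404:4004): avc:  denied  { write } for  pid=2211 comm="httpd" name="app.log" dev="dm-0" ino=9920 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0'

# Value of one key=value field in a record, with surrounding quotes removed.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        awk -F= -v k="$2" '$1 == k { v = $2; gsub(/"/, "", v); print v; exit }'
}

# The permission set between the braces, e.g. "read open".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^ }]\) *}.*/\1/p'
}

# Type component (third field) of a security context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Classify one AVC record by the fix most likely to apply:
#   relabel  - target carries a generic or home type (content moved or
#              created before a fcontext rule existed): restorecon/semanage
#   boolean  - network access by a confined daemon, usually a boolean
#   review   - anything else: read the sealert/audit2allow output first
avc_category() {
    local line="$1" ttype tclass
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    tclass=$(avc_field "$line" tclass)
    case "$tclass/$ttype" in
        file/user_home_t|dir/user_home_t|file/admin_home_t|dir/admin_home_t|\
        file/var_t|dir/var_t|file/default_t|dir/default_t)
            echo relabel ;;
        tcp_socket/*|udp_socket/*)
            echo boolean ;;
        *)
            echo review ;;
    esac
}

# One summary line per AVC denial read from stdin; other audit records are skipped.
avc_triage() {
    local line
    while IFS= read -r line; do
        case "$line" in *'avc:  denied'*) ;; *) continue ;; esac
        printf '%-8s %-6s %-12s %-22s %s\n' \
            "$(avc_category "$line")" "$(avc_field "$line" comm)" \
            "$(avc_perms "$line")" "$(ctx_type "$(avc_field "$line" tcontext)")" \
            "$(avc_field "$line" tclass)"
    done
}

printf '%s\n' "$AUDIT_SAMPLE" | avc_triage
```

The fourth record shows the limit of the heuristic: httpd writing to httpd_sys_content_t is not a mislabel in the generic sense but a file that should carry httpd_sys_rw_content_t instead, which only the sealert suggestions or a look at the policy will tell you.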