SELINUX

SELinux (Security-Enhanced Linux) is a security feature in Linux that provides a flexible mandatory access control system. Here are some common commands to work with SELinux:

  • Check SELinux status:
sestatus
  • Enable/disable enforcement: To temporarily change the SELinux mode (the change is lost at reboot):
setenforce 0  # Permissive mode: denials are logged but not blocked
setenforce 1  # Enforcing mode
  • Modify SELinux settings:
# To change the SELinux mode permanently, edit the SELINUX= line in the config file
vim /etc/selinux/config
  • Context of files and directories: Viewing the SELinux context of files:
ls -Z
  • Changing SELinux context: To change the context of a file or directory (a chcon change does not survive a relabel; see the semanage fcontext example below for a persistent rule):
chcon -t <target_context> <file/directory>
  • Restore default SELinux context: If a file’s context has been changed unintentionally, restore it to the default:
restorecon -v <file/directory>
# To restore every label on the whole system to the type defined by the SELinux policy,
# create the file /.autorelabel and reboot. SELinux relabels all folders and files during
# boot, and the .autorelabel file deletes itself automatically afterwards.
cd / && sudo touch .autorelabel
  • Booleans: SELinux booleans switch specific policy features on or off.
getsebool -a  # List all SELinux booleans (or use 'semanage boolean --list')
setsebool <boolean_name> <value>  # Set a boolean for the running system only (will not persist through reboot; add -P to persist)
semanage boolean --modify --on <boolean_name>  # Set a boolean for the running system and the policy store (will persist through reboot)
  • Audit logs: Checking the SELinux audit logs for denials:
ausearch -m AVC,USER_AVC -i
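The denial records that ausearch returns are easiest to act on when reduced to (source type, permission, target type, object class) tuples, which is what a policy maintainer needs to decide whether a label is wrong or a boolean is missing. The following shell script is an added example and not part of the original page: it runs over SAMPLE_AUDIT, a constructed string of three raw AVC records plus one unrelated SYSCALL record, rather than a live audit log, and the function names avc_summary, avc_counts and sample_summary are this example's own.

```shell
#!/bin/sh
# Added example: summarise raw SELinux AVC denials (auditd raw format).
# SAMPLE_AUDIT is constructed sample input, not output from a real host.

SAMPLE_AUDIT='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=4001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { getattr } for  pid=1201 comm="httpd" path="/web/index.html" dev="dm-0" ino=4001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=42 success=no exit=-13'

# Read raw audit records on stdin; print one line per AVC denial:
#   <source type> <permission> <target type> <object class>
# The type is the third colon-separated field of a context (user:role:type:level).
avc_summary() {
    awk '
        /^type=AVC / && /denied/ {
            perm = ""; sctx = ""; tctx = ""; tclass = ""
            # The denied permissions sit between braces, e.g. "{ read }".
            if (match($0, /[{] [^}]* [}]/)) {
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            }
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext") sctx = kv[2]
                else if (kv[1] == "tcontext") tctx = kv[2]
                else if (kv[1] == "tclass") tclass = kv[2]
            }
            split(sctx, s, ":"); split(tctx, t, ":")
            print s[3], perm, t[3], tclass
        }'
}

# Aggregate identical tuples so the most frequent denial appears first.
avc_counts() {
    avc_summary | sort | uniq -c | sort -rn
}

# Run the summary over the constructed sample.
sample_summary() {
    printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
}

sample_summary
```

On a real host the same functions take `ausearch -m AVC,USER_AVC -ts recent | avc_counts` as input; leave out `-i`, because the parser expects the raw field format rather than ausearch's interpreted output. Two of the three sample denials point at default_t, which is exactly the mislabelled-directory symptom the semanage fcontext example below addresses.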

Remember, when working with SELinux, it’s crucial to understand the security implications of your actions. Modifying contexts and booleans can impact system security, so always ensure changes align with your system’s security policies.

  • Change file-context rules: semanage fcontext sets the default labeling rule for a path, so that restorecon and system relabels assign the intended type to that folder.

Example: We want to move the default document root of the Apache web server from /var/www to another location on our system. We need to add a file-context rule for the new location; otherwise SELinux labels it with the default type (default_t) and apache/httpd will not be allowed to read those files:

# Create the new www folder somewhere and let's call it web
cd / && sudo mkdir web

# Set the policy for the new web folder to the correct SELinux webserver policy
# -a = add
# -t = type
# /web(/.*)? = the new folder location + regex for all the files and folders in that folder
sudo semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"

# Apply the new rule recursively: relabel the web folder itself and everything in it
# (a shell glob such as * would skip the folder and any dotfiles)
sudo restorecon -Rv /web

File/folder permissions

In SELinux, the security context of a file or resource is represented by a string containing various fields that convey information about the object’s type, role, user, and sensitivity level.

root@host# ls -Z
system_u:object_r:admin_home_t:s0 anaconda-ks.cfg

The security context system_u:object_r:admin_home_t:s0 is broken down into four parts:

  1. User (system_u): This field represents the SELinux user associated with the object. In this case, system_u indicates a system-level user. SELinux users are distinct from Linux users and are used by SELinux to apply different security policies to different users or processes.

  2. Role (object_r): The role identifies the role associated with the object. In SELinux, roles represent different modes or functions that users or processes can perform. Here, object_r signifies the role of the object within the system.

  3. Type (admin_home_t): The type field specifies the SELinux type associated with the object. Types are used to define the security attributes and policies that apply to different objects. In this case, admin_home_t indicates the type of the object, which could be, for instance, a directory or file within the admin’s home directory. This type determines the rules and permissions applicable to the object.

    1. File Types:

      • Regular files (file_type_t): Generic label for regular files.
      • Directory (dir_type_t): Label for directories.
      • Symbolic links (symlink_type_t): Labels for symbolic links.
      • Device files (device_type_t): Labels for device files like /dev.
    2. Process Types:

      • System (system_u): Default label for system processes.
      • User (user_u): Default label for user processes.
      • Role (role_t): Defines roles that processes can assume for specific tasks.
    3. Network Types:

      • Network (net_type_t): Labels for network resources and interfaces.
    4. Socket Types:

      • Socket (socket_type_t): Labels for sockets used in networking.
    5. Labeling for Services:

      • HTTP (httpd_t), FTP (ftpd_t), SSH (sshd_t), etc.: Labels for services or daemons to restrict their access rights.
    6. Security Contexts:

      • Security context (security_t): Represents the security label for various objects.
  4. Level (s0): The sensitivity level represents the security level associated with the object. The sensitivity level determines the level of access or restrictions placed on the object. In SELinux, levels like s0 indicate the default sensitivity level, while s1, s2, and so on might represent higher sensitivity levels.

This context string (system_u:object_r:admin_home_t:s0) indicates that the object (likely a file or directory) is associated with the system_u SELinux user, has the object_r role, belongs to the admin_home_t type within the system, and has a sensitivity level of s0.

This context is used by SELinux to enforce security policies and access controls, ensuring that only authorized users or processes with the appropriate security context can access or modify the object.
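The four-field context described above and the /web relabel earlier both come down to one check: does the type field of each entry match what the policy should have assigned? The shell functions below are an added example and not part of the original page. ctx_field splits a context string into its user, role, type and level fields, and check_type reads `ls -Z`-style lines and reports every entry whose type differs from the expected one. SAMPLE_LS_Z is constructed sample output (one entry deliberately keeps a stale default_t label), and the function names are this example's own.

```shell
#!/bin/sh
# Added example: split an SELinux context into its fields and verify labels
# in `ls -Z`-style output against the type the policy should have assigned.

# Print one field of a context string: user, role, type or level.
# The level is everything from the fourth field on, because an MLS range
# such as s0-s0:c0.c1023 contains further colons.
ctx_field() {
    ctx=$1
    field=$2
    case $field in
        user)  printf '%s\n' "$ctx" | cut -d: -f1 ;;
        role)  printf '%s\n' "$ctx" | cut -d: -f2 ;;
        type)  printf '%s\n' "$ctx" | cut -d: -f3 ;;
        level) printf '%s\n' "$ctx" | cut -d: -f4- ;;
        *)     echo "ctx_field: unknown field '$field'" >&2; return 1 ;;
    esac
}

# Constructed sample of `ls -Z /web` output: two entries were relabelled by
# restorecon, one still carries the default_t label it got when created.
SAMPLE_LS_Z='system_u:object_r:httpd_sys_content_t:s0 index.html
system_u:object_r:httpd_sys_content_t:s0 css
unconfined_u:object_r:default_t:s0 upload.php'

# Read `ls -Z` lines (context, then name) on stdin and print the name of
# every entry whose type is not $1. Exit status 1 if any mismatch was found.
check_type() {
    awk -v want="$1" '
        { split($1, c, ":"); if (c[3] != want) { print $2; bad = 1 } }
        END { if (bad) exit 1; exit 0 }'
}

# Check the constructed sample against the type the /web rule assigns.
mismatches_in_sample() {
    printf '%s\n' "$SAMPLE_LS_Z" | check_type httpd_sys_content_t
}

if mismatches_in_sample; then
    echo "all entries carry httpd_sys_content_t"
else
    echo "entries above need restorecon"
fi
```

On a live system the same check is `ls -Z /web | check_type httpd_sys_content_t`; an entry it prints is one that `restorecon -Rv /web` should fix, provided the semanage fcontext rule for that path exists.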