What is selinux on linux

What Is SELinux?

W hat is SELinux? Why should I use SELInux on my CentOS or Red Hat Enterprise Linux server running on IBM hardware?

Tutorial details
Difficulty level	Intermediate
Root privileges	No
Requirements	None
Est. reading time	N/A

SELinux is an acronym for Security-enhanced Linux. It is a security feature of the Linux kernel. It is designed to protect the server against misconfigurations and/or compromised daemons. It put limits and instructs server daemons or programs what files they can access and what actions they can take by defining a security policy.

What is SELinux and DAC?

DAC is an acronym for Discretionary Access Control (DAC). It is the standard mechanism for Linux, *BSD, Apple OSX, and Unix like operating system security. Under DAC, each processes run under a user and group. For example, httpd process run with an associated user and a group called apache. httpd process has access to all files and directories that the apache can access. If httpd process got cracked it can create a number of security problems. Hacked httpd process can access, modify and destroy all files that belong to the apache user. It may access temporary directories (/tmp/ or /var/tmp) and world readable files. The /tmp or /var/tmp or any other legitimate directories such as caching directories can be used to install backdoor and take full control of your Linux system. Ownership of a file provides risky control. A cgi or php script with an unexpected access right can do anything it wants to the files owned by the apache user. It can perform any operations on files in the apache group. An attacker can use this misocofigured cgi/php script or broken apache server to gain root level access. This will give superuser access on a Linux based system. Once rooted an attacker can steal your private data or gain access other parts of your internal network (LAN).

Fig.01: Linux or Unix Server With DAC Security Model

MAC: Security mechanism via SELinux

MAC is an acronym for Mandatory Access Control (MAC). SELinux is an implementation of a MAC security mechanism. It is built into the Linux kernel and enabled by default on Fedora, CentOS, RHEL and a few other Linux distributions. SELinux allows server admin to define various permissions for all process. It defines how all processes can interact with other parts of the server such as:

• No ads and tracking
• In-depth guides for developers and sysadmins at Opensourceflare✨
• Join my Patreon to support independent content creators and start reading latest guides:
  • How to set up Redis sentinel cluster on Ubuntu or Debian Linux
  • How To Set Up SSH Keys With YubiKey as two-factor authentication (U2F/FIDO2)
  • How to set up Mariadb Galera cluster on Ubuntu or Debian Linux
  • A podman tutorial for beginners – part I (run Linux containers without Docker and in daemonless mode)
  • How to protect Linux against rogue USB devices using USBGuard

Join Patreon ➔

1. Pipes
2. Files
3. Network ports
4. Sockets
5. Directories
6. Other process

SELinux puts restrictions on each of the above object according to a policy. For example, an apache user with full permission can only access /var/www/html directory, but can not touch other parts of the system such as /etc directory without policy modification. If an attacker managed to gain access to sendmail mail or bind dns or apache web server, would only have access to exploited server and the files normally has access as defined in the policy for the server. An attacker can not access the other parts of the system or internal LAN. In other words, damage can be now restricted to the particular server and files. The cracker will not able to get a shell on your server via common daemons such as Apache / BIND / Sendmail as SELinux offers the following security features:

1. Protect users’ data from unauthorized access.
2. Protect other daemons or programs from unauthorized access.
3. Protect network ports / sockets / files from unauthorized access.
4. Protect server against exploits.
5. Avoid privilege escalation and much more.

Please note that SELinux is not a silver bullet for protecting the server. You must follow other security practices such as

• Implementing firewalls policy.
• Server monitoring.
• Patching the system on time.
• Writing and securing cgi/php/python/perl scripts.

Conclusion

I hope you understood basic concepts of SELinux. For more info see:

🐧 Get the latest tutorials on Linux, Open Source & DevOps via

Источник

SELinux

Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style Mandatory Access Control (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.

Running SELinux under a Linux distribution requires three things: An SELinux enabled kernel, SELinux Userspace tools and libraries, and SELinux Policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched/compiled with SELinux features.

Contents

Current status in Arch Linux

SELinux is not officially supported (see [1][2]). The status of unofficial support is:

Name	Status	Available at
SELinux enabled kernel	Implemented for all officially supported kernels	Available in official repositories since 4.18.8.
SELinux Userspace tools and libraries	Implemented in AUR: https://aur.archlinux.org/packages/?O=0&K=selinux	Work is done at https://github.com/archlinuxhardened/selinux
SELinux Policy	Work in progress, using Reference Policy as upstream	Upstream: https://github.com/SELinuxProject/refpolicy (since release 20170805 the policy has integrated support for systemd and single-/usr/bin directory)

Summary of changes in AUR as compared to official core packages:

Name	Status and comments
linux, linux-lts, linux-zen, linux-hardened	Need to set the lsm= kernel parameter
coreutils	Need a rebuild with —with-selinux flag to link with libselinux
cronie	Need a rebuild with —with-selinux flag
dbus	Need a rebuild with —enable-libaudit and —enable-selinux flags
findutils	Need a rebuild with libselinux installed to enable SELinux-specific options
iproute2	Need a rebuild with —with-selinux flag
logrotate	Need a rebuild with —with-selinux flag
openssh	Need a rebuild with —with-selinux flag
pam	Need a rebuild with —enable-selinux flag for Linux-PAM ; Need a patch for pam_unix2, which only removes a function already implemented in a recent versions of libselinux
pambase	Configuration changes to add pam_selinux.so to /etc/pam.d/system-login
psmisc	Need a rebuild with —with-selinux flag
shadow	Need a rebuild with —with-selinux flags
sudo	Need a rebuild with —with-selinux flag
systemd	Need a rebuild with —enable-audit and —enable-selinux flags
util-linux	Need a rebuild with —with-selinux flag

All of the other SELinux-related packages may be included without changes nor risks.

Concepts: Mandatory Access Controls

Before you enable SELinux, it is worth understanding what it does. Simply and succinctly, SELinux enforces Mandatory Access Controls (MACs) on Linux. In contrast to SELinux, the traditional user/group/rwx permissions are a form of Discretionary Access Control (DAC). MACs are different from DACs because security policy and its execution are completely separated.

An example would be the use of the sudo command. When DACs are enforced, sudo allows temporary privilege escalation to root, giving the process so spawned unrestricted systemwide access. However, when using MACs, if the security administrator deems the process to have access only to a certain set of files, then no matter what the kind of privilege escalation used, unless the security policy itself is changed, the process will remain constrained to simply that set of files. So if sudo is tried on a machine with SELinux running in order for a process to gain access to files its policy does not allow, it will fail.

Another set of examples are the traditional (-rwxr-xr-x) type permissions given to files. When under DAC, these are user-modifiable. However, under MAC, a security administrator can choose to freeze the permissions of a certain file by which it would become impossible for any user to change these permissions until the policy regarding that file is changed.

As you may imagine, this is particularly useful for processes which have the potential to be compromised, i.e. web servers and the like. If DACs are used, then there is a particularly good chance of havoc being wreaked by a compromised program which has access to privilege escalation.

Installing SELinux

Package description

All SELinux related packages belong to the selinux group in the AUR.

SELinux aware system utilities

SELinux userspace utilities

SELinux policy packages

Other SELinux tools

Installation

There are two methods to install the requisite SELinux packages.

Via AUR

• First, install SELinux userspace tools and libraries, in this order (because of the dependencies): libsepolAUR , libselinuxAUR , checkpolicyAUR , secilcAUR , setoolsAUR , libsemanageAUR , semodule-utilsAUR , policycoreutilsAUR , selinux-pythonAUR (which depends on python-ipy ), mcstransAUR and restorecondAUR .
• Then install pambase-selinuxAUR and pam-selinuxAUR and make sure you can login again after the installation completed, because files in /etc/pam.d/ got removed and created when pambase got replaced with pambase-selinuxAUR .
• Next you can recompile some core packages by installing: coreutils-selinuxAUR , findutils-selinuxAUR , iproute2-selinuxAUR , logrotate-selinuxAUR , openssh-selinuxAUR , psmisc-selinuxAUR , shadow-selinuxAUR , cronie-selinuxAUR
• Next, backup your /etc/sudoers file. Install sudo-selinuxAUR and restore your /etc/sudoers (it is overridden when this package is installed as a replacement of sudo ).
• Next come util-linux and systemd. Because of a cyclic makedepends between these two packages which will not be fixed (FS#39767), you need to build the source package systemd-selinuxAUR , install systemd-libs-selinuxAUR , build and install util-linux-selinuxAUR (with util-linux-libs-selinuxAUR ) and rebuild and install systemd-selinuxAUR .
• Next, install dbus-selinuxAUR .
• Next, install selinux-alpm-hookAUR in order to run restorecon every time pacman installs a package.

After all these steps, you can install a SELinux kernel (like linux ) and a policy (like selinux-refpolicy-arch AUR or selinux-refpolicy-git AUR ).

Using the GitHub repository

All packages are maintained at https://github.com/archlinuxhardened/selinux . This repository also contains a script named build_and_install_all.sh which builds and installs (or updates) all packages in the needed order. Here is an example of a way this script can be used in a user shell to install all packages (with downloading the GPG keys which are used to verify the source tarballs of the package):

Of course, it is possible to modify the content of build_and_install_all.sh before running it, for example if you already have SELinux support in your kernel.

Enable SELinux LSM

To enable SELinux as default security model on every boot, set the following kernel parameter:

Custom kernel

When compiling the kernel, it is required to set at least the following options:

To enable the SELinux Linux security model by default and omit the need to set kernel parameters, additionally set the CONFIG_LSM option and specify selinux as the first «major» module in the list:

Checking PAM

A correctly set-up PAM is important to get the proper security context after login. Check for the presence of the following lines in /etc/pam.d/system-login :

Installing a policy

Policies are the mainstay of SELinux. They are what govern its behaviour. The only policy currently available in the AUR is the Reference Policy. In order to install it, you should use the source files, which may be got from the package selinux-refpolicy-src AUR or by downloading the latest release on https://github.com/SELinuxProject/refpolicy/wiki/DownloadRelease#current-release. When using the AUR package, navigate to /etc/selinux/refpolicy/src/policy and run the following commands:

to install the reference policy as it is. Those who know how to write SELinux policies can tweak them to their heart’s content before running the commands written above. The command takes a while to do its job and taxes one core of your system completely, so do not worry. Just sit back and let the command run for as long as it takes.

To load the reference policy run:

Then, make the file /etc/selinux/config with the following contents (Only works if you used the defaults as mentioned above. If you decided to change the name of the policy, you need to tweak the file):

Now, you may reboot. After rebooting, run:

to label your filesystem.

Now, make a file requiredmod.te with the contents:

and run the following commands:

This is required to remove a few messages from /var/log/audit/audit.log which are a nuisance to deal with in the reference policy. This is an ugly hack and it should be made very clear that the policy so installed simply patches the reference policy in order to hide the effects of incorrect labelling.

Testing in a Vagrant virtual machine

It is possible to use Vagrant to provision a virtual Arch Linux machine with SELinux configured. This is a convenient way to test an Arch Linux system running SELinux without modifying a current system. Here are commands which can be used to achieve this:

Post-installation steps

You can check that SELinux is working with sestatus . You should get something like:

To maintain correct context, you can enable restorecond.service .

To switch to enforcing mode without rebooting, you can use:

Swapfiles

If you have a swap file instead of a swap partition, issue the following commands in order to set the appropriate security context:

Working with SELinux

SELinux defines security using a different mechanism than traditional Unix access controls. The best way to understand it is by example. For example, the SELinux security context of the apache homepage looks like the following:

The first three and the last columns should be familiar to any (Arch) Linux user. The fourth column is new and has the format:

1. User: The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.
2. Role: The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.
3. Type: When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access. When a type is associated with an object, it defines what access permissions the SELinux user has to that object.
4. Level: This optional field can also be know as a range and is only present if the policy supports MCS or MLS.

This is important in case you wish to understand how to build your own policies, for these are the basic building blocks of SELinux. However, for most purposes, there is no need to, for the reference policy is sufficiently mature. However, if you are a power user or someone with very specific needs, then it might be ideal for you to learn how to make your own SELinux policies.

This [dead link 2021-07-12 ⓘ] is a great series of articles for someone seeking to understand how to work with SELinux.

Troubleshooting

The place to look for SELinux errors is the systemd journal. In order to see SELinux messages related to the label system_u:system_r:policykit_t:s0 (for example), you would need to run:

Useful tools

There are some tools/commands that can greatly help with SELinux.

restorecon Restores the context of a file/directory (or recursively with -R ) based on any policy rules chcon Change the context on a specific file

Источник