Red Hat Enterprise Linux 7 Implementation

Security Enhanced Linux (SELinux) Permissions

Module Topics

Enabling and Monitoring Security Enhanced Linux (SELinux)
Basic SELinux Security Concepts
SELinux Modes
SELinux Booleans
Changing SELinux Modes
Setting the Default SELinux Mode
Initial SELinux Context
Changing the SELinux Context of a File
Defining SELinux Default File Context Rules
Changing SELinux Booleans
SELinux Booleans
Troubleshooting SELinux Issues
Monitoring SELinux Violations

Enabling and Monitoring Security Enhanced Linux (SELinux)

To display current SELinux mode, use getenforce
- Determines whether SELinux rules are applied
To display SELinux context labels, use -Z option to ls and ps
To display SELinux Booleans and values, use getsebool -a

Basic SELinux Security Concepts

SELinux: Additional layer of system security
Primary goal: Protect user data from compromised system services
Most Linux administrators familiar with discretionary access control
- Standard user/group/other permission security model
SELinux’s additional security layer:
- Object-based
- Controlled by sophisticated rules: Mandatory access control

Basic SELinux Security Concepts

Apache Without SELinux

Must open firewall ports to allow anonymous web server access
Opens system to malicious security exploit
Permits access to user and group permissions
- Read access to document root /var/www/html
- Write access to /tmp, /var/tmp, any other world-writable files/directories

apache-no-selinux

Basic SELinux Security Concepts

Apache with SELinux

SELinux security rules determine which process can access which files, directories, ports
Every file, process, directory, port has SELinux context
- Context: Name SELinux policy uses to determine whether process can access file, directory, port
- Default: Policy does not allow interaction unless rule grants access

apache-selinux-enforcing

Basic SELinux Security Concepts

SELinux Label Contexts

User
Role
Type
Sensitivity
Targeted policy bases rules on type context
- Names usually end with _t
Type context for:
- Web server: httpd_t
- Files/directories in /var/www/html: httpd_sys_content_t
- Files/directories normally in /tmp and /var/tmp: tmp_t
- Web server ports: http_port_t

Basic SELinux Security Concepts

SELinux Policy Rules

Permit Apache (web server process httpd_t) to access files/directories with context in /var/www/html and other web server directories (httpd_sys_content_t)
Contain no-allow rule for files in /tmp and /var/tmp
- Malicious user cannot access /tmp directory
Contain rules for remote file systems
- Files on these systems are labeled with same context

Basic SELinux Security Concepts

Command Options

[root@server1 ~]# ps axZ
LABEL                             PID TTY      STAT   TIME COMMAND
system_u:ystem_r:init_t:s0         1 ?        Ss     0:09 /usr/lib/systemd/...
system_u:ystem_r:kernel_t:s0       2 ?        S      0:00 [kthreadd]
system_u:ystem_r:kernel_t:s0       3 ?        S      0:00 [ksoftirqd/0]
[... Output omitted ...]
[root@server1 ~]# systemctl start httpd
[root@server1 ~]# ps -ZC httpd
LABEL                             PID TTY          TIME CMD
system_u:ystem_r:httpd_t:s0     1608 ?        00:00:05 httpd
system_u:ystem_r:httpd_t:s0     1609 ?        00:00:00 httpd
[... Output omitted ...]
[root@server1 ~]# ls -Z /home
drwx------. root    root    system_u:bject_r:lost_found_t:s0 lost+found
drwx------. student student unconfined_u:bject_r:user_home_dir_t:s0 student
drwx------. visitor visitor unconfined_u:bject_r:user_home_dir_t:s0 visitor
[root@server1 ~]# ls -Z /var/www
drwxr-xr-x. root root system_u:bject_r:httpd_sys_script_exec_t:s0 cgi-bin
drwxr-xr-x. root root system_u:bject_r:httpd_sys_content_t:s0 error
drwxr-xr-x. root root system_u:bject_r:httpd_sys_content_t:s0 html
drwxr-xr-x. root root system_u:bject_r:httpd_sys_content_t:s0 icons

SELinux Modes

Can use SELinux modes to temporarily disable SELinux protection
- Good for troubleshooting

Enforcing Mode

SELinux denies access to web server attempting to read files with tmp_t context
SELinux both logs and protects

apache-selinux-enforcing

SELinux Modes

Permissive Mode

Can use to troubleshoot
SELinux allows all interactions
Logs interactions it would have denied in enforcing mode
Use to allow temporary access to content SELinux is restricting
No reboot required to go from enforcing to permissive or back

apache-selinux-permissive

SELinux Modes

Disabled Mode

Completely disables SELinux
System reboot required to disable or go from disabled mode to enforcing or permissive mode
Recommended: Use permissive rather than disabled mode
In permissive mode, Kernel automatically maintains SELinux file system labels
- Avoids expensive file system relabeling when system is rebooted
To display current SELinux mode:
```
[root@server1 ~]# getenforce
Enforcing
```

SELinux Booleans

SELinux Booleans: Switches that change behavior of SELinux policy
- Rules you can enable/disable
- Can use to tune policy to make selective adjustments
Use getsebool to display SELinux Booleans and current values

Use -a to list all Booleans:

[root@server1 ~]# getsebool -a
abrt_anon_write --> off
allow_console_login --> on
allow_corosync_rw_tmpfs --> off
[... Output omitted ...]

Many Boolean names changed from Red Hat Enterprise Linux 6 to Red Hat Enterprise Linux 7.

References

Man pages: selinux(8), getenforce(8), ls(1), ps(1), and getsebool(8)

Changing SELinux Modes

setenforce Command

Can use SELinux modes to temporarily disable SELinux protection
- Can change modes temporarily between enforcing and permissive mode
- Can also set default SELinux mode determined at boot time

Use setenforce command to modify current SELinux mode:

[root@server1 ~]# getenforce
Enforcing
[root@server1 ~]# setenforce
usage: setenforce [ Enforcing | Permissive | 1 | 0 ]
[root@server1 ~]# setenforce 0
[root@server1 ~]# getenforce
Permissive
[root@server1 ~]# setenforce Enforcing
[root@server1 ~]# getenforce
Enforcing

Changing SELinux Modes

Passing Parameters

Can also pass parameter to kernel at boot time
Passing enforcing=0 causes system to boot into permissive mode
- Value 1 specifies enforcing mode
Passing selinux=0 disables SELinux
- Value 1 enables SELinux

Setting the Default SELinux Mode

To determine SELinux mode at boot time, use /etc/selinux/config

Passing selinux= and/or enforcing= overrides default values specified in /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes
#               are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Reference

Man pages: getenforce(1), setenforce(1), and selinux_config(5)

Initial SELinux Context

SELinux context of file’s parent directory determines file’s initial SELinux context
- Parent directory context assigned to new file
- Works for vim, cp, touch

If file is created elsewhere and permissions are preserved (mv or cp -a), original SELinux context does not change

[root@server1 ~]# ls -Zd /var/www/html/
drwxr-xr-x. root root system_u:bject_r:httpd_sys_content_t:s0 /var/www/html/
[root@server1 ~]# touch /var/www/html/index.html
[root@server1 ~]# ls -Z /var/www/html/index.html
-rw-r--r--. root root unconfined_u:bject_r:httpd_sys_content_t:s0 /var/www/html/index.html

Changing the SELinux Context of a File

Two commands to change file’s SELinux context:
- To change file context to context specified as argument to command, use chcon
  - Often use -t to specify context type component only
- As the preferred method, use restorecon
  - Does not explicitly specify context
  - Uses rules in SELinux policy to determine file’s context
Do not use chcon
- Can make mistakes specifying context
- File contexts revert to default context if file systems are relabeled at boot time

Transcript:

There are two commands that are used to change the SELinux context of files:chcon and restorecon. The chcon command changes the context of the file to the context specified as an argument to the command. Often the -t option is used to specify only the type component of the context.

The restorecon command is the preferred method for changing the SELinux context of a file or directory. Unlike chcon, the context is not explicitly specified when using this command. It uses rules in the SELinux policy to determine what the context of the file should be.

chcon should not be used to change the SELinux context of files. Mistakes can be made when specifying the context explicitly. File contexts will be changed back to their default context if the system’s file systems are relabeled at boot time.

Changing the SELinux Context of a File

[root@server1 ~]# mkdir /virtual
[root@server1 ~]# ls -Zd /virtual
drwxr-xr-x. root root unconfined_u:bject_r:default_t:s0 /virtual
[root@server1 ~]# chcon -t httpd_sys_content_t /virtual
[root@server1 ~]# ls -Zd /virtual
drwxr-xr-x. root root unconfined_u:bject_r:httpd_sys_content_t:s0 /virtual
[root@server1 ~]# restorecon -v /virtual
restorecon reset /virtual context unconfined_u:bject_r:httpd_sys_content_t:s0->
unconfined_u:bject_r:default_t:s0
[root@server1 ~]# ls -Zd /virtual
drwxr-xr-x. root root unconfined_u:bject_r:default_t:s0 /virtual

Defining SELinux Default File Context Rules

To display or modify rules that restorecon uses to set default file contexts, use semanage fcontext
Uses extended regular expressions to specify path and file names.
- (/.*)? most common extended regular expression
  - Means "optionally, match / followed by any number of characters"
  - Matches directory listed before expression and everything in directory recursively
restorecon part of policycoreutil package

semanage part of policycoreutil-python package

[root@server1 ~]# touch /tmp/file1 /tmp/file2
[root@server1 ~]# ls -Z /tmp/file*
-rw-r--r--. root root unconfined_u:bject_r:user_tmp_t:s0 /tmp/file1
-rw-r--r--. root root unconfined_u:bject_r:user_tmp_t:s0 /tmp/file2
[root@server1 ~]# mv /tmp/file1 /var/www/html/
[root@server1 ~]# cp /tmp/file2 /var/www/html/
[root@server1 ~]# ls -Z /var/www/html/file*
-rw-r--r--. root root unconfined_u:bject_r:user_tmp_t:s0 /var/www/html/file1
-rw-r--r--. root root unconfined_u:bject_r:httpd_sys_content_t:s0 /var/www/
html/file2
[root@server1 ~]# semanage fcontext -l
...
/var/www(/.*)?       all files    system_u:bject_r:httpd_sys_content_t:s0
...
[root@server1 ~]# restorecon -Rv /var/www/
restorecon reset /var/www/html/file1 context unconfined_u:bject_r:user_tmp_t:s0
-> system_u:bject_r:httpd_sys_content_t:s0
[root@server1 ~]# ls -Z /var/www/html/file*
-rw-r--r--. root root system_u:bject_r:httpd_sys_content_t:s0
   /var/www/html/file1
-rw-r--r--. root root unconfined_u:bject_r:httpd_sys_content_t:s0
   /var/www/html/file2

Defining SELinux Default File Context Rules

Adding a Context

[root@server1 ~]# mkdir /virtual
[root@server1 ~]# touch /virtual/index.html
[root@server1 ~]# ls -Zd /virtual/
drwxr-xr-x. root root unconfined_u:bject_r:default_t:s0 /virtual/
[root@server1 ~]# ls -Z /virtual/
-rw-r--r--. root root unconfined_u:bject_r:default_t:s0 index.html
[root@server1 ~]# semanage fcontext -a -t httpd_sys_content_t '/virtual(/.*)?'
[root@server1 ~]# restorecon -RFvv /virtual
[root@server1 ~]# ls -Zd /virtual/
drwxr-xr-x. root root system_u:bject_r:httpd_sys_content_t:s0 /virtual/
[root@server1 ~]# ls -Z /virtual/
-rw-r--r--. root root system_u:bject_r:httpd_sys_content_t:s0 index.html

References

Man pages: chcon(1), restorecon(8), and semanage(8)

SELinux Booleans

SELinux Booleans: Switches that change behavior of SELinux policy
- Can enable or disable rules
- Use to tune policy to make selective adjustments
selinux-policy-devel package provides *_selinux(8) man pages
- Explain purpose of Booleans available for various services
- To list documents, use man -k '_selinux'

SELinux Booleans

Commands

To display SELinux Booleans, use getsebool
To modify Booleans, use setsebool
To make SELinux policy to modification persistent, use setsebool -P

To show whether Boolean is persistent, with description, use semanage boolean -l

[root@server1 ~]# getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
antivirus_can_scan_system --> off
antivirus_use_jit --> off
...
[root@server1 ~]# getsebool httpd_enable_homedirs
httpd_enable_homedirs --> off
[root@server1 ~]# setsebool httpd_enable_homedirs on
[root@server1 ~]# semanage boolean -l | grep httpd_enable_homedirs
httpd_enable_homedirs          (on   ,  off)  Allow httpd to enable homedirs
[root@server1 ~]# getsebool httpd_enable_homedirs
httpd_enable_homedirs --> on
[root@server1 ~]# setsebool -P httpd_enable_homedirs on
[root@server1 ~]# semanage boolean -l | grep httpd_enable_homedirs
httpd_enable_homedirs          (on   ,   on)  Allow httpd to enable homedirs

SELinux Booleans

Use semanage boolean -l -C to list only local modifications to SELinux Booleans:

[root@server1 ~]# semanage boolean -l -C
SELinux boolean                State  Default Description

cron_can_relabel               (off   ,   on)  Allow cron to can relabel

References:

Man pages: booleans(8), getsebool(8), setsebool(8), semanage(8), semanage-boolean(8)

Troubleshooting SELinux Issues

SELinux may be doing its job correctly.
Most common issue: Incorrect file context
- Can occur when file created in location with one file context is moved to place expecting different context is expected
- Can usually run restorecon to correct issue
Another possible remedy: Adjustment of a Boolean
- For example, need to turn on ftpd_anon_write Boolean to allow anonymous FTP users to upload files to server
SELinux policy may have bug that prevents legitimate access
- Rare occurrence
- Contact Red Hat support to report bug

Transcript:

What should be done when SELinux prevents access to files on a server? There is a sequence of steps that should be taken when this occurs.

Before thinking of making any adjustments, consider that SELinux may be doing its job correctly by prohibiting the attempted access. If a web server tries to access files in /home, this could signal a compromise of the service if web content isn’t published by users. If access should have been granted, then additional steps need to be taken to solve the problem.
The most common SELinux issue is an incorrect file context. This can occur when a file is created in a location with one file context and moved into a place where a different context is expected. In most cases, running restorecon will correct the issue. Correcting issues in this way has a very narrow impact on the security of the rest of the system.
Another remedy for a too-restrictive access could be the adjustment of a Boolean. For example, the ftpd_anon_write Boolean controls whether anonymous FTP users can upload files. This Boolean would have to be turned on if it is desirable to allow anonymous FTP users to upload files to a server. Adjusting Booleans requires more care because they can have a broad impact on system security.
It is possible that the SELinux policy has a bug that prevents a legitimate access. Since SELinux has matured, this is a rare occurrence. When it is clear that a policy bug has been identified, contact Red Hat support to report the bug so it can be resolved.

Monitoring SELinux Violations

Must install setroubleshoot-server package to send SELinux messages to /var/log/messages
setroubleshoot-server
- Listens for audit messages in /var/log/audit/audit.log
- Sends summary to /var/log/messages
Summary includes unique identifiers (UUIDs) for SELinux violations
- To produce report for specific incident, use sealert -l UUID
- To produce reports for all incidents in file, use sealert -a /var/log/audit/audit.log

Monitoring SELinux Violations

Sample Command Sequence

[root@server1 ~]# touch /root/file3
[root@server1 ~]# mv /root/file3 /var/www/html
[root@server1 ~]# systemctl start httpd
[root@server1 ~]# curl http://localhost/file3
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /file3
on this server.</p>
</body></html>

Monitoring SELinux Violations

Viewing Log Files

Contents of file3 are expected
Web server returns permission denied error

Inspect /var/log/audit/audit.log and /var/log/messages for information about error:

[root@server1 ~]# tail /var/log/audit/audit.log
...
type=AVC msg=audit(1392944135.482:29): avc:  denied  { getattr } for
  pid=1609 comm="httpd" path="/var/www/html/file3" dev="vda1" ino=8980981
  scontext=system_u:ystem_r:httpd_t:s0
  tcontext=unconfined_u:bject_r:admin_home_t:s0 tclass=file
...
[root@server1 ~]# tail /var/log/messages
...
Feb 20 19:5:42 server1.example.com setroubleshoot: SELinux is preventing /usr/sbin/httpd
  from getattr access on the file . For complete SELinux messages. run
  sealert -l 613ca624-248d-48a2-a7d9-d28f5bbe2763

Monitoring SELinux Violations

sealert

[root@server1 ~]# sealert -l 613ca624-248d-48a2-a7d9-d28f5bbe2763
SELinux is preventing /usr/sbin/httpd from getattr access on the file .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that httpd should be allowed getattr access on the
  file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:ystem_r:httpd_t:s0
Target Context                unconfined_u:bject_r:admin_home_t:s0
Target Objects                 [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          server1.example.com
Source RPM Packages           httpd-2.4.6-14.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-124.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     server1.example.com
Platform                      Linux server1.example.com 3.10.0-84.el7.x86_64 #1
                              SMP Tue Feb 4 16:8:19 EST 2014 x86_64 x86_64
Alert Count                   2
First Seen                    2014-02-20 19:5:35 EST
Last Seen                     2014-02-20 19:5:35 EST
Local ID                      613ca624-248d-48a2-a7d9-d28f5bbe2763

Raw Audit Messages
type=AVC msg=audit(1392944135.482:29): avc:  denied  { getattr } for
  pid=1609 comm="httpd" path="/var/www/html/file3" dev="vda1" ino=8980981
  scontext=system_u:ystem_r:httpd_t:s0
  tcontext=unconfined_u:bject_r:admin_home_t:s0 tclass=file

type=SYSCALL msg=audit(1392944135.482:29): arch=x86_64 syscall=lstat
  success=no exit=EACCES a0=7f9fed0edea8 a1=7fff7bffc770 a2=7fff7bffc770
  a3=0 items=0 ppid=1608 pid=1609 auid=4294967295 uid=48 gid=48 euid=48
  suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
  comm=httpd exe=/usr/sbin/httpd subj=system_u:ystem_r:httpd_t:s0 key=(null)

Hash:httpd,httpd_t,admin_home_t,file,getattr

Reference

Man page: sealert(8)

Summary

Enabling and Monitoring Security Enhanced Linux (SELinux)
Basic SELinux Security Concepts
SELinux Modes
SELinux Booleans
Changing SELinux Modes
Setting the Default SELinux Mode
Initial SELinux Context
Changing the SELinux Context of a File
Defining SELinux Default File Context Rules
Changing SELinux Booleans
SELinux Booleans
Troubleshooting SELinux Issues
Monitoring SELinux Violations

Module Completion

Nice job!

Click the button below to complete this module of the course: