
SELinux security

With the arrival of kernel version 2.6, a new security system was introduced to provide a security mechanism to support access control security policies.

This system is called SELinux (Security Enhanced Linux) and was created by the NSA (National Security Agency) to implement a robust Mandatory Access Control (MAC) architecture in the Linux kernel subsystems.

If, throughout your career, you have either disabled or ignored SELinux, this document will be a good introduction to this system. SELinux works to limit privileges or remove the risks associated with compromising a program or daemon.

Before starting, you should know that SELinux is mainly intended for RHEL distributions, although it is possible to implement it on other distributions like Debian (but good luck!). The distributions of the Debian family generally integrate the AppArmor system, which works differently from SELinux.

Generalities

SELinux (Security Enhanced Linux) is a Mandatory Access Control system.

Before the appearance of MAC systems, standard access management security was based on DAC (Discretionary Access Control) systems. An application, or a daemon, operated with UID or SUID (Set Owner User Id) rights, which made it possible to evaluate permissions (on files, sockets, and other processes...) according to this user. This operation does not sufficiently limit the rights of a corrupted program, potentially allowing it to access the subsystems of the operating system.

A MAC system reinforces the separation of confidentiality and integrity information to achieve a containment system. The containment system is independent of the traditional rights system and there is no notion of a superuser.

With each system call, the kernel queries SELinux to see if it allows the action to be performed.

[Figure: SELinux]

SELinux uses a set of rules (policies) for this. A set of two standard rule sets (targeted and strict) is provided and each application usually provides its own rules.

The SELinux context

The operation of SELinux is totally different from traditional Unix rights.

The SELinux security context is defined by the trio identity+role+domain.

The identity of a user depends directly on their Linux account. An identity is assigned one or more roles, but each role corresponds to one domain, and only one.

It is according to the domain of the security context (and thus the role) that a user's rights on a resource are evaluated.

[Figure: SELinux context]

The terms "domain" and "type" are similar. Typically "domain" refers to a process, while "type" refers to an object.

The naming convention is: user_u:role_r:type_t.

The security context is assigned to a user during their connection, according to their roles. The security context of a file is defined by the chcon (change context) command, which we will see later in this document.

Consider the following pieces of the SELinux puzzle:

  • The subjects
  • The objects
  • The policies
  • The mode

When a subject (an application for example) tries to access an object (a file for example), the SELinux part of the Linux kernel queries its policy database. Depending on the mode of operation, SELinux authorizes access to the object in case of success, otherwise it records the failure in the file /var/log/messages.

The SELinux context of standard processes

The rights of a process depend on its security context.

By default, the security context of the process is defined by the context of the user (identity + role + domain) who launches it.

A domain is a specific type (in the SELinux sense) linked to a process and inherited (normally) from the user who launched it. Its rights are expressed in terms of authorization or refusal on types linked to objects:

A process whose context has security domain D can access objects of type T.

[Figure: The SELinux context of standard processes]

The SELinux context of important processes

Most important programs are assigned a dedicated domain.

Each executable is tagged with a dedicated type (here sshd_exec_t) which automatically switches the associated process to the sshd_t context (instead of user_t).

This mechanism is essential since it restricts the rights of a process as much as possible.

[Figure: The SELinux context of an important process - example of sshd]

Management

The semanage command manages SELinux rules.

semanage [object_type] [options]

Example:

semanage boolean -l
| Options | Observations       |
|---------|--------------------|
| -a      | Adds an object     |
| -d      | Deletes an object  |
| -m      | Modifies an object |
| -l      | Lists the objects  |

The semanage command may not be installed by default under Rocky Linux.

Without knowing the package that provides this command, you should search for its name with the command:

dnf provides */semanage

then install it:

sudo dnf install policycoreutils-python-utils

Administering Boolean objects

Booleans allow the containment of processes.

semanage boolean [options]

To list the available Booleans:

semanage boolean -l
SELinux boolean    State Default  Description
…
httpd_can_sendmail (off , off)  Allow httpd to send mail
…

Note

As you can see, there is a default state (e.g. at startup) and a running state.

The setsebool command is used to change the state of a boolean object:

setsebool [-PV] boolean on|off

Example:

sudo setsebool -P httpd_can_sendmail on
| Options | Observations                                                        |
|---------|---------------------------------------------------------------------|
| -P      | Changes the default value at startup (otherwise only until reboot)  |
| -V      | Deletes an object                                                   |

Warning

Don't forget the -P option to keep the state after the next startup.

Administering Port objects

The semanage command is used to manage objects of type port:

semanage port [options]

Example: allow port 81 for httpd domain processes

sudo semanage port -a -t http_port_t -p tcp 81

Operating modes

SELinux has three operating modes:

  • Enforcing

Default mode for Rocky Linux. Access will be restricted according to the rules in force.

  • Permissive

Rules are polled, access errors are logged, but access will not be blocked.

  • Disabled

Nothing will be restricted, nothing will be logged.

By default, most operating systems are configured with SELinux in Enforcing mode.

The getenforce command returns the current operating mode:

getenforce

Example:

$ getenforce
Enforcing

The sestatus command returns information about SELinux:

sestatus

Example:

$ sestatus
SELinux status:       enabled
SELinuxfs mount:     /sys/fs/selinux
SELinux root directory:    /etc/selinux
Loaded policy name:        targeted
Current mode:             enforcing
Mode from config file:     enforcing
...
Max kernel policy version: 33

The setenforce command changes the current operating mode:

setenforce 0|1

Switch SELinux to permissive mode:

sudo setenforce 0

The /etc/sysconfig/selinux file

The /etc/sysconfig/selinux file allows you to change the operating mode of SELinux.

Warning

Disabling SELinux is done at your own risk! It is better to learn how SELinux works than to disable it systematically!

Edit the file /etc/sysconfig/selinux

SELINUX=disabled

Note

/etc/sysconfig/selinux is a symlink to /etc/selinux/config

Reboot the system:

sudo reboot

Warning

Beware of the SELinux mode change!

In disabled mode, newly created files will not have any labels.

To reactivate SELinux, you will have to relabel your entire system.

Labeling the entire system:

sudo touch /.autorelabel
sudo reboot

The Policy Type

SELinux provides two standard types of rules:

  • Targeted: only network daemons are protected (dhcpd, httpd, named, nscd, ntpd, portmap, snmpd, squid and syslogd)
  • Strict: all daemons are protected

Context

Security contexts are displayed with the -Z option, which many commands accept:

Examples:

id -Z # the user's context
ls -Z # those of the current files
ps -eZ # those of the processes
netstat -Z # for network connections
lsof -Z # for open files

The matchpathcon command returns the context of a directory.

matchpathcon directory

Example:

sudo matchpathcon /root
 /root system_u:object_r:admin_home_t:s0

sudo matchpathcon /
 /      system_u:object_r:root_t:s0

The chcon command modifies a security context:

chcon [-vR] [-u USER] [-r ROLE] [-t TYPE] file

Example:

sudo chcon -vR -t httpd_sys_content_t /data/websites/
| Options   | Observations                        |
|-----------|-------------------------------------|
| -v        | Switches to verbose mode            |
| -R        | Applies recursion                   |
| -u,-r,-t  | Applies to a user, role or type     |

The restorecon command restores the default security context (the one provided by the rules):

restorecon [-vR] directory

Example:

sudo restorecon -vR /home/
| Options | Observations              |
|---------|---------------------------|
| -v      | Switches to verbose mode  |
| -R      | Applies recursion         |

To make a context change survive a restorecon, you have to modify the default file contexts with the semanage fcontext command:

semanage fcontext -a options file

Note

If you are changing the context of a folder that is not standard for the system, it is good practice to create the rule first and then apply the context, as in the example below.

Example:

sudo semanage fcontext -a -t httpd_sys_content_t "/data/websites(/.*)?"
sudo restorecon -vR /data/websites/

audit2why command

The audit2why command indicates the cause of a SELinux rejection:

audit2why [-vw]

Example to get the cause of the last rejection by SELinux:

sudo cat /var/log/audit/audit.log | grep AVC | grep denied | tail -1 | audit2why
| Options | Observations                                                                                      |
|---------|---------------------------------------------------------------------------------------------------|
| -v      | Switches to verbose mode                                                                          |
| -w      | Translates the cause of a rejection by SELinux and proposes a solution to remedy it (default option) |

Going further with SELinux

The audit2allow command creates a module to allow a SELinux action (when no module exists) from a line in an "audit" file:

audit2allow [-mM]

Example:

sudo cat /var/log/audit/audit.log | grep AVC | grep denied | tail -1 | audit2allow -M mylocalmodule
| Options | Observations                                         |
|---------|------------------------------------------------------|
| -m      | Just creates the module (*.te)                       |
| -M      | Creates the module, compiles and packages it (*.pp)  |

Example of configuration

After running a command, the system gives you the prompt back but the expected result does not appear, and no error message is shown on screen.

  • Step 1: Read the log file knowing that the message we are interested in is of type AVC (SELinux), refused (denied) and the most recent one (therefore the last one).
sudo cat /var/log/audit/audit.log | grep AVC | grep denied | tail -1

The message is correctly isolated but is of no help to us.

  • Step 2: Read the isolated message with the audit2why command to get a more explicit message that may contain the solution to our problem (typically a boolean to be set).
sudo cat /var/log/audit/audit.log | grep AVC | grep denied | tail -1 | audit2why

There are two cases: either we can set a context or a boolean, or we must go to step 3 to create our own module.

  • Step 3: Create your own module.
$ sudo cat /var/log/audit/audit.log | grep AVC | grep denied | tail -1 | audit2allow -M mylocalmodule
Generating type enforcement: mylocalmodule.te
Compiling policy: checkmodule -M -m -o mylocalmodule.mod mylocalmodule.te
Building package: semodule_package -o mylocalmodule.pp -m mylocalmodule.mod

$ sudo semodule -i mylocalmodule.pp
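As an added example (not part of the original page), the following Python script does the job of the `grep AVC | grep denied | tail -1` pipeline used in steps 1 to 3, but over the structured fields of each AVC record: it picks the most recent denial by audit timestamp and reads the `permissive` flag, so you can tell a denial that was blocked (enforcing) from one that was only logged (permissive). The audit.log lines it parses are constructed samples, not captured from a real host.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of /var/log/audit/audit.log lines (not real data).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000001.100:101): arch=c000003e syscall=257 success=yes exit=3
type=AVC msg=audit(1700000002.200:102): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000003.300:103): avc:  granted  { read } for  pid=1235 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000004.400:104): avc:  denied  { read open } for  pid=1236 comm="httpd" name="index.html" dev="dm-0" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
"""

# Shape of an AVC record: header with timestamp:serial, decision, { permissions }, then key=value fields.
AVC_RE = re.compile(r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
                    r'(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class AvcRecord:
    timestamp: float
    decision: str
    permissions: tuple
    fields: dict

    def summary(self) -> str:
        """One line: which domain tried which permissions on which type, and whether it was blocked."""
        src = self.fields["scontext"].split(":")[2]   # domain of the subject, e.g. httpd_t
        tgt = self.fields["tcontext"].split(":")[2]   # type of the object, e.g. smtp_port_t
        if self.decision != "denied":
            outcome = "allowed"
        elif self.fields.get("permissive") == "0":
            outcome = "blocked (enforcing)"
        else:
            outcome = "logged only (permissive)"
        return (f"{self.fields['comm']} [{src}] {self.decision} {' '.join(self.permissions)} "
                f"on {self.fields['tclass']} [{tgt}]: {outcome}")

def parse_avc_line(line: str) -> Optional[AvcRecord]:
    """Parse one audit.log line; returns None for non-AVC records (SYSCALL, USER_AVC, ...)."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcRecord(float(m.group("ts")), m.group("decision"), tuple(m.group("perms").split()), fields)

def last_denial(log_text: str) -> Optional[AvcRecord]:
    """Like 'grep AVC | grep denied | tail -1', but ordered by audit timestamp, not file position."""
    denials = [r for r in map(parse_avc_line, log_text.splitlines()) if r and r.decision == "denied"]
    return max(denials, key=lambda r: r.timestamp, default=None)

if __name__ == "__main__":
    rec = last_denial(SAMPLE_AUDIT_LOG)
    print(rec.summary() if rec else "no AVC denial found")
```

Feed it the real file with `last_denial(open("/var/log/audit/audit.log").read())` to get the same record the pipeline above would hand to audit2why.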

Author: Antoine Le Morvan

Contributors: Steven Spencer, markooff, Ganna Zhyrnova