SELinux system administrator cheat sheet: 42 answers to important questions

This translation of the article was prepared especially for students of the Linux Administrator course.


Here you will find answers to important questions about life, the universe and everything in Security-Enhanced Linux.

“It is an important and popular fact that things are not always what they seem…”

-Douglas Adams, The Hitchhiker’s Guide to the Galaxy

Security. Hardening. Compliance. Policy. The four horsemen of the sysadmin apocalypse. In addition to our daily tasks – monitoring, backing up, implementing, configuring, updating, etc. – we are also responsible for the security of our systems. Even those systems where a third-party vendor recommends that we turn off enhanced security. It sounds like a job for Ethan Hunt from Mission Impossible.

Faced with this dilemma, some system administrators decide to take the blue pill because they think they will never know the answer to the big question of life, the universe and everything. And, as we all know, that answer is 42.

In the spirit of “The Hitchhiker’s Guide to the Galaxy”, here are 42 answers to important questions about managing and using SELinux on your systems.

1. SELinux is a mandatory access control system, which means that every process has a label. Every file, directory and system object also has a label. Policy rules control access between labeled processes and labeled objects. The kernel enforces these rules.

2. The two most important concepts are: Labeling (of files, processes, ports, etc.) and Type enforcement (which isolates processes from each other based on their types).

3. The correct label format is user:role:type:level (the level is optional).

4. The purpose of Multi-Level Security (MLS) is to control processes (domains) based on the security level of the data they will use. For example, a secret process cannot read top-secret data.

5. Multi-Category Security (MCS) protects similar processes from each other (for example, virtual machines, OpenShift gears, SELinux sandboxes, containers, etc.).

6. Kernel parameters for changing SELinux modes at boot:

  • autorelabel=1 → forces the system to relabel
  • selinux=0 → the kernel does not load the SELinux infrastructure
  • enforcing=0 → boot in permissive mode

7. If you need to relabel the entire system:

# touch /.autorelabel
# reboot

If the system labeling contains a large number of errors, you may need to boot in permissive mode for the relabeling to succeed.

8. To check if SELinux is enabled: # getenforce

9. To temporarily enable/disable SELinux: # setenforce [1|0]

10. Checking SELinux status: # sestatus

11. Configuration file: /etc/selinux/config

12. How does SELinux work? Here is an example of the labeling for the Apache web server:

  • Binary: /usr/sbin/httpd → httpd_exec_t
  • Configuration directory: /etc/httpd → httpd_config_t
  • Log file directory: /var/log/httpd → httpd_log_t
  • Content directory: /var/www/html → httpd_sys_content_t
  • Startup script: /usr/lib/systemd/system/httpd.service → httpd_unit_file_t
  • Process: /usr/sbin/httpd -DFOREGROUND → httpd_t
  • Ports: 80/tcp, 443/tcp → httpd_t, http_port_t

A process running in the httpd_t context can interact with an object labeled httpd_something_t.

13. Many commands accept the -Z argument to view, create and change contexts:

  • ls -Z
  • id -Z
  • ps -Z
  • netstat -Z
  • cp -Z
  • mkdir -Z

Contexts are set when files are created, based on the context of their parent directory (with some exceptions). RPMs can set contexts during installation.

14. There are four main causes of SELinux errors, which are described in more detail in items 15-21 below:

  • Labeling problems
  • Something SELinux needs to know
  • A bug in an SELinux policy or application
  • Your information may be compromised

15. Labeling problem: if your files in /srv/myweb are labeled incorrectly, access may be denied. Here are some ways to fix this:

  • If you know the label:
    # semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'
  • If you know a file with an equivalent label:
    # semanage fcontext -a -e /srv/myweb /var/www
  • Then restore the context (for both cases):
    # restorecon -vR /srv/myweb

16. Labeling problem: if you move a file instead of copying it, the file keeps its original context. To fix this:

  • Change the context with chcon, giving the type label:
    # chcon -t httpd_sys_content_t /var/www/html/index.html
  • Change the context with chcon, using a reference file's label:
    # chcon --reference /var/www/html/ /var/www/html/index.html
  • Restore the context (for both cases): # restorecon -vR /var/www/html/

17. If SELinux needs to know that HTTPD is listening on port 8585, tell SELinux:

# semanage port -a -t http_port_t -p tcp 8585

18. SELinux needs to know: booleans let you change parts of the SELinux policy at runtime without any knowledge of SELinux policy writing. For example, if you want httpd to send email, enter: # setsebool -P httpd_can_sendmail 1

19. SELinux needs to know: booleans are on/off switches for SELinux settings:

  • To see all booleans: # getsebool -a
  • To see a description of each: # semanage boolean -l
  • To set a boolean: # setsebool [_boolean_] [1|0]
  • To make the setting permanent, add -P. For instance: # setsebool httpd_enable_ftp_server 1 -P

20. SELinux policies and applications can have bugs, including:

  • Unusual code paths
  • Configurations
  • Redirection of stdout
  • Leaked file descriptors
  • Executable memory
  • Badly built libraries

Open tickets (don't submit a Bugzilla report; there are no SLAs with Bugzilla).

21. Your information may be compromised if you have confined domains trying to:

  • Load kernel modules
  • Turn off SELinux enforcing mode
  • Write to etc_t/shadow_t
  • Modify iptables rules

22. Tools for troubleshooting SELinux:

# yum -y install setroubleshoot setroubleshoot-server

Reboot or restart auditd after installing.

23. Use journalctl to list all logs related to setroubleshoot:

# journalctl -t setroubleshoot --since=14:20

24. Use journalctl to list all the logs associated with a particular SELinux label. For instance:

# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0

25. When an SELinux error occurs, setroubleshoot logs a message with suggestions for several possible solutions.
For example, from journalctl:

Jun 14 19:41:07 web1 setroubleshoot: SELinux is preventing httpd from getattr access on the file /var/www/html/index.html. For complete message run: sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e

# sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e
SELinux is preventing httpd from getattr access on the file /var/www/html/index.html.

***** Plugin restorecon (99.5 confidence) suggests ************************

If you want to fix the label,
/var/www/html/index.html default label should be httpd_syscontent_t.
Then you can restorecon.
Do
# /sbin/restorecon -v /var/www/html/index.html

26. Logging: SELinux records information in many places:

  • /var/log/messages
  • /var/log/audit/audit.log
  • /var/lib/setroubleshoot/setroubleshoot_database.xml

27. Logging: search for SELinux errors in the audit log:

# ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today

28. To find SELinux Access Vector Cache (AVC) messages for a specific service:

# ausearch -m avc -c httpd

29. The audit2allow utility collects information from logs of denied operations and then generates SELinux allow policy rules. For instance:

  • To create a human-readable description of why the access was denied: # audit2allow -w -a
  • To view the type enforcement rule that would allow the denied access: # audit2allow -a
  • To create a custom module: # audit2allow -a -M mypolicy
  • The -M option creates a type enforcement file (.te) with the specified name and compiles the rule into a policy package (.pp): mypolicy.pp mypolicy.te
  • To install the custom module: # semodule -i mypolicy.pp
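
As an added example (not from the original article), here is a small sh/awk script that does by hand the triage items 27-29 describe: it takes constructed audit.log records, groups the AVC denials by command, permission, source type, target type and object class, and attaches a heuristic hint pointing at the cheat-sheet item to check first (labeling for items 15-16, ports for item 17, audit2allow -w otherwise). The sample records, the hint rules and the summarize_avc function are all constructed here.

```shell
#!/bin/sh
# Constructed sample of audit.log AVC records (not real system output); the
# SYSCALL record is included only to show that non-AVC lines are ignored.
SAMPLE_AVC='type=AVC msg=audit(1623692467.123:456): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1623692468.456:457): avc:  denied  { getattr } for  pid=1235 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1623692470.789:460): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8585 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1623692471.000:461): avc:  denied  { sendto } for  pid=1234 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_dgram_socket permissive=0
type=SYSCALL msg=audit(1623692471.000:461): arch=c000003e syscall=44 success=no exit=-13'

# Read audit records on stdin; print one line per distinct denial:
#   <count> <comm> <perms> <source type> <target type> <tclass> <hint>
# The hint is a heuristic only: it names the cheat-sheet item to check first.
summarize_avc() {
    grep '^type=AVC ' | awk '
    {
        perm = ""; comm = ""; st = ""; tt = ""; cls = ""
        # permissions sit between "{ " and " }", possibly several of them
        if (match($0, /[{] [^}]* [}]/)) { perm = substr($0, RSTART + 2, RLENGTH - 4) }
        gsub(/ /, ",", perm)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
            else if (kv[1] == "scontext") { split(kv[2], c, ":"); st = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tt = c[3] }
            else if (kv[1] == "tclass") { cls = kv[2] }
        }
        count[comm " " perm " " st " " tt " " cls]++
    }
    END {
        for (k in count) {
            split(k, f, " ")
            hint = "review: audit2allow -w (item 29)"
            if (f[4] ~ /^(user_home_t|default_t|unlabeled_t)$/)
                hint = "labeling: restorecon (items 15-16)"
            else if (f[5] ~ /_socket$/ && f[4] ~ /_port_t$/)
                hint = "port: semanage port (item 17)"
            print count[k], k, hint
        }
    }' | sort -k2
}

printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

On a real system the same function can be fed with `ausearch -m AVC -ts today --raw`, which emits records in this format.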

30. To configure a separate process (domain) to work in permissive mode: # semanage permissive -a httpd_t

31. If you no longer want the domain to be permissive: # semanage permissive -d httpd_t

32. To disable all permissive domains: # semodule -d permissivedomains

33. Enabling the MLS SELinux policy: # yum install selinux-policy-mls
in /etc/selinux/config:
SELINUX=permissive
SELINUXTYPE=mls

Make sure SELinux is running in permissive mode: # setenforce 0

Use the fixfiles script to ensure that the files are relabeled on the next reboot:

# fixfiles -F onboot
# reboot

34. Create a user with a specific MLS range: # useradd -Z staff_u john

The useradd command maps the new user to an existing SELinux user (in this case, staff_u).

35. To view the correspondence between SELinux and Linux users: # semanage login -l

36. Define a specific range for the user: # semanage login --modify --range s2:c100 john

37. To correct the label in the user’s home directory (if necessary): # chcon -R -l s2:c100 /home/john

38. To view the current categories: # chcat -L

39. To change categories or start creating your own, edit the following file:

/etc/selinux/<selinuxtype>/setrans.conf

40. To run a command or script in a specific file, role and user context:

# runcon -t initrc_t -r system_r -u user_u yourcommandhere

  • -t file context
  • -r role context
  • -u user context

41. Running containers with SELinux disabled:

  • Podman: # podman run --security-opt label=disable …
  • Docker: # docker run --security-opt label=disable …

42. If you need to give the container full access to the system:

  • Podman: # podman run --privileged …
  • Docker: # docker run --privileged …

And now you know the answer. So please: don't panic, and turn on SELinux.
