SELinux Security

SELinux is a set of security rules that control which processes can access specific files, folders and ports. Each of these processes, files, folders and ports has a special security label called an SELinux context. The context is made up of the following fields:
(1) user
(2) role
(3) type
(4) sensitivity.

The SELinux policy determines whether a process can access a file, folder or port. By default, the SELinux policy blocks all access to files, folders and ports.

The default policy enabled in RHEL/CentOS, called the “targeted policy”, bases its rules on the third field of the context, the “type” context, which usually ends with “_t”.

If we take the example of the Apache web service, the httpd process usually accesses the folders “/var/www/html”, “/var/tmp”, “/tmp”, etc. The type context associated with the httpd service is “httpd_t”. The type context associated with the folder “/var/www/html” is “httpd_sys_content_t”, the port is “http_port_t”, etc.

The SELinux context can be displayed by commands such as ps, ls, cp and mkdir by using the “-Z” switch. For example:

[root@shiju-test ~]# ps -axZ | grep http
system_u:system_r:httpd_t:s0 11675 ? Ss 0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 11676 ? S 0:00 /usr/sbin/httpd -DFOREGROUND

[root@shiju-test ~]# ls -Z /var/www
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html

SELinux can be configured in three modes:

  • Enforcing : Policies are enforced and logging is enabled.
  • Permissive : Policies are not enforced, but logging is enabled, so denials are recorded as if the policies were enforced.
  • Disabled : Policies are disabled and logging is also not enabled.

Command to verify the mode in which SELinux is running:
getenforce

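Command to switch to permissive mode:
setenforce 0

Command to switch to enforcing mode:
setenforce 1

Neither command can disable SELinux, and both last only until the next reboot. The mode used at boot, including disabled, is set in the configuration file for SELinux, “/etc/selinux/config”.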

SELinux logs useful information, such as details of denied access. The default log file is:
/var/log/audit/audit.log

 

Let us work on a practice example:

=================

  • Use a system in which SELinux is enabled. The command “getenforce” will show the present SELinux setting.
  • Install httpd using the command “yum install httpd -y”
  • Ensure firewalld or iptables is disabled in the host during testing.
  • Create an html file named index.html displaying a line “Hello World -- var -- html”.
  • Allow everyone to access the page by issuing the command “chmod 755 /var/www/html/index.html”
  • Restart the web server by running the command “systemctl restart httpd”
  • Verify that everyone can see the web page by accessing the server via a web browser. It should work while SELinux is also enabled.
  • Create a new folder named virtual by issuing the command “mkdir /virtual”
  • Create an html file named /virtual/index.html displaying a line “Hello World -- virtual -- html”.
  • Add the following lines in your Apache web server’s configuration file httpd.conf:
    <Directory "/virtual">
    AllowOverride None
    # Allow open access:
    Require all granted
    </Directory>
  • In the httpd.conf file, edit the line that starts with “DocumentRoot” so that it reads:
    DocumentRoot "/virtual"
  • Restart Apache by running the command “systemctl restart httpd”
  • You may not be able to see the correct web page, since SELinux may be blocking access to “/virtual/index.html”.
  • Check the log file “/var/log/audit/audit.log” for any entry related to it, like:
    type=AVC msg=audit(1523351308.296:598): avc: denied { getattr } for pid=1247 comm="httpd" path="/virtual/index.html" dev="xvda2" ino=25270803 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
  • If you stop SELinux enforcement temporarily by issuing the command “setenforce 0”, or disable SELinux permanently by editing the file “/etc/selinux/config”, you will see that the file gets displayed.
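
The denial in the log entry above can also be extracted from audit.log programmatically. The following Python sketch is an added example, not part of the original post: it parses AVC denial records, groups them by source type, target type and object class, and flags targets labelled default_t or unlabeled_t, which this example assumes usually indicate a mislabelled object rather than a missing policy rule. The sample log lines are constructed (the first two are modelled on the entry above) and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log format; the port denial is invented for illustration.
SAMPLE_LOG = '''\
type=AVC msg=audit(1523351308.296:598): avc: denied { getattr } for pid=1247 comm="httpd" path="/virtual/index.html" dev="xvda2" ino=25270803 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1523351308.297:599): avc: denied { read open } for pid=1247 comm="httpd" path="/virtual/index.html" dev="xvda2" ino=25270803 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1523351308.297:599): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1523351400.101:612): avc: denied { name_bind } for pid=1300 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
GENERIC_TYPES = {'default_t', 'unlabeled_t'}  # assumption: these mean "no specific label"

def ctx_type(context):
    # A context is user:role:type:level; the level may itself contain ':' (MLS categories).
    parts = context.split(':', 3)
    return parts[2] if len(parts) >= 3 else ''

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not line.startswith('type=AVC') or not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    return {
        'perms': m.group('perms').split(),
        'source_type': ctx_type(fields['scontext']),
        'target_type': ctx_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'object': fields.get('path') or fields.get('name') or fields.get('src', ''),
    }

def summarize(log_text):
    """Group denials by (source type, target type, class) and flag generic target labels."""
    groups = defaultdict(lambda: {'perms': set(), 'objects': set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec['source_type'], rec['target_type'], rec['tclass'])
            groups[key]['perms'].update(rec['perms'])
            groups[key]['objects'].add(rec['object'])
    return [{'source_type': s, 'target_type': t, 'tclass': c,
             'perms': sorted(g['perms']), 'objects': sorted(g['objects']),
             'likely_mislabeled': t in GENERIC_TYPES}
            for (s, t, c), g in sorted(groups.items())]
```

For the sample, the httpd_t to default_t group is flagged as likely mislabelled, which matches the fix described next: relabel the file instead of turning enforcement off.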

We can change the context of a file by using either:
(1) chcon
(2) restorecon

To make the webpage “/virtual/index.html” accessible by the http server while SELinux is enforced, run the following command:
chcon -t httpd_sys_content_t /virtual/index.html

Check the result by running the following command:
ls -Z /virtual

To restore the context to the default settings defined in the SELinux policy, use the following command:
restorecon -Rv /virtual/index.html

The command to view the default SELinux policy used by “restorecon” is as below. You can pipe its output through “grep” to display selective results.
semanage fcontext -l

We can add an SELinux policy rule by using the semanage fcontext command, so that the rule is used whenever the “restorecon” command is run. The command below sets the default context for the “/virtual” folder and all files in it; the new context is applied to existing files the next time “restorecon” is run on them.
semanage fcontext -a -t httpd_sys_content_t '/virtual(/.*)?'