{"id":535,"date":"2018-04-10T09:10:10","date_gmt":"2018-04-10T09:10:10","guid":{"rendered":"http:\/\/shijuvarghese.com\/?p=535"},"modified":"2018-04-10T12:47:28","modified_gmt":"2018-04-10T12:47:28","slug":"selinux-security","status":"publish","type":"post","link":"http:\/\/shijuvarghese.com\/?p=535","title":{"rendered":"SELinux Security"},"content":{"rendered":"<p>SELinux is a set of security rules with which we can control which processes may access specific files, folders and ports. These processes, files, folders and ports carry a special security label called the SELinux <strong>context<\/strong>. A context is made up of four fields:<br \/>\n(1) user<br \/>\n(2) role<br \/>\n(3) type<br \/>\n(4) sensitivity.<\/p>\n<p>The <strong>SELinux policy<\/strong> determines whether a process can access a file, folder or port. By default the SELinux policy denies any access it does not explicitly allow.<\/p>\n<p>The default policy enabled in RHEL\/CentOS, called the &#8220;<strong>targeted policy<\/strong>&#8221;, bases its rules on the third field, the &#8220;<strong>type<\/strong>&#8221; context, whose values usually end with &#8220;<strong>_t<\/strong>&#8221;.<\/p>\n<p>Taking the Apache web service as an example, the httpd process usually accesses the folders &#8220;<em>\/var\/www\/html<\/em>&#8221;, &#8220;<em>\/var\/tmp<\/em>&#8221;, &#8220;<em>\/tmp<\/em>&#8221;, etc. The <strong>type<\/strong> context associated with the httpd service is &#8220;<strong>httpd_t<\/strong>&#8221;. The type context associated with the folder &#8220;\/var\/www\/html&#8221; is &#8220;<strong>httpd_sys_content_t<\/strong>&#8221;, the port is labelled &#8220;<strong>http_port_t<\/strong>&#8221;, etc.<\/p>\n<p>The SELinux context can be displayed by commands such as <strong>ps, ls, cp, mkdir<\/strong>, etc. by using the &#8220;<strong>-Z<\/strong>&#8221; switch. For example:<\/p>\n<p><em><strong>[root@shiju-test ~]# ps -axZ | grep http<\/strong><\/em><br \/>\nsystem_u:system_r:httpd_t:s0 11675 ? 
Ss 0:00 \/usr\/sbin\/httpd -DFOREGROUND<br \/>\nsystem_u:system_r:httpd_t:s0 11676 ? S 0:00 \/usr\/sbin\/httpd -DFOREGROUND<\/p>\n<p><em><strong>[root@shiju-test ~]# ls -Z \/var\/www<\/strong><\/em><br \/>\ndrwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin<br \/>\ndrwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html<\/p>\n<p>SELinux can be configured in three modes:<\/p>\n<ul>\n<li><strong>Enforcing<\/strong> : Policies are enforced and denials are logged<\/li>\n<li><strong>Permissive<\/strong> : Policies are not enforced, but denials are still logged as if they were<\/li>\n<li><strong>Disabled<\/strong> : Policies are not enforced and nothing is logged.<\/li>\n<\/ul>\n<p>Command to verify the mode in which SELinux is running:<br \/>\n<em><strong>getenforce<\/strong><\/em><\/p>\n<p>Command to switch to permissive mode:<br \/>\n<em><strong>setenforce 0<\/strong><\/em><\/p>\n<p>Command to switch back to enforcing mode:<br \/>\n<em><strong>setenforce 1<\/strong><\/em><\/p>\n<p>Configuration file for SELinux is &#8220;<strong>\/etc\/selinux\/config<\/strong>&#8221;<\/p>\n<p>SELinux logs useful information such as access denials. The default log file is:<br \/>\n<strong>\/var\/log\/audit\/audit.log<\/strong><\/p>\n<p>Let us work on a practice example:<\/p>\n<p>=================<\/p>\n<ul>\n<li>Verify if everyone can see the web page by accessing the server via a web browser. 
It should work while SELinux is also enabled.<\/li>\n<li>Restart the web server by running the command &#8220;<strong>systemctl restart httpd<\/strong>&#8221;<\/li>\n<li>Allow everyone to access the page by issuing the command &#8220;<em><strong>chmod 755 \/var\/www\/html\/index.html<\/strong><\/em>&#8221;<\/li>\n<li>Create an HTML file named <strong>index.html<\/strong> displaying the line &#8220;<em>Hello World &#8211; var &#8211; html<\/em>&#8221;<\/li>\n<li>Ensure firewalld or iptables is disabled on the host during testing.<\/li>\n<li>Install httpd using the command &#8220;<em><strong>yum install httpd -y<\/strong><\/em>&#8221;<\/li>\n<li>Use a system in which SELinux is enabled. The command &#8220;<em><strong>getenforce<\/strong><\/em>&#8221; will show the present SELinux mode<\/li>\n<li>Create a new folder named <strong>virtual<\/strong> by issuing the command &#8220;<em><strong>mkdir \/virtual<\/strong><\/em>&#8221;<\/li>\n<li>Create an HTML file named <strong>\/virtual\/index.html<\/strong> displaying the line &#8220;<em>Hello World &#8211; virtual &#8211; html<\/em>&#8221;.<\/li>\n<li>Add the following lines to your Apache web server&#8217;s configuration file httpd.conf:<br \/>\n&lt;Directory &quot;\/virtual&quot;&gt;<br \/>\nAllowOverride None<br \/>\n# Allow open access:<br \/>\nRequire all granted<br \/>\n&lt;\/Directory&gt;<\/li>\n<li>In the httpd.conf file, edit the line that starts with &#8220;<strong>DocumentRoot<\/strong>&#8221; so that it is &#8220;<em>DocumentRoot &quot;\/virtual&quot;<\/em>&#8221;<\/li>\n<li>Restart Apache by running the command &#8220;<em><strong>systemctl restart httpd<\/strong><\/em>&#8221;<\/li>\n<li>You may <strong>not<\/strong> be able to see the correct web page, since SELinux may be blocking access to &#8220;\/virtual\/index.html&#8221;<\/li>\n<li>Check the log file &#8220;<em><strong>\/var\/log\/audit\/audit.log<\/strong><\/em>&#8221; for any entry related to it, like:<br \/>\ntype=AVC msg=audit(1523351308.296:598): avc: 
denied { getattr } for pid=1247 comm=&quot;httpd&quot; path=&quot;\/virtual\/index.html&quot; dev=&quot;xvda2&quot; ino=25270803 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file<\/li>\n<li>If you switch SELinux to permissive mode temporarily by issuing the command &#8220;<em><strong>setenforce 0<\/strong><\/em>&#8221;, or disable it permanently by editing the file &#8220;<strong>\/etc\/selinux\/config<\/strong>&#8221;, you will see that the file gets displayed.<\/li>\n<\/ul>\n<p>We can change the context of a file by using either:<br \/>\n(1) chcon<br \/>\n(2) restorecon<\/p>\n<p>To make the web page &#8220;\/virtual\/index.html&#8221; accessible to the httpd service while SELinux is enforcing, run the following command:<br \/>\n<em><strong>chcon -t httpd_sys_content_t \/virtual\/index.html<\/strong><\/em><\/p>\n<p>Check the result by running the following command:<br \/>\n<em><strong>ls -Z \/virtual<\/strong><\/em><\/p>\n<p>To restore the context to the default defined in the SELinux policy, use the following command:<br \/>\n<em><strong>restorecon -Rv \/virtual\/index.html<\/strong><\/em><\/p>\n<p>The command to view the default file-context rules used by <strong>&#8220;restorecon&#8221;<\/strong> is below. You may pipe the output through &#8220;grep&#8221; to display selective results<br \/>\n<em><strong>semanage fcontext -l<\/strong><\/em><\/p>\n<p>We can add an SELinux file-context rule by using <strong>semanage fcontext<\/strong> commands so that the same rule is applied when the &#8220;<strong>restorecon<\/strong>&#8221; command is used. The command below adds a rule for all files in the &#8220;\/virtual&#8221; folder; the rule takes effect on existing files once restorecon is run on the folder<br \/>\n<em><strong>semanage fcontext -a -t httpd_sys_content_t &#8216;\/virtual(\/.*)?&#8217;<\/strong><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<div class=\"mh-excerpt\"><p>SELinux is a set of security rules using which we can control the processes that can access specific files, folders and ports. 
These processes, files, <a class=\"mh-excerpt-more\" href=\"http:\/\/shijuvarghese.com\/?p=535\" title=\"SELinux Security\">[&#8230;]<\/a><\/p>\n<\/div>","protected":false},"author":1,"featured_media":260,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,14],"tags":[],"class_list":["post-535","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","category-security"],"_links":{"self":[{"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=\/wp\/v2\/posts\/535","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=535"}],"version-history":[{"count":7,"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=\/wp\/v2\/posts\/535\/revisions"}],"predecessor-version":[{"id":542,"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=\/wp\/v2\/posts\/535\/revisions\/542"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=\/wp\/v2\/media\/260"}],"wp:attachment":[{"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=535"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=535"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=535"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}