SELinux Security
Management of SELinux and Its Principles
Configuring the enforcement mode for protection
Getting ready
$ vagrant up
$ vagrant ssh
How to do it
From the selinux man page: NSA Security-Enhanced Linux (SELinux) is an implementation of a flexible mandatory access control architecture in the Linux kernel. The mode decides whether the policy is enforced or only logged.
Use the built-in help to see the setenforce options:
$ setenforce --help
usage: setenforce [ Enforcing | Permissive | 1 | 0 ]
First, check the current mode (Enforcing or Permissive):
$ getenforce
Enforcing
Switch to permissive mode for the running system only. The change is lost at reboot; SELinux keeps logging denials but no longer blocks them:
$ sudo setenforce Permissive
$ getenforce
Permissive
To make the mode persistent, edit the configuration file that is read at boot (on RHEL-family systems /etc/sysconfig/selinux is a symlink to /etc/selinux/config):
$ sudo vim /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Watch the spelling of the value: a misspelled SELINUX= line (an earlier draft of this file had permissve) is not a valid mode. Use disabled with care: coming back from disabled to enforcing or permissive needs a full filesystem relabel (touch /.autorelabel, then reboot), because files created while SELinux was off carry no labels. On recent releases (RHEL 9, current Fedora) SELinux can only be fully disabled with the selinux=0 kernel parameter, not from this file.
How it works
setenforce writes to /sys/fs/selinux/enforce, so it changes only the running kernel's choice between denying an access and merely recording it; getenforce reads the same node. The SELINUX= line is consulted at boot when the policy is loaded, which is why the two can disagree until the next reboot. In permissive mode the kernel still evaluates every access against the policy and logs each denial to the audit log, so it is the right way to test a policy change, but it provides no protection while it is on.
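As an added example (not code from the original page), the following POSIX shell functions check that an /etc/selinux/config-style file holds valid SELINUX= and SELINUXTYPE= values and that the persistent mode agrees with the running mode reported by getenforce. The configuration content used in the usage notes is constructed; the file path and the getenforce call in the comments assume a live RHEL-family host.

```shell
#!/bin/sh
# Added example, not from the original page: validate a persistent SELinux
# configuration and detect drift between it and the running kernel mode.

# Print the value assigned to KEY (e.g. SELINUX) in FILE, ignoring comments.
# The last uncommented assignment wins, matching how the file is read.
selinux_config_value() {
    key="$1"; file="$2"
    sed -n "s/^[[:space:]]*${key}=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$file" | tail -n 1
}

# Validate SELINUX= and SELINUXTYPE=. A typo such as SELINUX=permissve is
# caught here rather than discovered at the next reboot.
# Returns 0 if both values are valid, 1 otherwise.
selinux_config_check() {
    file="$1"
    mode=$(selinux_config_value SELINUX "$file")
    ptype=$(selinux_config_value SELINUXTYPE "$file")
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "$file: invalid SELINUX='$mode'" >&2; return 1 ;;
    esac
    case "$ptype" in
        targeted|minimum|mls) ;;
        *) echo "$file: invalid SELINUXTYPE='$ptype'" >&2; return 1 ;;
    esac
    return 0
}

# Compare the persistent mode in FILE with RUNNING, the output of getenforce
# (Enforcing, Permissive or Disabled).
# Returns 0 if they agree, 2 if they drift, 1 if the file is invalid.
selinux_mode_drift() {
    file="$1"; running="$2"
    selinux_config_check "$file" || return 1
    mode=$(selinux_config_value SELINUX "$file")
    running_lc=$(printf '%s' "$running" | tr 'A-Z' 'a-z')
    if [ "$mode" = "$running_lc" ]; then
        return 0
    fi
    echo "drift: $file says $mode but the kernel is $running_lc" >&2
    return 2
}

# Live usage (assumes libselinux-utils provides getenforce):
#   selinux_mode_drift /etc/selinux/config "$(getenforce)"
```

A return code of 2 after a setenforce Permissive is expected and harmless on a test box; the same result on a production host that should be enforcing is worth an alert, because it means someone relaxed the mode at runtime without touching the file.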
Managing Booleans
Getting ready
$ vagrant up
$ vagrant ssh
How to do it
From the booleans man page: the SELinux policy can include conditional rules that are enabled or disabled based on the current values of a set of policy booleans, which allows runtime modification of the policy without loading a new one.
List the booleans with their current values, here filtered to the Samba-related ones (semanage boolean -l adds a one-line description of each):
$ getsebool -a
$ getsebool -a | grep samba
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_portmapper --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
use_samba_home_dirs --> off
virt_sandbox_use_samba --> off
virt_use_samba --> off
Set a boolean. The -P flag also writes the new value to the policy store so it survives a reboot; without it the change is lost the next time the policy is loaded. Prefer the narrowest boolean that solves the problem: samba_create_home_dirs only lets Samba create home directories, whereas samba_export_all_rw exports every file read/write and samba_run_unconfined lets Samba run unconfined scripts:
$ sudo setsebool -P samba_create_home_dirs=1
$ getsebool -a | grep samba
samba_create_home_dirs --> on
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_portmapper --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
use_samba_home_dirs --> off
virt_sandbox_use_samba --> off
virt_use_samba --> off
How it works
A boolean gates a set of conditional allow rules that are compiled into the policy; flipping it tells the kernel to start or stop honouring those rules without loading a new policy. setsebool on its own writes only to the kernel (through /sys/fs/selinux/booleans), so the value reverts at the next policy load; -P also stores it in the policy store so it is restored at boot. Because a single boolean can open many rules at once, check what it enables before turning it on in production: sesearch -A -b NAME from setools lists the allow rules it gates.
Configuring SELinux contexts
Getting ready
$ vagrant up
$ vagrant ssh
How to do it
From the chcon man page: chcon changes the SELinux security context of each file. Use the built-in help to see its options:
$ chcon --help
Usage: chcon [OPTION]... CONTEXT FILE...
or: chcon [OPTION]... [-u USER] [-r ROLE] [-l RANGE] [-t TYPE] FILE...
or: chcon [OPTION]... --reference=RFILE FILE...
Change the SELinux security context of each FILE to CONTEXT.
With --reference, change the security context of each FILE to that of RFILE.
Mandatory arguments to long options are mandatory for short options too.
--dereference affect the referent of each symbolic link (this is
the default), rather than the symbolic link itself
-h, --no-dereference affect symbolic links instead of any referenced file
-u, --user=USER set user USER in the target security context
-r, --role=ROLE set role ROLE in the target security context
-t, --type=TYPE set type TYPE in the target security context
-l, --range=RANGE set range RANGE in the target security context
--no-preserve-root do not treat '/' specially (the default)
--preserve-root fail to operate recursively on '/'
--reference=RFILE use RFILE's security context rather than specifying
a CONTEXT value
-R, --recursive operate on files and directories recursively
-v, --verbose output a diagnostic for every file processed
The following options modify how a hierarchy is traversed when the -R
option is also specified. If more than one is specified, only the final
one takes effect.
-H if a command line argument is a symbolic link
to a directory, traverse it
-L traverse every symbolic link to a directory
encountered
-P do not traverse any symbolic links (default)
--help display this help and exit
--version output version information and exit
From the semanage man page: semanage is the SELinux policy management tool; its fcontext subcommand records the rules that restorecon and a relabel apply to paths. Check its subcommands, then inspect the current contexts with ls -Z:
$ semanage --help
usage: semanage [-h]
{import,export,login,user,port,interface,module,node,fcontext,boolean,permissive,dontaudit}
...
semanage is used to configure certain elements of SELinux policy with-out
requiring modification to or recompilation from policy source.
positional arguments:
{import,export,login,user,port,interface,module,node,fcontext,boolean,permissive,dontaudit}
import Output local customizations
export Output local customizations
login Manage login mappings between linux users and SELinux
confined users
user Manage SELinux confined users (Roles and levels for an
SELinux user)
port Manage network port type definitions
interface Manage network interface type definitions
module Manage SELinux policy modules
node Manage network node type definitions
fcontext Manage file context mapping definitions
boolean Manage booleans to selectively enable functionality
permissive Manage process type enforcement mode
dontaudit Disable/Enable dontaudit rules in policy
optional arguments:
-h, --help show this help message and exit
$ ls -alZ /
total 36
drwxr-xr-x. 18 system_u:object_r:root_t:s0 root root 4096 May 19 04:55 .
drwxr-xr-x. 18 system_u:object_r:root_t:s0 root root 4096 May 19 04:55 ..
lrwxrwxrwx. 1 system_u:object_r:bin_t:s0 root root 7 Aug 1 2014 bin -> usr/bin
dr-xr-xr-x. 4 system_u:object_r:boot_t:s0 root root 4096 Aug 1 2014 boot
drwxr-xr-x. 19 system_u:object_r:device_t:s0 root root 3000 May 19 04:55 dev
drwxr-xr-x. 76 system_u:object_r:etc_t:s0 root root 8192 May 19 07:57 etc
drwxr-xr-x. 4 system_u:object_r:home_root_t:s0 root root 32 May 19 05:19 home
lrwxrwxrwx. 1 system_u:object_r:lib_t:s0 root root 7 Aug 1 2014 lib -> usr/lib
lrwxrwxrwx. 1 system_u:object_r:lib_t:s0 root root 9 Aug 1 2014 lib64 -> usr/lib64
drwxr-xr-x. 2 system_u:object_r:mnt_t:s0 root root 6 Aug 1 2014 media
drwxr-xr-x. 2 system_u:object_r:mnt_t:s0 root root 6 Jun 9 2014 mnt
drwxr-xr-x. 3 system_u:object_r:usr_t:s0 root root 38 Aug 1 2014 opt
dr-xr-xr-x. 104 system_u:object_r:proc_t:s0 root root 0 May 19 04:55 proc
dr-xr-x---. 3 system_u:object_r:admin_home_t:s0 root root 4096 May 19 06:58 root
drwxr-xr-x. 23 system_u:object_r:var_run_t:s0 root root 720 May 19 07:57 run
lrwxrwxrwx. 1 system_u:object_r:bin_t:s0 root root 8 Aug 1 2014 sbin -> usr/sbin
drwxr-xr-x. 2 system_u:object_r:var_t:s0 root root 6 Jun 9 2014 srv
dr-xr-xr-x. 13 system_u:object_r:sysfs_t:s0 root root 0 May 19 04:55 sys
drwxrwxrwt. 7 system_u:object_r:tmp_t:s0 root root 88 May 19 07:57 tmp
drwxr-xr-x. 13 system_u:object_r:usr_t:s0 root root 4096 Aug 1 2014 usr
drwxr-xr-x. 2 unconfined_u:object_r:default_t:s0 root root 6 Aug 1 2014 vagrant
drwxr-xr-x. 20 system_u:object_r:var_t:s0 root root 4096 May 19 04:55 var
$ ls -dZ /
drwxr-xr-x. root root system_u:object_r:root_t:s0 /
Contexts can be changed in two ways: chcon sets the label on the file directly, which is quick but not durable, while semanage fcontext records a rule in the policy's file context database and restorecon applies it, which survives relabels.
Using chcon
$ mkdir myweb
$ ls -lZ
drwxrwxr-x. vagrant vagrant unconfined_u:object_r:user_home_t:s0 myweb
$ chcon -u system_u -t httpd_sys_content_t myweb
$ ls -lZ
drwxrwxr-x. vagrant vagrant system_u:object_r:httpd_sys_content_t:s0 myweb
Using semanage and restorecon. Run restorecon on the directory first, with no rule in place: it reverts the chcon label to what the file context database prescribes, which is why chcon alone is not enough:
$ restorecon myweb/
$ ls -lZ
drwxrwxr-x. vagrant vagrant system_u:object_r:user_home_t:s0 myweb
$ sudo semanage fcontext -a -t httpd_sys_content_t '/home/vagrant/myweb(/.*)?'
$ sudo restorecon -vvFR myweb/
restorecon reset /home/vagrant/myweb context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
How it works
chcon writes the new label straight into the file's security.selinux extended attribute and records nothing else, so the next restorecon, a system relabel, or a package update that relabels its files puts the old label back. semanage fcontext adds a rule to the file context database (local additions land in /etc/selinux/targeted/contexts/files/file_contexts.local), and restorecon then applies the label that database prescribes; the -F flag also resets the user field, which is why the user part changed from unconfined_u to system_u in the output above. Keep the regular expression tight: '/home/vagrant/myweb(/.*)?' covers the directory and its contents and nothing else. ls -Z or matchpathcon /home/vagrant/myweb confirms the result.
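As an added example (not from the original page), these POSIX shell functions verify that files carry the type the policy expects and apply a label change persistently and idempotently. The "context path" lines in the usage notes are constructed; verify_label and persist_label assume a live host with SELinux, matchpathcon and semanage installed.

```shell
#!/bin/sh
# Added example, not from the original page: check file labels against the
# file context database and apply a persistent relabel.

# Print the type field of a context such as system_u:object_r:httpd_sys_content_t:s0.
# The type is the third colon-separated field; the MLS range after it may
# itself contain colons, so do not take "everything after the role".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "context path" lines on stdin (the output of stat -c '%C %n') and print
# the paths whose type is not WANT. Paths are assumed not to contain spaces.
label_mismatches() {
    awk -v want="$1" '{ split($1, c, ":"); if (c[3] != want) print $2 }'
}

# Compare the live label of PATH with what the file context database says.
# Returns 0 if the types agree, 1 if not (the usual aftermath of a chcon, or
# of mv, which keeps the source label instead of taking the destination's).
verify_label() {
    path="$1"
    actual=$(stat -c %C "$path")
    expected=$(matchpathcon -n "$path")
    if [ "$(context_type "$actual")" = "$(context_type "$expected")" ]; then
        return 0
    fi
    echo "$path: has $actual, policy expects $expected" >&2
    return 1
}

# Record a rule for DIR and everything under it, then relabel. Uses -m when
# the spec already exists so the function can be rerun safely.
persist_label() {
    dir="$1"; ptype="$2"
    spec="${dir}(/.*)?"
    if sudo semanage fcontext -l | grep -qF "$spec"; then
        sudo semanage fcontext -m -t "$ptype" "$spec"
    else
        sudo semanage fcontext -a -t "$ptype" "$spec"
    fi
    sudo restorecon -RvF "$dir"
}

# Live usage:
#   persist_label /home/vagrant/myweb httpd_sys_content_t
#   verify_label /home/vagrant/myweb
#   find /home/vagrant/myweb -exec stat -c '%C %n' {} + | label_mismatches httpd_sys_content_t
```

Comparing only the type is deliberate: the targeted policy makes its decisions on the type, and the user and role of a file rarely matter, so a strict string comparison of the whole context would report harmless unconfined_u versus system_u differences as failures.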
SELinux Troubleshooting
Getting ready
$ vagrant up
$ vagrant ssh
How to do it
Use sealert and the audit log for troubleshooting
From the man pages **
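The records sealert reads are the AVC denials in /var/log/audit/audit.log. As an added example (not from the original page), this POSIX shell function aggregates them the way sealert and audit2allow do, by source type, target type, object class and the denied permissions, so that a burst of denials collapses into a handful of lines to investigate. The audit records in sample_avc_lines are constructed; the ausearch and grep commands in the usage notes assume a live host with auditd.

```shell
#!/bin/sh
# Added example, not from the original page: summarize AVC denials from
# audit-log records.

# Constructed audit.log excerpt: two denials for httpd reading files in a home
# directory, one for httpd connecting to the MySQL port, and one non-AVC record.
sample_avc_lines() {
    cat <<'EOF'
type=AVC msg=audit(1716100000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=1401 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1716100000.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1716100001.202:202): avc:  denied  { read } for  pid=1201 comm="httpd" name="style.css" dev="dm-0" ino=1402 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1716100002.303:203): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# Read audit records on stdin, keep the AVC denials and print
# "<count> <source type> <target type> <class> {<permissions>}", most frequent first.
avc_summary() {
    grep 'avc:  denied' | awk '
    {
        perms = ""; scon = ""; tcon = ""; cls = ""
        # the denied permission set is printed as "denied  { read write }"
        if (match($0, /denied  \{ [^}]* \}/)) {
            perms = substr($0, RSTART, RLENGTH)
            sub(/^denied  \{ /, "", perms)
            sub(/ \}$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) scon = substr($i, 10)
            else if ($i ~ /^tcontext=/) tcon = substr($i, 10)
            else if ($i ~ /^tclass=/) cls = substr($i, 8)
        }
        # the type is the third field of a context; see the contexts section
        split(scon, s, ":"); split(tcon, t, ":")
        count[s[3] " " t[3] " " cls " {" perms "}"]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Live usage (the same records sealert reads):
#   sudo ausearch -m avc -ts today | avc_summary
#   sudo grep 'avc:  denied' /var/log/audit/audit.log | avc_summary
```

Each summary line maps to a decision: a target type of user_home_t under httpd_t usually means content was placed where the policy does not expect web content, which is a labelling fix (semanage fcontext and restorecon, as in the contexts section), whereas a denial on a port type or a socket class is more often addressed by a boolean or a semanage port rule. Records carrying permissive=1 were logged but not blocked, so they show what enforcing mode would break rather than what is broken now.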