Do you know the following situation? You are following a step-by-step tutorial on the web, and it does not work as expected in your environment because of SELinux. You search for a command to disable SELinux… Does that sound familiar?
In this blog post I will explain what SELinux is, and where and how to use it. Let’s start!
What is SELinux and why should I not disable it?
SE stands for “Security Enhanced”. SELinux gives administrators strict control over all processes on their system. Processes that are not considered necessary are blocked. Let’s say you have a PHP application which is vulnerable to SQL Injection. If someone finds your vulnerability, this person will try to get important files from your server, such as ‘/etc/passwd’, through the URL. An example SQL Injection attack will look like this: https://example.com/file=’../../../../etc/passwd’
As you know, the passwd file lists all users who have access to your server. With it, the attacker has more information to exploit your environment. With SELinux activated, this could not happen. SELinux will block this because the apache service is not allowed by default to get files from the root folders. It is only allowed to read data from ‘/var/www/html’, and the request will return the status 403 Forbidden. It makes sense to restrict access rights even if you actually trust the programs. If the application is hijacked by a third party, much less damage can occur. If programs infected by malware can access all processes and files on a system, they will take advantage of this. SELinux restricts access and thus also the damage radius.
In summary: by using SELinux you can define access controls for processes, files and applications. In other words, SELinux is like a watchdog which watches changes and accesses for every file on your system. Since 2003 it has been integrated into the upstream Linux kernel.
How does SELinux work?
SELinux works like a firewall. By default, everything is blocked. When you need to allow something, you have to configure it. If a service, program, or user then attempts to access or modify a file or resource that is not required for its function, access is denied and the action is logged.
Linux uses Discretionary Access Control (DAC) as its access control. Users or applications that have the appropriate rights then usually have unrestricted access to the respective files and processes of the operating system. SELinux uses Mandatory Access Control (MAC). With MAC, administrators can precisely define security policies that add attributes specifying under which conditions and in which contexts a rights holder can access certain processes or files of the operating system. If these conditions do not match, access is denied.
Before we go deeper, we should know that SELinux has three basic modes of operation. By default, it is in Enforcing mode:
- Enforcing: The default mode. SELinux is enabled and running in enforcing mode, which means all policies are active, watching and logging actions.
- Permissive: In Permissive mode, SELinux is enabled but will not enforce the security policy; it only warns and logs actions. Permissive mode is useful for troubleshooting SELinux issues.
- Disabled: SELinux is turned off.
How to use SELinux?
To check your current mode:
If you want to change your mode, you can simply run setenforce 0 or setenforce 1. This will not change it permanently! After a reboot, your mode will switch back to the default. To make changes persistent across a system reboot, edit the ‘SELINUX=’ line in /etc/selinux/config and set it to either ‘enforcing’, ‘permissive’, or ‘disabled’.
If you disabled SELinux before, you might need to reset the policy values to their defaults.
First, set enforcing in ‘/etc/selinux/config’, then create the file .autorelabel in the server root directory and reboot:
touch /.autorelabel
reboot
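The difference between the runtime mode (setenforce) and the persistent mode (the ‘SELINUX=’ line) can be checked with a small script. This is an added example, not part of the original post; the function names configured_mode and check_mode and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Print the persistent mode from the last effective SELINUX= line of a config file.
configured_mode() {
    awk -F= '
        /^[ \t]*#/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == "SELINUX" {            # SELINUXTYPE= has a different key
            val = $2; sub(/#.*/, "", val); gsub(/[ \t"]/, "", val)
            mode = tolower(val)
        }
        END { print (mode == "" ? "unset" : mode) }
    ' "$1"
}

# Compare the runtime mode (as printed by getenforce) with the configured mode.
# Prints one finding; returns 0 only when both are enforcing.
check_mode() {
    runtime=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    config=$(configured_mode "$2")
    if [ "$config" = "disabled" ] || [ "$runtime" = "disabled" ]; then
        echo "FAIL: SELinux disabled (runtime=$runtime config=$config)"
        return 2
    elif [ "$runtime" != "$config" ]; then
        echo "WARN: drift, runtime=$runtime but config=$config applies after reboot"
        return 1
    elif [ "$runtime" = "permissive" ]; then
        echo "WARN: permissive now and after reboot"
        return 1
    fi
    echo "OK: enforcing now and after reboot"
}

# Constructed sample config (not from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

# Someone ran "setenforce 0" and forgot about it: drift is reported.
check_mode Permissive "$sample" || true
# On a real host: check_mode "$(getenforce)" /etc/selinux/config
```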
The following labels can be set for each process and each file to define the policies.
For example, an application may only access folders that have a certain label. Checking these rules is called SELinux enforcement.
How to set policies?
SELinux comes with a lot of policies by default; you just need to enable them. To see a list of all built-in policies, you can use the getsebool -a command.
For example, to get all http-related policies:
getsebool -a | grep http
To enable a policy:
setsebool -P httpd_can_sendmail=1
Of course you can also create your own policies. There are multiple ways to do that. The easiest way is to check the audit.log file and create the policy from there.
grep nginx /var/log/audit/audit.log | audit2why
audit2why will explain why something was blocked. If you want to create a custom policy from the audit.log file, you need to run the following command:
grep nginx /var/log/audit/audit.log | audit2allow -M nginxpolicy
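Before turning denials into a module, it helps to see which accesses they would allow. The following added example (not part of the original post) is a simplified review aid, not a replacement for audit2allow: it groups AVC denials by source type, target type, class and permissions. The function name avc_rules and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Read audit.log lines on stdin and print "<count> allow <src> <tgt>:<class> { perms };"
avc_rules() {
    awk '
        /type=AVC/ && /denied/ {
            src = ""; tgt = ""; cls = ""
            # Permissions sit between "{" and "}".
            s = index($0, "{"); e = index($0, "}")
            perms = substr($0, s + 1, e - s - 1)
            gsub(/^ +| +$/, "", perms)
            for (i = 1; i <= NF; i++) {
                # A context is user:role:type:level; the type is the third part.
                if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
                if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
                if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            if (src != "" && tgt != "" && cls != "")
                n["allow " src " " tgt ":" cls " { " perms " };"]++
        }
        END { for (r in n) print n[r], r }
    ' | LC_ALL=C sort -k2
}

# Constructed sample log lines (not from a real host).
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
type=AVC msg=audit(1700000000.101:401): avc:  denied  { name_connect } for  pid=2210 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.101:401): arch=c000003e syscall=42 success=no comm="nginx"
type=AVC msg=audit(1700000005.310:409): avc:  denied  { name_connect } for  pid=2210 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000009.512:415): avc:  denied  { read open } for  pid=2211 comm="nginx" path="/etc/shadow" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
EOF

# The second rule (httpd_t reading shadow_t) is one you would not want to allow.
avc_rules < "$sample_log"
# On a real host: grep nginx /var/log/audit/audit.log | avc_rules
```

audit2allow -M nginxpolicy writes nginxpolicy.te and nginxpolicy.pp; read the .te file in the same way before loading the module with semodule -i nginxpolicy.pp.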
To make even more specific policies, you need to understand the targeted SELinux policy. There are 4 types of access control in the targeted policy:
- Type Enforcement (TE): Type Enforcement is the primary mechanism of access control used in the targeted policy.
- Role-Based Access Control (RBAC): Based around SELinux users (not necessarily the same as the Linux user), but not used in the default configuration of the targeted policy.
- Multi-Level Security (MLS): Not commonly used and often hidden in the default targeted policy.
- Multi-Category Security (MCS): An extension of Multi-Level Security, used in the targeted policy to implement compartmentalization of virtual machines and containers through sVirt.
Note: The -Z switch works with most utilities to show SELinux security contexts (e.g., ‘ls -Z’, ‘ps axZ’ etc.).
This blog post was written for SELinux beginners. SELinux can be very complicated, and its administration can be very time-consuming. My recommendation: if you want to use SELinux, the administrator should document every change. Otherwise the overview can quickly get lost. But never disable SELinux! Instead, set it to permissive mode! Have fun with Security Enhanced 🙂