Hands on SELinux

SELinux was such a burden for me years ago (and still is sometimes 🙂). The first time I worked as a sysadmin, I had to deploy an Apache server whose DocumentRoot was an NFS mount. I spent two days wondering why on earth Apache couldn't read its html directory. You feel pretty stupid when you find out that something called SELinux is on by default and, in the targeted policy, forbids httpd processes from touching NFS-mounted files unless the httpd_use_nfs boolean is turned on!

SELinux is a wonderful tool for hardening your system, and it can also throw that system into chaos if you mess with it xD.

What is SELinux?

SELinux is a mandatory access control system built into the kernel as a Linux Security Module. A loaded policy, a set of rules, decides which subject (a process running in a domain) may perform which operation on which object (file, directory, socket, port, ...). Every process and every object carries a security label (its context), and each access decision is the result of matching the subject's and the object's labels against the policy rules. File labels live in extended attributes, which is why the whole file system has to be labeled for SELinux to work.

It governs access to files and other objects far more finely than classic permissions and ACLs do, but it does not replace them: the DAC checks (mode bits, ownership, ACLs) run first, and SELinux is consulted only when DAC has already granted the access. A DAC refusal never produces a SELinux denial message, while a SELinux denial can hit a file that is world-readable.

What do you need to know about SELinux?

Assuming your kernel is built with SELinux and the system was installed with SELinux support, here are some basics to get you familiar with it (everything below is on CentOS 6).

SELinux Configuration

With SELinux enabled in your kernel, the first things to know are which mode and which policy type (targeted, mls) you are running.

The mode enables or disables enforcement, whereas the policy type defines what gets confined and how. targeted, the default and by far the most common, confines a set of system daemons (httpd, sshd, named, ...) in their own domains and leaves ordinary user sessions in the unconfined domain; mls adds Multi Level Security labels for systems that need classification levels.

SELinux Modes are:

  • Enforcing: the policy is enforced; accesses it forbids are denied and logged.
  • Permissive: the policy is loaded and consulted, but nothing is denied; every access that enforcing mode would have refused is logged instead.
  • Disabled: no policy is loaded and labels are not maintained, so files created in this mode end up unlabeled.

When to use permissive mode?

If your system was not using SELinux before and you want to end up in enforcing mode, run in permissive mode first and audit the denials you collect while exercising your applications. Because nothing is blocked in permissive mode, one run shows the whole chain of accesses an application needs, instead of stopping at the first denial.

If auditd is installed and running, denials are recorded in /var/log/audit/audit.log as type=AVC records containing the string "denied":

# grep denied /var/log/audit/audit.log

Each record names the source context (scontext, the process domain), the target context (tcontext, the object's label), the object class (tclass) and the permissions that were refused, for example { read }. The ausearch tool (ausearch -m avc) finds the same records and also looks through rotated logs.

audit2allow reads those records and turns them into policy. With -a -w it explains each denial and tells you when simply enabling a boolean (setsebool) would fix it; with -a alone it prints the allow rules it would generate. Read its recommendations critically: a rule that lets httpd_t write everything "fixes" the denial but also defeats the point of confinement, so prefer a boolean, or relabeling the files with the right type, whenever one exists. Some denials are silenced by dontaudit rules in the policy; if a permissive run still misbehaves without any AVC record, disable them temporarily with semodule -DB (and re-enable them with semodule -B).

Once the policy has the rules, booleans or labels your applications need, switch back to enforcing mode.
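
Here is a small shell script, added as an example (it is not part of the original post), that does the grep-and-read step on its own: it pulls the type=AVC denied records out of an audit.log and counts them by source domain, target type, object class and permission, so the noisiest denial is at the top. The log lines it ships with are constructed, modelled on what auditd writes for httpd reading an NFS-mounted DocumentRoot and connecting to MySQL, not a capture from a real host; the function names are my own. Point avc_summary at /var/log/audit/audit.log for real data.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials from an audit.log.
# Output lines: "<count> <source type> <target type> <class> <permissions>",
# noisiest first. Only "type=AVC ... denied" records are counted;
# SYSCALL records and AVC "granted" records are ignored.
avc_summary() {   # avc_summary FILE
    awk '
    /^type=AVC / && /avc: +denied/ {
        perms = ""; s = ""; t = ""; c = ""
        # the refused permissions sit between { and }
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) s = substr($i, 10)
            if ($i ~ /^tcontext=/) t = substr($i, 10)
            if ($i ~ /^tclass=/)   c = substr($i, 8)
        }
        # keep only the type, the third component of user:role:type:level
        split(s, sa, ":"); split(t, ta, ":")
        count[sa[3] " " ta[3] " " c " " perms]++
    }
    END { for (k in count) print count[k], k }
    ' "$1" | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample log (not a real capture): httpd reading an NFS-mounted
# DocumentRoot and connecting to MySQL, two classic targeted-policy denials.
make_sample_log() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
type=AVC msg=audit(1418030623.464:189): avc:  denied  { read } for  pid=2093 comm="httpd" name="index.html" dev=0:16 ino=12 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1418030623.464:189): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1418030625.101:190): avc:  denied  { getattr } for  pid=2093 comm="httpd" path="/var/www/html/index.html" dev=0:16 ino=12 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1418030630.222:191): avc:  denied  { name_connect } for  pid=2093 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1418030631.333:192): avc:  denied  { read } for  pid=2094 comm="httpd" name="logo.png" dev=0:16 ino=13 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
EOF
    printf '%s\n' "$f"
}

# Run against the log given on the command line, otherwise against the sample.
if [ -n "$1" ]; then
    avc_summary "$1"
else
    sample=$(make_sample_log)
    avc_summary "$sample"
    rm -f "$sample"
fi
```

On the sample the first line reads "2 httpd_t nfs_t file read", which is exactly the httpd_use_nfs case from the introduction; the tcp_socket line against mysqld_port_t is the other boolean you will meet on a LAMP box (httpd_can_network_connect_db). Grouping by type rather than by full context is deliberate: the user and role parts of the label vary with how the daemon was started and would split one problem into several rows.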

Switching between enforcing and permissive is a live change (setenforce, see below); no reboot is needed. Switching to or from disabled is different: the policy is loaded at boot, so you edit /etc/selinux/config and reboot. When coming back from disabled, keep in mind that files created in the meantime carry no label (they show up as unlabeled_t); create the file /.autorelabel before rebooting so the whole file system is relabeled on the way up, otherwise services will run into denials on those files.

Here is your set of tools for inspecting and changing the SELinux mode and policy:

  • sestatus command:

Use sestatus to see the current state of SELinux on your system: whether it is enabled, the mode it is running in, the mode set in the config file, and the policy that is loaded. On my box it reports enforcing mode and the targeted policy.

  • getenforce, setenforce commands

getenforce prints the mode SELinux is currently running in. setenforce 0 switches to permissive and setenforce 1 to enforcing (the words Permissive and Enforcing are accepted as well). The change takes effect immediately but is not persistent: it is lost at the next reboot, and it cannot enable SELinux on a system that booted with it disabled.

To make the mode and policy persistent, edit /etc/selinux/config (on CentOS 6, /etc/sysconfig/selinux is a symlink to it); this file is read at boot:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
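
A companion script, added here as an example (it is not from the original post), for the persistence problem just described: setenforce changes the kernel, the config file changes what the next boot will do, and after a forgotten setenforce 0 the two silently disagree. It parses an /etc/selinux/config-style file, rewrites SELINUX= without risking an invalid value, and compares the file against a running mode such as the output of getenforce. The config it demonstrates on is a constructed copy of the CentOS 6 file written to a temporary path, so it runs on a box without SELinux; the function names are my own.

```shell
#!/bin/sh
# Added example: read and set the persistent SELinux mode in an
# /etc/selinux/config-style file, and detect drift between that file and
# the mode the kernel is actually running.

# Print the value of KEY (SELINUX or SELINUXTYPE) from FILE, skipping
# comment lines; the last assignment wins, as it does at boot.
config_value() {   # config_value FILE KEY
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key        { val = $2 }
        END              { print val }
    ' "$1"
}

# Rewrite SELINUX= in FILE to MODE, refusing anything but the three valid
# values so a typo cannot leave the next boot without a usable setting.
# The file is rewritten in place (cat > FILE) rather than replaced with mv:
# a temp file moved in from /tmp keeps the label it got there (mv preserves
# contexts, cp does not), and /etc/selinux/config must stay selinux_config_t.
set_config_mode() {   # set_config_mode FILE MODE
    case "$2" in
        enforcing|permissive|disabled) ;;
        *) echo "set_config_mode: invalid mode '$2'" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    sed "s/^SELINUX=.*/SELINUX=$2/" "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Compare the configured mode with RUNNING_MODE (what getenforce prints).
# Returns 0 when they agree and 1 when they differ, so a cron job or a
# configuration-management check can catch a forgotten `setenforce 0`.
mode_drift() {   # mode_drift FILE RUNNING_MODE
    want=$(config_value "$1" SELINUX)
    have=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$want" = "$have" ] && return 0
    echo "drift: $1 says SELINUX=$want but the kernel is $have" >&2
    return 1
}

# Constructed copy of the CentOS 6 file (not read from a real host).
demo_config() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
EOF
    printf '%s\n' "$f"
}

# On a real SELinux host, report drift; elsewhere, demonstrate on the copy.
if [ -r /etc/selinux/config ] && command -v getenforce >/dev/null 2>&1; then
    mode_drift /etc/selinux/config "$(getenforce)" && echo "config and kernel agree"
else
    cfg=$(demo_config)
    echo "configured: SELINUX=$(config_value "$cfg" SELINUX) SELINUXTYPE=$(config_value "$cfg" SELINUXTYPE)"
    mode_drift "$cfg" Enforcing || echo "(expected: the sample file says permissive)"
    set_config_mode "$cfg" enforcing && mode_drift "$cfg" Enforcing && echo "after edit: in sync"
    rm -f "$cfg"
fi
```

The drift check is the piece worth keeping: the mode sestatus reports as "Current mode" and the one it reports as "Mode from config file" are exactly the two values compared here, and a box where they differ either had a manual setenforce nobody wrote down or a boot that did not go as planned.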

 

Don't freak out if the policy lacks some rules your application needs :) you can always add them by building a local policy module with audit2allow, but that is not the goal of this post. I'll write another one on customized policies :p