SELinux
SELinux provides an additional layer of security on top of the ordinary permission bits and ownership. It is label-based and governed by a far more detailed set of rules, known as mandatory access control: the policy, not the owner of a file, decides whether an access is allowed.
SELinux is a set of security rules that determine which process can access which files, directories and ports. Every file, process, directory and port carries a security label called an SELinux context, written as user:role:type:level (for example system_u:object_r:httpd_sys_content_t:s0). The policy uses that context, primarily its type field, to decide whether a process may access a file, directory or port. The policy is default-deny: unless an explicit allow rule grants the interaction, it is refused.
The ps, ls, cp and mkdir commands all accept a -Z option: ps -Z and ls -Z display the SELinux context of processes and files, while cp -Z and mkdir -Z give the files or directories they create the default context for their destination instead of the source's.
You can also configure the SELinux mode persistently through the /etc/selinux/config file (the SELINUX= line, read at boot); setenforce only changes the running mode until the next reboot.
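The following is an added worked example, not code from the original page: it reads and rewrites the SELINUX= setting in a config file, refuses the dangerous value unless overridden, and checks for drift between the persistent setting and the running mode reported by getenforce. The helper names (configured_mode, set_configured_mode, mode_drift), the FORCE variable and the sample config text are this example's own assumptions; the edit is demonstrated on a temporary copy so it runs without root.

```sh
#!/bin/sh
# Added example (not from the original page): manage the SELinux mode
# persistently in /etc/selinux/config and spot drift against the running mode.
# Helper names, the FORCE override and the sample file content are assumptions.

# Print the SELINUX= value from a config file (default /etc/selinux/config),
# ignoring comment lines and the unrelated SELINUXTYPE= key.
configured_mode() {
    file="${1:-/etc/selinux/config}"
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$file" \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# Rewrite SELINUX= in a config file. Only the three valid values are accepted;
# "disabled" is refused unless FORCE=1, because re-enabling later means a
# full relabel (touch /.autorelabel) and a reboot.
set_configured_mode() {
    file="$1"; mode="$2"
    case "$mode" in
        enforcing|permissive) ;;
        disabled) [ "${FORCE:-0}" = 1 ] || { echo "refusing to disable SELinux; set FORCE=1 to override" >&2; return 2; } ;;
        *) echo "invalid mode: $mode" >&2; return 2 ;;
    esac
    tmp="$file.tmp.$$"
    # Write back through the existing inode so the file keeps its mode and
    # its own SELinux label (mv of a temp file would replace both).
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$file" > "$tmp" \
        && cat "$tmp" > "$file" && rm -f "$tmp"
}

# Compare the persistent setting with the running mode (getenforce prints
# Enforcing/Permissive/Disabled). A mismatch usually means someone ran
# "setenforce 0" while troubleshooting and never switched back.
mode_drift() {
    configured="$1"; running="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
    if [ "$configured" = "$running" ]; then
        echo "ok"
    else
        echo "drift: config=$configured running=$running"
    fi
}

# Demo on a constructed copy of the config (approximate stock comments).
demo_config="${TMPDIR:-/tmp}/selinux-config-demo.$$"
cat > "$demo_config" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
EOF

echo "configured: $(configured_mode "$demo_config")"
set_configured_mode "$demo_config" enforcing
echo "after edit:  $(configured_mode "$demo_config")"
# On a real host "setenforce 1" switches the running mode immediately;
# getenforce then lets us check for drift against the file.
if command -v getenforce >/dev/null 2>&1; then
    mode_drift "$(configured_mode "$demo_config")" "$(getenforce)"
fi
rm -f "$demo_config"
```

Run it as-is to see the edit on the temporary copy; point set_configured_mode at /etc/selinux/config (as root) for the real thing, and remember the change only takes effect at the next boot.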
Consider two files created in /tmp, one moved (mv) to /var/www/html and the other copied (cp) to the same directory. The moved file keeps the context it received in /tmp (user_tmp_t), because mv preserves the label along with the rest of the inode, so httpd cannot read it. The copied file is created fresh in /var/www/html and inherits that directory's default context (httpd_sys_content_t), so httpd can serve it. Check both with ls -Z; restorecon resets the moved file to the label the policy defines for its new path.
If needed, install the policycoreutils and policycoreutils-python packages (policycoreutils-python-utils on RHEL 8 and later). They provide the restorecon and semanage commands, respectively.
Example of setting contexts for httpd:
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html(/.*)?"   # record the rule in the policy so it survives relabels
restorecon -R -v /var/www/html                                          # apply the policy's label to the files that exist now
touch /.autorelabel                                                     # optional: full relabel of every filesystem at next boot, not needed after restorecon on the affected tree
Note that httpd_sys_rw_content_t lets httpd write as well as read. For static content the default httpd_sys_content_t (read-only) is the safer label, so limit a read-write rule to the directories the application must actually write to rather than the whole document root.
SELinux booleans are switches that change the behaviour of the SELinux policy without rewriting it. Each boolean enables or disables a set of rules, and security administrators use them to tune the policy with selective adjustments. getsebool -a lists them with their current values; setsebool -P makes a change persistent across reboots.
To understand what actions you must take when SELinux prevents access to files on a server, use the following steps as a guide to troubleshooting:
- Before making any adjustment, consider that SELinux may be doing its job correctly by prohibiting the attempted access. If a web server tries to access files in /home, this could signal a compromise of the service if web content is not published by users. Only if the access should have been granted do the remaining steps apply.
- The most common SELinux issue is an incorrect file context. This occurs when a file is created in a location with one file context and moved to a place where a different context is expected. In most cases, running restorecon on the affected path corrects the issue. Fixing a problem this way has a very narrow impact on the security of the rest of the system.
- Another remedy for overly restrictive access is adjusting a boolean. For example, the ftpd_anon_write boolean controls whether anonymous FTP users can upload files; you must turn it on to permit anonymous uploads. Adjusting booleans requires more care because a single boolean can have a broad impact on system security.
- The SELinux policy may have a bug that prevents legitimate access. Now that SELinux has matured this is rare, so exhaust the previous steps before assuming a policy bug.
To monitor SELinux violations, explore the following:
tail /var/log/audit/audit.log                      # raw AVC records written by auditd
tail /var/log/messages                             # setroubleshoot summaries, each naming a sealert id
sealert -l 613ca624-248d-48a2-a7d9-d28f5bbe2763    # full analysis and suggested fixes for one event
ausearch -m AVC -ts recent                         # AVC denials from the last ten minutes
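The troubleshooting steps and the log sources above can be turned into a first-pass triage. The following is an added example, not code from the original page: it parses AVC records in the format auditd writes to /var/log/audit/audit.log, classifies each denial (port binding, home-directory content, a tmp/default label that restorecon would fix, a write to read-only web content, or something that needs sealert), and prints the next action the steps above prescribe. The helper names, the type lists used for classification and the sample records are this example's own; the records are constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example (not from the original page): triage AVC denials as the
# troubleshooting steps describe. Helper names, classification lists and the
# sample records below are this example's own assumptions.

# Value of a key=value token in an AVC record (surrounding quotes stripped).
avc_field() {  # $1 = record, $2 = key
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2); gsub(/"/, "", v); print v; exit
            }
        }
    }'
}

# The permission(s) listed inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/[[:space:]]*$//'
}

# Type field of a context: user:role:type:level -> type.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Classify one denial: port | homedir | mislabel | readonly | other.
triage() {
    rec="$1"
    perm=$(avc_perm "$rec")
    tclass=$(avc_field "$rec" tclass)
    ttype=$(ctx_type "$(avc_field "$rec" tcontext)")
    case "$tclass:$perm" in
        tcp_socket:name_bind|udp_socket:name_bind) echo port; return 0 ;;
    esac
    if [ "$ttype" = httpd_sys_content_t ]; then
        case " $perm " in *' write '*|*' create '*|*' add_name '*) echo readonly; return 0 ;; esac
    fi
    case "$ttype" in
        user_home_t|user_home_dir_t|home_root_t)              echo homedir ;;
        user_tmp_t|tmp_t|admin_home_t|default_t|unlabeled_t)  echo mislabel ;;
        *)                                                    echo other ;;
    esac
}

# Map the classification to the next action from the troubleshooting steps.
suggest() {
    rec="$1"
    comm=$(avc_field "$rec" comm); name=$(avc_field "$rec" name); src=$(avc_field "$rec" src)
    stype=$(ctx_type "$(avc_field "$rec" scontext)")
    case "$(triage "$rec")" in
        port)     echo "$comm ($stype): bind to port $src denied; check 'semanage port -l' and add or modify the port type for $src" ;;
        homedir)  echo "$comm ($stype): read of home-directory content '$name'; confirm this is expected before allowing it (possible compromise), then review the relevant boolean with getsebool" ;;
        mislabel) echo "$comm ($stype): '$name' carries a tmp/default label; run restorecon -Rv on its directory and verify with ls -Z" ;;
        readonly) echo "$comm ($stype): write to read-only web content '$name'; if the app must write there, label only that directory httpd_sys_rw_content_t with semanage fcontext and restorecon" ;;
        *)        echo "$comm ($stype): no label problem visible; run 'ausearch -m AVC -ts recent' and sealert -l <id> for the full analysis" ;;
    esac
}

# Constructed sample records (not captured from a real host).
AVC_SAMPLE='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.456:457): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000002.789:458): avc:  denied  { read } for  pid=2345 comm="httpd" name="notes.txt" dev="dm-0" ino=9012 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000003.012:459): avc:  denied  { write } for  pid=2345 comm="httpd" name="uploads" dev="dm-0" ino=3456 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0'

printf '%s\n' "$AVC_SAMPLE" | while IFS= read -r rec; do suggest "$rec"; done

# On a real host, feed live records instead (ausearch --raw keeps the audit format).
if command -v ausearch >/dev/null 2>&1; then
    ausearch -m AVC -ts recent --raw 2>/dev/null | grep '^type=AVC' \
        | while IFS= read -r rec; do suggest "$rec"; done
fi
```

The classification is deliberately conservative: anything it cannot explain from the labels falls through to sealert rather than to a policy change, which matches the order of the steps above (check the label first, then booleans, and only then suspect the policy).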
Ports are labelled too. To list the ports governed by SELinux, and to bind port 8080/TCP to the http_port_t type so that httpd may listen on it, use the semanage port subcommand (list the current mappings, then add or modify the one you need).
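An added example follows, not the page's own commands: a helper (semanage_port_cmd, this example's name) that validates the port and protocol and builds the semanage port command, choosing -a or -m by consulting the output of semanage port -l. The excerpt of that output embedded below is constructed for the demo. The distinction matters in practice: semanage port -a fails with "Port tcp/8080 already defined" when the policy already lists that exact port (on targeted-policy systems 8080/tcp is normally listed under http_cache_port_t), and -m changes the existing entry's type instead, whereas a port that merely falls inside a wider range such as unreserved_port_t's 1024-32767 is still added with -a.

```sh
#!/bin/sh
# Added example (not from the original page): build a semanage port command,
# picking -a (add) or -m (modify) from the current "semanage port -l" output.
# The helper name and the sample listing are this example's own assumptions.

# Exit 0 if the exact port spec (single port or identical range) is already
# listed for the protocol in a saved "semanage port -l" listing, else 1.
port_defined() {  # $1 = port or lo-hi range, $2 = tcp|udp, $3 = listing file
    awk -v want="$1" -v proto="$2" '
        NR > 1 && $2 == proto {
            s = ""
            for (i = 3; i <= NF; i++) s = s (i > 3 ? " " : "") $i
            n = split(s, ports, /, */)
            for (i = 1; i <= n; i++) if (ports[i] == want) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }' "$3"
}

# Print the semanage command for labelling a port; only tcp/udp accepted here.
semanage_port_cmd() {  # $1 = port or lo-hi, $2 = proto, $3 = port type, $4 = listing file
    port="$1"; proto="$2"; type="$3"; list="$4"
    case "$proto" in tcp|udp) ;; *) echo "proto must be tcp or udp: $proto" >&2; return 2 ;; esac
    case "$port" in
        ""|*[!0-9-]*|-*|*-|*-*-*) echo "bad port spec: $port" >&2; return 2 ;;
    esac
    lo="${port%-*}"; hi="${port#*-}"
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ] \
        || { echo "port out of range: $port" >&2; return 2; }
    case "$type" in *_port_t) ;; *) echo "type should be a *_port_t type: $type" >&2; return 2 ;; esac
    if port_defined "$port" "$proto" "$list"; then op=-m; else op=-a; fi
    echo "semanage port $op -t $type -p $proto $port"
}

# Constructed excerpt of "semanage port -l" output for the demo; on a real
# host capture the live listing with: semanage port -l > "$PORT_LIST"
PORT_LIST="${TMPDIR:-/tmp}/semanage-port-demo.$$"
cat > "$PORT_LIST" <<'EOF'
SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t              tcp      1024-32767
EOF

semanage_port_cmd 8080 tcp http_port_t "$PORT_LIST"   # 8080 is listed: modify
semanage_port_cmd 8081 tcp http_port_t "$PORT_LIST"   # inside a range only: add
rm -f "$PORT_LIST"
```

After running the printed command, confirm it with semanage port -l | grep http_port_t and restart the service; a daemon started before the change will not retry the bind on its own.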
Summary
Use the getenforce and setenforce commands to manage the SELinux mode of a system. Use the semanage command to manage SELinux policy rules (file contexts, ports and booleans). The restorecon command applies the context defined by the policy. Booleans are switches that change the behaviour of the SELinux policy; they can be enabled or disabled and are used to tune the policy. The sealert command displays useful information to help with SELinux troubleshooting.
Command references: getenforce, setenforce, selinux_config, chcon, restorecon, semanage, semanage-fcontext, getsebool and setsebool.