enforcing.<\/em><\/p>\nIn permissive mode SELinux is doing everything except denying any activity. Log messages will appear just as though SELinux was enforcing policy on your system.<\/p>\n
It is highly recommended to start in permissive mode and check your logs before going to enforcing, which we will do below. Permissive mode seems to be the default mode on most linux distros.<\/p>\n
The most useful commands for checkiong the status of SELinux are:<\/p>\n
sestatus\ngetenforce<\/pre>\nOn Centos 7, these utilities can be found in the following packages which are part of the base installation:<\/p>\n
[sysadmin@server ~]$ sudo yum -q whatprovides \/sbin\/sestatus<\/strong>\npolicycoreutils-2.5-29.el7.x86_64 : SELinux policy core utilities\nRepo : @base\n\n[sysadmin@server ~]$ sudo yum -q whatprovides \/sbin\/getenforce<\/strong>\nlibselinux-utils-2.5-14.1.el7.x86_64 : SELinux libselinux utilies\nRepo : @base\n<\/pre>\nSELinux Disabled<\/h5>\n
In disabled mode, SELinux is not loaded into the kernel, and no functionality is available.<\/p>\n
[sysadmin@server ~]# sestatus<\/strong>\nSELinux status: disabled<\/pre>\nIf your machine looks like above, then check the following file:<\/p>\n
cat \/etc\/selinux\/config<\/strong>\n# This file controls the state of SELinux on the system.\n# SELINUX= can take one of these three values:\n# enforcing - SELinux security policy is enforced.\n# permissive - SELinux prints warnings instead of enforcing.\n# disabled - No SELinux policy is loaded.\nSELINUX=disabled\n# SELINUXTYPE= can take one of these two values:\n# targeted - Targeted processes are protected,\n# minimum - Modification of targeted policy. Only selected processes are protected.\n# mls - Multi Level Security protection.\nSELINUXTYPE=targeted<\/pre>\nYou will need to enable SELinux by changing “disabled” to “permissive” and then rebooting your machine.<\/p>\n
sudo vim \/etc\/selinux\/config<\/strong>\nSELINUX=permissive<\/pre>\nThis should<\/em> be a safe action. I performed this without issue on a cloud machine on which I have no console access. The machine took a little longer to boot the first time, but came back as expected. Of course, there’s no guarantees so take care!<\/p>\nSELinux ENabled<\/h5>\n
getenforce<\/em> provides a simple one-line output, useful for confirming which enabled mode your system is in:<\/p>\n[sysadmin@server ~]$ getenforce<\/strong>\nPermissive<\/pre>\nsestatus <\/em>provides a more detailed output:<\/p>\n[sysadmin@server ~]$ sestatus<\/strong>\nSELinux status: enabled\nSELinuxfs mount: \/sys\/fs\/selinux\nSELinux root directory: \/etc\/selinux\nLoaded policy name: targeted\nCurrent mode: permissive\nMode from config file: permissive\nPolicy MLS status: enabled\nPolicy deny_unknown status: allowed\nMax kernel policy version: 28<\/pre>\nThe most useful information here is the mode (permissive) and the policy name (targeted).<\/p>\n
From here we’ll assume you are in permissive<\/em> mode.<\/p>\nHow to find SELinux Logs<\/h4>\n
On Centos, SELinux uses the linux audit daemon (service), known as auditd<\/em>.<\/p>\nAuditd logs everything to \/var\/log\/audit\/audit.log which requires elevated privileges to read:<\/p>\n
[sysadmin@server ~]$ less \/var\/log\/audit\/audit.log<\/strong>\nless: \/var\/log\/audit\/audit.log: Permission denied\n\n[sysadmin@server ~]$ sudo less \/var\/log\/audit\/audit.log<\/strong>\ntype=USER_AUTH msg=audit(1546124135.971:451246): pid=30238 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct=\"root\" exe=\"\/usr\/sbin\/sshd\" hostname=112.85.42.88 addr=112.85.42.88 terminal=ssh res=failed'\ntype=USER_AUTH msg=audit(1546124138.373:451247): pid=30238 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct=\"root\" exe=\"\/usr\/sbin\/sshd\" hostname=? addr=112.85.42.88 terminal=ssh res=failed'\n<...><\/pre>\nOn the plus side, everything you need is in one place. On the negative side, this file can get quite large, contains a log of messages unrelated to SELinux, and the output is a little cryptic.<\/p>\n
Filtering Logs<\/h5>\n
As a first step we can just filter down to the relevant logs, which will contain the text “type=AVC”. Filtering on just “AVC” will also work:<\/p>\n
[sysadmin@server ~]$ sudo grep \"AVC\" \/var\/log\/audit\/audit.log | less<\/pre>\nAVC stands for Access Vector Cache<\/em>. This is basically an in-memory cache of all SELinux decisions and is primarily used to improve performance. It also handles the logging of those decisions.<\/p>\nOn some of my systems there were no “AVC” entries in the audit file.\u00a0 On another, most of the entries were generated from activity on the internet-facing web server.<\/p>\n
I suggest running this command on some systems your administer and getting a feel for the number of messages being logged on each.<\/p>\n
In Part 3…<\/h4>\n
In the next part we’ll get down in the weeds and troubleshoot some real world examples.<\/p>\n
In doing so we’ll start with basic Linux tools, and progress to using some of the more specific SELinux tools. These tools can interpret raw logs for us and even make usable recommendations on how to resolve issues.<\/p>\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Flashback In Part 1 of this series we gave a practical overview of Security Enhanced Linux and a simplified explanation of the key terms and concepts. In this post we will learn how to the determine the status and and current mode of operation on a system, and how to change it. Then we’ll touch … <\/p>\n
Continue reading “Troubleshooting SELinux – Part 2”<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":983,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[48],"tags":[51,49,52,50],"class_list":["post-1003","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sysadmin","tag-centos","tag-linux","tag-security","tag-selinux"],"_links":{"self":[{"href":"https:\/\/airxperts.net\/index.php\/wp-json\/wp\/v2\/posts\/1003","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/airxperts.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/airxperts.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/airxperts.net\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/airxperts.net\/index.php\/wp-json\/wp\/v2\/comments?post=1003"}],"version-history":[{"count":9,"href":"https:\/\/airxperts.net\/index.php\/wp-json\/wp\/v2\/posts\/1003\/revisions"}],"predecessor-version":[{"id":1032,"href":"https:\/\/airxperts.net\/index.php\/wp-json\/wp\/v2\/posts\/1003\/revisions\/1032"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/airxperts.net\/index.php\/wp-json\/wp\/v2\/media\/983"}],"wp:attachment":[{"href":"https:\/\/airxperts.net\/index.php\/wp-json\/wp\/v2\/media?parent=1003"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/airxperts.net\/index.php\/wp-json\/wp\/v2\/categories?post=1003"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/airxperts.net\/index.php\/wp-json\/wp\/v2\/tags?post=1003"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}