wikipedia<\/a>.<\/p>\nPRE-REQUISITES<\/h5>\n
I used Centos 7 for this post. Most of my machines use Centos without a GUI installed. The tools should be identical on Red Hat (RHEL) and very similar on any modern linux distro. Of course the system commands may differ on your platform.<\/p>\n
For the rest of the post I’ll assume you are using Centos 7.<\/p>\n
[sysadmin@imago ~]$ cat \/etc\/centos-release\nCentOS Linux release 7.6.1810 (Core)<\/pre>\nHow SELinux Works<\/h4>\n
For those familiar with networking, SELinux works a little like a firewall, in that it controls activity between sources and targets based on a configured policy. That policy may include definitions of the source and target objects and rules about the types of activity allowed between them.<\/p>\n
SELinux differs from a firewall in that it is interested in the activity within<\/em> your system, not between<\/em> systems on a network. And it does a very good job of this.<\/p>\nKEY CONCEPT: Objects<\/h5>\n
Objects are those “sources” or “targets” in our firewall analogy, either performing an action, or having an action performed on them.<\/p>\n
Objects include a whole range of linux “things”, such as processes, files, directories, devices and sockets. But typically we’ll be dealing with processes and the filesystem.<\/p>\n
SELinux has total visibiility and control of the activity between any of these objects. For example, when a process tries to read a file, or open a network socket, SELinux has the power to permit or deny this action.<\/p>\n
KEY CONCEPT: CONTEXTS<\/h5>\n
While SELinux can is very flexible and can get very complicated, the basics are actually quite simple.<\/p>\n
Every object on the system is labelled with an SELinux context<\/em>. The context is stored in a label,<\/em> so the terms ‘context’ and ‘label’ are often used interchangably.<\/p>\nA label has four fields: user, role, type and security level.<\/p>\n
KEY CONCEPT: TYPES<\/h5>\n
In this series we will mainly be concerned with the type<\/em> field. The type is what’s usually used to construct the default policy on most linux distributions. And for most situations that’s all that’s required.<\/p>\nThe user<\/em> and role<\/em> fields are generally not used except in the most hardened environments. They are there to allow an ever richer set of SELinux policies, termed Role-Based Access Control (RBAC)<\/em>. This sounds similar to the tradional DAC but is much more powerful, and we won’t cover it in this series.<\/p>\nViewing Contexts<\/h4>\n
SELinux labels are already there, whether you are using them or not.<\/p>\n
If you were to look at the files in a directory with the “-Z” option, you will see the SELinux context associated with each object (file or directory), including the type.<\/p>\n
Filesystem CONTEXTS<\/h5>\n
Here is how my home directory looks:<\/p>\n
[sysadmin@server ~]$ ls -aZ\ndrwx------. sysadmin sysadmin system_u:object_r:user_home_dir_t:s0 .\ndrwxr-xr-x. root root system_u:object_r:home_root_t:s0 ..\n-rw-------. sysadmin sysadmin system_u:object_r:user_home_t:s0 .bash_history\n-rw-r--r--. sysadmin sysadmin system_u:object_r:user_home_t:s0 .bash_logout\n-rw-r--r--. sysadmin sysadmin system_u:object_r:user_home_t:s0 .bash_profile\n-rw-r--r--. sysadmin sysadmin system_u:object_r:user_home_t:s0 .bashrc\n-rw-------. sysadmin sysadmin system_u:object_r:user_home_t:s0 .lesshst\ndrwx------. sysadmin sysadmin system_u:object_r:ssh_home_t:s0 .ssh\n-rw-rw-r--. sysadmin sysadmin system_u:object_r:user_home_t:s0 tmp1\n-rw-rw-r--. sysadmin sysadmin system_u:object_r:user_home_t:s0 tmp2\n-rw-------. sysadmin sysadmin unconfined_u:object_r:user_home_t:s0 .viminfo\n-rw-r--r--. sysadmin sysadmin system_u:object_r:user_home_t:s0 .vimrc<\/pre>\nThe context for this directory is ‘system_u:object_r:user_home_dir_t:s0’, and this contains the four field previously mentioned.<\/p>\n
Type are easily spotted by ending in “_t”. The type of this directory and most of the files within is “user_home_t”.<\/p>\n
Process CONTEXTs<\/h5>\n
Processes also have a context and a type, and simillarly, these can be shown with the “-Z” switch. Most of the standard utilities that use permissions have adopted this switch:<\/p>\n
[sysadmin@server ~]$ ps -aZ\nLABEL PID TTY TIME CMD\nunconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2744 pts\/0 00:00:00 sudo\nunconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2748 pts\/0 00:00:00 su\nunconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2749 pts\/0 00:00:00 bash\nunconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3648 pts\/0 00:00:00 tail\nunconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3649 pts\/0 00:00:00 grep\nunconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5524 pts\/1 00:00:00 ps<\/pre>\nHere, all the processes my user has initiated are of type “unconfined_t”.<\/p>\n
Actually, the correct term for a process is domain<\/em>, not type. But the ‘_t’ naming convention is still used. I suspect this is because processes are more complex that files and would be assoicated with particular addresses in RAM for example. But be aware that type and domain could be used interchangably in respect to processes.<\/p>\nSELinux Policies<\/h4>\n
Unlike a network firewall, which comes with either no rules or a ‘allow everything’ rule, SELinux comes with a default policy and a rich set of default rules that are a workable starting point for most systems. Remember SELinux is mandatory<\/em> access control. Similar to context labels which are already there, so is a policy.<\/p>\nWe’ll see how to determine which policy is in effect below.<\/p>\n
POLICY Rules<\/h5>\n
Rules basically boil down to which type of objects <\/em>can do what actions<\/em> to which types of objects.<\/em><\/p>\nFor example can a process of type “unconfined_t” write to a directory with the “user_home_dir_t” type? Can it read from the same directory? Or modify a particular file in that directory?<\/p>\n
How SELinux\u00a0 Rules Are Applied<\/h4>\n
SELinux is loaded into the kernel at boot, so it’s able to be right at the core of all activity on your system.<\/p>\n
TRADITIONAL SECURITY CONTROLS<\/h5>\n
You may already be familiar with the regular user+group filesystem permissions system used on Linux. This system is known as Discretionary Access Control (DAC)<\/em>.<\/p>\nWhen you are using SELinux, DAC remains in effect. In fact DAC is applied before<\/em> SELinux. If for example DAC blocks an action, then SELinux will not see the attempted action or log it. SELinux does not modify DAC’s filesystem permissions or behaviour in any way. It runs in series.<\/p>\nSELinux interoperates similarly with other security controls, such as the host firewall.<\/p>\n
Generally SELinux does not replace other controls, it supplements them.<\/p>\n
SELinux Benefits<\/h5>\n
SELinux is a kind of Mandatory Access Control (MAC)<\/em>. Everything<\/em> is policed by SELinux once it’s enforcing.<\/p>\nFurther, all policies are defined at the administrator level. DAC allows regular users to change permission on files and directories they have write access to.<\/p>\n
SELInux improves the separation between processes, so successful privilege escalation attacks on one process are less likley to lead to other parts of the system being compromised.<\/p>\n
SELinux is also offer much more fine-grained control, even without using the RBAC features.<\/p>\n
The default action is deny<\/em>. If there is no rule explicitly allowing access, actions are blocked. This limits the damage from both malicious and accidental activity.<\/p>\nIn Part 2…<\/h4>\n
And that’s pretty much all we need to know to get started with some hands-on.<\/p>\n
In the next post we will learn how to the determine the status and and current mode of operation on a system, and how to change it.\u00a0 Then we’ll touch on where and how SELinux logs information.<\/p>\n
Join me in Troubleshooting SELinux \u2013 Part 2<\/a>.<\/p>\n\n\n<\/p>\n","protected":false},"excerpt":{"rendered":"
Hardening with SELinux I finally got around to hardening my web server over the holiday break. Well, hardening more. A very important step in hardening linux is ensuring selinux is both enabled and enforcing. Of course the risk is that Security Enhanced Linux starts blocking things that should not be blocked…<\/p>\n","protected":false},"author":2,"featured_media":983,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[48],"tags":[51,49,52,50],"class_list":["post-949","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sysadmin","tag-centos","tag-linux","tag-security","tag-selinux"],"_links":{"self":[{"href":"https:\/\/airxperts.net\/index.php\/wp-json\/wp\/v2\/posts\/949","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/airxperts.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/airxperts.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/airxperts.net\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/airxperts.net\/index.php\/wp-json\/wp\/v2\/comments?post=949"}],"version-history":[{"count":30,"href":"https:\/\/airxperts.net\/index.php\/wp-json\/wp\/v2\/posts\/949\/revisions"}],"predecessor-version":[{"id":1008,"href":"https:\/\/airxperts.net\/index.php\/wp-json\/wp\/v2\/posts\/949\/revisions\/1008"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/airxperts.net\/index.php\/wp-json\/wp\/v2\/media\/983"}],"wp:attachment":[{"href":"https:\/\/airxperts.net\/index.php\/wp-json\/wp\/v2\/media?parent=949"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/airxperts.net\/index.php\/wp-json\/wp\/v2\/categories?post=949"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/airxperts.net\/index.php\/wp-json\/wp\/v2\/tags?post=949"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}