
Introduction to SELinux

Posted on 2020-07-17, 14 min read

SELinux Overview

Security-Enhanced Linux (SELinux) is a security architecture integrated into the 2.6.x kernel using the Linux Security Modules (LSM). It is a project of the United States National Security Agency (NSA) and the SELinux community.

Security-Enhanced Linux (SELinux) provides an additional layer of system security on top of the standard Linux permissions. SELinux fundamentally answers the question "May <subject> do <action> to <object>?", for example: "May a web server access files in users' home directories?". All processes and files are labeled. SELinux policy rules define how processes interact with files, as well as how processes interact with each other.

SELinux Architecture

SELinux is a Linux Security Module (LSM) that is built into the Linux kernel. The SELinux subsystem in the kernel is driven by a security policy which is controlled by the administrator and loaded at boot. All security-relevant, kernel-level access operations on the system are intercepted by SELinux and examined in the context of the loaded security policy. If the loaded policy allows the operation, it continues. Otherwise, the operation is blocked and the process receives an error (typically EACCES or EPERM). SELinux decisions, such as allowing or disallowing access, are cached. This cache is known as the Access Vector Cache (AVC). When using these cached decisions, SELinux policy rules need to be checked less, which increases performance. Remember that the standard discretionary access control (DAC) checks run first: SELinux policy rules have no effect if DAC rules deny access, and SELinux can only further restrict, never widen, what DAC already allows.

SELinux Packages

policycoreutils: provides utilities such as semanage, restorecon, audit2allow, semodule, load_policy, and setsebool for operating and managing SELinux. On current Fedora and RHEL the Python-based tools (semanage, audit2allow, audit2why, chcat) are split out into policycoreutils-python (policycoreutils-python-utils on RHEL 8 and recent Fedora).

selinux-policy: provides the SELinux Reference Policy, a basic directory structure, the selinux-policy.conf file, and RPM macros.

selinux-policy-targeted: provides the SELinux targeted policy.

selinux-policy-mls: provides the MLS (Multi-Level Security) SELinux policy.

selinux-policy-devel: provides utilities for creating a custom SELinux policy and policy modules.

selinux-policy-doc: provides manual pages that describe how to configure SELinux together with various services.

libselinux: provides an API for SELinux applications.

libselinux-utils: provides the avcstat, getenforce, getsebool, matchpathcon, selinuxconlist, selinuxdefcon, selinuxenabled, setenforce, and togglesebool utilities.

libselinux-python: provides Python bindings for developing SELinux applications.

policycoreutils-python: provides utilities such as semanage, audit2allow, audit2why, and chcat for operating and managing SELinux.

policycoreutils-gui: provides system-config-selinux, a graphical utility for managing SELinux.

setroubleshoot-server: translates denial messages, produced when access is denied by SELinux, into detailed descriptions that can be viewed with the sealert utility, also provided in this package.

setools, setools-gui, and setools-console: provide the Tresys Technology SETools distribution, a number of utilities and libraries for analyzing and querying policy, audit log monitoring and reporting, and file context management. setools is a meta-package; setools-gui provides the apol and seaudit utilities, and setools-console provides the sechecker, sediff, seinfo, sesearch, and findcon command-line utilities. On Red Hat Enterprise Linux the setools and setools-gui packages are available only when the Optional channel is enabled.

mcstrans: translates levels, such as s0-s0:c0.c1023, to an easier-to-read form, such as SystemLow-SystemHigh. This package is not installed by default.

SELinux States And Modes

SELinux can run in one of three modes: disabled, permissive, or enforcing.

Disabled mode is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future. Going back from disabled to permissive or enforcing requires a full filesystem relabel on the next boot (triggered by creating the file /.autorelabel), and it is safer to pass through permissive mode first so that stale labels show up as logged denials rather than as broken services.

In permissive mode, the system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development.

Enforcing mode is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system.

$ cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# default - equivalent to the old strict and targeted policies
# mls     - Multi-Level Security (for military and educational use)
# src     - Custom policy built from source
SELINUXTYPE=default

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

Use the setenforce utility to switch between enforcing and permissive mode at runtime. The change is not persistent across reboots (edit SELINUX= in /etc/selinux/config for that), and setenforce cannot move a system into or out of disabled mode; that also requires the config file and a reboot.

# Use Enforcing or 1 to put SELinux in enforcing mode.
# Use Permissive or 0 to put SELinux in permissive mode.
$ setenforce [Enforcing|Permissive|1|0]

Use the getenforce or sestatus commands to check in which mode SELinux is running. The getenforce command returns Enforcing, Permissive, or Disabled.

$ getenforce
$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      32

A single domain can be made permissive while the rest of the system stays enforcing: denials from that domain are logged with permissive=1 in the AVC record but are not blocked, which is useful for debugging one service without opening up the whole system. semanage permissive -l lists such domains and semanage permissive -d removes the exemption.

semanage permissive -a container_t

Enable/Disable SELinux On Linux

Ubuntu

## Enable SELinux
# Install the SELinux packages (Ubuntu ships AppArmor rather than SELinux by default)
$ sudo apt install policycoreutils selinux-utils selinux-basics
# Activate SELinux (writes /etc/selinux/config, sets the kernel boot parameters and schedules a full relabel on the next boot)
$ sudo selinux-activate
# Set SELinux to enforcing mode
$ sudo selinux-config-enforcing
# Reboot system
$ reboot
# Check SELinux status
$ sestatus

## Disable SELinux
# set the state in the config file
$ sudo sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
# reboot system
$ reboot

Fedora

## Enable SELinux
# Install the SELinux packages. Fedora ships SELinux enabled and enforcing by default, so this only
# makes sure the tooling is present. On recent Fedora and RHEL 8 the Python tools are packaged as
# policycoreutils-python-utils and python3-libselinux (formerly policycoreutils-python and libselinux-python).
$ sudo dnf install policycoreutils selinux-policy selinux-policy-targeted setools setools-console libselinux libselinux-utils python3-libselinux policycoreutils-python-utils setroubleshoot
# set states
$ sudo vim /etc/selinux/config
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #       enforcing - SELinux security policy is enforced.
    #       permissive - SELinux prints warnings instead of enforcing.
    #       disabled - No SELinux policy is loaded.
    SELINUX=enforcing
    # SELINUXTYPE= can take one of these two values:
    #       targeted - Targeted processes are protected,
    #       mls - Multi Level Security protection.
    SELINUXTYPE=targeted
# If SELinux was previously disabled, files on disk carry no labels: create the file /.autorelabel
# before rebooting so the whole filesystem is relabeled on the next boot
# reboot system
$ reboot

## Disable SELinux
# set the state in the config file
$ sudo sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
# reboot system
$ reboot

SELinux Context

Processes and files are labeled with an SELinux context that contains additional information, such as an SELinux user, role, type, and, optionally, a level. When running SELinux, all of this information is used to make access control decisions. SELinux provides a combination of Role-Based Access Control (RBAC), Type Enforcement (TE), and, optionally, Multi-Level Security (MLS).

SELinux contexts follow the SELinux user:role:type:level syntax.

$ ls -Z /etc/adjtime
-rw-r--r--. root root system_u:object_r:adjtime_t:s0   /etc/adjtime
$ stat -c "%C" /etc/adjtime
system_u:object_r:adjtime_t:s0

SELinux user

The SELinux user identity is an identity known to the policy that is authorized for a specific set of roles, and for a specific MLS/MCS range.

$ semanage login -l
Login Name           SELinux User         MLS/MCS Range        Service
__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ seinfo -u
Users: 6
   root
   staff_u
   sysadm_u
   system_u
   unconfined_u
   user_u

SELinux Role

Part of SELinux is the Role-Based Access Control (RBAC) security model. The role is an attribute of RBAC. SELinux users are authorized for roles, and roles are authorized for domains. The role serves as an intermediary between domains and SELinux users. The roles that can be entered determine which domains can be entered; ultimately, this controls which object types can be accessed. This helps reduce vulnerability to privilege escalation attacks.

To list all available roles, enter the following command:

$ seinfo -r

SELinux Type

The type is an attribute of Type Enforcement. The type defines a domain for processes, and a type for files. SELinux policy rules define how types can access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.

SELinux Level

The level is an attribute of MLS and MCS. An MLS range is a pair of levels, written as lowlevel-highlevel if the levels differ, or lowlevel if the levels are identical (s0-s0 is the same as s0). Each level is a sensitivity-category pair, with categories being optional. If there are categories, the level is written as sensitivity:category-set. If there are no categories, it is written as sensitivity. If the category set is a contiguous series, it can be abbreviated. For example, c0.c3 is the same as c0,c1,c2,c3. The /etc/selinux/targeted/setrans.conf file maps levels (s0:c0) to a human-readable form (for example, CompanyConfidential). In Red Hat Enterprise Linux, the targeted policy enforces MCS, and in MCS there is just one sensitivity, s0. MCS in Red Hat Enterprise Linux supports 1024 different categories: c0 through c1023. s0-s0:c0.c1023 is sensitivity s0 and authorized for all categories.
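The syntax above (user:role:type:level, ranges, abbreviated category sets) can be exercised with a small parser. This is an added example written for this post, not code from the original page or from libselinux. The contexts it uses are the ones shown in this post plus constructed container contexts; mcs_dominates is a simplified model of the MCS level constraint only (Type Enforcement rules, which are checked separately, are not modelled), and treating a context printed without a level as s0 is an assumption that holds for the targeted policy.

```python
"""Parse SELinux contexts and MLS/MCS levels, and check MCS dominance.

Added example for this post, not code from the original page or from
libselinux. It models the user:role:type:level syntax and the level
rules described above; the contexts at the bottom are constructed samples.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet

_SENS_RE = re.compile(r"^s(\d+)$")
_CAT_RE = re.compile(r"^c(\d+)$")


def _cat(token: str) -> int:
    m = _CAT_RE.match(token)
    if not m:
        raise ValueError(f"bad category {token!r}")
    return int(m.group(1))


def expand_categories(catset: str) -> FrozenSet[int]:
    """Expand a category set such as 'c0.c3,c7' into {0, 1, 2, 3, 7}.

    'cA.cB' abbreviates the contiguous run cA,cA+1,...,cB; an empty
    string means no categories.
    """
    cats = set()
    for item in filter(None, catset.split(",")):
        if "." in item:
            lo, hi = (_cat(t) for t in item.split(".", 1))
            if lo > hi:
                raise ValueError(f"bad category range {item!r}")
            cats.update(range(lo, hi + 1))
        else:
            cats.add(_cat(item))
    return frozenset(cats)


@dataclass(frozen=True)
class Level:
    sensitivity: int            # 'sN' -> N
    categories: FrozenSet[int]  # category numbers, possibly empty

    @classmethod
    def parse(cls, text: str) -> "Level":
        # A level is 'sN' or 'sN:categories'; the category set is optional.
        sens, _, cats = text.partition(":")
        m = _SENS_RE.match(sens)
        if not m:
            raise ValueError(f"bad level {text!r}")
        return cls(int(m.group(1)), expand_categories(cats))

    def dominates(self, other: "Level") -> bool:
        """MLS dominance: sensitivity not lower and categories a superset."""
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    low: Level
    high: Level

    @classmethod
    def parse(cls, text: str) -> "Context":
        # user:role:type[:range]; a range is 'low' or 'low-high' (s0-s0 == s0).
        parts = text.split(":", 3)
        if len(parts) < 3 or not all(parts[:3]):
            raise ValueError(f"bad context {text!r}")
        user, role, typ = parts[:3]
        # Assumption: a context printed without a level is treated as s0,
        # the only sensitivity the targeted (MCS) policy uses.
        rng = parts[3] if len(parts) == 4 else "s0"
        low_text, _, high_text = rng.partition("-")
        low = Level.parse(low_text)
        high = Level.parse(high_text) if high_text else low
        if not high.dominates(low):
            raise ValueError(f"high level does not dominate low level in {text!r}")
        return cls(user, role, typ, low, high)


def mcs_dominates(subject: Context, obj: Context) -> bool:
    """Simplified MCS check: the subject's high level must dominate the
    object's level (objects carry a single level, so low == high).
    Type Enforcement rules must also allow the access; only the level
    constraint is modelled here."""
    return subject.high.dominates(obj.low)


if __name__ == "__main__":
    shell = Context.parse("unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")
    adjtime = Context.parse("system_u:object_r:adjtime_t:s0")
    # constructed container contexts with disjoint category pairs
    c1 = Context.parse("system_u:system_r:container_t:s0:c1,c2")
    f2 = Context.parse("system_u:object_r:container_file_t:s0:c5,c9")
    print(len(shell.high.categories), mcs_dominates(shell, adjtime), mcs_dominates(c1, f2))
```

The last two contexts show why container runtimes hand each container its own category pair: container_t with c1,c2 dominates files labeled c1,c2 but not files labeled c5,c9, so two containers cannot read each other's files even though both run in the same type.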

SELinux Relabel File

The chcon command changes the SELinux context of files directly. The change is temporary in the sense that it is not recorded in the policy's file context database, so the next restorecon or full relabel reverts it.

$ chcon -R -t container_ro_file_t /var/lib/isulad/storage/overlay2

The restorecon command reads the file context specifications under /etc/selinux/targeted/contexts/files/ to determine which SELinux context each file should have, and resets the label accordingly (-v prints every change):

$ restorecon -R -v /var/lib/isulad/storage/overlay2
restorecon reset /var/lib/isulad/storage/overlay2 context unconfined_u:object_r:container_ro_file_t:s0->system_u:object_r:var_lib_t:s0

The semanage fcontext command changes the SELinux context of files persistently by adding a rule to the file context database. The usual option is -t followed by the type; for a directory tree the path is given as a regular expression such as "/path(/.*)?".

$ sudo semanage fcontext -a options file-name|directory-name

A new rule does not relabel anything by itself; use the restorecon utility to apply the context changes:

$ sudo restorecon -v file-name|directory-name

Deleting an added Context

$ sudo semanage fcontext -d file-name|directory-name

Checking the Default SELinux Context

$ chcon -R system_u:object_r:container_ro_file_t:s0 /var/lib/isulad/storage/overlay
$ matchpathcon -V /var/lib/isulad/storage/overlay
/var/lib/isulad/storage/overlay has context system_u:object_r:container_ro_file_t:s0, should be system_u:object_r:var_lib_t:s0
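The check that matchpathcon -V performs above, and the rules that semanage fcontext -l prints further down, can be modelled offline. This is an added example written for this post, not code from the original page or from libselinux. It takes rows in the format of semanage fcontext -l (regex, file type, context) and reports mismatches the way matchpathcon -V does. The selection rule is a simplified model of what libselinux does when several regexes match: the entry whose literal prefix (the part before the first regex metacharacter) is longest wins, and a later entry wins a tie. The /var/lib and /var/log/httpd rows are the ones this post shows; the /var/log row is the stock var_log_t rule; the /srv/www rows and all current labels are constructed sample data standing in for local rules added with semanage fcontext -a.

```python
"""Predict a path's default SELinux context from file_contexts-style rules.

Added example for this post, not code from the original page or from
libselinux. The rules and labels below are constructed sample data.
"""
import re
from typing import List, Optional, Tuple

_META = set(".^$?*+|[](){}\\")   # regex metacharacters

# (regex, file type, context) as printed by `semanage fcontext -l`
FILE_CONTEXTS: List[Tuple[str, str, str]] = [
    (r"/var/lib(/.*)?",       "all files", "system_u:object_r:var_lib_t:s0"),
    (r"/var/log(/.*)?",       "all files", "system_u:object_r:var_log_t:s0"),
    (r"/var/log/httpd(/.*)?", "all files", "system_u:object_r:httpd_log_t:s0"),
    # Constructed local rules, as a site would add them with
    #   semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"
    #   semanage fcontext -a -f f -t httpd_sys_script_exec_t "/srv/www(/.*)?/[^/]+\.cgi"
    (r"/srv/www(/.*)?",            "all files",    "system_u:object_r:httpd_sys_content_t:s0"),
    (r"/srv/www(/.*)?/[^/]+\.cgi", "regular file", "system_u:object_r:httpd_sys_script_exec_t:s0"),
]


def literal_prefix(regex: str) -> str:
    """Literal part of a regex before its first metacharacter,
    honouring backslash escapes such as '\\.'."""
    out = []
    i = 0
    while i < len(regex):
        ch = regex[i]
        if ch == "\\" and i + 1 < len(regex):
            out.append(regex[i + 1])
            i += 2
            continue
        if ch in _META:
            break
        out.append(ch)
        i += 1
    return "".join(out)


def default_context(path: str, kind: str = "all files",
                    rules=FILE_CONTEXTS) -> Optional[str]:
    """Context a relabel (restorecon) would apply to `path`.

    `kind` is the file-type column: 'all files' rules match anything,
    other rules only a path of the same kind ('regular file',
    'directory', 'symbolic link', ...). Returns None when no rule
    matches, i.e. the path would stay unlabeled.
    """
    best = None   # ((prefix length, rule index), context)
    for idx, (regex, ftype, context) in enumerate(rules):
        if ftype != "all files" and ftype != kind:
            continue
        if re.fullmatch(regex, path) is None:
            continue
        key = (len(literal_prefix(regex)), idx)
        if best is None or key > best[0]:
            best = (key, context)
    return None if best is None else best[1]


def _without_user(ctx: str) -> str:
    return ctx.split(":", 1)[1] if ":" in ctx else ctx


def verify(path: str, kind: str, current: str,
           rules=FILE_CONTEXTS) -> Tuple[bool, Optional[str]]:
    """matchpathcon -V style check: (label correct?, expected context).

    The SELinux user field is ignored in the comparison, as libselinux's
    file context comparison does; restorecon without -F resets only the
    type and keeps the existing user."""
    expected = default_context(path, kind, rules)
    ok = expected is not None and _without_user(expected) == _without_user(current)
    return ok, expected


if __name__ == "__main__":
    # constructed current labels, as `ls -Z` might show them after a stray chcon
    for path, kind, current in [
        ("/var/lib/isulad/storage/overlay2", "directory", "system_u:object_r:container_ro_file_t:s0"),
        ("/var/log/httpd/access_log", "regular file", "system_u:object_r:httpd_log_t:s0"),
    ]:
        ok, expected = verify(path, kind, current)
        print("ok      " if ok else "MISMATCH", path, "has", current, "should be", expected)
```

/var/log/httpd/access_log matches both the /var/log and the /var/log/httpd rule; the longer literal prefix wins, which is why the more specific rule does not need to come first in the database. The two /srv/www rules share a prefix, so the file-type column and the tie-break decide: a .cgi regular file gets the script type while a directory of the same name does not.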

SELinux Context Process

Use the ps -eZ command to view the SELinux context for processes.

$ ps -eZ | grep passwd
unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 13212 pts/1 00:00:00 passwd

SELinux Boolean

Booleans allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. This allows changes, such as allowing services access to NFS volumes, without reloading or recompiling SELinux policy.

$ semanage boolean -l
SELinux boolean                State  Default Description
allow_cvs_read_shadow          (off  ,  off)  Determine whether cvs can read shadow password files.
...
$ getsebool -a
allow_cvs_read_shadow->off
...
$ getsebool allow_cvs_read_shadow
allow_cvs_read_shadow->off
$ setsebool allow_cvs_read_shadow [on|off]
# Without -P the change lasts until the next policy reload or reboot; add -P to write it into the policy store:
$ setsebool -P allow_cvs_read_shadow on

SELinux Information Gathering Tools

$ man seinfo
$ man sesearch
$ sesearch -A -s var_lib_t
allow file_type fs_t:filesystem associate;
allow file_type hugetlbfs_t:filesystem associate;
allow file_type noxattrfs:filesystem associate;
allow file_type ramfs_t:filesystem associate;
allow file_type tmp_t:filesystem associate;
allow file_type tmpfs_t:filesystem associate;
allow var_lib_t var_lib_t:filesystem associate;

To see which paths are labeled with a given type (the first column is a regular expression; (/.*)? matches the directory itself and everything below it):

$ semanage fcontext -l | grep httpd_log_t
/var/log/httpd(/.*)?                              all files          system_u:object_r:httpd_log_t:s0
/var/log/nginx(/.*)?                              all files          system_u:object_r:httpd_log_t:s0
...

Prioritizing And Disabling SELinux Policy Modules

Install the module with the semodule -i command and set its priority to 400 with -X. Two copies of a module with the same name can coexist at different priorities; only the one with the highest priority takes effect, so a locally modified sandbox module at 400 overrides the distribution's copy at 100 without deleting it:

$ semodule -X 400 -i sandbox.pp
$ semodule --list-modules=full | grep sandbox
400 sandbox pp
100 sandbox pp

Disabling a System Policy Module

A disabled module stays in the policy store but is left out of the compiled policy; semodule -e re-enables it.

$ semodule -d sandbox

Writing SELinux Policy

The Guide to Writing SELinux Policy

https://www.linuxtopia.org/online_books/writing_SELinux_policy_guide

SELinux Policy for Container Runtimes

https://github.com/containers/container-selinux

Understanding Denials

When SELinux denies an access, the kernel produces an AVC record. With auditd running it is written to /var/log/audit/audit.log; without auditd the kernel sends audit messages to syslog, so they end up in /var/log/messages (or the journal).

Daemons running                        Log location
auditd                                 /var/log/audit/audit.log
rsyslogd only (auditd off)             /var/log/messages
auditd, rsyslogd and setroubleshootd   /var/log/audit/audit.log; setroubleshootd also writes easier-to-read "SELinux is preventing" messages to /var/log/messages

If DAC rules (standard Linux permissions) allow the access but it still fails, check /var/log/messages for "SELinux is preventing" messages and /var/log/audit/audit.log for "denied" records. This can be done by running the following commands as the root user:

$ ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today
$ sudo grep "SELinux is preventing" /var/log/messages
$ sudo grep "denied" /var/log/audit/audit.log
$ aureport -a
Searching for                        Command
all denials                          ausearch -m avc,user_avc,selinux_err,user_selinux_err
denials from today                   ausearch -m avc -ts today
denials from the last 10 minutes     ausearch -m avc -ts recent
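The grep and ausearch commands above find the records; turning them into something actionable means splitting each AVC line into its source type, target type, object class and permission, which is exactly the key audit2allow groups by. The parser below is an added example written for this post, not code from the original page or from the audit, setroubleshoot or policycoreutils projects. It handles the AVC and USER_AVC record formats; every line in SAMPLE_AUDIT_LOG is constructed for illustration (pids, inodes, paths and serial numbers are made up), and records with permissive=1 are counted but flagged, since they were logged and not blocked.

```python
"""Parse AVC denials out of audit.log lines and summarise them by rule.

Added example for this post, not code from the original page or from the
audit, setroubleshoot or policycoreutils projects. SAMPLE_AUDIT_LOG is
constructed sample data in the audit.log format.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1594972800.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1594972800.123:456): arch=c000003e syscall=257 success=no exit=-13 items=0 ppid=1 pid=1234 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1594972801.456:457): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/home/alice/public_html/index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594972900.789:460): avc:  denied  { name_connect } for  pid=2222 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
type=USER_AVC msg=audit(1594972950.001:470): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/nginx.service" cmdline="systemctl status nginx" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service exe="/usr/bin/systemctl" sauid=0 hostname=? addr=? terminal=?'
"""

# AVC records come from the kernel; USER_AVC records come from userspace
# object managers such as systemd or dbus and wrap the avc text in msg='...'.
_AVC_RE = re.compile(
    r"^type=(?P<rectype>AVC|USER_AVC) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):.*?"
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<body>.*)$"
)
# key=value pairs; quoted values may contain spaces, bare values may not
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Denial:
    rectype: str
    timestamp: float
    serial: int
    perms: List[str]
    scontext: str
    tcontext: str
    tclass: str
    comm: Optional[str]
    pid: Optional[int]
    target: Optional[str]       # path, name or dest, whichever the record carries
    permissive: Optional[bool]  # None when the record has no permissive= field
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def source_type(self) -> str:
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


def parse_avc_line(line: str) -> Optional[Denial]:
    """Denial for an AVC/USER_AVC 'denied' line, None for any other record."""
    m = _AVC_RE.match(line.rstrip("\n"))
    if not m or m.group("verdict") != "denied":
        return None
    body = m.group("body").rstrip("'")   # USER_AVC closes the msg='...' quote
    kv = {k: (q or b) for k, q, b in _KV_RE.findall(body)}
    if any(k not in kv for k in ("scontext", "tcontext", "tclass")):
        return None
    permissive = kv.get("permissive")
    return Denial(
        rectype=m.group("rectype"),
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        perms=m.group("perms").split(),
        scontext=kv["scontext"],
        tcontext=kv["tcontext"],
        tclass=kv["tclass"],
        comm=kv.get("comm"),
        pid=int(kv["pid"]) if kv.get("pid", "").isdigit() else None,
        target=kv.get("path") or kv.get("name") or kv.get("dest"),
        permissive=None if permissive is None else permissive == "1",
        fields=kv,
    )


def parse_avc(lines: Iterable[str]) -> List[Denial]:
    return [d for d in (parse_avc_line(line) for line in lines) if d is not None]


def summarize(denials: Iterable[Denial]) -> Counter:
    """Count denials per (source type, target type, class, permission).

    Each key is one allow rule audit2allow would generate, so the most
    common keys show which rule, boolean or relabel would silence the
    most noise. Records with permissive=1 were logged but not blocked,
    for example from a domain made permissive with semanage permissive -a.
    """
    counts = Counter()
    for d in denials:
        for perm in d.perms:
            counts[(d.source_type, d.target_type, d.tclass, perm)] += 1
    return counts


if __name__ == "__main__":
    denials = parse_avc(SAMPLE_AUDIT_LOG.splitlines())
    for key, n in summarize(denials).most_common():
        print(n, *key)
    for d in denials:
        if d.permissive:
            print("logged only (permissive domain):", d.comm, d.perms, d.target)
```

In the constructed sample, httpd_t reading user_home_t is the classic case the overview asked about ("May a web server access files in users' home directories?"); the fix there is the httpd_enable_homedirs boolean or relabeling the content, not a custom allow rule. The name_connect record carries permissive=1, meaning nginx was allowed through because its domain had been made permissive, so that line documents a hole rather than a blocked attempt.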
