SELinux (Security Enhanced Linux)

Linux

Security

Published

June 21, 2016

Modified

February 6, 2023

SELinux (Security Enhanced Linux)…

…implements a robust Mandatory Access Control (MAC)
Applies after DAC (Discretionary Access Control)…
- …operated with UID or SUID (Set Owner User Id) rights
- …evaluate permissions (on files, sockets, processes) according to this user
Security context is defined by…
- Identity…depends directly on his Linux account
- An identity is assigned one or more roles…
- …each role corresponds to one domain
Rights of a user on a resource evaluated according to the domain
Naming convention is…user_u:role_r:type_t

# context information about a file
>>> ls -Z $(mktemp)
unconfined_u:object_r:user_tmp_t:s0 /tmp/tmp.bF245MJELg
|          | |      | |        | ``----------------------- level
|          | |      | `--------`-------------------------- domaine
|          | `------`------------------------------------- role
`----------`---------------------------------------------- identity

Display of security contexts

id -Z                    # the user's context
ls -Z                    # those of the current files
ps -eZ                   # those of the processes
netstat –Z               # for network connections
lsof -Z                  # for open files
matchpathcon $path       # context of a directory

Service

SELinux…

…logs to /var/log/audit/audit.log
…configuration in /etc/selinux/config
Operating modes…
- Enforcing…access restricted according to the rules
- Permissive…
  - …rules are polled, access errors are logged
  - …access will not be blocked
- Disabled…no restrictions…no logging

Current operations mode…

getenforce
sestatus | grep mode
# temporary switch to permissiv mode...
sudo setenforce 0

Permanently disable in the configuration file …requires a node reboot

# Check configuration
>>> grep ^SELINUX= /etc/selinux/config
SELINUX=permissive

# ...modify the configuraion to disable SELinux
>>> sed -i 's/permissive/disabled/' /etc/selinux/config

# ...verify the configuration change
>>> grep ^SELINUX= /etc/selinux/config 
SELINUX=disabled

Commands

chcon (change context) temporary changes…
semanage fcontext persistent changes…

Booleans allow policy to be changed at runtime…

# list & describe available booleans
semanage boolean -l
# enable/disable a boolean
setsebool $boolean_name (on|off)

--- title: SELinux (Security Enhanced Linux) categories: - Linux - Security date: 2016/06/21 date-modified: 2023/02/06 --- SELinux (Security Enhanced Linux)... - ...implements a robust Mandatory Access Control (MAC) - Applies after **DAC** (Discretionary Access Control)... - ...operated with UID or SUID (Set Owner User Id) rights - ...evaluate permissions (on files, sockets, processes) according to this user - Security context is defined by... - **Identity**...depends directly on his Linux account - An identity is assigned one or more **roles**... - ...each role corresponds to one **domain** - Rights of a user on a resource evaluated according to the domain - Naming convention is...`user_u:role_r:type_t` ```sh # context information about a file >>> ls -Z $(mktemp) unconfined_u:object_r:user_tmp_t:s0 /tmp/tmp.bF245MJELg | | | | | | ``----------------------- level | | | | `--------`-------------------------- domaine | | `------`------------------------------------- role `----------`---------------------------------------------- identity ``` Display of security contexts ```sh id -Z # the user's context ls -Z # those of the current files ps -eZ # those of the processes netstat –Z # for network connections lsof -Z # for open files matchpathcon $path # context of a directory ``` ## Service SELinux... - ...logs to `/var/log/audit/audit.log` - ...configuration in `/etc/selinux/config` - Operating modes... - **Enforcing**...access restricted according to the rules - **Permissive**... - ...rules are polled, access errors are logged - ...access will not be blocked - **Disabled**...no restrictions...no logging Current operations mode... ```sh getenforce sestatus | grep mode # temporary switch to permissiv mode... sudo setenforce 0 ``` Permanently disable in the configuration file ...requires a node reboot ```sh # Check configuration >>> grep ^SELINUX= /etc/selinux/config SELINUX=permissive # ...modify the configuraion to disable SELinux >>> sed -i 's/permissive/disabled/' /etc/selinux/config # ...verify the configuration change >>> grep ^SELINUX= /etc/selinux/config SELINUX=disabled ``` ## Commands - `chcon` (change context) temporary changes... - `semanage fcontext` persistent changes... Booleans allow policy to be changed at runtime... ```sh # list & describe available booleans semanage boolean -l # enable/disable a boolean setsebool $boolean_name (on|off) ```