SELinux#

Security-Enhanced Linux (SELinux)

SELinux is an implementation of Mandatory Access Control (MAC) originally developed by the National Security Agency (NSA) and now maintained as part of the mainline Linux kernel. Unlike the ordinary discretionary permissions (DAC), where a file's owner decides who may access it, MAC decisions come from a system-wide policy that the process owner cannot override.

References#

Gentoo wiki might be the best treatment on this subject that I've found so far...

  • SELinux - Gentoo wiki
  • SELinux/Quick introduction - Gentoo wiki - This intro seems to be better than the RHCSA textbooks I have... this is a solid primer
  • SELinux/Tutorials - Gentoo wiki - Seems like a relatively complete/helpful guide to SELinux
  • What is SELinux?
  • Using SELinux | Red Hat Enterprise Linux | 9 | Red Hat Documentation
  • Security-Enhanced Linux - Wikipedia

How it works#

SELinux is a security subsystem inside the Linux kernel, implemented as a Linux Security Module (LSM): the kernel calls LSM hooks at the points where access decisions are made (open, exec, bind, connect, ...), and SELinux answers them from the loaded policy. SELinux checks happen only after the normal DAC checks (mode bits, ownership, capabilities) have passed, so SELinux can only further restrict access that DAC already allows; it never grants access that DAC denied. Decisions are cached in the Access Vector Cache (AVC), which is why denial records in the audit log are called AVC denials.

Terminology#

  • LSM: Linux Security Module, the kernel framework of hooks that SELinux (and AppArmor, etc.) plug into.
  • Subject: Any user or process that accesses an object.
  • Object: A resource such as a file, directory, hardware device, socket, network port, etc.
  • Access: An action performed by the subject on an object (read, write, execute, connect, ...).
  • Policy: A defined ruleset enforced system-wide; on RHEL the default is the targeted policy.
  • Context (a.k.a. label): A tag that stores the security attributes of a subject or object, in the form user:role:type:level (e.g. system_u:system_r:httpd_t:s0).
  • Labeling: Assigning contexts to objects. A file's context is stored in its security.selinux extended attribute; the default context for a path comes from the policy's file context rules.
  • SELinux User: Predefined identities (e.g. user_u, staff_u, unconfined_u) that are authorized for particular roles. They are not Linux users; Linux users are mapped to them (see semanage login).
  • Role (RBAC): Restricts which domains a subject may enter; an SELinux user is authorized for a set of roles, and each role for a set of domains.
  • Type enforcement (TE): The main mechanism in the targeted policy. Every process runs in a domain and every object has a type; allow rules grant a domain specific permissions on a type, and anything not explicitly allowed is denied.
  • Type: A group of objects (files, dirs, etc.) that share the same security attributes and therefore the same type field in their context.
  • Domain: The type of a process; it determines what the process may access (the context it runs in).
  • Level (MLS and MCS): A sensitivity:category value, or a range of them, that forms the fourth field of the context. The targeted policy uses sensitivity s0 with MCS categories such as c0.c1023.
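The four-field layout of a context, as an added example that is not part of the original notes: a POSIX sh helper that splits contexts into their fields and pulls process domains out of ps -eZ output. The sample ps listing is constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example: work with SELinux context strings (user:role:type:level).
# The level field can itself contain ':' (an MLS/MCS range such as
# s0-s0:c0.c1023), so taking "field 4" of a colon split loses part of it.
# The first three fields never contain ':', so those are safe to cut.

# Print one field of a context: 1=user 2=role 3=type.
context_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

context_type() { context_field "$1" 3; }

# Print the level: everything after the third ':' (empty if there is none).
context_level() {
    printf '%s\n' "$1" | cut -d: -s -f4-
}

# Describe a context in one line; "none" when the context has no level.
describe_context() {
    ctx=$1
    lvl=$(context_level "$ctx")
    printf 'user=%s role=%s type=%s level=%s\n' \
        "$(context_field "$ctx" 1)" "$(context_field "$ctx" 2)" \
        "$(context_type "$ctx")" "${lvl:-none}"
}

# Constructed sample of `ps -eZ` output (LABEL PID TTY TIME CMD); not from a real host.
SAMPLE_PS='LABEL                               PID TTY          TIME CMD
system_u:system_r:init_t:s0                           1 ?        00:00:03 systemd
system_u:system_r:httpd_t:s0                        812 ?        00:00:01 httpd
system_u:system_r:sshd_t:s0-s0:c0.c1023             940 ?        00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1322 pts/0 00:00:00 bash'

# List PID and command of every process whose domain is unconfined_t.
# These run with essentially no SELinux confinement and deserve a second
# look on a server. The type is always the third ':'-separated field of
# the label, with or without an MLS/MCS range after it.
unconfined_processes() {
    printf '%s\n' "$1" | awk 'NR > 1 { split($1, f, ":"); if (f[3] == "unconfined_t") print $2, $NF }'
}

# Count processes per domain, one "domain count" line each.
domain_counts() {
    printf '%s\n' "$1" | awk 'NR > 1 { split($1, f, ":"); n[f[3]]++ } END { for (d in n) print d, n[d] }' | sort
}

describe_context 'system_u:system_r:sshd_t:s0-s0:c0.c1023'
unconfined_processes "$SAMPLE_PS"
domain_counts "$SAMPLE_PS"
```

On a real host replace the constructed listing with `ps -eZ` output, e.g. `unconfined_processes "$(ps -eZ)"`.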

SELinux commands#

SELinux state and mode:

  • getenforce - prints Enforcing, Permissive or Disabled
  • sestatus - current mode, mode from the config file, loaded policy name and policy root

Listing contexts:

  • ls -ldZ, ls -lZ - file and directory contexts
  • id -Z - context of the current shell
  • ps -eZ - context (domain) of every process
  • seinfo - summary of the loaded policy (counts of users, roles, types, booleans, ...)
  • seinfo --portcon=80 - port contexts defined in the policy for port 80

SELinux administration:

  • setenforce - switch between enforcing (1) and permissive (0) at runtime only; it does not survive a reboot
  • semanage - manage persistent policy customizations (fcontext, port, boolean, login, user, ...)

Managing labels:

  • chcon -t net_conf_t /etc/resolv.conf - change the label directly on the file (not recorded in the policy)
  • restorecon /etc/resolv.conf - reset the label to the policy's default for that path
  • semanage fcontext -l | grep resolv - list the file context rules matching resolv
  • semanage fcontext -a -t net_conf_t /etc/puppet-resolv\.conf - add a rule; the path is a regular expression, hence the escaped dot
  • restorecon /etc/puppet-resolv.conf - apply the new rule to the file

User management:

  • semanage login -a -s staff_u john - map the Linux user john to the SELinux user staff_u (takes effect at john's next login)

Common#

How do I list all of the SELinux users?

seinfo -u

How do I show Linux and SELinux user mappings?

semanage login -l

How do I list SELinux contexts for ports?

semanage port -l

How do I list the SELinux context for all running processes?

ps -eZ
ps -efZ

How do I list the SELinux context of a file?

ls -lZ /etc/passwd

What file do I need to edit to configure SELinux to either enforcing or permissive persistently?

vim /etc/selinux/config

The SELINUX= line takes enforcing, permissive or disabled, and SELINUXTYPE= selects the policy (targeted is the RHEL default). The file is read at boot, so use setenforce to change the running system.

What command do I need to run to show the current SELinux operating mode?

getenforce
# or
sestatus

What command do I use to temporarily change the context of a directory and its contents recursively?

chcon -vu user_u -t public_content_t /tmp/sedir1 -R

chcon writes the label straight onto the files, so it takes effect immediately but the policy knows nothing about it: the next restorecon or full relabel puts the default context back.

What command do I use to permanently set the file context of a directory and its contents recursively?

semanage fcontext -a -s user_u -t public_content_t '/tmp/sedir1(/.*)?'

This only records the rule in the policy store; the path is a regular expression and (/.*)? matches the directory itself and everything under it. Nothing on disk changes until restorecon is run on the directory.

How do I restore the file context of a directory and its contents recursively?

restorecon -Rv /tmp/sedir1

How do I add port 8010 with type http_port_t and protocol tcp to the policy?

semanage port -a -t http_port_t -p tcp 8010

If the port is already defined with another type, -a fails because the port is already defined; use -m to change the existing assignment. semanage port -l shows what is currently defined.

How do I copy a file and preserve its SELinux context?

cp --preserve=context file .

Without it, cp creates a new file that gets the default label for the destination directory. mv, by contrast, keeps the original label, which is a common cause of mislabeled files under /var/www and similar; run restorecon after moving files into a service's directory.

How do I list all of the current selinux boolean settings?

getsebool -a
sestatus -b
semanage boolean -l

How do I persistently set a selinux boolean?

setsebool -P nfs_export_all_rw off
semanage boolean -m -0 nfs_export_all_rw

-P (and semanage) write the value into the policy store so it survives a reboot; setsebool without -P changes only the running policy.

How do I analyze all of the AVC records in the audit.log file?

sealert -a /var/log/audit/audit.log

How do I search the audit.log for recent selinux denies?

ausearch -m avc -ts recent

-ts recent means the last ten minutes; use -ts today or an explicit time for a wider window, and -i to render the records in a more readable form.

What command do I need to run to ensure that SELinux is fully disabled in the kernel at boot?

grubby --update-kernel ALL --args selinux=0

With selinux=0 the kernel never loads the SELinux LSM, so files created or modified while it is off get no labels. Before re-enabling it, boot in permissive mode and relabel (touch /.autorelabel), otherwise enforcing mode will deny access to the unlabeled files.

How do I look for selinux denies in the systemd journal?

journalctl | grep sealert

The matching lines are written by setroubleshootd, which summarizes each denial and ends with "For complete SELinux messages run: sealert -l <UUID>"; that UUID gives the full analysis and suggested fixes for one denial.

Troubleshooting denials#

  • ausearch -m avc -ts recent

SELinux/Logging - Gentoo wiki
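Following on from the ausearch/sealert questions above and the troubleshooting list, this added example (not part of the original notes) summarizes AVC denials from audit.log-format records and attaches a next step per target class. The records are constructed for the example, and the next-step hints are this example's rule of thumb, not output of any SELinux tool.

```shell
#!/bin/sh
# Added example: summarize AVC denials and suggest what to check next.
# summarize_avc reads records from stdin, so on a real host it can be fed
# from `ausearch -m avc -ts recent` or from /var/log/audit/audit.log.

# Constructed sample records in audit.log format (not from a real host).
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=812 comm="httpd" name="index.html" dev="dm-0" ino=4211 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read } for  pid=813 comm="httpd" name="logo.png" dev="dm-0" ino=4212 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=812 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { write } for  pid=2044 comm="backup.sh" name="dump.sql" dev="dm-0" ino=9001 scontext=system_u:system_r:backup_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=257 success=yes exit=3'

# Count denials by source domain, target type, class and permission set.
# The type is always the third ':'-separated field of a context, so this
# works whether or not the context carries an MLS/MCS range. Records with
# permissive=1 were logged but allowed (permissive mode or a permissive
# domain) and are marked so they are not mistaken for real blocks.
summarize_avc() {
    awk '
    /^type=AVC / && /avc: +denied/ {
        perms = $0; sub(/.*\{ */, "", perms); sub(/ *\}.*/, "", perms)
        s = t = c = p = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)        { split(substr($i, 10), f, ":"); s = f[3] }
            else if ($i ~ /^tcontext=/)   { split(substr($i, 10), f, ":"); t = f[3] }
            else if ($i ~ /^tclass=/)     c = substr($i, 8)
            else if ($i ~ /^permissive=/) p = substr($i, 12)
        }
        key = s " " t " " c " {" perms "}" (p == "1" ? " permissive" : "")
        n[key]++
    }
    END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2
}

# Heuristic next step keyed on the target class: this example's rule of
# thumb, not something the policy tools emit.
next_step() {
    case $1 in
        file|dir|lnk_file|sock_file)
            echo "check the target label with ls -Z; if restorecon -v changes it the file was mislabeled, otherwise add a fcontext rule or look for a boolean" ;;
        tcp_socket|udp_socket)
            echo "check port labels with semanage port -l and network booleans with getsebool -a" ;;
        *)
            echo "search the loaded policy for an allow rule: sesearch --allow -s SOURCE -t TARGET -c $1" ;;
    esac
}

# Full report: each summary line followed by the suggested next step.
report() {
    summarize_avc | while read -r count s t c rest; do
        printf '%s x %s -> %s %s %s\n' "$count" "$s" "$t" "$c" "$rest"
        printf '    next: %s\n' "$(next_step "$c")"
    done
}

printf '%s\n' "$SAMPLE_AVC" | report
```

Grouping by (source type, target type, class, permissions) is the same key audit2allow uses, so a summary line that looks legitimate maps directly onto the rule you would end up writing; one that pairs a service domain with user_home_t or tmp_t is almost always a labeling problem, not a missing rule.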

SELinux packages#

Packages (RHEL/Fedora names) that need to be installed to run the commands above.

  • policycoreutils-python-utils - provides the semanage command (on RHEL 7 it was policycoreutils-python)
  • setools-console - provides the seinfo and sesearch commands
  • selinux-policy-doc - provides the selinux boolean man pages (man -k _selinux lists them)
  • setroubleshoot-server - provides the sealert command and the setroubleshootd daemon that writes denial summaries to the journal