About SELinux Getting Started


Posted in: Linux, Security | Author: blog leader

Almost everyone has heard of SELinux (or, more accurately, has tried to turn it off), and perhaps some past experience has left you biased against it. But with the growing number of 0-day vulnerabilities, it may be time to learn about this 8-year-old mandatory access control (MAC) system in the Linux kernel.

SELinux and mandatory access control system

SELinux, whose full name is Security Enhanced Linux, is an implementation of MAC (Mandatory Access Control) that explicitly specifies which resources (files, network ports, etc.) a process may access.

The purpose of a mandatory access control system is to strengthen the system's ability to defend against 0-day attacks (exploits of vulnerabilities that have not yet been disclosed). It is therefore not a substitute for a network firewall or ACLs, nor does it duplicate their purpose.

For example, suppose Apache on the system is found to have a vulnerability that lets a remote user read sensitive files (for example /etc/passwd, to enumerate the users on the system), and the Apache patch fixing the vulnerability has not yet been released. At this point SELinux can serve as a mitigation that compensates for the vulnerability: because /etc/passwd does not carry a label that Apache is allowed to access, SELinux blocks Apache's access to it.

SELinux has the following advantages over other mandatory access control systems:

    • Control policies are queryable rather than invisible to programs.
    • The policy can be changed on the fly without restarting or stopping services.
    • The policy can be controlled at three stages: process initialization, inheritance, and program execution.
    • The control scope covers file systems, directories, files, open file descriptors, ports, message interfaces, and network interfaces.

So what is the impact of SELinux on system performance? According to Phoronix's comparison on Fedora 11 in 2009, enabling SELinux reduced system performance by about 5% in only a few cases.

Does SELinux affect ordinary desktop applications and program development? Originally it did, because SELinux's policy was written primarily for server environments. But after 8 years of wide deployment, the SELinux policy can now meet the requirements of both security and convenience in general desktop and development environments. Taking Fedora 15 as an example: while the author was building a complete entertainment environment (a variety of third-party native Linux games and Wine games) and development environment (Android SDK + Eclipse), only the first run of a Wine program was blocked by the default SELinux policy, and that was resolved with a single click in the graphical "SELinux Troubleshooter".

Understanding and configuring SELinux

1. Get the current SELinux run status

getenforce

There are three possible results: Enforcing, Permissive and Disabled. Disabled means SELinux is turned off; Permissive means SELinux only logs security warnings and does not block suspicious behaviour; Enforcing means it logs warnings and blocks suspicious behaviour.

Among current common distributions, RHEL and Fedora default to Enforcing, while others such as openSUSE default to Permissive.

2. Change the SELinux operating state

setenforce [ Enforcing | Permissive | 1 | 0 ]

This command immediately changes the SELinux running state, switching between Enforcing and Permissive; the change lasts only until shutdown. A typical use is to find out whether SELinux is what prevents a service or program from running: if the service or program still does not work after setenforce 0, then SELinux is certainly not the cause.

If you want to change the SELinux mode permanently, edit the configuration file /etc/sysconfig/selinux. Note that when switching from Disabled to Permissive or Enforcing mode, you need to relabel the entire file system and reboot: touch /.autorelabel && reboot .

3. SELinux Operation Policy

The configuration file /etc/sysconfig/selinux also sets the SELinux policy type through the SELINUXTYPE variable, which has two possible values: targeted means SELinux protects only a set of pre-defined network services and access requests, while strict means SELinux covers all network services and access requests.

RHEL and Fedora default to targeted, and ship SELinux policy configurations for almost all common network services; these are installed by default and can be used without modification.

If you want to edit the SELinux policy yourself, there is also the command-line policy editor seedit and the Eclipse plugin eclipse-slide .

4. SELinux mode for Coreutils tools

Common coreutils tools such as ps , ls and others can display SELinux information when given the -Z option.

For example, ps auxZ | grep lldpad :

system_u:system_r:initrc_t:s0 root 1000 8.9 0.0 3040 668 ? Ss 21:01 6:08 /usr/sbin/lldpad -d

And ls -Z /usr/lib/xulrunner-2/libmozjs.so :

-rwxr-xr-x. root root system_u:object_r:lib_t:s0 /usr/lib/xulrunner-2/libmozjs.so

The -Z option can likewise be applied to almost all coreutils tools.
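As an added example (not part of the original article), the following shell functions split a security context of the form user:role:type:level into its fields and pull the type out of the ps -Z and ls -Z lines shown above. The two sample lines are copied from the article's output; the function names are my own.

```shell
# Added example, not from the original article: parse SELinux contexts as
# printed by ps -Z / ls -Z. Function names are assumptions of this example.

# Print one field of a context: 1=user 2=role 3=type 4=level.
# The level (MLS range) may itself contain ':' (e.g. s0-s0:c0.c1023),
# so the split is done on the first three colons only.
ctx_field() {
    ctx=$1
    n=$2
    user=${ctx%%:*};   rest=${ctx#*:}
    role=${rest%%:*};  rest=${rest#*:}
    typ=${rest%%:*};   level=${rest#*:}
    case $n in
        1) printf '%s\n' "$user" ;;
        2) printf '%s\n' "$role" ;;
        3) printf '%s\n' "$typ" ;;
        4) printf '%s\n' "$level" ;;
        *) return 1 ;;
    esac
}

# ps auxZ prints the context as the first column of each line.
ps_z_type() { ctx_field "$(printf '%s\n' "$1" | awk '{print $1}')" 3; }

# ls -Z (older coreutils format, as in the article) prints:
# perms owner group context path
ls_z_type() { ctx_field "$(printf '%s\n' "$1" | awk '{print $4}')" 3; }

# Sample lines copied from the article's output above.
PS_LINE='system_u:system_r:initrc_t:s0 root 1000 8.9 0.0 3040 668 ? Ss 21:01 6:08 /usr/sbin/lldpad -d'
LS_LINE='-rwxr-xr-x. root root system_u:object_r:lib_t:s0 /usr/lib/xulrunner-2/libmozjs.so'

ps_z_type "$PS_LINE"                                  # initrc_t
ls_z_type "$LS_LINE"                                  # lib_t
ctx_field 'system_u:system_r:initrc_t:s0-s0:c0.c1023' 4   # s0-s0:c0.c1023
```

The type field (the third one, ending in _t) is the one that matters for the targeted policy: it is what the allow rules are written against, which is why the rest of this article talks almost only about types such as httpd_sys_content_t.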

Apache SELinux Configuration Instance

1. Allow Apache to access Web site files located in non-default directories

First, use semanage fcontext -l | grep '/var/www' to learn the SELinux context of the default directory /var/www :

/var/www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0

From this you can see that Apache can only access files carrying the httpd_sys_content_t label.

If you want Apache to use /srv/www as the website file directory, you need to give the files in that directory the httpd_sys_content_t label, which takes two steps.

First, add the default label type for files under the /srv/www directory:

semanage fcontext -a -t httpd_sys_content_t '/srv/www(/.*)?'

Then apply the new label type to the files that already exist:

restorecon -Rv /srv/www

Apache can then use the files in that directory to serve the site.

restorecon , which restores a file's default label, is commonly used in SELinux administration. For example, when a file is copied from a user's home directory into the Apache site directory, Apache cannot access it by default because files under a home directory carry the user_home_t label. At this point you need restorecon to revert it to the httpd_sys_content_t type that Apache can access:

restorecon reset /srv/www/foo.com/html/file.html context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
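As an added example (not part of the original article), here is a small audit that a practitioner would run before blaming Apache: feed it an ls -Z listing of the web root and it prints every file whose type is not the expected one, i.e. exactly the files restorecon would relabel. The listing below is constructed for the example (its user_home_t entry mirrors the copy-from-home-directory case above); the function names are my own.

```shell
# Added example, not from the original article: find files under a web root
# whose SELinux type is not the expected one. Sample listing is constructed.

# Usage: mislabeled EXPECTED_TYPE < listing
# Reads ls -Z style lines, locates the field that looks like a context
# (user_u:role_r:type_t:level), and prints the path (last field) of every
# entry whose type differs from EXPECTED_TYPE. Works with both the older
# "perms owner group context path" format shown in the article and the
# modern `ls -lZ` long format, since the context is found by pattern rather
# than by position. Paths containing spaces are not handled here.
mislabeled() {
    awk -v want="$1" '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^[a-z_]+_u:[a-z_]+_r:[a-z_]+_t:/) {
                    split($i, c, ":")        # c[3] is the type
                    if (c[3] != want) print $NF
                    break
                }
            }
        }'
}

# Constructed sample listing: one file still carries user_home_t because it
# was copied in from a home directory, as described in the article.
SAMPLE_LISTING='-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /srv/www/foo.com/html/index.html
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 /srv/www/foo.com/html/file.html
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /srv/www/foo.com/html/style.css'

# Returns the list of offending paths for the sample listing.
audit_sample() { printf '%s\n' "$SAMPLE_LISTING" | mislabeled httpd_sys_content_t; }

# On a real host you would run e.g.:
#   ls -lZR /srv/www | mislabeled httpd_sys_content_t
# and then fix the reported files with: restorecon -Rv /srv/www
audit_sample     # prints /srv/www/foo.com/html/file.html
```

Note that the audit only tells you what the current label is; whether restorecon will pick the right type depends on the fcontext rule added with semanage fcontext -a in the step above, so run the audit again after restorecon to confirm the list is empty.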

2. Allow Apache to listen on non-standard ports

By default, Apache is only allowed to listen on ports 80 and 443. If it is configured directly to listen on port 888, then service httpd restart fails with the following error:

Starting httpd: (13)Permission denied: make_sock: could not bind to address [::]:888

(13)Permission denied: make_sock: could not bind to address 0.0.0.0:888

no listening sockets available, shutting down

Unable to open logs

At this point the SELinux Troubleshooter should have popped up if you are in a desktop environment. If you are at a terminal, you can inspect the /var/log/messages log and then use sealert -l with the alert ID it reports, or browse the alerts directly with sealert -b . Either way, the content is similar to the following:

SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 888.

***** Plugin bind_ports (92.2 confidence) suggests *************************

If you want to allow /usr/sbin/httpd to bind to network port 888

Then you need to modify the port type.

Do

# semanage port -a -t PORT_TYPE -p tcp 888

where PORT_TYPE is one of the following: ntop_port_t, http_cache_port_t, http_port_t.

***** Plugin catchall_boolean (7.83 confidence) suggests *******************

If you want to allow system to run with NIS

Then you must tell SELinux about this by enabling the ‘allow_ypbind‘ boolean.

Do

setsebool -P allow_ypbind 1

***** Plugin catchall (1.41 confidence) suggests ***************************

If you believe that httpd should be allowed name_bind access on the port 888 tcp_socket by default.

Then you should report this as a bug.

You can generate a local policy module to allow this access.

Do

allow this access for now by executing:

# grep httpd /var/log/audit/audit.log | audit2allow -M mypol

# semodule -i mypol.pp

We can see that SELinux offers a solution for each of three different situations. Here, the first case is what we want, so we enter the command as suggested:

semanage port -a -t http_port_t -p tcp 888

Then start the Apache service again and it will come up without problems.

semanage , the SELinux management configuration tool, can be seen at work here. Its first argument is the kind of object you want to change, immediately followed by the action you want to perform. Refer to the man page for details.
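As an added example (not part of the original article), the check below answers the question the sealert output raises, namely whether a port is already covered by one of the suggested port types, before you add a mapping with semanage port -a . The port table is a constructed snapshot in the format that semanage port -l prints (type, protocol, comma-separated ports and ranges); the exact numbers vary between policy versions, and the function names are my own.

```shell
# Added example, not from the original article: decide which SELinux port
# type, if any, already covers a TCP port. PORT_LIST is constructed in the
# format of `semanage port -l`; real values differ per policy version.
PORT_LIST='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
ntop_port_t                    tcp      3000-3001, 3005-3007
ssh_port_t                     tcp      22'

# Usage: port_type PROTO PORT < list
# Prints the type whose port list contains PORT (single ports and lo-hi
# ranges are both handled) and exits 0; prints nothing and exits 1 if the
# port is not labelled, which is the case that makes httpd's bind() fail.
port_type() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i
                sub(/,$/, "", p)                       # strip trailing comma
                if (split(p, r, "-") == 2) { lo = r[1]; hi = r[2] }
                else                       { lo = p;    hi = p    }
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) {
                    print $1; found = 1; exit
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# Convenience wrapper over the constructed table; on a real host you would
# pipe `semanage port -l` into port_type instead.
type_of() { printf '%s\n' "$PORT_LIST" | port_type tcp "$1"; }

type_of 443      # http_port_t
type_of 10005    # http_cache_port_t  (inside the 10001-10010 range)
type_of 888 || echo "tcp/888 is unlabelled; the article adds it with: semanage port -a -t http_port_t -p tcp 888"
```

The reason to check first is that semanage port -a refuses to add a port that is already defined (it has to be changed with semanage port -m instead), and a port that is already in http_port_t needs no change at all, only a look at the httpd configuration.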

3. Allow Apache access to create a private website

If you want users to be able to create their own personal sites by placing files in ~/public_html/ , then you need to allow this operation in the Apache policy. Use:

setsebool httpd_enable_homedirs 1

setsebool is used to toggle the parts of the SELinux policy that are controlled by a Boolean value; the current state of the Booleans can be learned with getsebool .

By default, a setsebool setting lasts only until the next reboot. If you want it to be permanent, add the -P parameter, for example:

setsebool -P httpd_enable_homedirs 1

Summary

With this short tutorial, I hope to clear up your misunderstanding of, and even fear of, SELinux; personally I feel it is no more complex than an iptables policy. If you want your server to withstand 0-day attacks effectively, then SELinux is a mitigation worth considering.

Acknowledgements

This article draws extensively on the SELinux series by Vincent Danen published on TechRepublic. My thanks to Vincent Danen.

Permanent Link: http://www.ha97.com/4336.html
