Getting started with SELinux: learn about and configure SELinux

Almost everyone has heard of SELinux (or, more accurately, has tried to disable it), and past experience may even have left you biased against it. With 0-day security vulnerabilities becoming more common, however, it may be time to get to know this eight-year-old Mandatory Access Control (MAC) system in the Linux kernel.

SELinux and Mandatory Access Control System

SELinux, short for Security Enhanced Linux, is an implementation of Mandatory Access Control (MAC). Its purpose is to specify explicitly which resources (files, network ports, and so on) a process may access.

The purpose of a mandatory access control system is to strengthen the system's defence against 0-day attacks (attacks that exploit vulnerabilities not yet publicly known). It is therefore not a replacement for a network firewall or for ACLs, and it does not duplicate their function.

For example, suppose Apache is found to have a vulnerability that lets a remote user read sensitive files on the system (such as /etc/passwd, to enumerate the accounts that exist), but the Apache patch fixing this vulnerability has not been released yet. In this case SELinux can mitigate the vulnerability: because /etc/passwd does not carry a label that Apache is allowed to access, SELinux blocks Apache's attempt to read it.

Compared with other mandatory access control systems, SELinux has the following advantages:

● The control policy is queryable rather than invisible to the program.

● The policy can be changed while the system is running, without restarting or stopping services.

● Process initialization, inheritance, and program execution can all be controlled by policy.

● The control scope covers file systems, directories, files, open file descriptors, ports, message interfaces, and network interfaces.

So what is SELinux's impact on system performance? According to a comparison Phoronix ran on Fedora 11 in 2009, enabling SELinux reduces performance by only about 5%, and only in a few cases.

Does SELinux get in the way of ordinary desktop use and program development? SELinux policies were originally aimed mainly at server environments, but after eight years of widespread use the current policy also meets the security and convenience needs of general desktop and development environments. Taking the just-released Fedora 15 as an example, the author set up a complete entertainment environment (including several third-party native Linux games and Wine games) and a development environment (Android SDK + Eclipse); the default SELinux policy only intervened the first time a Wine program was run, and the graphical "SELinux Troubleshooter" resolved that with the click of a button.

Understanding and configuring SELinux

1. Get the current SELinux running status

getenforce

Three results are possible: Enforcing, Permissive, and Disabled. Disabled means SELinux is turned off; Permissive means security warnings are logged but suspicious actions are not blocked; Enforcing means warnings are logged and suspicious actions are blocked.

Among common distributions, RHEL and Fedora currently default to Enforcing, while others, such as openSUSE, default to Permissive.

2. Change the running status of SELinux

setenforce [ Enforcing | Permissive | 1 | 0 ]

This command changes the SELinux running state immediately, switching between Enforcing and Permissive, and the change lasts until shutdown. A typical use is to check whether a service or program is failing because of SELinux: if it still fails after setenforce 0, the problem is certainly not SELinux.

To change the SELinux mode permanently, edit the configuration file /etc/sysconfig/selinux. Note: after switching from Disabled to Permissive or Enforcing, you must reboot and re-create the security labels for the whole file system (touch /.autorelabel && reboot).

3. SELinux running Policy

The configuration file /etc/sysconfig/selinux also sets the SELinux policy type, through the SELINUXTYPE variable: targeted means SELinux confines only a predefined set of network services and access requests, while strict means every network service and access request goes through SELinux.

RHEL and Fedora default to targeted, which ships SELinux policy for almost all common network services; it is installed by default and can be used without modification.

If you want to edit the SELinux policy, there is also the command-line policy editor seedit and the Eclipse-SLIDE editing plug-in.
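The script below is an added example, not code from the original article or from the SELinux project. It ties steps 1 to 3 together: it reads SELINUX= and SELINUXTYPE= from a constructed copy of /etc/sysconfig/selinux, accepts the spellings getenforce prints and setenforce takes, and prints the steps a mode change needs, including the relabel that leaving Disabled requires. It never calls setenforce itself; the sample config text and the getenforce check are the only assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article: reason about the SELinux
# running mode and the /etc/sysconfig/selinux settings the article describes.
# It never calls setenforce itself; it only prints what would have to be done.

# Constructed sample of /etc/sysconfig/selinux (layout assumed to follow
# RHEL/Fedora; only the SELINUX= and SELINUXTYPE= lines matter here).
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     strict - Full SELinux protection.
SELINUXTYPE=targeted'

# config_value CONFIG_TEXT KEY: print the value of the first KEY=value line,
# skipping the commented examples that also mention the key.
config_value() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            "$2="*) printf '%s\n' "${line#"$2="}"; break ;;
        esac
    done
}

# normalize_mode WORD: accept the spellings getenforce prints and setenforce
# takes (Enforcing/1, Permissive/0, Disabled) and return one lowercase word.
normalize_mode() {
    case "$1" in
        1|[Ee]nforcing)  echo enforcing ;;
        0|[Pp]ermissive) echo permissive ;;
        [Dd]isabled)     echo disabled ;;
        *) echo unknown; return 1 ;;
    esac
}

# describe_mode MODE: what each state means in practice.
describe_mode() {
    case "$(normalize_mode "$1")" in
        enforcing)  echo "policy loaded; denials are logged and blocked" ;;
        permissive) echo "policy loaded; denials are logged but not blocked" ;;
        disabled)   echo "no policy loaded; nothing is logged or blocked" ;;
        *) echo "unrecognised mode: $1"; return 1 ;;
    esac
}

# transition_plan CURRENT TARGET: the steps needed to go from the configured
# mode CURRENT to TARGET. setenforce only switches between enforcing and
# permissive at run time and is forgotten at reboot; entering or leaving
# disabled needs a config edit plus a reboot, and leaving disabled also needs
# a full relabel because no labels were maintained while SELinux was off.
transition_plan() {
    from=$(normalize_mode "$1") || return 1
    to=$(normalize_mode "$2") || return 1
    if [ "$from" = "$to" ]; then
        echo "no change"
        return 0
    fi
    case "$from:$to" in
        disabled:*)
            echo "edit /etc/sysconfig/selinux: SELINUX=$to"
            echo "touch /.autorelabel && reboot"
            ;;
        *:disabled)
            echo "edit /etc/sysconfig/selinux: SELINUX=disabled"
            echo "reboot"
            ;;
        *)
            echo "setenforce $to   # immediate, lost at reboot"
            echo "edit /etc/sysconfig/selinux: SELINUX=$to   # persistent"
            ;;
    esac
}

# Demonstration on the constructed config; on a real host, compare the
# configured value with what getenforce reports to spot a pending change.
echo "configured: $(config_value "$SAMPLE_CONFIG" SELINUX) ($(config_value "$SAMPLE_CONFIG" SELINUXTYPE) policy)"
if command -v getenforce >/dev/null 2>&1; then
    echo "running:    $(getenforce) - $(describe_mode "$(getenforce)")"
fi
echo "to go from disabled to enforcing:"
transition_plan disabled enforcing
```

A mismatch between the configured value and what getenforce reports is the usual sign that someone ran setenforce 0 to "make something work" and never set it back; that is the check worth adding to a host audit.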

4. SELinux support in the coreutils tools

Commonly used coreutils tools such as ps and ls show SELinux information when given the -Z option.

For example:

ps auxZ | grep lldpad
system_u:system_r:initrc_t:s0   root  1000  8.9  0.0  3040  668 ?  Ss  21:01  6:08 /usr/sbin/lldpad -d

Or:

ls -Z /usr/lib/xulrunner-2/libmozjs.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 /usr/lib/xulrunner-2/libmozjs.so

The -Z option likewise works with almost all coreutils tools.

Apache SELinux configuration instance

1. Enable Apache to access website files in non-default Directories

First, use semanage fcontext -l | grep '/var/www' to obtain the SELinux context of the default /var/www directory:

/var/www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0

Apache can only access files carrying the httpd_sys_content_t label.

If you want Apache to use /srv/www as the website directory instead, the files under it need the httpd_sys_content_t label, which takes two steps.

First, register the default label type for files under /srv/www:

semanage fcontext -a -t httpd_sys_content_t '/srv/www(/.*)?'

Then apply the new label type to the files that already exist there:

restorecon -Rv /srv/www

After that, Apache can serve the files in this directory.

restorecon is used often in SELinux administration; it restores a file's default label. For example, if you copy a file from a user's home directory into the Apache website directory, Apache cannot access it by default, because files in a home directory carry the user_home_t label. In that case you need restorecon to reset it to the httpd_sys_content_t type that Apache may access:

restorecon reset /srv/www/foo.com/html/file.html context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
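The following script is an added example, not code from the original article or the SELinux project. It performs the checks the article does by hand in step 4 and in this section, but against captured command output so it runs offline: it looks up which type the fcontext rules assign to a path, scans ls -Z output for files whose type does not match, and prints only the semanage/restorecon commands still needed. The sample semanage fcontext -l and ls -Z output is constructed, and the column layout of both is assumed to match the article's samples.

```shell
#!/bin/sh
# Added example, not code from the original article: check a web root's file
# labels the way the article does by hand, but against captured command output
# so it runs offline. Field layouts of 'semanage fcontext -l' and 'ls -Z' are
# assumed to match the article's samples (regex ... context; mode user group
# context name); real output may differ between versions.

# Constructed sample of 'semanage fcontext -l' output.
FCONTEXT_LIST='/var/www(/.*)?    all files    system_u:object_r:httpd_sys_content_t:s0
/srv/www(/.*)?    all files    system_u:object_r:httpd_sys_content_t:s0
/home/[^/]+/public_html(/.*)?    all files    unconfined_u:object_r:httpd_user_content_t:s0'

# Constructed sample of 'ls -Z /srv/www/foo.com/html'; file.html was copied
# from a home directory and still carries user_home_t.
LS_Z_OUTPUT='-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 file.html
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 style.css'

# context_type CONTEXT: the type field of a user:role:type:level label.
# Runs in a subshell so changing IFS and disabling globbing stays local.
context_type() {
    ( IFS=:; set -f; set -- $1; printf '%s\n' "$3" )
}

# fcontext_type_for FCONTEXT_LIST PATHREGEX: the type the policy assigns to
# paths matching PATHREGEX, or nothing if no rule exists for it.
fcontext_type_for() {
    want=$2
    printf '%s\n' "$1" | while IFS= read -r rule; do
        set -f                    # the regex contains glob characters
        set -- $rule
        [ "$1" = "$want" ] || continue
        for w; do last=$w; done   # the context is the last column
        context_type "$last"
        break
    done
}

# mislabeled_files LS_Z_OUTPUT EXPECTED_TYPE: names of files whose type is not
# EXPECTED_TYPE; these are the ones restorecon -Rv would reset, provided a
# matching fcontext rule exists.
mislabeled_files() {
    want=$2
    printf '%s\n' "$1" | while IFS= read -r line; do
        set -f
        set -- $line
        [ "$(context_type "$4")" = "$want" ] && continue
        printf '%s\n' "$5"
    done
}

# check_webroot PATHREGEX EXPECTED_TYPE: print the commands still needed, in
# the order the article gives them (fcontext rule first, then restorecon).
check_webroot() {
    t=$(fcontext_type_for "$FCONTEXT_LIST" "$1")
    if [ "$t" != "$2" ]; then
        echo "semanage fcontext -a -t $2 '$1'"
    fi
    bad=$(mislabeled_files "$LS_Z_OUTPUT" "$2")
    if [ -n "$bad" ]; then
        echo "restorecon -Rv <webroot>   # would relabel: $(printf '%s' "$bad" | tr '\n' ' ')"
    fi
    if [ "$t" = "$2" ] && [ -z "$bad" ]; then
        echo "ok: labels already correct"
    fi
}

check_webroot '/srv/www(/.*)?' httpd_sys_content_t
```

The order matters: running restorecon before the fcontext rule exists would "restore" the files to whatever the default rules say (for an unknown path, typically default_t), not to httpd_sys_content_t.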

2. Let Apache listen on non-standard ports

By default, Apache is only allowed to listen on ports 80 and 443. If you simply configure port 888, service httpd restart reports an error:

Starting httpd: (13)Permission denied: make_sock: could not bind to address [::]:888
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:888
no listening sockets available, shutting down
Unable to open logs

At this point, if you are on the desktop, the SELinux troubleshooting tool should report the error. On a terminal, look in /var/log/messages for the alert ID and run sealert -l <ID>, or browse the alerts directly with sealert -b. Either way, the content looks similar to the following:

SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 888.

*****  Plugin bind_ports (92.2 confidence) suggests  *************************

If you want to allow /usr/sbin/httpd to bind to network port 888
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 888
    where PORT_TYPE is one of the following: ntop_port_t, http_cache_port_t, http_port_t.

*****  Plugin catchall_boolean (7.83 confidence) suggests  *******************

If you want to allow system to run with NIS
Then you must tell SELinux about this by enabling the 'allow_ypbind' boolean.
Do
setsebool -P allow_ypbind 1

*****  Plugin catchall (1.41 confidence) suggests  ***************************

If you believe that httpd should be allowed name_bind access on the port 888 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

As you can see, SELinux proposes a solution for each of three different situations. The first one is what we want here, so follow its suggestion and enter:

semanage port -a -t http_port_t -p tcp 888

Then start the Apache service again.

This introduces the SELinux management tool semanage: its first argument names the kind of object to change (fcontext, port, and so on), followed by the action. See the man page for details.

3. Allow Apache to access and create a private website

If you want to build a personal website by placing files under ~/public_html/, you must allow this in the Apache policy. Usage:

setsebool httpd_enable_homedirs 1

setsebool toggles the parts of the SELinux policy that are controlled by boolean values. The current state of a boolean can be checked with getsebool.

By default, a setsebool change is kept only until the next reboot. To make it permanent, add the -P option, for example:

setsebool -P httpd_enable_homedirs 1
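The script below is an added example, not code from the original article or the SELinux project. It covers the port and boolean changes from sections 2 and 3 together: before emitting the semanage port -a or setsebool -P command the article shows, it checks captured semanage port -l and getsebool -a output to see whether the port is already labeled and whether the boolean is already on, so the commands are only printed when they would change something. The sample output is constructed, listing only a few real port types, and the column layout is assumed from the tools of the article's era.

```shell
#!/bin/sh
# Added example, not code from the original article: before running the
# semanage/setsebool commands the article shows, check whether the port label
# and the boolean are already in place, working from captured 'semanage port -l'
# and 'getsebool -a' output so it runs offline. Column layouts are assumed from
# the article's era of the tools; only a few real types are listed.

# Constructed sample of 'semanage port -l' output.
PORT_LIST='http_cache_port_t              tcp      3128, 8080, 8118, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
ntop_port_t                    tcp      3000-3001, 3005-3007'

# Constructed sample of 'getsebool -a' output.
BOOL_LIST='allow_ypbind --> off
httpd_can_network_connect --> off
httpd_enable_homedirs --> off
httpd_read_user_content --> on'

# port_in_range PORT SPEC: SPEC is either "n" or a range "lo-hi".
port_in_range() {
    case "$2" in
        *-*) lo=${2%-*}; hi=${2#*-}; [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ] ;;
        *)   [ "$1" -eq "$2" ] ;;
    esac
}

# port_type PORT_LIST PROTO PORT: the SELinux type PORT/PROTO is labeled with,
# or nothing if it is unlabeled (which is why bind() is denied for httpd).
port_type() {
    proto=$2; port=$3
    printf '%s\n' "$1" | while IFS= read -r line; do
        set -f
        set -- $line
        ptype=$1
        [ "$2" = "$proto" ] || continue
        shift 2
        for spec; do
            spec=${spec%,}
            if port_in_range "$port" "$spec"; then
                printf '%s\n' "$ptype"
                break 2
            fi
        done
    done
}

# bool_state BOOL_LIST NAME: on/off for a boolean, or nothing if unknown.
bool_state() {
    name=$2
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            "$name --> "*) printf '%s\n' "${line#"$name --> "}"; break ;;
        esac
    done
}

# plan_apache_port PORT_LIST PORT: emit the semanage command only if needed.
# A port already owned by another type is reported rather than re-labeled,
# because taking it over silently changes what that other service may bind.
plan_apache_port() {
    t=$(port_type "$1" tcp "$2")
    case "$t" in
        http_port_t) echo "ok: tcp/$2 is already http_port_t" ;;
        "")          echo "semanage port -a -t http_port_t -p tcp $2" ;;
        *)           echo "tcp/$2 is labeled $t; review before changing it" ;;
    esac
}

# plan_bool BOOL_LIST NAME WANTED: emit the persistent setsebool only if needed.
plan_bool() {
    s=$(bool_state "$1" "$2")
    if [ -z "$s" ]; then
        echo "unknown boolean: $2"; return 1
    elif [ "$s" = "$3" ]; then
        echo "ok: $2 is already $3"
    else
        echo "setsebool -P $2 $3"
    fi
}

plan_apache_port "$PORT_LIST" 888
plan_apache_port "$PORT_LIST" 80
plan_apache_port "$PORT_LIST" 3000
plan_bool "$BOOL_LIST" httpd_enable_homedirs on
```

setsebool accepts both on/off and 1/0, so the generated command is equivalent to the article's setsebool -P httpd_enable_homedirs 1. Note that semanage port -a fails if the port is already defined with another type, which is the case the last branch of plan_apache_port reports instead of forcing.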

Summary

I hope this short tutorial has cleared up your misunderstanding of, or fear of, SELinux. Personally, I do not find it any more complicated than iptables policy. If you want your server to defend effectively against 0-day attacks, SELinux is a mitigation worth considering.

Original article: http://linuxtoy.org/archives/selinux-introduction.html
