Getting started with SELinux

Source: Internet
Author: User

Almost everyone has heard of SELinux (or, more accurately, has tried to disable it), and some may carry a bias against it from past experience. However, with 0-day security vulnerabilities on the rise, it may be time to revisit this eight-year-old Mandatory Access Control (MAC) system in the Linux kernel.

SELinux and Mandatory Access Control System

SELinux, short for Security-Enhanced Linux, is an implementation of a mandatory access control (MAC) system: it specifies which resources (files, network ports, and so on) a process is allowed to access.

The purpose of a mandatory access control system is to enhance the system's ability to defend against 0-day attacks (attacks that exploit undisclosed vulnerabilities). It is therefore not a substitute for a network firewall or ACLs, and it does not duplicate their function.

For example, suppose Apache on the system is found to have a vulnerability that lets a remote user read sensitive files on the system (such as /etc/passwd, to obtain the list of existing users), but the Apache patch fixing this vulnerability has not yet been released. In this case SELinux can mitigate the vulnerability: because /etc/passwd does not carry a label that Apache is allowed to access, Apache's attempt to read /etc/passwd is blocked by SELinux.

Compared with other mandatory access control systems, SELinux has the following advantages:

  • The control policy is queryable, rather than invisible to the program.
  • The policy can be changed on the fly, without restarting or stopping services.
  • The policy can control process initialization, inheritance, and program execution.
  • The control scope covers file systems, directories, files, open file descriptors, ports, message interfaces, and network interfaces.

So what is the impact of SELinux on system performance? According to the comparison phoronix ran on Fedora 11 in 2009, enabling SELinux reduces system performance by about 5%, and only in a few cases.

Does SELinux affect general desktop use and program development? Originally, SELinux policies mainly targeted server environments. With extensive use over the past eight years, however, SELinux policies now satisfy both the security and the convenience requirements of general desktop and development environments.
Taking the just-released Fedora 15 as an example, the author set up a complete entertainment environment (including several third-party native Linux games and Wine games) and a development environment (Android SDK + Eclipse); only the first run of the Wine program was blocked by the default SELinux policy, and that was solved with a single click of a button in the troubleshooting tool.

Understanding and configuring SELinux

1. Get the current SELinux running status

getenforce

There are three possible results: Enforcing, Permissive and Disabled. Disabled means SELinux is turned off; Permissive means that security warnings are only logged and suspicious behaviour is not blocked; Enforcing means that warnings are logged and suspicious behaviour is blocked.

Currently, in common releases, RHEL and Fedora are set to enforcing by default, while others, such as opensuse, are set to permissive.

2. Change the running status of SELinux

setenforce [ Enforcing | Permissive | 1 | 0 ]

This command changes the running state of SELinux immediately, switching between Enforcing and Permissive, and the change persists until shutdown. A typical use is to check whether a service or program fails to run because of SELinux: if it still fails after setenforce 0, the cause is certainly not SELinux.

If you want to change the running mode of SELinux permanently, edit the configuration file /etc/sysconfig/selinux. Note: after switching from Disabled to Permissive or Enforcing, you must restart the computer and recreate the security labels for the entire file system (touch /.autorelabel && reboot).
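Because setenforce only lasts until shutdown while /etc/sysconfig/selinux decides what the next boot does, the two can silently disagree (for instance after a debugging session that ended with setenforce 0). The following added example, which is not part of the original article, reads the persistent mode from text in the /etc/sysconfig/selinux format and compares it with the mode getenforce reports; the config content and the runtime value in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): compare the persistent SELinux
# mode (SELINUX= in /etc/sysconfig/selinux) with the runtime mode printed by
# getenforce, so a forgotten "setenforce 0" shows up as drift.

# Print the SELINUX= value, lower-cased, from config text on stdin. Comment
# lines, surrounding whitespace and trailing comments are ignored.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
        | tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# selinux_drift RUNTIME CONFIGURED: RUNTIME is the word getenforce prints
# ("Enforcing", "Permissive" or "Disabled"); prints "ok" or "drift".
selinux_drift() {
    runtime=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    if [ "$runtime" = "$2" ]; then
        echo ok
    else
        echo drift
    fi
}

# Constructed stand-in for /etc/sysconfig/selinux.
sample_config() {
    cat <<'EOF'
# This file controls the state of SELinux on the system (constructed sample).
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
}

# Demo: the config says enforcing, but the (constructed) runtime mode is
# Permissive, so the result is "drift". On a real host use:
#   selinux_drift "$(getenforce)" "$(selinux_config_mode < /etc/sysconfig/selinux)"
demo() {
    configured=$(sample_config | selinux_config_mode)
    selinux_drift "Permissive" "$configured"
}

demo
```

A "drift" result after a reboot-free change is expected; the same check in a cron job or a configuration audit catches the case where an administrator meant to re-enable enforcing mode and forgot.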

3. SELinux running Policy

The configuration file /etc/sysconfig/selinux also holds the SELinux running policy, set through the SELINUXTYPE value. This value has two possibilities: targeted, where SELinux only confines a predefined set of network services and access requests, and strict, where all network services and access requests must go through SELinux.

RHEL and Fedora are set to targeted, which includes SELinux policy configuration for almost all common network services; it is installed by default and can be used directly without modification.

If you want to edit SELinux policy, there is also the command-line policy editor seedit and the Eclipse editing plug-in eclipse-slide.

4. SELinux support in the coreutils tools

Common coreutils tools such as ps and ls accept a -Z option that shows SELinux information.

For example, ps auxZ | grep lldpad

system_u:system_r:initrc_t:s0 root 1000 8.9 0.0 3040 668 ? Ss 21:01 6:08 /usr/sbin/lldpad -d

For example, ls -Z /usr/lib/xulrunner-2/libmozjs.so

-rwxr-xr-x. root root system_u:object_r:lib_t:s0 /usr/lib/xulrunner-2/libmozjs.so

The -Z option is accepted by almost all coreutils tools in the same way.
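The label column that ps -Z prints is more useful when summarised across the whole process list: the third colon-separated field of the context is the domain, and a daemon shown in initrc_t (as lldpad is above) has no dedicated policy and is therefore barely confined. The following is an added example, not code from the original article; the ps auxZ output it parses is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original article): summarise the SELinux domains of
# running processes from "ps auxZ"-style output. The sample lines are constructed.

# Constructed stand-in for "ps auxZ" output (LABEL is column 1, PID column 3,
# COMMAND column 12).
sample_ps() {
    cat <<'EOF'
LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
system_u:system_r:initrc_t:s0 root 1000 8.9 0.0 3040 668 ? Ss 21:01 6:08 /usr/sbin/lldpad -d
system_u:system_r:httpd_t:s0 apache 1203 0.0 0.3 29800 4120 ? S 21:02 0:00 /usr/sbin/httpd
system_u:system_r:httpd_t:s0 apache 1204 0.0 0.3 29800 4120 ? S 21:02 0:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 alice 1500 0.0 0.1 5200 2200 pts/0 Ss 21:05 0:00 -bash
EOF
}

# Print "type count" for each process domain, most populous first. The type is
# the third colon-separated field of user:role:type:level; the MLS level may
# itself contain colons, which is why the split takes field 3 and not the last.
domain_summary() {
    awk 'NR > 1 { split($1, c, ":"); n[c[3]]++ }
         END { for (t in n) print t, n[t] }' | sort -k2,2nr -k1,1
}

# List PID and command of processes still in initrc_t: they were started by an
# init script but have no dedicated domain, so they get much weaker confinement
# than a daemon with its own policy such as httpd_t.
initrc_processes() {
    awk 'NR > 1 && $1 ~ /:initrc_t:/ { print $3, $12 }'
}

sample_ps | domain_summary
sample_ps | initrc_processes
# On a real host: ps auxZ | domain_summary ; ps auxZ | initrc_processes
```

Run against a real host, the initrc_t list is a quick inventory of services that would benefit from a proper policy module, and the domain summary shows at a glance which processes the targeted policy actually confines.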

Apache SELinux configuration instance

1. Allow Apache to serve website files from a non-default directory

First, use semanage fcontext -l | grep '/var/www' to find the default SELinux context of the /var/www directory:

/var/www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0

From this we can see that Apache can only access files labelled httpd_sys_content_t.

Suppose you want Apache to use /srv/www as the website directory. You need to give the files under this directory the httpd_sys_content_t label, which takes two steps.

First, add the default label type for files under the /srv/www directory: semanage fcontext -a -t httpd_sys_content_t '/srv/www(/.*)?'
Then apply the new label type to the existing files: restorecon -Rv /srv/www
After that, Apache can serve the website from the files in this directory.

restorecon is used throughout SELinux administration to restore a file's default label. For example, if you copy a file from a user's home directory into the Apache website directory, Apache cannot read it by default, because files in a home directory carry the user_home_t label. In this case restorecon resets it to the httpd_sys_content_t type that Apache is allowed to access:

restorecon reset /srv/www/foo.com/html/file.html context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
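The situation above (a file copied into the web root that still carries user_home_t) is easy to detect before Apache fails: compare each file's current type with the type the fcontext rules assign to its path, which is what restorecon -nv does. The following is an added example, not the article's or the SELinux project's code; the fcontext rule list and the ls -lZ lines are constructed samples, and the matcher simply takes the last rule whose regex covers the whole path, a simplification of the real file_contexts precedence rules.

```shell
#!/bin/sh
# Added example (not from the original article): report files whose current label
# differs from the policy default, i.e. what "restorecon -nv" would list.
# Rule list and "ls -lZ" lines are constructed; matching takes the last rule
# whose regex matches the whole path (a simplification of file_contexts).

# Constructed stand-in for "semanage fcontext -l" output.
sample_fcontext_rules() {
    cat <<'EOF'
/srv/www(/.*)?  all files  system_u:object_r:httpd_sys_content_t:s0
/var/www(/.*)?  all files  system_u:object_r:httpd_sys_content_t:s0
/home/[^/]+/.+  all files  unconfined_u:object_r:user_home_t:s0
EOF
}

# expected_type RULES PATH: print the type the rules assign to PATH, or an
# empty line if no rule matches. The context is the last field of each rule.
expected_type() {
    printf '%s\n' "$1" | awk -v p="$2" '
        NF && p ~ ("^" $1 "$") { split($NF, c, ":"); t = c[3] }
        END { print t }'
}

# stale_labels RULES: read "ls -lZ" lines (perms user group context path) on
# stdin and print every file whose type differs from what the rules expect.
stale_labels() {
    while read -r perms user group ctx path; do
        [ -n "$path" ] || continue          # skips the "total N" line of ls -l
        cur=$(printf '%s' "$ctx" | cut -d: -f3)
        exp=$(expected_type "$1" "$path")
        if [ -n "$exp" ] && [ "$cur" != "$exp" ]; then
            echo "$path $cur -> $exp"
        fi
    done
}

demo() {
    rules=$(sample_fcontext_rules)
    # Constructed "ls -lZ" output: index.html is labelled correctly, file.html
    # was copied from a home directory and still carries user_home_t.
    stale_labels "$rules" <<'EOF'
-rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 /srv/www/foo.com/html/index.html
-rw-r--r--. alice alice unconfined_u:object_r:user_home_t:s0 /srv/www/foo.com/html/file.html
EOF
}

demo
# On a real host: ls -lZ /srv/www/foo.com/html | stale_labels "$(semanage fcontext -l)"
```

Each reported line names a file that restorecon -Rv would relabel; running the check from a deployment script turns a mysterious 403 into an explicit "wrong label" finding.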

2. Let Apache listen on non-standard ports

By default, Apache is only allowed to listen on ports 80 and 443. If it is configured to listen on another port, such as 888, service httpd restart fails with an error:

Starting httpd: (13)Permission denied: make_sock: could not bind to address [::]:888

(13)Permission denied: make_sock: could not bind to address 0.0.0.0:888

no listening sockets available, shutting down

Unable to open logs

In this case the SELinux troubleshooting tool should already have reported an error. If you are working in a terminal, you can look through the /var/log/messages log and then view the entry with sealert -l followed by its serial number, or browse directly with sealert -b. Either way, the content is similar to the following:

SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 888.

***** Plugin bind_ports (92.2 confidence) suggests *************************

If you want to allow /usr/sbin/httpd to bind to network port 888

Then you need to modify the port type.

Do

# semanage port -a -t PORT_TYPE -p tcp 888

where PORT_TYPE is one of the following: ntop_port_t, http_cache_port_t, http_port_t.

***** Plugin catchall_boolean (7.83 confidence) suggests *******************

If you want to allow system to run with NIS

Then you must tell SELinux about this by enabling the 'allow_ypbind' boolean.

Do

setsebool -P allow_ypbind 1

***** Plugin catchall (1.41 confidence) suggests ***************************

If you believe that httpd should be allowed name_bind access on the port 888 tcp_socket by default.

Then you should report this as a bug.

You can generate a local policy module to allow this access.

Do

allow this access for now by executing:

# grep httpd /var/log/audit/audit.log | audit2allow -M mypol

# semodule -i mypol.pp

We can see that SELinux suggests a solution for each of three different situations. Here the first case is what we want, so follow its suggestion and enter:

semanage port -a -t http_port_t -p tcp 888

and then start the Apache service again.

Here we meet semanage, the SELinux management configuration tool. Its first argument names the kind of object to change (port, fcontext, and so on), followed by the action. See the man page for details.
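The sealert output above is derived from the raw AVC records in /var/log/audit/audit.log, and the same records are what audit2allow reads. The following added example, which is not code from the original article or from the SELinux tools, summarises AVC denials directly from audit-log text and maps each to the kind of fix this section discusses (port label, file label, or a boolean). The log lines are constructed, following the kernel's AVC record layout; the field names in them (comm, scontext, tcontext, tclass) are the real ones.

```shell
#!/bin/sh
# Added example (not from the original article): summarise AVC denials from
# audit.log text and suggest which class of fix applies. Log lines are constructed.

sample_audit() {
    cat <<'EOF'
type=AVC msg=audit(1305900110.125:31): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=888 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1305900115.301:32): avc:  denied  { name_bind } for  pid=1240 comm="httpd" src=888 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1305900200.077:33): avc:  denied  { read } for  pid=1250 comm="httpd" name="file.html" dev=sda2 ino=1177 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1305900200.077:33): arch=c000003e syscall=2 success=no exit=-13
EOF
}

# Print one line per distinct denial, sorted:
#   comm permissions tclass source_type target_type count
# The permission set sits between "{" and "}"; the other fields are key=value.
avc_summary() {
    awk '/avc: +denied/ {
        comm = ""; perm = ""; tclass = ""; s = ""; t = ""; inset = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inset = 1; continue }
            if ($i == "}") { inset = 0; continue }
            if (inset) { perm = perm (perm == "" ? "" : ",") $i; continue }
            split($i, kv, "=")
            if (kv[1] == "comm") comm = kv[2]
            else if (kv[1] == "tclass") tclass = kv[2]
            else if (kv[1] == "scontext") { split(kv[2], c, ":"); s = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); t = c[3] }
        }
        gsub(/"/, "", comm)
        n[comm " " perm " " tclass " " s " " t]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

# fix_hint TCLASS PERM: the class of remedy covered in this article.
fix_hint() {
    case "$1:$2" in
        tcp_socket:name_bind|udp_socket:name_bind)
            echo "port label: semanage port -a -t <type> -p <proto> <port>" ;;
        file:*|dir:*)
            echo "file label: semanage fcontext + restorecon, or a boolean" ;;
        *)
            echo "inspect with sealert; check getsebool -a" ;;
    esac
}

sample_audit | avc_summary | while read -r comm perm tclass s t count; do
    echo "$count x $comm $perm on $tclass ($s -> $t): $(fix_hint "$tclass" "$perm")"
done
# On a real host: avc_summary < /var/log/audit/audit.log
```

Grouping by source type, target type and permission is what makes the output actionable: two name_bind denials against reserved_port_t collapse into one port-labelling decision, while the read denial on user_home_t points at a relabel rather than at a new port rule. It is also a sanity check before running audit2allow, which would otherwise turn every denial into an allow rule.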

3. Allow Apache to access and create a private website

If you want users to build personal websites by placing files under ~/public_html/, you must allow this in the Apache policy. Usage:

setsebool httpd_enable_homedirs 1

setsebool toggles the parts of the SELinux policy that are controlled by boolean values. The current status of a boolean can be read with getsebool.

By default, setsebool settings last only until the next reboot. To make them permanent, add the -P parameter, for example:

setsebool -P httpd_enable_homedirs 1

Summary

I hope this short tutorial eliminates your misunderstanding of, or fear of, SELinux. I personally feel that it is no more complicated than an iptables policy. If you want your server to defend effectively against 0-day attacks, SELinux may be a mitigation worth considering.

Thank you

This article draws heavily on the SELinux tutorial series published by Vincent Danen on TechRepublic (parts 1, 2 and 3). We pay tribute to Vincent Danen.
