SELinux Introduction (repost)

Source: Internet
Author: User
Tags: nginx, server, least privilege

1. Preface

Security-Enhanced Linux, abbreviated SELinux, is a Linux kernel module and a security subsystem for Linux. SELinux was developed primarily by the US National Security Agency, and Linux kernel 2.6 and later integrate the SELinux module. The structure and configuration of SELinux are very complex and involve many concepts, so it is hard to learn thoroughly, and many Linux system administrators simply turn SELinux off in frustration. If you can master SELinux and use it correctly, I think the whole system can basically reach the point of being "indestructible" (always remember that there is no absolute security). Mastering the basic concepts of SELinux and its simple configuration methods is a required course for every Linux system administrator.

Here I share what I have learned along the way; mistakes are unavoidable, so treat this as reference only. If you find an error, please point it out, many thanks! The test environment for this article is CentOS 7.4.1708.

2. The role of SELinux and its permission-management mechanism

2.1 The role of SELinux

The primary role of SELinux is to minimize the resources that a service process can access on the system (the principle of least privilege).

Imagine a 0-day vulnerability in a network service running as root: whoever exploits it can do anything root can do on your server. Isn't that frightening?

SELinux exists to solve this problem.

2.2 DAC

In an operating system that does not use SELinux, the factor that decides whether a resource may be accessed is whether the resource grants the corresponding user the permission (read, write, execute).

As long as the process accessing the resource satisfies that condition, the access is allowed.

The most serious problem is that the root user is under no control at all and has unlimited access to every resource on the system.

The subject of this permission-management mechanism is the user, so it is called discretionary access control (DAC).

2.3 MAC

In an operating system that uses SELinux, whether a resource may be accessed depends not only on the factor above but also on whether the type of the process is allowed to access the type of the resource.

This way, even if the process runs as root, the process type and the resource type are still checked before access to a resource is allowed. The activity space of a process can thus be shrunk to a minimum: even a service process running as root can generally access only the resources it needs. If the program has a vulnerability, the impact is limited to the resources it is allowed to access, and security is greatly improved.

The subject of this permission-management mechanism is the process, so it is called mandatory access control (MAC). MAC is further subdivided into two modes: Multi-Category Security (MCS) and Multi-Level Security (MLS). Unless stated otherwise, the operations below use MCS mode. Under DAC, a directory can be accessed as long as it grants the corresponding user the appropriate permissions; under MAC, the process is additionally limited to the set of directories it is allowed to access.

3. Basic concepts of SELinux

[Figure: SELinux decision-making process]

3.1 Subject: can simply be regarded as a process. Note: for ease of understanding, unless stated otherwise, "process" below refers to the subject.

3.2 Object: the resource accessed by the subject. It can be a file, directory, port, device, and so on. Note: for ease of understanding, unless stated otherwise, "file" or "directory" below refers to the object.

3.3 Policy and rules (policy & rule): there are usually a great many files and processes on a system, so to save time and overhead we usually control only selected processes. Which processes are controlled, and how, is determined by the policy. A policy contains many rules. Some rules can be enabled or disabled as required (rules of that kind are called Boolean rules below). Rules are modular and extensible: when a new application is installed, it adds its rules as a new module, and users can also add and remove rules by hand.

On CentOS 7 there are three policies to choose from:

    1. targeted: most network service processes are controlled. This is the system default (and the policy used below).

    2. minimum: based on targeted, but only selected network service processes are controlled. Rarely used.

    3. mls: multi-level security, controlling all processes. This is the strictest policy and is very difficult to configure. Rarely used, unless there is an extremely high security requirement.

The policy is set in /etc/selinux/config.

3.4 Security context

The security context is the core of SELinux. I divide security contexts into the "process security context" and the "file security context".

A "process security context" usually corresponds to several "file security contexts". A process can access a file only if the two security contexts correspond, and which ones correspond is determined by the rules in the policy.

The file security context is determined by where the file is created and by the process that creates it. The system has default values, and the user can also set default values. Note that simply moving a file does not change its security context.

    • Structure and meaning of the security context

The security context has four fields separated by colons, in the form user:role:type:level, for example system_u:object_r:admin_home_t:s0.

Process security context:

    • User: two main categories.
        system_u: a system-service process, subject to control.
        unconfined_u: an uncontrolled process, usually started by the user, such as bash.

    • Role: two main categories.
        system_r: a system-service process, subject to control.
        unconfined_r: an uncontrolled process, usually started by the user, such as bash.

    • Type: in targeted mode, the only field that needs attention. Only when the type of the process corresponds to the type of the file (corresponds, not necessarily identical) can the process access the file.

    • Level: MLS security level. Only meaningful in MLS mode.

File security context:

    • User: two main categories.
        system_u: a file created by a system service.
        unconfined_u: a file created by the user.

    • Role: always object_r, which denotes a file.

    • Type: in targeted mode, the only field that needs attention. Only when the type of the process corresponds to the type of the file (corresponds, not necessarily identical) can the process access the file.

    • Level: MLS security level. Only meaningful in MLS mode.
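The four-field layout above is easy to get wrong when scripting, because the level field may itself contain colons (the crond process shown later in this article carries s0-s0:c0.c1023). The shell functions below are an added example, not code from the original post: they split a context on its first three colons only and classify it the way the table does (object_r means a file, system_u:system_r means a controlled service process). The function names are this example's own; the sample contexts are constructed, three of them copied from this page.

```shell
# ctx_field CONTEXT FIELD
# Print one field (user, role, type or level) of an SELinux security context.
# The level can contain colons and ranges, as in s0-s0:c0.c1023, so the
# context is split on its first three colons only and everything after the
# third colon is treated as the level.
ctx_field() {
    ctx="$1"
    case "$2" in
        user)  printf '%s\n' "$ctx" | cut -d: -f1 ;;
        role)  printf '%s\n' "$ctx" | cut -d: -f2 ;;
        type)  printf '%s\n' "$ctx" | cut -d: -f3 ;;
        level) printf '%s\n' "$ctx" | cut -d: -f4- ;;
        *)     echo "ctx_field: unknown field '$2'" >&2; return 1 ;;
    esac
}

# ctx_describe CONTEXT
# Print the context one field per line, the way the table above lays it out.
ctx_describe() {
    for f in user role type level; do
        printf '%-5s %s\n' "$f" "$(ctx_field "$1" "$f")"
    done
}

# ctx_kind CONTEXT
# Classify a context using the user and role fields as the table describes:
# object_r is a file, system_u:system_r is a service process under control,
# unconfined_u is a user process that SELinux does not confine.
ctx_kind() {
    u="$(ctx_field "$1" user)"
    r="$(ctx_field "$1" role)"
    if [ "$r" = "object_r" ]; then
        echo "file"
    elif [ "$u" = "system_u" ] && [ "$r" = "system_r" ]; then
        echo "confined process"
    elif [ "$u" = "unconfined_u" ]; then
        echo "unconfined process"
    else
        echo "other"
    fi
}

# Constructed sample contexts (the first three appear on this page).
for c in system_u:object_r:admin_home_t:s0 \
         system_u:system_r:httpd_t:s0 \
         system_u:system_r:crond_t:s0-s0:c0.c1023 \
         unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023; do
    echo "== $c ($(ctx_kind "$c"))"
    ctx_describe "$c"
done
```

On a real system the same functions can be fed the output of ls -Z or ps auxZ from section 4; in targeted mode the type field they extract is the one that decides whether the process may touch the file.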

3.5 SELinux operating modes

SELinux has three operating modes:

    1. enforcing: enforcing mode. Actions that violate SELinux rules are blocked and recorded in the log.

    2. permissive: permissive mode. Actions that violate SELinux rules are only recorded in the log. Generally used for debugging.

    3. disabled: SELinux is turned off.

The SELinux operating mode is set in /etc/selinux/config.

Switching from disabled to enforcing or permissive requires a reboot, and the same applies in the other direction. Switching between enforcing and permissive can be done immediately with the command setenforce 1|0.

Note that if the system has run for a while with SELinux turned off, the first reboot after turning SELinux on may be slow, because the system must create a security context for every file on the disk (I once waited about 10 minutes on such a reboot and thought the machine had frozen...).

SELinux logging depends on the auditd.service; please do not disable it.

4. Basic operations of SELinux

4.1 Querying the security context of a file or directory

    • Basic usage

ls -Z <file or directory>

    • Example

Query the security context of /etc/hosts:

ls -Z /etc/hosts

    • Result

-rw-r--r--. root root system_u:object_r:net_conf_t:s0 /etc/hosts

4.2 Querying the security context of a process

    • Basic usage

ps auxZ | grep -v grep | grep <process name>

    • Example

Query the security context of the nginx processes:

ps auxZ | grep -v grep | grep nginx

    • Result

system_u:system_r:httpd_t:s0 root 7997 0.0 0.0 122784 2156 ? Ss 14:31 0:00 nginx: master process /usr/sbin/nginx
system_u:system_r:httpd_t:s0 nginx 7998 0.0 0.0 125332 7560 ? S 14:31 0:00 nginx: worker process

4.3 Manually modifying the security context of a file or directory

    • Basic usage

chcon <options> <file or directory 1> [<file or directory 2> ...]

    Option                           Function
    -u <value>                       Modify the user field of the security context
    -r <value>                       Modify the role field of the security context
    -t <value>                       Modify the type field of the security context
    -l <value>                       Modify the level field of the security context
    --reference <file or directory>  Set the security context to that of the given file or directory
    -R                               Recurse into directories
    -h                               Modify the symbolic link itself (without this option, the file the link points to is modified)

    • Example

Set the security context of test to aaa_u:bbb_r:ccc_t:s0:

chcon -u aaa_u -r bbb_r -t ccc_t test

4.4 Restoring the security context of a file or directory to its default

    • Basic usage

restorecon [options] <file or directory 1> [<file or directory 2> ...]

    • Example

After adding web page files to the nginx site directory, set the correct security context on the new files:

restorecon -R /usr/share/nginx/html/

4.5 Querying the Boolean rules on the system and their state

    • Basic usage

getsebool -a

Since the command either lists all rules or queries a single named rule, it is common to list all rules and then filter with grep.

    • Example

Query the Boolean rules related to httpd:

getsebool -a | grep httpd

    • Result

httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
(remaining lines omitted)

4.6 Switching a Boolean rule

    • Basic usage

setsebool [options] <rule name> <on|off>

    • Example

Turn on the httpd_anon_write rule (the -P option makes the change persist across reboots):

setsebool -P httpd_anon_write on

4.7 Adding a default security context for a directory

    • Basic usage

semanage fcontext -a -t <type field of the file security context> "<directory without trailing slash>(/.*)?"

Note: the default security context of a directory or file can be viewed with the semanage fcontext -l command, filtered with grep.

    • Example

After adding a site directory /usr/share/nginx/html2 for nginx, give it the same default security context as the original directory:

semanage fcontext -a -t httpd_sys_content_t "/usr/share/nginx/html2(/.*)?"

4.8 Adding a port that a class of processes is allowed to use

    • Basic usage

semanage port -a -t <service type> -p <protocol> <port number>

Note: the ports allowed for each service type can be viewed with the semanage port -l command, filtered with grep.

    • Example

nginx needs to serve HTTP on port 10080:

semanage port -a -t http_port_t -p tcp 10080

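Sections 4.4, 4.7 and 4.8 together form one procedure for a new nginx site: register the default context for the directory, relabel what is already in it, and allow the extra port. The script below collects that procedure into reusable functions; it is an added example, not code from the original post. semanage, restorecon and the type names come from the sections above, while the DRY_RUN variable (print the privileged commands instead of running them) and the function names are this example's own conventions. It also adds two checks the sections do not spell out: semanage fcontext -a and semanage port -a refuse to add a mapping that already exists, so each function looks the mapping up first, and the fcontext change alone does not relabel existing files, so restorecon follows it.

```shell
#!/bin/sh
# Set DRY_RUN=1 to print the privileged commands instead of executing them.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# fcontext_pattern DIR
# Build the regex semanage expects: the directory without its trailing
# slash, followed by (/.*)? so that everything beneath it matches too.
fcontext_pattern() {
    printf '%s(/.*)?\n' "${1%/}"
}

# fcontext_defined PATTERN -> succeed if the pattern is already registered.
# The pattern is the first column of `semanage fcontext -l`.
fcontext_defined() {
    semanage fcontext -l 2>/dev/null | awk '{print $1}' | grep -F -x -q -- "$1"
}

# label_site_dir DIR TYPE
# Register the default context for DIR (add, or modify if already present)
# and then relabel the files that already exist there.
label_site_dir() {
    dir="${1%/}"
    type="$2"
    pattern="$(fcontext_pattern "$dir")"
    if fcontext_defined "$pattern"; then
        run semanage fcontext -m -t "$type" "$pattern"
    else
        run semanage fcontext -a -t "$type" "$pattern"
    fi
    # The policy now knows the default; restorecon applies it to existing files.
    run restorecon -R -v "$dir"
}

# port_assigned TYPE PROTO PORT -> succeed if PORT is already listed for TYPE,
# either on its own or inside a range such as 8000-8010.
port_assigned() {
    semanage port -l 2>/dev/null | awk -v t="$1" -v p="$2" -v n="$3" '
        $1 == t && $2 == p {
            for (i = 3; i <= NF; i++) {
                gsub(/,/, "", $i)
                if ($i == n) found = 1
                else if (split($i, r, "-") == 2 && n + 0 >= r[1] + 0 && n + 0 <= r[2] + 0) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# allow_port TYPE PROTO PORT: add PORT to TYPE unless it is already listed.
allow_port() {
    if port_assigned "$1" "$2" "$3"; then
        echo "$2/$3 is already assigned to $1"
    else
        run semanage port -a -t "$1" -p "$2" "$3"
    fi
}

# Usage, matching the examples in 4.7 and 4.8 (run as root on a real host):
#   label_site_dir /usr/share/nginx/html2 httpd_sys_content_t
#   allow_port http_port_t tcp 10080
```

After running it for real, ls -Z on the new directory (section 4.1) should show httpd_sys_content_t, and semanage port -l | grep http_port_t should list 10080.
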

5. SELinux error analysis and resolution

5.1 Understanding the SELinux log

When SELinux is turned on, some of the normal behaviour of many services is treated as a violation (the "errors" in the title and below refer to such violations).

At that point we need the SELinux violation log to analyse and resolve the problem.

The SELinux violation log is saved in /var/log/audit/audit.log. Its content looks roughly like this:

type=LOGIN msg=audit(1507898701.391:515): pid=8523 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=25 res=1
type=USER_START msg=audit(1507898701.421:516): pid=8523 uid=0 auid=0 ses=25 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
...

The file is long and mixed with many system audit records unrelated to SELinux errors, so we use the sealert utility to help with the analysis (install the setroubleshoot package if the command is not found).

5.2 Analysing errors with sealert

    • Basic usage

sealert -a /var/log/audit/audit.log

After the command is run, the system takes a while to analyse the violations in the log and then produces an analysis report.

5.3 How to resolve SELinux errors by hand

When a service fails, search the sealert analysis report for the name of the service process. If it does not appear there, the error was not caused by SELinux; look elsewhere.

The next step is to read the sealert analysis report.

The first thing to establish is the reason for the violation. If the violation involves files or resources that the service should not be accessing at all, be careful: the service may be misconfigured, or the service itself may have a vulnerability. Check the service's configuration file first.

The analysis report usually offers two or three solutions for a violation. Choose a simple, easy-to-understand one, such as changing a Boolean value or setting a default security context.

If no such simple, easy-to-understand solution is offered, search the web first to see whether there is a better solution.

Note that the confidence value is only a reference; the solution with the highest confidence will not necessarily solve the problem. My personal impression is that the higher the confidence of a solution, the smaller the change it makes to the system.

Remember, however: before applying a solution, make sure you understand what the commands in it do!

Finally, use the audit2allow command with caution. What it does is simple and crude: it takes the denials that were encountered, packages them into an SELinux module, and loads that module so the denials no longer occur. Do not use audit2allow unless it is a last resort.
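Before reaching for sealert or audit2allow it helps to see, for each denial, which source type was refused which permission on which target type; that is the "reason for the violation" step above, and it is also the AVC record type that is buried among the unrelated entries described in 5.1. The functions below are an added example, not part of the original post: they pull the AVC denials out of an audit.log stream and summarise each one. The audit lines are constructed for this example (only the LOGIN record is copied from the page, the AVC and SYSCALL records are made up to resemble a docroot placed under a home directory and a bind to an unlisted port); the function names are the example's own.

```shell
# sample_audit: constructed audit.log excerpt for this example.
sample_audit() {
    cat <<'EOF'
type=LOGIN msg=audit(1507898701.391:515): pid=8523 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=25 res=1
type=AVC msg=audit(1507898760.112:530): avc:  denied  { read } for  pid=7998 comm="nginx" name="index.html" dev="dm-0" ino=67890 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1507898760.112:530): arch=c000003e syscall=2 success=no exit=-13 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1507898761.450:531): avc:  denied  { name_bind } for  pid=7997 comm="nginx" src=10080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# avc_summary: read audit records on stdin, keep only AVC denials, and print
# one line per denial:
#   <source type> -> <target type> (<class>) denied { <perms> } comm=<program>
avc_summary() {
    awk '
    /^type=AVC / && /denied/ {
        perms = $0
        sub(/.*denied *[{] */, "", perms)   # drop everything before the permission list
        sub(/ *[}].*/, "", perms)           # and everything after it
        s = t = cls = comm = ""
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            key = substr($i, 1, eq - 1)
            val = substr($i, eq + 1)
            if (key == "comm")          { gsub(/"/, "", val); comm = val }
            else if (key == "scontext") { split(val, p, ":"); s = p[3] }   # type is the third field
            else if (key == "tcontext") { split(val, p, ":"); t = p[3] }
            else if (key == "tclass")   { cls = val }
        }
        printf "%s -> %s (%s) denied { %s } comm=%s\n", s, t, cls, perms, comm
    }'
}

# avc_top: group identical denials and list the most frequent first.
avc_top() {
    avc_summary | sort | uniq -c | sort -rn
}

# denial_count: number of AVC denials on stdin, as a plain number.
denial_count() {
    avc_summary | grep -c .
}

# Stand-alone demonstration on the constructed excerpt. On a real host use
#   avc_summary < /var/log/audit/audit.log   (as root)
sample_audit | avc_summary
sample_audit | avc_top
```

The first sample denial is the kind 5.3 warns about: a web server process (httpd_t) reading a file labelled admin_home_t means the site content is sitting in a home directory, so the right fix is to move it or give the directory a proper default label (section 4.7), not to allow httpd_t into home directories. The second one is what appears before the port is added with semanage port (section 4.8).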
