James's Ramblings

SELinux

Created: August 13, 2020

Quick Reference

Description                                                   Command
Reports if SELinux is enforcing, permissive, or disabled.     getenforce
Put SELinux in enforcing mode.                                setenforce {Enforcing | 1}
Put SELinux in permissive mode.                               setenforce {Permissive | 0}
Basic information about SELinux status.                       sestatus
Display contexts of files and processes in sestatus.conf.     sestatus -v
Display the current state of SELinux booleans.                sestatus -b

  • /etc/sestatus.conf can be customised to show the contexts of additional files and processes.

Theory

Basics and Jargon

  • A subject initiates an action.
  • An object is the target of an action.
  • SELinux makes decisions based on context.
  • Labels are a representation of contexts.
  • SELinux only cares about labels/context, not PID, user, etc.

  • The -Z switch is the standard way to ask a tool for Linux Security Module information, e.g. ls -Z, ps -Z, and id -Z.

Contexts and Labels

SELinuxUser:SELinuxRole:SELinuxType:SensitivityLevel
  • SensitivityLevel may contain an additional colon; nevertheless there are only four fields.
  • SELinuxType, also called the domain, is the field that most rules relate to.

  • Example:
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
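
As an added example (not part of the original notes): a small Python parser that splits a label into its four fields and copes with the extra colon inside the sensitivity level, then applies the same parser to the first token of ls -Z and ps -Z style output. The sample lines are constructed here, not captured from a real system, and the suffix checks (_u, _r, _t) only enforce the naming conventions described above.

```python
from dataclasses import dataclass

# Constructed sample lines in the shape of `ls -Z` and `ps -Z` output
# (not captured from a real system).
LS_Z_LINE = "system_u:object_r:httpd_sys_content_t:s0 index.html"
PS_Z_LINE = "system_u:system_r:httpd_t:s0             4242 ?        00:00:01 httpd"
MLS_LABEL = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"


@dataclass(frozen=True)
class Context:
    user: str           # SELinuxUser, ends in _u
    role: str           # SELinuxRole, ends in _r
    selinux_type: str   # SELinuxType (the domain), ends in _t
    level: str          # SensitivityLevel, may itself contain ':'


def parse_context(label: str) -> Context:
    """Split a label into its four fields.

    Splitting on at most three colons keeps everything after the third
    colon together, so an MLS level such as "s0-s0:c0.c1023" is not cut
    into a bogus fifth field.
    """
    parts = label.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"expected 4 colon-separated fields in {label!r}, got {len(parts)}")
    user, role, selinux_type, level = parts
    # Sanity-check the naming conventions described in the notes.
    for value, suffix in ((user, "_u"), (role, "_r"), (selinux_type, "_t")):
        if not value.endswith(suffix):
            raise ValueError(f"{value!r} does not end in {suffix}")
    return Context(user, role, selinux_type, level)


def context_from_z_output(line: str) -> Context:
    """Extract the label from one line of `ls -Z` or `ps -Z` output.

    In both tools the label is the first whitespace-separated token, so
    the same parser serves files and processes.
    """
    label = line.split(None, 1)[0]
    if label == "?":
        raise ValueError("object carries no SELinux label")
    return parse_context(label)


if __name__ == "__main__":
    for line in (LS_Z_LINE, PS_Z_LINE, MLS_LABEL):
        ctx = context_from_z_output(line)
        print(f"{ctx.selinux_type:<22} level={ctx.level}")
```

The point of `split(":", 3)` is the edge case the notes call out: a naive `split(":")` on the MLS example would yield five pieces and mis-assign the level.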

SELinux Types

  • The SELinux Type determines the actions an application is allowed to take based on how it was executed.

  • By convention, SELinux type names end in _t.

SELinux Roles

  • The SELinux Role determines what a user can and cannot do.
  • By convention, SELinux role names end in _r.
  • Roles are somewhat distribution dependent, although user_r, staff_r, sysadm_r, secadm_r, and system_r are a soft standard.

Role          Description
user_r        Restricted users. End-user applications only.
staff_r       Non-critical users. Everything that user_r can do plus role switching.
sysadm_r      System administrators. Allows most tasks.
secadm_r      Security administrators. Can only make changes to SELinux.
system_r      Daemons and background processes. Quite a few privileges.
unconfined_r  Little to no interference from SELinux.
  • seinfo -r lists available roles. On RHEL 8 this is provided by setools-console.
  • seinfo -r ROLE_NAME -x outputs all the types allowed by a role.
RHEL 8

  • webadm_r can only administer SELinux types related to the Apache HTTP Server.
  • dbadm_r can only administer SELinux types related to the MariaDB database and the PostgreSQL database management system.
  • logadm_r can only administer SELinux types related to the syslog and auditlog processes.
  • secadm_r can only administer SELinux.
  • auditadm_r can only administer processes related to the Audit subsystem.

Source: RHEL 8 Documentation

SELinux Users

  • Different from Linux users.
  • Once set, it prevents the user from switching to a role that the SELinux user is not allowed to take.
  • By convention, SELinux user names end in _u.

Sensitivity Levels

  • Often not used.
  • Necessary for multilevel security (MLS).
  • Processes cannot read a resource with a higher confidentiality level (no read up) or write to a resource with a lower confidentiality level (no write down).

Policies

  • Distributed in compiled form as policy modules.

Run sealert

sealert -a /var/log/audit/audit.log

To-do

  • sestatus

  • chcon

  • restorecon

  • SELinux & GRUB

  • /etc/selinux/config

  • semodule

  • semanage

  • booleans

  • https://github.com/fedora-selinux

  • https://github.com/SELinuxProject/selinux/wiki

  • setroubleshoot-server

  • audit2allow

  • audit2why

  • sealert

  • ausearch

  • aureport

  • setroubleshootd

  • policycoreutils-python

  • policycoreutils

  • setools-console: sesearch, sediff, and seinfo

  • “In Red Hat Enterprise Linux 8, you can query the installed SELinux policy and generate new policy modules using the sepolicy tool.” policycoreutils-devel

  • /etc/selinux/targeted/contexts/files semanage fcontext

    https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-selinux_contexts_labeling_files-persistent_changes_semanage_fcontext