selinux cheatsheet


1 selinux "Security Enhanced Linux"

SELinux is a Linux kernel security module (an LSM) that adds access controls on top of the normal permission checks, chiefly mandatory access control (MAC): a policy written by the administrator, not the owner of a file, decides what a process may touch.

From wikipedia

A Linux kernel integrating SELinux enforces mandatory access control policies that confine user programs and system services, as well as access to files and network resources. Limiting privilege to the minimum required to work reduces or eliminates the ability of these programs and daemons to cause harm if faulty or compromised (for example via buffer overflows or misconfigurations).

The SELinux confinement mechanism operates independently of the traditional Linux (discretionary) access control (DAC) mechanisms. It has no concept of a "root" superuser, and does not share the well-known shortcomings of the traditional Linux security mechanisms, such as a dependence on setuid/setgid binaries.

From a purist perspective, SELinux provides a hybrid of concepts and capabilities drawn from mandatory access controls, mandatory integrity controls, role-based access control (RBAC), and type enforcement architecture.

From the Red Hat docs (access.redhat.com), SELinux fundamentally answers one question:

  • May <subject> do <action> to <object>?

for example: may the web server (running in the httpd_t domain) read a file in a user's home directory (labeled user_home_t)?

1.1 SELinux Context (a.k.a. SELinux label)

Every process and system resource (file, port, interface, etc.) carries a security label called a SELinux context. The context is an identifier that abstracts away the system-level details and describes only the security properties of the entity; the policy is written in terms of these labels, never in terms of paths, UIDs or addresses.

I like to think of them as analogous to Cisco TrustSec, which adds tags that let one abstract away the details of the specific subnets/addresses in a network and focus on just the security posture of the entity.

1.2 SELinux Context fields:

SELinux contexts have four fields. For every process and resource SELinux records a user, a role and a type (for a process the type is called its domain), plus a fourth field, the security level, which only matters for MLS (Multi Level Security) or MCS deployments; on a targeted-policy system it is s0 for nearly everything. All four together are the full SELinux context, written user:role:type:level.

  • user (names end in _u, e.g. system_u for files installed by packages, unconfined_u for files made by a logged-in user)
  • role (names end in _r, e.g. object_r for files and other passive objects, system_r for daemons)
  • type, or domain for a process (names end in _t, e.g. httpd_t, etc_t)
  • security level (e.g. s0, or an MLS/MCS range such as s0-s0:c0.c1023); with it included, the context is the "full SELinux context"

Of these, the type is the most important. Almost every rule in the targeted policy is written in terms of types, which is why the mechanism is called type enforcement.

Most users and daemons share a handful of SELinux users (unconfined_u, system_u), and the role rarely varies either, so in practice access is governed almost entirely by the third field, the type (the domain, for a process).

1.3 SELinux policy

A set of rules, written in terms of SELinux contexts, that defines how processes (identified by domain) may interact with each other and with system resources (identified by type).

The SELinux policy is default-deny: anything not explicitly allowed is denied, and allow rules permit a specific subject domain to perform specific actions (an object class plus a permission, e.g. file read or tcp_socket name_connect) on objects of a specific type. Every denial is logged as an AVC message in the audit log. The one big exception on a targeted-policy system is that unconfined domains, such as a normal user's shell in unconfined_t, are left essentially unrestricted; the policy concentrates on network-facing daemons.

2 Commands (cheats)

You can display the list of booleans from the command line with semanage boolean -l | less. This shows the switches that can be turned on or off, what they do, and their current state; the two values in parentheses are the current state and the boot-time default:


ftp_home_dir                   (off  ,  off)  Allow ftp to home dir
smartmon_3ware                 (off  ,  off)  Allow smartmon to 3ware
mpd_enable_homedirs            (off  ,  off)  Allow mpd to enable homedirs
xdm_sysadm_login               (off  ,  off)  Allow xdm to sysadm login
xen_use_nfs                    (off  ,  off)  Allow xen to use nfs
mozilla_read_content           (off  ,  off)  Allow mozilla to read content
ssh_chroot_rw_homedirs         (off  ,  off)  Allow ssh to chroot rw homedirs
mount_anyfile                  (on   ,   on)  Allow mount to anyfile
...
...   

We can see that the first boolean, ftp_home_dir, allows the FTP daemon to access users' home directories; it is currently off.

You can also use getsebool to list all booleans. It shows the state of each but no description. To display all booleans and their states:

  • getsebool -a

For example, getsebool -a | grep httpd shows all booleans affecting httpd.

To change a setting, use setsebool. As an example, consider anonymous FTP write access:

  • getsebool ftpd_anon_write

This shows the switch is off at the moment:

  • ftpd_anon_write --> off

Next we change the boolean to enable it:

  • setsebool ftpd_anon_write on

Checking the value again shows the change, as it is now on:

  • ftpd_anon_write --> on

Booleans changed this way are not permanent: they revert to their boot-time defaults after a reboot. To make the change persistent, use the -P switch (setsebool -P ftpd_anon_write on), which also writes the new default into the policy on disk. Read the description first (semanage boolean -l) and think about what the boolean opens up; ftpd_anon_write, for instance, lets the FTP daemon write to any directory labeled public_content_rw_t.

You can also query several at once, like so: getsebool xen_use_nfs allow_ftpd_use_nfs mozilla_read_content
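
A way to keep booleans honest, as an added example that is not part of the original cheatsheet: a small shell script that compares a getsebool -a listing against a baseline you maintain and emits the setsebool -P commands needed to reconcile the two. The baseline states and the listing embedded in it are constructed for the example (the names are real targeted-policy booleans, but which ones "should" be on or off is an assumption you replace with your own), so it runs on a machine without SELinux; on a real box pipe getsebool -a into it.

```shell
#!/bin/sh
# Added example, not code from the original cheatsheet: compare a
# "getsebool -a" listing with a baseline and emit the persistent fixes.
# The baseline and the sample listing are constructed for the example;
# the boolean names are real targeted-policy booleans, the desired
# states are an assumption you should replace with your own.

# Baseline: "name expected_state", one per line.
BASELINE='ftpd_anon_write off
samba_export_all_rw off
samba_run_unconfined off
httpd_can_network_connect off
samba_enable_home_dirs on'

# audit_booleans: stdin is "name --> state" lines as printed by
# "getsebool -a".  Prints "name current expected" for every boolean
# whose state differs from the baseline; "missing" as the current
# state means the running policy has no boolean of that name (a typo
# in the baseline, or a renamed boolean such as allow_smbd_anon_write
# becoming smbd_anon_write).
audit_booleans() {
    listing=$(cat)
    printf '%s\n' "$BASELINE" | while read -r name want; do
        [ -n "$name" ] || continue
        have=$(printf '%s\n' "$listing" \
               | awk -v n="$name" '$1 == n && $2 == "-->" { print $3; exit }')
        if [ -z "$have" ]; then
            printf '%s missing %s\n' "$name" "$want"
        elif [ "$have" != "$want" ]; then
            printf '%s %s %s\n' "$name" "$have" "$want"
        fi
    done
}

# drift_to_setsebool: turn audit_booleans output into "setsebool -P"
# commands (skipping booleans the policy does not have).  Review the
# commands before running them:
#     getsebool -a | audit_booleans | drift_to_setsebool
drift_to_setsebool() {
    awk '$2 != "missing" { printf "setsebool -P %s %s\n", $1, $3 }'
}

# Constructed sample listing, standing in for "getsebool -a".
SAMPLE='ftpd_anon_write --> on
samba_enable_home_dirs --> off
samba_export_all_rw --> off
samba_run_unconfined --> off'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE" | audit_booleans | drift_to_setsebool
fi
```

Run with the demo argument to see the two setsebool -P lines the sample needs (ftpd_anon_write back off, samba_enable_home_dirs on); httpd_can_network_connect is reported as missing because the sample listing does not contain it, which is the signal to check the name against semanage boolean -l rather than to blindly run a fix.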

3 SELinux files and processes

To see the SELinux context of a file, use the -Z flag of ls (ps -eZ and id -Z do the same for processes and for your own shell).

  • ls -Z /etc/named.conf

which gives output similar to this (here a slice of ls -Z /etc; a file created by an interactive user carries unconfined_u, while files installed by packages carry system_u, which is the usual reason a file such as named.conf here differs from its neighbours):

system_u:object_r:etc_t:s0                 motd.d
system_u:object_r:etc_t:s0                 mtab
system_u:object_r:lvm_metadata_t:s0        multipath
system_u:object_r:etc_t:s0                 named
unconfined_u:object_r:etc_t:s0             named.conf
system_u:object_r:etc_t:s0                 nanorc
system_u:object_r:etc_t:s0                 ndctl
system_u:object_r:etc_t:s0                 netconfig
system_u:object_r:NetworkManager_etc_t:s0  NetworkManager
system_u:object_r:etc_t:s0                 networks
system_u:object_r:etc_t:s0                 nfs.conf

3.1 User, Role, Type

Each context names a user (e.g. unconfined_u), a role (object_r), a type (e.g. user_home_t), and a level (s0). This information is used to make access control decisions.

On DAC systems, access is controlled by Linux user and group IDs. SELinux rules are checked only after the DAC check passes: if DAC denies access, SELinux is never consulted and logs nothing, so a failure with no AVC message in the audit log is usually an ordinary permissions problem, not SELinux.

3.2 inheritance

By default, a newly created file or directory inherits the SELinux type of its parent directory, unless a policy transition rule says otherwise (for example, files a confined daemon creates in certain directories get a type of their own). Beware that mv preserves the label the file had at its old location, while cp (without --preserve=context) labels the copy like any new file in the destination directory; a page moved from a home directory into a web root therefore stays user_home_t until it is relabeled, and the web server will be denied.

4 Commands to manage

There are several commands for managing the SELinux context of files:

  • chcon (change the label on a file right now; nothing is recorded in the policy)
  • semanage fcontext (record the default label for a path pattern in the policy)
  • restorecon (reset files to the label the policy says they should have)

matchpathcon PATH (or restorecon -n -v PATH) shows what the policy thinks a path's label should be without changing anything.

4.1 chcon

  • chcon [OPTION]... [-u USER] [-r ROLE] [-t TYPE] FILE... (see man chcon)

So, to give file1 the same context as filex: chcon --reference=filex file1, or for all HTML files in the directory:

  • chcon --reference=filex *.html

chcon only rewrites the file's extended attribute; restorecon, or a full filesystem relabel (touch /.autorelabel), will put the policy's label back and undo it. For a lasting change, record the rule with semanage fcontext -a -t TYPE "PATH(/.*)?" and then apply it with restorecon -Rv PATH.

This command fixed an nginx 403 Forbidden error I was getting on my web pages
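
The context format from section 1.2 and the label fix-ups in this section, as an added example that is not code from the original page: shell functions that split a context into its four fields (handling an MLS/MCS range, which contains colons of its own), sanity-check the _u/_r/_t suffixes, and scan an ls -Z listing for files under a web root whose type is not httpd_sys_content_t, the stock type the targeted policy lets httpd_t (httpd or nginx) read. The ls -Z lines are constructed for the example, so it runs on a machine without SELinux.

```shell
#!/bin/sh
# Added example, not code from the original page: split SELinux
# contexts into fields and find mislabeled files in an "ls -Z" listing.
# SAMPLE is constructed for the example; httpd_sys_content_t is the
# stock type the targeted policy lets httpd_t (httpd and nginx) read.

# ctx_field CONTEXT N: print field N (1 user, 2 role, 3 type, 4 level).
# The level is "everything after the third colon", because an MLS/MCS
# range such as s0-s0:c0.c1023 contains colons of its own.
ctx_field() {
    case $2 in
        1|2|3) printf '%s\n' "$1" | cut -d: -f"$2" ;;
        4)     printf '%s\n' "$1" | cut -d: -f4- ;;
        *)     return 1 ;;
    esac
}

# ctx_valid CONTEXT: succeed only if the first three fields carry the
# conventional _u/_r/_t suffixes and a level is present.  This catches
# contexts pasted from a web page that lost their underscores.
ctx_valid() {
    case $(ctx_field "$1" 1) in *_u) ;; *) return 1 ;; esac
    case $(ctx_field "$1" 2) in *_r) ;; *) return 1 ;; esac
    case $(ctx_field "$1" 3) in *_t) ;; *) return 1 ;; esac
    [ -n "$(ctx_field "$1" 4)" ]
}

# mislabeled WANT_TYPE: stdin is "ls -Z" output ("CONTEXT NAME" per
# line); prints "NAME CURRENT_TYPE" for every entry whose type is not
# WANT_TYPE.  On a live box:  ls -Z /srv/www | mislabeled httpd_sys_content_t
mislabeled() {
    while read -r ctx name; do
        [ -n "$ctx" ] || continue
        t=$(ctx_field "$ctx" 3)
        [ "$t" = "$1" ] || printf '%s %s\n' "$name" "$t"
    done
}

# Constructed listing: two pages moved in with mv kept their home-dir
# label (one given an MCS range to exercise the parser), one file
# created in place inherited the directory's type.
SAMPLE='unconfined_u:object_r:user_home_t:s0-s0:c0.c1023 index.html
unconfined_u:object_r:user_home_t:s0 about.html
system_u:object_r:httpd_sys_content_t:s0 robots.txt'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE" | mislabeled httpd_sys_content_t
fi
```

The two files it reports are the ones a 403 would come from. restorecon -Rv /srv/www fixes them if the policy already maps that directory to web content; if not, first semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?" and then restorecon. chcon -t httpd_sys_content_t FILE does the same for a single file but does not survive a relabel.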

5 setsebool

setsebool manages booleans in Security Enhanced Linux.

From the man page: setsebool sets the current state of a particular SELinux boolean or a list of booleans to a given value. The value may be 1, true or on to enable the boolean, or 0, false or off to disable it. Without the -P option, only the current boolean value is affected; the boot-time default settings are not changed.

If the -P option is given, all pending values are written to the policy file on disk, so they will be persistent across reboots.

For example, to tell SELinux to allow Samba access to home directories:

  • setsebool -P samba_enable_home_dirs 1
  • setsebool -PV use_samba_home_dirs on
  • -P all pending values are written to the policy file on disk, so they persist across reboots
  • -N the policy on disk is not reloaded into the kernel (the change takes effect at the next policy load)
  • -V verbose

Here are the setsebool settings related to Samba to consider:

  • setsebool -P samba_share_fusefs 1
  • setsebool -P samba_export_all_ro 1 If you want to allow samba to share any file/directory read only, you must turn on the samba_export_all_ro boolean.
  • setsebool -P virt_use_samba 1 If you want to allow virt to manage cifs files, you must turn on the virt_use_samba boolean.
  • setsebool -P samba_create_home_dirs 1 If you want to allow samba to create new home directories (e.g. via PAM), you must turn on the samba_create_home_dirs boolean.
  • setsebool -P samba_enable_home_dirs 1 If you want to allow samba to share users' home directories, you must turn on the samba_enable_home_dirs boolean.
  • setsebool -P samba_share_nfs 1 If you want to allow samba to export NFS volumes, you must turn on the samba_share_nfs boolean.
  • setsebool -P sanlock_use_samba 1 If you want to allow sanlock to manage cifs files, you must turn on the sanlock_use_samba boolean.
  • setsebool -P samba_run_unconfined 1 If you want to allow samba to run unconfined scripts, you must turn on the samba_run_unconfined boolean.
  • setsebool -P samba_domain_controller 1 If you want to allow samba to act as the domain controller, add users, groups and change passwords, you must turn on the samba_domain_controller boolean.
  • setsebool -P samba_export_all_rw 1 If you want to allow samba to share any file/directory read/write, you must turn on the samba_export_all_rw boolean.
  • setsebool -P samba_portmapper 1 If you want to allow samba to act as a portmapper, you must turn on the samba_portmapper boolean.
  • setsebool -P use_samba_home_dirs 1 If you want to support Samba home directories, you must turn on the use_samba_home_dirs boolean.
  • setsebool -P allow_smbd_anon_write 1 If you want to allow samba to modify public files used for public file transfer services (files/directories must be labeled public_content_rw_t), you must turn on the allow_smbd_anon_write boolean (called smbd_anon_write in current policies; check the name with getsebool -a | grep anon_write).

Of these, samba_export_all_rw and samba_run_unconfined remove most of the confinement around smbd. Prefer labeling just the directories you export as samba_share_t (semanage fcontext -a -t samba_share_t "/srv/share(/.*)?" followed by restorecon -Rv /srv/share) and leave those two booleans off.

6 getsebool -a

You can read off all the SELinux boolean values with:

  • sudo getsebool -a

and then set individual booleans with setsebool. To narrow the list to one service, grep for it, e.g. getsebool -a | grep -i samba:

root@southamerica~[1001] $
getsebool -a | grep -i samba
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> on     # <<<< 
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_load_libgfapi --> off
samba_portmapper --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
tmpreaper_use_samba --> off
use_samba_home_dirs --> off
virt_use_samba --> off
root@southamerica~[1002] $

7 semanage

You can list all the available booleans, including a short description of each:

  • semanage boolean -l

semanage boolean can also change them: semanage boolean -m --on NAME (or --off) sets the value persistently, the same as setsebool -P NAME on.

7.1 semanage boolean -l

lists all SELinux booleans with their current and default state and a one-line description.

See wiki.centos.org for the SELinux booleans most CentOS systems have.

7.2 semanage port

To tell SELinux that you have changed the ssh port from 22 to 3525 (sshd runs in the sshd_t domain, which may only bind ports labeled ssh_port_t), add the new port to that type:

  • semanage port -a -t ssh_port_t -p tcp 3525

If -a fails with "Port tcp/3525 already defined", the port is already assigned explicitly to another type; use -m instead of -a to reassign it (ports that fall inside a catch-all range such as unreserved_port_t do not trigger this). SELinux only labels the port; sshd_config and the firewall still need the change too. Then list what ports are configured for ssh, which should now show 3525 alongside 22:

  • semanage port -l | grep ssh
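
To make the -a versus -m decision mechanical, here is an added example that is not code from the page: a shell function that parses semanage port -l output, reports which type(s) currently cover a port, distinguishing an explicit assignment from a catch-all range, and prints the right semanage port command. The listing it parses is constructed for the example in the layout semanage port -l uses, so it runs offline; on a live machine pipe the real command into it.

```shell
#!/bin/sh
# Added example, not code from the original page: decide whether a
# port needs "semanage port -a" or "semanage port -m" by parsing a
# "semanage port -l" listing read from stdin.  PORTS below is a
# constructed listing in that format; on a live system use
#     semanage port -l | port_assign_command tcp 3525 ssh_port_t

# port_owner PROTO PORT: prints "type exact" for a type that lists the
# port itself and "type range" for a type whose range covers it.
port_owner() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)          # strip the list comma
                if (p ~ /-/) {
                    split(p, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0)
                        print $1, "range"
                } else if (p + 0 == port + 0) {
                    print $1, "exact"
                }
            }
        }'
}

# port_assign_command PROTO PORT TYPE: prints the command to run.
# "-a" fails with "already defined" when another type lists the port
# explicitly; a catch-all range such as unreserved_port_t does not
# count, so "-a" is still right for an unused high port.
port_assign_command() {
    owners=$(port_owner "$1" "$2")
    case "$owners" in
        *"$3 exact"*) printf '# %s/%s is already %s, nothing to do\n' "$1" "$2" "$3" ;;
        *exact*)      printf 'semanage port -m -t %s -p %s %s\n' "$3" "$1" "$2" ;;
        *)            printf 'semanage port -a -t %s -p %s %s\n' "$3" "$1" "$2" ;;
    esac
}

# Constructed listing in "semanage port -l" layout (header, blank
# line, then "type proto ports").
PORTS='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-65535
unreserved_port_t              udp      1024-65535'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$PORTS" | port_assign_command tcp 3525 ssh_port_t
fi
```

For 3525 the only owner is the unreserved_port_t range, so -a is correct; asking for tcp/8080 as http_port_t instead yields a -m command, because http_cache_port_t lists 8080 explicitly and -a would be rejected.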

8 Monitoring and turn on/off

A simple and easy command to run on login, is sestatus which shows you this:

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

A subset of that is the command getenforce, which prints just the current mode:

$ getenforce
Enforcing

To switch the whole system to permissive mode (SELinux logs what it would deny but enforces nothing) without changing any configuration:

  • setenforce 0

To switch back to enforcing:

  • setenforce 1

These two commands are useful to temporarily turn enforcement off and back on when you are troubleshooting permissions problems on some deployment or app: if it works under setenforce 0 and fails under setenforce 1, SELinux is the cause.

That makes it easy to confirm or discount SELinux as the source of your problem. Keep the window short, because setenforce 0 leaves everything wide open. The change is not persistent (a reboot returns to the mode in /etc/selinux/config), and setenforce does nothing at all if SELinux was disabled at boot. Denials are still logged in permissive mode, so ausearch -m AVC -ts recent (or audit2allow -a -w for a plain-English explanation) tells you exactly which access was refused; reading that is usually a better first step than flipping the mode.
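
Before reaching for setenforce 0, read the denials. This added example (not part of the original page) is a shell function that takes raw AVC lines from /var/log/audit/audit.log (or from ausearch -m AVC) on stdin and aggregates them into "count source-domain target-type class permission mode" rows, where mode says whether the operation was actually refused or only logged because the domain or system was permissive. The three audit lines embedded in it are constructed for the example, laid out the way the kernel writes them.

```shell
#!/bin/sh
# Added example, not code from the original page: summarise AVC denials
# so you can see what SELinux blocked before (or instead of) switching
# to permissive mode.  Input is raw audit.log lines on stdin, e.g.
#     ausearch -m AVC -ts recent | avc_summary
# The three lines in SAMPLE are constructed for the example, laid out
# the way the kernel writes them.

# avc_summary: prints "count source_domain target_type class perms mode"
# per distinct denial, where mode is "enforced" (permissive=0, the
# operation really failed) or "would-deny" (permissive=1, logged only).
avc_summary() {
    awk '
        /avc: +denied/ {
            perms = $0
            sub(/.*denied +\{ */, "", perms)   # keep what is between { }
            sub(/ *\}.*/, "", perms)
            src = ""; tgt = ""; cls = ""; mode = "enforced"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split(substr($i, 10), f, ":"); src = f[3] }
                else if ($i ~ /^tcontext=/) { split(substr($i, 10), f, ":"); tgt = f[3] }
                else if ($i ~ /^tclass=/) cls = substr($i, 8)
                else if ($i == "permissive=1") mode = "would-deny"
            }
            n[src " " tgt " " cls " " perms " " mode]++
        }
        END { for (k in n) print n[k], k }' | sort
}

# Constructed sample: two enforced file denials (web root pages still
# labeled user_home_t) and one logged-only socket denial from a
# permissive httpd_t talking to a database port.
SAMPLE='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="nginx" name="index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read } for  pid=1201 comm="nginx" name="about.html" dev="dm-0" ino=4243 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=1201 comm="nginx" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE" | avc_summary
fi
```

The two rows point at two different fixes: httpd_t reading user_home_t files is a labeling problem (restorecon, or semanage fcontext then restorecon, as in section 4), while httpd_t connecting to postgresql_port_t is exactly what the httpd_can_network_connect_db boolean permits. Neither needs setenforce 0, and a "would-deny" row tells you a domain you made permissive (section 8.3) would break the moment you enforce it again.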

8.1 SElinux config file

The file /etc/selinux/config sets the mode and the policy type used at boot. Edit SELINUX= to move between modes. If you ever set it to disabled and later re-enable SELinux, go through permissive first and touch /.autorelabel before rebooting: files created while SELinux was off carry no labels, and under enforcing they would be denied wholesale.

zintis@zintis.net /home/zintis[1003]:
$ cat /etc/selinux/config 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

8.2 grub config to set selinux enforcing

Kernel command-line parameters override /etc/selinux/config at boot: enforcing=0 boots permissive and enforcing=1 boots enforcing regardless of the file (selinux=0 disables SELinux entirely). The line in question from a legacy grub.conf is below; the parameter is enforcing=0 or enforcing=1. On a GRUB2 system the same parameter goes into GRUB_CMDLINE_LINUX in /etc/default/grub followed by grub2-mkconfig, or can be typed once at the boot menu for a single boot, which is the escape hatch when a labeling mistake makes the box unbootable under enforcing.

kernel /kernel root=/dev/md3 real_rootflags=data=journal enforcing=0 dolvm domdadm rootfstype=ext4 devtmpfs.mount=0

8.3 semanage to alter one domain at a time

The enforcing state above applies to all of SELinux, but with semanage permissive you can make a single domain permissive while the rest of the system stays enforcing: that domain's denials are logged but not enforced, which is a much smaller hole than setenforce 0 while you debug one service. semanage permissive -a httpd_t adds a domain, semanage permissive -d httpd_t removes it again.

First list the current settings for all domains with semanage permissive -l:

sudo semanage permissive -l
[sudo] password for zintis: 

Builtin Permissive Types 

snappy_confine_t
snappy_t
snappy_unconfined_snap_t
snappy_cli_t
snappy_mount_t

Customized Permissive Types

httpd_t

8.4 SELinux aware applications.

Some applications are SELinux-aware: they link against libselinux.so and query the policy themselves (to label the files they create, or to make their own access decisions), so setenforce 0 may not change their behaviour the way it does for a confined but unaware daemon. You can confirm that an app is linked to libselinux by listing its open files with lsof, or with ldd on the binary. Useful lsof options:

  • -a AND all the options, i.e. all of them must be met to display something
  • -c c display only processes whose command name begins with the letter 'c'
  • -p list files for the given PID (can be a comma-separated list of PIDs)
  • -P show numeric port numbers for network files
  • -t terse output (PIDs only)
  • +|-r repeat mode: +r stops when there are no more open files, -r repeats until interrupted with C-c

ps aux | grep nginx
# get the list of PIDs first
sudo lsof -P -p '17589,17590' | grep libselinux
# or, without a running process, check the binary itself
ldd "$(command -v nginx)" | grep libselinux
