SELinux cheatsheet
1 SELinux ("Security-Enhanced Linux")
SELinux is a kernel security module that provides access controls, including
mandatory access control (MAC).

From Wikipedia:
A Linux kernel integrating SELinux enforces mandatory access control policies
that confine user programs and system services, as well as access to files and
network resources. Limiting privilege to the minimum required to work reduces
or eliminates the ability of these programs and daemons to cause harm if
faulty or compromised (for example via buffer overflows or misconfigurations).
The SELinux confinement mechanism operates independently of the traditional
Linux (discretionary) access control (DAC) mechanisms. It has no concept of a
"root" superuser, and does not share the well-known shortcomings of the
traditional Linux security mechanisms, such as a dependence on setuid/setgid
binaries.
From a purist perspective, SELinux provides a hybrid of concepts and
capabilities drawn from mandatory access controls, mandatory integrity
controls, role-based access control (RBAC), and type enforcement architecture.

From the access.redhat.com docs, SELinux fundamentally answers the question:
- May <subject> do <action> to <object>?
1.1 SELinux context (a.k.a. SELinux label)
Every process and system resource (file, port, interface, etc.) has a special
security label called a SELinux context. The context is an identifier that
abstracts the system-level details and focuses on the security properties of
the entity.
I like to think of them as analogous to Cisco TrustSec, which adds tags that
abstract away the details of the specific subnets/addresses in a network and
lets you focus on just the security posture of the entity.
1.2 SELinux context fields
SELinux contexts have several fields. For every current user or process,
SELinux assigns a three-string context consisting of a username, a role, and
a domain (or type). The fourth field, level, is used for more complex MLS
(Multi-Level Security) deployments.
user:role:type (domain):level, a.k.a. the "full SELinux context"
Of these, the type is the most important; the most common policy rules use
the type. Type names end in _t.
Most users share the same SELinux username, and all access is managed through
the third field, the domain.
1.3 SELinux policy
A series of rules defined around the SELinux contexts, which define how
processes can interact with each other and with system resources.
The SELinux policy is a whitelist policy: by default everything is denied, and
specific whitelist rules permit specific subjects to do specific actions to
specific objects, based on their contexts.
2 Commands (cheats)
You can display the list of booleans from the command line using:
semanage boolean -l | less
This shows the different switches that can be turned on or off, what they do,
and their current statuses:
ftp_home_dir                   (off  ,  off)  Allow ftp to home dir
smartmon_3ware                 (off  ,  off)  Allow smartmon to 3ware
mpd_enable_homedirs            (off  ,  off)  Allow mpd to enable homedirs
xdm_sysadm_login               (off  ,  off)  Allow xdm to sysadm login
xen_use_nfs                    (off  ,  off)  Allow xen to use nfs
mozilla_read_content           (off  ,  off)  Allow mozilla to read content
ssh_chroot_rw_homedirs         (off  ,  off)  Allow ssh to chroot rw homedirs
mount_anyfile                  (on   ,   on)  Allow mount to anyfile
...
We can see the first option allows the FTP daemon to access users' home
directories. The setting is turned off at the moment.
You can also use the getsebool command to list all booleans. This command
displays statuses but no descriptions. To display all booleans and their
statuses:
getsebool -a
For example, getsebool -a | grep httpd shows all boolean settings for httpd.
To change any of the settings, we can use the setsebool command. As an
example, let's consider anonymous FTP write access:
getsebool ftpd_anon_write
This shows us the switch is off at the moment:
ftpd_anon_write --> off
Next we change the boolean to enable it:
setsebool ftpd_anon_write on
Checking the value again shows the change, as it is now on:
ftpd_anon_write --> on
Changed booleans are not permanent. They revert to their old values after a
reboot. To make things permanent, use the -P switch with the setsebool
command.
You can also query multiple entries at once:
getsebool xen_use_nfs allow_ftpd_use_nfs mozilla_read_content
3 SELinux files and processes
To see the SELinux context of a file, use the -Z flag with the list command:
ls -Z /etc/named.conf
which gives output similar to this (from the /etc directory):
system_u:object_r:etc_t:s0 motd.d
system_u:object_r:etc_t:s0 mtab
system_u:object_r:lvm_metadata_t:s0 multipath
system_u:object_r:etc_t:s0 named
unconfined_u:object_r:etc_t:s0 named.conf
system_u:object_r:etc_t:s0 nanorc
system_u:object_r:etc_t:s0 ndctl
system_u:object_r:etc_t:s0 netconfig
system_u:object_r:NetworkManager_etc_t:s0 NetworkManager
system_u:object_r:etc_t:s0 networks
system_u:object_r:etc_t:s0 nfs.conf
3.1 User, role, type
SELinux provides a user (unconfined_u), a role (object_r), a type
(user_home_t), and a level (s0). This information is used to make access
control decisions.
On DAC systems, access is controlled based on Linux user and group IDs.
SELinux policy rules are checked after DAC rules. SELinux policy rules are
not used if DAC rules deny access first.
3.2 Inheritance
By default, newly created files and directories inherit the SELinux type of
their parent directories.
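The following is an added example, not part of the original notes. It takes the context format from section 1.2 and the ls -Z listing from section 3 and shows how a defender would split a full context into user, role, type and level, then scan a directory listing for entries whose type differs from the type the directory normally carries. The listing it works on is constructed (the /etc entries above with their underscores restored, plus one made-up stray file, hosts.bak); on a real host you would pipe `ls -Z` in instead.

```shell
#!/bin/sh
# Added example, not part of the original notes: split full SELinux contexts
# (user:role:type:level) into their fields and spot files whose type differs
# from what the rest of a directory carries. The `ls -Z` listing below is
# constructed from the /etc listing in the notes, plus one made-up stray file.

# Print one field of a context. Usage: ctx_field CONTEXT user|role|type|level
# The level is read as "everything after the third colon" because an MLS range
# such as s0-s0:c0.c1023 contains colons of its own.
ctx_field() {
    IFS=: read -r ctx_user ctx_role ctx_type ctx_level <<EOF
$1
EOF
    case $2 in
        user)  printf '%s\n' "$ctx_user" ;;
        role)  printf '%s\n' "$ctx_role" ;;
        type)  printf '%s\n' "$ctx_type" ;;
        level) printf '%s\n' "$ctx_level" ;;
        *)     printf 'unknown field: %s\n' "$2" >&2; return 1 ;;
    esac
}

# Read `ls -Z`-style lines ("context name") on stdin and print "name type"
# for every entry whose type is not $1. Usage: find_other_types etc_t < listing
find_other_types() {
    expected=$1
    while read -r ctx name; do
        [ -n "$ctx" ] || continue
        t=$(ctx_field "$ctx" type)
        if [ "$t" != "$expected" ]; then
            printf '%s %s\n' "$name" "$t"
        fi
    done
}

# Constructed sample: the /etc entries from the notes, with underscores
# restored, plus hosts.bak, a file imagined copied in from a home directory.
SAMPLE_LISTING='system_u:object_r:etc_t:s0 motd.d
system_u:object_r:etc_t:s0 mtab
system_u:object_r:lvm_metadata_t:s0 multipath
unconfined_u:object_r:etc_t:s0 named.conf
system_u:object_r:NetworkManager_etc_t:s0 NetworkManager
system_u:object_r:etc_t:s0 nfs.conf
unconfined_u:object_r:user_home_t:s0 hosts.bak'

# Stand-alone run: which /etc entries do not carry etc_t? Two of the three
# (lvm_metadata_t, NetworkManager_etc_t) are legitimate per-service types;
# user_home_t on a file under /etc is the kind of label a relabel should fix.
printf '%s\n' "$SAMPLE_LISTING" | find_other_types etc_t
```

Note that named.conf is not reported: its user field is unconfined_u rather than system_u, but its type is still etc_t, and the type is what policy rules key on, which is why the check compares types rather than whole contexts.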
4 Commands to manage contexts
There are multiple commands for managing the SELinux context of files, such as
chcon, semanage fcontext, and restorecon. chcon changes the label on the file
directly but does not record the change in the file-context policy, so a later
restorecon or system relabel will revert it; semanage fcontext records the rule
persistently, and restorecon applies the recorded rules to the files.
4.1 chcon
chcon [OPTION] -u USER -r ROLE -t TYPE file
and others; see man chcon.
So, if you want to set the security context of file1 to be the same as filex,
the command is:
chcon --reference=filex file1
or, to change all html files, try:
chcon --reference=filex *.html
This command fixed an nginx 403 Forbidden error I was getting on my web pages.
5 setsebool
Booleans: setsebool in Security-Enhanced Linux.
From the man page:
setsebool sets the current state of a particular SELinux boolean or a list of
booleans to a given value. The value may be 1 or true or on to enable the
boolean, or 0 or false or off to disable it. Without the -P option, only the
current boolean value is affected; the boot-time default settings are not
changed.
If the -P option is given, all pending values are written to the policy file
on disk, so they will be persistent across reboots.
For example, to tell SELinux to allow Samba access to home directories:
setsebool -PV use_samba_home_dirs off
setsebool -P samba_enable_home_dirs 1
-P  all pending values are written to the policy file on disk, so they will be
    persistent across reboots
-N  the policy on disk is not reloaded into the kernel
-V  verbose
Here are the setsebool settings related to Samba to consider:
setsebool -P samba_share_fusefs 1
setsebool -P samba_export_all_ro 1
If you want to allow samba to share any file/directory read only, you must
turn on the samba_export_all_ro boolean.
setsebool -P virt_use_samba 1
If you want to allow virt to manage cifs files, you must turn on the
virt_use_samba boolean.
setsebool -P samba_create_home_dirs 1
If you want to allow samba to create new home directories (e.g. via PAM), you
must turn on the samba_create_home_dirs boolean.
setsebool -P samba_enable_home_dirs 1
If you want to allow samba to share users' home directories, you must turn on
the samba_enable_home_dirs boolean.
setsebool -P samba_share_nfs 1
If you want to allow samba to export NFS volumes, you must turn on the
samba_share_nfs boolean.
setsebool -P sanlock_use_samba 1
If you want to allow sanlock to manage cifs files, you must turn on the
sanlock_use_samba boolean.
setsebool -P samba_run_unconfined 1
If you want to allow samba to run unconfined scripts, you must turn on the
samba_run_unconfined boolean.
setsebool -P samba_domain_controller 1
If you want to allow samba to act as the domain controller, add users and
groups, and change passwords, you must turn on the samba_domain_controller
boolean.
setsebool -P samba_export_all_rw 1
If you want to allow samba to share any file/directory read/write, you must
turn on the samba_export_all_rw boolean.
setsebool -P samba_portmapper 1
If you want to allow samba to act as a portmapper, you must turn on the
samba_portmapper boolean.
setsebool -P use_samba_home_dirs 1
If you want to support Samba home directories, you must turn on the
use_samba_home_dirs boolean.
setsebool -P allow_smbd_anon_write 1
If you want to allow samba to modify public files used for public file
transfer services, you must turn on the allow_smbd_anon_write boolean.
Files/directories must be labeled public_content_rw_t.
6 getsebool -a
You can read off all the SELinux boolean values with the command:
sudo getsebool -a
and then set individual booleans. Running getsebool -a alone gets you the full
list; to narrow it down, filter it:
getsebool -a | grep -i samba
root@southamerica~[1001] $ getsebool -a | grep -i samba
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> on # <<<<
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_load_libgfapi --> off
samba_portmapper --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
tmpreaper_use_samba --> off
use_samba_home_dirs --> off
virt_use_samba --> off
root@southamerica~[1002] $
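Sections 2, 5 and 6 all turn booleans on and off by hand; the added example below (not part of the original notes) does the reverse and audits a `getsebool -a` listing for booleans that are on and widen what a confined service may do, then prints the persistent `setsebool -P` command that would turn each one back off. The listing is constructed from the booleans named in these notes so it runs without SELinux, and the watchlist of "worth a second look" booleans is an assumption drawn from this page, not an official list.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit `getsebool -a` output
# for booleans that are switched on and widen what a confined service may do.
# The getsebool listing below is constructed from the booleans in these notes
# so the script runs without SELinux; on a real host pipe `getsebool -a` in.

# Booleans worth a second look when enabled. This watchlist is an assumption
# built from the booleans discussed in the notes, not an official list.
WATCHLIST='ftpd_anon_write allow_smbd_anon_write samba_export_all_rw
samba_run_unconfined samba_enable_home_dirs use_samba_home_dirs'

# Constructed `getsebool -a | grep -i samba`-style listing.
SAMPLE_GETSEBOOL='ftpd_anon_write --> off
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> on
samba_export_all_ro --> off
samba_export_all_rw --> on
samba_run_unconfined --> off
use_samba_home_dirs --> off
virt_use_samba --> off'

# Print "name state" for each boolean on stdin whose state is $1 (on|off).
booleans_in_state() {
    want=$1
    while read -r name arrow state; do
        [ "$arrow" = '-->' ] || continue      # skip blank or malformed lines
        if [ "$state" = "$want" ]; then
            printf '%s %s\n' "$name" "$state"
        fi
    done
}

# Print the names of enabled booleans that are also on the watchlist.
flag_risky_booleans() {
    booleans_in_state on | while read -r name state; do
        for w in $WATCHLIST; do
            if [ "$w" = "$name" ]; then
                printf '%s\n' "$name"
            fi
        done
    done
}

# For each flagged boolean print the persistent (-P) command that turns it
# back off, so the change survives a reboot as the notes describe.
revert_commands() {
    flag_risky_booleans | while read -r name; do
        printf 'setsebool -P %s off\n' "$name"
    done
}

# Stand-alone run against the constructed listing.
printf '%s\n' "$SAMPLE_GETSEBOOL" | flag_risky_booleans
printf '%s\n' "$SAMPLE_GETSEBOOL" | revert_commands
```

On the constructed listing the two flagged booleans are samba_enable_home_dirs and samba_export_all_rw; the printed `setsebool -P ... off` lines are only printed, not executed, so the audit itself changes nothing.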
7 semanage
You can list all the available booleans, including a short description of
their function:
semanage boolean -l
Other semanage boolean commands allow manipulation of the variables, similar
to what setsebool does in the previous releases.
7.1 semanage boolean -l
Lists all SELinux boolean values.
See wiki.centos.org for the seboolean variables most CentOS systems have.
7.2 semanage port
To tell SELinux that you have changed the default ssh port from 22 to 3525,
you would use:
semanage port -a -t ssh_port_t -p tcp 3525
Now list what ports semanage has configured for ssh:
semanage port -l | grep ssh
8 Monitoring and turning on/off
A simple and easy command to run on login is sestatus, which shows you this:
$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
A subset of that is the command getenforce, which displays the current mode:
$ getenforce
Enforcing
To turn enforcing off (for everything) but keep the same configuration, use:
setenforce 0
To turn it back on:
setenforce 1
The above two commands are useful to temporarily turn SELinux off and back on
when you are troubleshooting permission problems on some deployment or app.
It is easy to confirm or rule out SELinux as the source of your problems. Just
do it briefly, as setenforce 0 leaves everything wide open.
8.1 SELinux config file
The file /etc/selinux/config:
zintis@zintis.net /home/zintis[1003]: $ cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
8.2 grub config to set SELinux enforcing
The grub.conf file overrides the /etc/selinux/config file at boot. The line
in question is below, and the parameter is enforcing=0 or enforcing=1:
kernel /kernel root=/dev/md3 real_rootflags=data=journal enforcing=0 dolvm domdadm rootfstype=ext4 devtmpfs.mount=0
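Because the kernel command line can silently override the config file, the mode a host will actually boot into is not visible from /etc/selinux/config alone. The added example below (not part of the original notes) reads SELINUX= from the config text in 8.1, applies the enforcing=0/1 override from the grub line in 8.2 plus selinux=0, which disables SELinux outright, and reports when the two disagree. The config text and command line are constructed from the two snippets in these notes so it runs offline; on a real host you would feed it /etc/selinux/config and /proc/cmdline.

```shell
#!/bin/sh
# Added example, not part of the original notes: work out what SELinux mode a
# host will boot into by reading SELINUX= from the config file and applying
# any kernel command-line override (enforcing=0/1, selinux=0). The config text
# and command line below are constructed from the snippets in the notes; on a
# real host use /etc/selinux/config and /proc/cmdline instead.

SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
SELINUX=enforcing
SELINUXTYPE=targeted'

SAMPLE_CMDLINE='root=/dev/md3 real_rootflags=data=journal enforcing=0 dolvm domdadm rootfstype=ext4 devtmpfs.mount=0'

# Print the SELINUX= value from config text on stdin. Comment lines are
# ignored and the last assignment wins, as it does for the real file.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' | tail -n 1
}

# Print the effective boot mode given the configured mode ($1) and a kernel
# command line ($2). selinux=0 disables SELinux entirely; enforcing=0/1 picks
# permissive vs enforcing but cannot re-enable a disabled SELinux. Later
# arguments override earlier ones. Other kernel parameters are left alone.
boot_mode() {
    mode=$1
    for arg in $2; do
        case $arg in
            selinux=0)   mode=disabled ;;
            enforcing=0) [ "$mode" = disabled ] || mode=permissive ;;
            enforcing=1) [ "$mode" = disabled ] || mode=enforcing ;;
        esac
    done
    printf '%s\n' "$mode"
}

# Compare configured and effective modes and print one summary line.
# Usage: summarize CONFIG_TEXT CMDLINE
summarize() {
    cfg=$(printf '%s\n' "$1" | config_mode)
    eff=$(boot_mode "$cfg" "$2")
    if [ "$cfg" = "$eff" ]; then
        printf 'configured=%s effective=%s\n' "$cfg" "$eff"
    else
        printf 'configured=%s effective=%s (overridden on kernel command line)\n' "$cfg" "$eff"
    fi
}

# Stand-alone run: the config says enforcing, the grub line says enforcing=0.
summarize "$SAMPLE_CONFIG" "$SAMPLE_CMDLINE"
```

For the two snippets from the notes the result is configured=enforcing, effective=permissive, which is exactly the disagreement sestatus would later show as "Current mode: permissive" against "Mode from config file: enforcing".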
8.3 semanage to alter one domain at a time
The above enforcing state applies to all of SELinux, but with semanage you can
selectively set one domain enforcing while another domain is permissive.
First list the current settings for all domains with:
semanage permissive -l    # to list only
sudo semanage permissive -l
[sudo] password for zintis:
Builtin Permissive Types
snappy_confine_t
snappy_t
snappy_unconfined_snap_t
snappy_cli_t
snappy_mount_t
Customized Permissive Types
httpd_t
8.4 SELinux-aware applications
Some applications are linked to libselinux.so directly, which means that the
setenforce setting of SELinux may not have an effect on the app. You can
confirm that by listing the open files used by an app with lsof. Useful lsof
options:
-a      AND all the options, i.e. all of the options must be met to display something
-c c    display only files of commands whose name begins with the letter 'c'
-p      for process with PID (can be a csv list of PIDs)
-P      show numeric port numbers for network files
-t      use terse output
+|-r    repeat displaying lsof output; +r stops when there are no more open files, -r stops only when interrupted (C-c, or ^c)
For example:
ps -aux | grep nginx    # get the list of PIDs first
sudo lsof -P -T -p '17589,17590'