SELinux 101 — Getting started securing systems with SELinux
SELinux — As a Top class security
If you found this article interesting, your support by following steps will help me spread the knowledge to others:
👏 Give the article 50 claps
💻 Follow me
Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies.[1]
It was created by one of those three letters organization , then later released under “General Public License” GPL to the public open source community as a set of patches to the Linux Kernel.
SELinux is implemented to provide an additional layer of protection, increase the control over processes execution, and protects against exploits by using multi level security.
SELinux works by using Labels and Type Enforcement.This can be also described in the format :
[SELinux User =system_u]:[SELinux Role=object_r]:[SELinux Domain/Type label=ssh_exec_t]:[SELinux MCS/MLS Label=s0]
For example , “sshd” service executable configuration directory is labeled ssh_exec_t as seen below using the command utility ls -Z as shown below:
Type Enforcement its the part where the policy dictates if for example within ssh process context running label ssh_exec_t to interact with a ssh file label.
There are two policies that can be used :
- Targeted Policy : The default policy
- Minimum
- Multi-Level/Multi Category Security-(MLS) Policy: Can be enabled.
SElinux has three modes of operation:
- Enforcing
- Disabled
- Permissive
The modes of operation and the policy types are embedded inside “config” file which controls the state of the SELinux on the system.
The file can be accessed using vim tool at
vi /etc/selinux/config
Troubleshooting SELinux
SELinux errors and problems occur as result of the following miss-configurations:
Wrong Labeling : Different tools can be used to fix this issue such as chcon and restorecon.
SELinux Policy Tuning : Creating and updating policy modules and working with booleans.
Bugs: post about it in Linux forums , or create tickets with Redhat technical support or Bugzilla.
SELinux Folder Structure
Below are some snippets of the SELinux folder structure and some of the files utilized by the application.
The /etc/selinux directory is the main location for all policy and configuration files.
Based on SELinux type on /etc/selinux/config we could also have addition folders. Since SElinuxType is set to Targeted a targeted folder is created.
The directory targeted or strict depending on your SElinuxType are the locations where their policy files are contained.
The screen shot below shows the directory structure of selinux.
SELinux Troubleshoot
There are different command utilities and tools that can help you manage and configure this whole dilemma.
Some of the tools that can allow us to achieve this task are “setroubleshoot” and “setools”.
yum install -y setroubleshoot attr policycoreutils policycoreutils-python selinux-policy selinux-policy-targeted libselinux-utils setroubleshoot-server setools setools-console mcstrans
Installing troubleshooting tools will allow us to audit , investigate the SELinux generated audit logs and use those logs to configure a policy that can tweak those rules based on your organization requirements.
The “audit.log” file can be found at :
tail -f /var/log/audit/audit.log | grep avc
Another location that can store denial messages is the avc.log file, if auditd is not running which can be located at :
tail -f /var/log/avc.log
A nice way also to look for selinux errors is sealert
sealert -a /var/log/audit/audit.log
Disclaimer
Although he information on this article is composed and maintained with continuous care and attention, I , the author cannot give any warranty as to the correctness or completeness of the information on this website. The information is furthermore not intended as any other professional and personal advice in any way. The consequences of decisions, solely based on the information on this website, remain at one’s own risk. The author is therefore under no circumstances liable for damages of whatever nature, in anyway resulting from or related to the use of information presented on or made available through this website.The article includes references and hyperlinks to third party websites, which are not controlled by Author. These references and hyperlinks are included for information purposes only. In no event Author gives any guarantee or accepts any liability in relation to the content, use and accessibility of such websites.
Conclusion
In this article , we presented an overview of SELinux. We also learnt about the folder structure and the different ways on how to troubleshoot the software.
SELinux is great protection tool at everyone’s disposal. It can be used to run programs with minimal privileges, protection from exploits , and protecting User Data.