SELinux – extended security model in Enterprise Linux 8

Security Enhanced Linux (SELinux) is an advanced access control mechanism built into most modern Linux distributions. Initially, it was developed by the US National Security Agency (NSA) to better protect computer systems. Then it was made available in the public domain and since then various distributions have included it in their code. SELinux is configured and active by default in all systems from the Enterprise Linux family (Rocky Linux, AlmaLinux, RHEL, Oracle Linux …)

SELinux is an implementation of several models of security policies, including:

  • Mandatory Access Control (MAC) – a model for protecting processes, data and system devices against harmful use or abuse. MAC extends the Discretionary Access Control (DAC) model that is the basic security model in Linux
  • Flux Advanced Security Kernel (FLASK) – the architecture that supports MAC, i.e. support for security contexts
  • Role-Based Access Control (RBAC) – limiting access to system resources based on the role that the user plays in the system
  • Type Enforcement (TE) – assigning security attributes (types or domains) to system objects.

Thanks to SELinux, you can define the scope of activity of a user or a process. Each process is confined to its own domain, so it can interact only with specific types of files and with specific other processes.

Properly configured SELinux significantly increases server security. For example: if an attacker exploits a vulnerability in the FTP server and takes control of it, they will not be able to take over the HTTP server and will not pose a threat to the system as a whole.

SELinux policy

The main security mechanism of SELinux is the policy, i.e. a set of rules defining security and access rights for the individual elements of the system: users, roles, processes and files. The policy defines how each of these elements is related to the others.

The SELinux policy defines users’ access to roles, roles’ access to domains, and domains’ access to types. An object in SELinux is anything that can be acted upon: a file, directory, socket, port, etc. The actions that a subject can perform on an object are its permissions.

First, the user must be entitled to enter the role, and then the role must be entitled to access the domain. The domain, in turn, limits access to specific file types only. This is the deny-by-default model, in which all access is denied unless it is explicitly allowed by the policy.

The command sestatus also displays the name of the loaded policy, and the command sudo semodule -l displays the list of SELinux policy modules currently loaded into memory.

Security contexts

The default policy included in Enterprise Linux 8 bases its rules on the type context. Type context names usually end in _t. For example: the type context of the web server process is httpd_t; for files and directories located in /tmp and /var/tmp it is tmp_t; for files and directories located in /var/www/html it is httpd_sys_content_t. The type context for web server ports is http_port_t.

We can inspect and set the SELinux context with the familiar commands ls, ps, cp and mkdir using the -Z option.

An example of a command that displays the context of a single file:

    ls -Z /www/index.html

We make context changes using the command chcon or semanage. Below is a permanent change of the context for the directory /www, whose default context is default_t. As a result of the following commands, SELinux will allow serving websites from this directory via the httpd server:

    sudo semanage fcontext -a -t httpd_sys_content_t "/www(/.*)?"
    sudo restorecon -R -v /www

The following command should display the updated context of the directory /www and of its contents:

    ls -dZ /www && ls -Z /www
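As an added example (not part of the original article), a small audit helper that reads `ls -Z` style output for a web root and lists every entry whose type context is not the one the httpd policy expects. The sample lines are constructed to mimic `ls -Z` output on EL8; only the type field of the context is compared.

```shell
# Constructed sample of `ls -Z /www` output: "<user>:<role>:<type>:<level> <name>".
SAMPLE_LS_Z='unconfined_u:object_r:httpd_sys_content_t:s0 index.html
unconfined_u:object_r:default_t:s0 about.html
unconfined_u:object_r:httpd_sys_content_t:s0 css
unconfined_u:object_r:user_home_t:s0 upload.php'

# find_mislabeled EXPECTED_TYPE  (reads `ls -Z` lines on stdin)
# Prints "<name> <actual_type>" for each entry whose type differs from EXPECTED_TYPE.
# Names containing spaces are kept whole: everything after the context field is the name.
find_mislabeled() {
    awk -v want="$1" '
        NF >= 2 {
            split($1, ctx, ":")          # ctx[3] is the SELinux type
            name = $0
            sub(/^[^ ]+ +/, "", name)    # drop the context field, keep the rest
            if (ctx[3] != want) print name, ctx[3]
        }'
}

# count_mislabeled EXPECTED_TYPE  (reads `ls -Z` lines on stdin)
# Prints the number of mislabeled entries, handy for a monitoring check.
count_mislabeled() {
    find_mislabeled "$1" | wc -l | tr -d ' '
}

# Stand-alone usage on the constructed sample:
printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled httpd_sys_content_t
```

On a real host, pipe `ls -Z /www` (or `find /www -exec ls -dZ {} +`) into `find_mislabeled httpd_sys_content_t`; entries it reports are the ones that `restorecon -R -v /www` will relabel once the semanage fcontext rule above exists.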

SELinux switches

The command semanage boolean -l displays the current state of the boolean switches that can be turned on or off, together with brief descriptions of their function. Let’s look at the current SELinux booleans:

    [eurolinux@el84 ~]$ sudo semanage boolean -l

    SELinux boolean                State  Default Description
    (...)
    httpd_enable_cgi               (on   ,   on)  Allow httpd to enable cgi
    httpd_enable_ftp_server        (off  ,  off)  Allow httpd to enable ftp server
    httpd_enable_homedirs          (off  ,  off)  Allow httpd to enable homedirs
    httpd_execmem                  (off  ,  off)  Allow httpd to execmem
    httpd_graceful_shutdown        (off  ,  off)  Allow httpd to graceful shutdown
    httpd_manage_ipa               (off  ,  off)  Allow httpd to manage ipa
    httpd_mod_auth_ntlm_winbind    (off  ,  off)  Allow httpd to mod auth ntlm winbind
    httpd_mod_auth_pam             (off  ,  off)  Allow httpd to mod auth pam
    httpd_read_user_content        (off  ,  off)  Allow httpd to read user content
    httpd_run_ipa                  (off  ,  off)  Allow httpd to run ipa
    (...)

The first entry in the list above allows the httpd daemon to run CGI scripts. To disable this option, we will use the command setsebool.

    [eurolinux@el84 ~]$ getsebool httpd_enable_cgi
    httpd_enable_cgi --> on

The result indicates that the switch is currently active. We change the boolean value to deactivate the ability to run scripts:

    [eurolinux@el84 ~]$ sudo setsebool httpd_enable_cgi 0

Re-checking the value should show a change:

    [eurolinux@el84 ~]$ getsebool httpd_enable_cgi
    httpd_enable_cgi --> off

SELinux booleans changed in this way are not permanent. After the system is restarted, they return to their previous values. To make the change permanent, run setsebool with the -P switch.
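Because a setsebool without -P reverts at reboot, it is worth checking for drift between the runtime State and the persistent Default columns of `semanage boolean -l`. The helper below is an added example (not from the original article) that parses that output; the sample lines are constructed in the same layout the article shows above.

```shell
# Constructed sample of `semanage boolean -l` output (State = runtime, Default = persistent).
SAMPLE_BOOLEANS='SELinux boolean                State  Default Description
httpd_enable_cgi               (off  ,   on)  Allow httpd to enable cgi
httpd_enable_ftp_server        (off  ,  off)  Allow httpd to enable ftp server
httpd_enable_homedirs          (on   ,  off)  Allow httpd to enable homedirs
httpd_execmem                  (off  ,  off)  Allow httpd to execmem'

# boolean_drift  (reads `semanage boolean -l` output on stdin)
# Prints "<boolean> <state> <default>" for each boolean whose runtime state
# differs from its persistent default, i.e. a value that will change at reboot.
boolean_drift() {
    awk '
        /^SELinux boolean/ { next }           # header line
        $2 ~ /^\(/ {                          # data lines look like: name (on , off) desc
            state = $2; sub(/^\(/, "", state)
            def   = $4; sub(/\)$/, "", def)
            if (state != def) print $1, state, def
        }'
}

# persist_commands  (reads `semanage boolean -l` output on stdin)
# For each drifted boolean, prints the setsebool -P command that would make the
# current runtime value permanent. Review the list before running anything.
persist_commands() {
    boolean_drift | awk '{ printf "setsebool -P %s %s\n", $1, $2 }'
}

# Stand-alone usage on the constructed sample:
printf '%s\n' "$SAMPLE_BOOLEANS" | boolean_drift
```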

Operating modes

SELinux can be in one of three possible modes:

  • Enforcing – SELinux enforces its policy and ensures that all unauthorized access attempts by users and processes are denied. Denied accesses are recorded in the appropriate log files
  • Permissive – a semi-active state. SELinux does not enforce its policy in this mode, so access is not denied, but every violation is recorded in the audit log
  • Disabled – SELinux is switched off.

To check the current SELinux mode, we can use the command getenforce. However, we will get a much more detailed result after using the command sestatus:

    [eurolinux@el84 ~]$ sestatus

    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   permissive
    Mode from config file:          enforcing
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Memory protection checking:     actual (secure)
    Max kernel policy version:      33

A temporary switch to permissive mode is made with the command:

    setenforce 0

To return to enforcing mode, simply use:

    setenforce 1

We can permanently change the mode in the SELinux configuration file /etc/selinux/config:

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=enforcing
    # SELINUXTYPE= can take one of these three values:
    #     targeted - Targeted processes are protected,
    #     minimum - Modification of targeted policy. Only selected processes are protected. 
    #     mls - Multi Level Security protection.
    SELINUXTYPE=targeted

There are two directives in this file. The SELINUX directive specifies the SELinux mode and can take the three values mentioned above.

The SELINUXTYPE directive defines the policy that will be used. In Enterprise Linux 8 the default value is targeted. This means that SELinux confines only some processes in the system, i.e. only some processes are targeted; those that are not targeted run without restrictions. Another possible value is mls – multi-level security, i.e. the advanced protection mode.
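The sestatus output shown earlier has Current mode: permissive while the config file says enforcing, exactly the state a temporary setenforce 0 leaves behind. The added example below (not from the original article) parses sestatus output and /etc/selinux/config text and flags such a mismatch; both inputs are constructed samples.

```shell
# Constructed sample of `sestatus` output (same fields as in the article).
SAMPLE_SESTATUS='SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled'

# Constructed sample of /etc/selinux/config (comments and padding included on purpose).
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'

# sestatus_field FIELD  (reads sestatus output on stdin) -> prints the value column
sestatus_field() {
    awk -F': *' -v key="$1" '$1 == key { print $2 }'
}

# config_mode  (reads config text on stdin) -> prints the SELINUX= value,
# ignoring comment lines and surrounding whitespace.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p'
}

# check_mode SESTATUS_TEXT CONFIG_TEXT
# Prints both values; returns 0 when the runtime mode matches the configured
# mode and 1 when the host has been switched with setenforce and will change at reboot.
check_mode() {
    current=$(printf '%s\n' "$1" | sestatus_field "Current mode")
    configured=$(printf '%s\n' "$2" | config_mode)
    printf 'current=%s configured=%s\n' "$current" "$configured"
    [ -n "$current" ] && [ "$current" = "$configured" ]
}

# Stand-alone usage on the constructed samples (reports a mismatch):
check_mode "$SAMPLE_SESTATUS" "$SAMPLE_CONFIG" || echo "mode mismatch: runtime differs from /etc/selinux/config"
```

On a real host call it as `check_mode "$(sestatus)" "$(cat /etc/selinux/config)"`.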

Summary

The article presents the basic capabilities of SELinux – more information about this software can be found in the manual pages: selinux, booleans, setsebool, sepolicy, system-config-selinux, restorecon, setfiles, semanage, seinfo and sesearch. Configuring SELinux from scratch is quite time-consuming; fortunately, this software is present and pre-configured by default on Enterprise-class Linux systems.

Authors

The blog articles are written by people from the EuroLinux team. We owe 80% of the content to our developers, the rest is prepared by the sales or marketing department. We make every effort to ensure that the content is the best in terms of content and language, but we are not infallible. If you see anything that needs to be corrected or clarified, we'd love to hear from you.