Basic SELinux security concepts !!

Pre-requisite: Apache Server Installation.
Security Enhanced Linux (SELinux) is an additional layer of system security. A primary goal of SELinux is to protect user data from system services that have been compromised.
For example, to allow anonymous remote access to a web server, firewall ports must be opened. However, this gives malicious people an opportunity to crack the system through a security exploit, and if they compromise the web server process, gain its permissions: the permissions of the apache user and the Apache group. The user/group has read access to things like the documents root (/var/www/html), as well as write access to /tmp, /var/tmp, and any other files/directories that are world-writable.
Solution: SELinux is a set of security rules that determine which process can access which files, directories and ports. Every file, process, directory, and port has a special security label called a SELinux context. A context is a name that is used by the SELinux policy to determine whether a process can access a file, directory, or port. By default, the policy does not allow any interaction unless an explicit rule grants access. If there is no allow rule, no access is allowed.

♥ What is the difference between discretionary access control and mandatory access control?

  • Discretionary Access Control (DAC) defines the basic access controls for objects in a filesystem. This is the typical access control provided by file permissions, sharing, etc. Such access is generally at the discretion of the owner of the object (file, directory, device, etc.).
  • Mandatory Access Control (MAC) is a security mechanism that restricts the level of control that users (subjects) have over the objects that they create. Unlike in a DAC implementation, where users have full control over their own files, directories, etc.
    *MAC provides access based on levels while DAC provides access based on identity
    *DAC is more labor intensive than MAC
    *DAC is more flexible than MAC
    *MAC access can only be changed by admins while DAC access can be provided by other users.

♥ State the difference between standard user/group/other permission security model and SELinux in terms of MAC and DAC.

In a traditional security model, we have three entities: User, Group, and Other (u,g,o) who can have a combination of Read, Write, and Execute (r,w,x) permissions on a file or directory. If a user jo creates a file in their home directory, that user will have read/write access to it.

♥ What are the types of contexts in SELinux? What is the default policy?

SELinux requires a security context to be associated with every process (or subject) and object that are used by the security server to decide whether access is allowed or not as defined by the policy.
The security context is also known as a ‘security label’ or just label that can cause confusion as there are many types of label depending on the context.

♥ What is the option used to display or set SELinux contexts? Use commands ps, ls, cp, and mkdir to display the current SELinux contexts.

This is viewed using the ls -Z command


♥ What is the use of seinfo command?

Query and get information about a policy, analyze a binary or a source policy file under SELinux.


SELinux modes

For troubleshooting purposes, SELinux protection can be temporarily disabled using SELinux modes.

♥ What are the three modes in SELinux?

  1. Enforcing
  2. Permissive
  3. Disabled

♥ How to display the current SELinux mode in effect?


SELinux Booleans

♥ What is the purpose of SELinux Booleans?

Although you can’t read the policy module files, there’s a simple way to tweak their settings. That’s done through SELinux booleans.


♥ What is the purpose of the getsebool command? Interpret the output.

To change any of the settings, we can use the setsebool command. As an example, let’s consider the anonymous FTP write access.


Changing SELinux Modes

⊕ Changing the current SELinux mode

♥ Is SELinux set by default or not?there by default have to enforce                                          ♥ How to change the current SELinux mode?


⊕ Setting the default SELinux mode

♥ How to set the default SELinux mode?


Changing SELinux Contexts

⊕ Initial SELinux context

♥ Typically the SELinux context of a file’s parent directory determines its initial SELinux context. The content of the parent directory is assigned to the newly created files. This works for commands like vim, cp and touch. However is this the case if the file was created elsewhere (as with mv or cp –a)?

⊕ Changing the SELinux context of a file

♥ Show the usage of the two commands chcon and restorecon that you can use to change the SELinux contexts of folders. Is using chcon permanent?
♥ What is the option you should use to define the default file context rules?

Running chcon is a temporary measure. You can use it to temporarily change file or directory contexts for troubleshooting access denial errors. However, this method is only temporary: a file system relabel or running the restorecon command will revert the file back to its original context.
⇒ Also, running chcon requires you to know the correct context for the file; the –type flag specifies the context for the target. restorecon doesn’t need this specified. If you run restorecon, the file will have the correct context re-applied and the changes will be made permanent.
⇒ But if you don’t know the file’s correct context, how does the system know which context to apply when it runs restorecon?
⇒ Conveniently, SELinux “remembers” the context of every file or directory in the server. In CentOS 7, contexts of files already existing in the system are listed in the /etc/selinux/targeted/contexts/files/file_contexts file.


Practice Exercise:

** Create a new document root for apache, called /custom.
** Create the index.html file with some recognizable content.
** Configure Apache to use the new location. You need to replace the two occurrences of “/var/www/html” with “/custom: in the Apache configuration file, /etc/httpd/conf/httpd.conf.
** Start the Apache Web Service.
** You are not able to access the Web Page. Why is this, explain in terms of security contexts. (Use the command ls -Zd).

⇒ By changing the context of the file. We will use the chcon command for it. The –type flag for the command allows us to specify a new type for the target resource. Here, we are changing the file type to var_t.
⇒ Next, when we try to access the web page (i.e. the httpd daemon tries to read the file), you may get a Forbidden error, or you may see the generic CentOS “Testing 123” page.
⇒ Obviously some access is now being denied, but whose access is it? As far as SELinux is concerned, the web server is authorized to access only certain types of files and vart is not one of those contexts. Since we changed the context of the index.html file to vart, Apache can no longer read it and we get an error.
⇒ To make things work again, let’s change the file type with the restorecon command. The -v switch shows the change of context labels:

** Define a SELinux file context rule that sets the context type to httpd_sys_content_t for /custom and all the files below it.
** Use restorecon to change their contexts.






Changing SELinux Booleans

SELinux Booleans are switches that change behavior of the SELinux Policy. SELinux Booleans are rules that can be enabled and disabled. They can be used be security administrators to tune the policy and make selective adjustments.

♥ What is the purpose of the semanage Boolean –l command?
Although you can’t read the policy module files, there’s a simple way to tweak their settings. That’s done through SELinux booleans.
To see how it works, let’s run the semanage boolean -l command.


♥ Specify a scenario where using SELinux Booleans is helpful?

SELinux policy writers are encouraged to make the policy optional. And optional in SELinux world means that allowing the access should be triggered through a SELinux boolean. A SELinux boolean is a single string (hopefully sufficiently interpretable) that changes how SELinux reacts.
⇒ SELinux supports booleans to dynamically update the run-time policy
⇒ the values of these booleans can be persisted across reboots
⇒ you can use sesearch to display the consequences of a boolean or to see if a boolean is available to allow certain statement

Practice Exercise:

** Enable the Apache feature that permits users to publish web content from their home directories. Edit the /etc/httpd/conf.d/userdir.conf configuration file and change the line with the UserDir directive to read as UserDir public_html.
** Restart Apache Service.
** Login as another user and create a folder named public_html in the user’s home directory.
** Create some index.html file.
** Change the permissions on student’s home directory so Apache can access the public_html subdirectory.
** Open browser and try to view content.
** Use getsebool to see if there are any Booleans that restrict access to home directories.
** User setsebool to enable home directory access persistently.
** Now try viewing the content again




S.H.M Lahiru Prabath Balasuriya.













Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s