SCAR-iT/LWM-Linux

Fork 0

ganome 07eaea381b

Initial Commit - Taking my own code to my repository - No longer a fork of LinuxLightHouse

2024-09-02 16:42:08 -06:00

3.4 KiB

Raw Blame History

Understanding SELinux

1. Introduction to SELinux

SELinux is a mandatory access control (MAC) security mechanism implemented in the Linux kernel. Developed by the NSA and Red Hat, it provides an additional layer of system security to complement the traditional discretionary access control (DAC) model used in most Linux distributions.

Key concepts:

Mandatory Access Control (MAC)
Security policies
Security contexts
Access decisions based on security contexts

2. SELinux Modes

SELinux operates in three modes:

Enforcing: SELinux policy is enforced
Permissive: SELinux prints warnings but does not enforce policy
Disabled: SELinux is turned off

To check the current mode:

getenforce

To change modes temporarily:

setenforce 0 # Set to permissive

setenforce 1 # Set to enforcing

To change modes permanently, edit /etc/selinux/config and reboot.

3. SELinux Contexts

SELinux assigns a context to every process, file, and system object. A context consists of four fields: user:role:type:level

Example:

system_u:object_r:httpd_sys_content_t:s0

To view contexts:

ls -Z # For files
ps auxZ # For processes

4. SELinux Policies

SELinux uses policies to define allowed actions. Two main policy types:

Targeted (default): Focuses on protecting network daemons
MLS (Multi-Level Security): More complex, used in high-security environments

5. Booleans

Booleans are on/off switches that allow runtime customization of SELinux policies.

To list all booleans:

getsebool -a

To change a boolean:

setsebool httpd_can_network_connect on

To make the change persistent:

setsebool -P httpd_can_network_connect on

6. Troubleshooting SELinux

Check for denials:

ausearch -m AVC,USER_AVC,SELINUX_ERR -ts recent

Use SELinux troubleshooter:

sealert -a /var/log/audit/audit.log

Analyze SELinux logs:

grep "SELinux" /var/log/messages

7. File and Directory Labeling

To change the SELinux context of a file or directory:

chcon -t httpd_sys_content_t /path/to/file

To restore the default context:

restorecon -v /path/to/file

8. Managing SELinux Modules

List available modules:

semodule -l

Enable a module:

semodule -e modulename

Disable a module:

semodule -d modulename

9. Creating Custom SELinux Policies

For complex environments, you may need to create custom policies:

Install policy development tools:

yum install selinux-policy-devel

Write a policy module (.te file)
Compile and package the module:

make -f /usr/share/selinux/devel/Makefile

Install the module:

semodule -i mymodule.pp

10. SELinux and Containers

SELinux provides strong isolation for containers:

Each container runs with its own SELinux context
Prevents container processes from accessing host resources

To run a container with a specific SELinux context:

docker run --security-opt label=type:svirt_lxc_net_t my_image

11. Best Practices

Keep SELinux enabled and in enforcing mode
Use SELinux booleans instead of custom policies when possible
Regularly review and update SELinux policies
Use SELinux MLS for high-security environments
Educate system administrators about SELinux

12. Additional Resources

SELinux Project: https://github.com/SELinuxProject
Red Hat SELinux Guide: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/index

3.4 KiB Raw Blame History