SELinux (Security-Enhanced Linux) is a mandatory access control (MAC) system that adds a layer of protection on top of the standard Linux permissions. It is especially useful for high-security environments or servers exposed to the internet. Below are the key aspects of an advanced SELinux configuration, including policies, modes, and troubleshooting tips.
1. SELinux Modes
SELinux has three main operation modes:
- Enforcing: The mode where SELinux is active and enforces all policies. It blocks any action not explicitly allowed.
- Permissive: SELinux does not block actions, but it logs every policy violation. It is useful for debugging and for adjusting policy before switching to enforcing mode in production.
- Disabled: SELinux is turned off. Policies are not applied or recorded.
To check the current SELinux mode:
sestatus
To change the SELinux mode temporarily (without restarting):
setenforce 0 # Change to Permissive
setenforce 1 # Change to Enforcing
To change the SELinux mode permanently, edit the configuration file /etc/selinux/config (the setting takes effect on the next boot):
SELINUX=enforcing # Change to permissive or disabled as needed
2. SELinux Policies
Policies in SELinux define which actions are allowed and which are not. There are three main types of policies:
- Targeted: The default policy on most Linux distributions. It confines common system services (web server, DNS, databases, and so on) while leaving all other processes unconfined.
- MLS (Multi-Level Security): A stricter policy that uses classification and categorization levels, typically for high-security systems.
- MCS (Multi-Category Security): Similar to MLS, but with security categories instead of strict levels. It is useful for virtualization and container systems.
To check the active policy:
sestatus | grep "Policy"
3. SELinux Contexts
Every file, process, and port in SELinux has a security context, which typically includes:
- User
- Role
- Type
- Level, for MLS/MCS policies.
For example, in the file context system_u:object_r:httpd_sys_content_t:s0, the type (httpd_sys_content_t) determines what actions a service can perform on the file.
To view the context of a file:
ls -Z /path/to/file
To change the context of a file:
chcon -t new_type /path/to/file
Example of changing a file to be accessible by Apache:
chcon -t httpd_sys_content_t /var/www/html/index.html
A chcon change is lost the next time the file is relabeled (for example by restorecon). For the change to be permanent, register the context with semanage and then apply it:
semanage fcontext -a -t httpd_sys_content_t "/var/www/html(/.*)?"
restorecon -Rv /var/www/html
4. SELinux Management Tools
- semanage: Configures persistent SELinux settings such as file contexts, ports, and more.
semanage fcontext -l # List file contexts
semanage port -l # List ports and their types
- restorecon: Restores file contexts to their default values according to policy.
restorecon -Rv /path/to/directory
- getsebool and setsebool: Manage booleans, which allow enabling or disabling specific SELinux rules without directly modifying policies.
getsebool -a # List all booleans
setsebool httpd_enable_homedirs on # Allow Apache to access home directories
5. Configuring Booleans in SELinux
Booleans are a way to customize SELinux behavior without directly changing policies. For example, to allow Apache to access user files:
setsebool -P httpd_enable_homedirs on
To list the booleans for a specific service (for example httpd):
getsebool -a | grep httpd
6. Troubleshooting in SELinux
When SELinux blocks an action, it writes an AVC denial record to the audit log (/var/log/audit/audit.log). To find these records and get an explanation or a suggested fix, use ausearch or audit2why:
ausearch -m avc -ts today # View violations from today
cat /var/log/audit/audit.log | audit2why # Explain the denials in the audit log
If you want to turn these violations into policy exceptions for SELinux, use audit2allow. Review the generated module_name.te file before installing the .pp: audit2allow allows exactly what was denied, which can be more than the service actually needs, and if audit2why points to an existing boolean, set that boolean instead of loading a custom module:
cat /var/log/audit/audit.log | audit2allow -M module_name
semodule -i module_name.pp
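Added example, not code from the original article and not audit2allow's own implementation: a POSIX sh/awk function that reads raw audit records, keeps only the AVC denials, and prints the allow rules a generated module would contain, so the administrator can see exactly what would be granted before running semodule -i. The audit records are constructed here in audit.log format; the field names (scontext, tcontext, tclass, comm) are the real ones, and ctx_type extracts the type field of a context as described in section 3.

```shell
#!/bin/sh
# Added example: summarise AVC denials as the allow rules audit2allow would
# emit. Not the article's code; uses only sh + awk. Sample lines are constructed.

# Constructed records in /var/log/audit/audit.log format (two file denials for
# httpd on a home directory, one network denial, one unrelated SYSCALL record).
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=789 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.456:457): avc:  denied  { open } for  pid=1234 comm="httpd" path="/home/alice/public_html/index.html" dev="dm-0" ino=789 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.789:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000001.789:458): arch=c000003e syscall=42 success=no exit=-13'

# ctx_type CONTEXT: print the type field of user:role:type[:level]
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_rules: audit records on stdin -> one "allow src tgt:class { perms };"
# line per (source type, target type, class), permissions merged in the order
# first seen. This is the rule body a generated .te file would contain.
avc_rules() {
  awk '
    /^type=AVC / && / denied / {
      match($0, /[{][^}]*[}]/)                 # the "{ read }" part
      perms = substr($0, RSTART + 1, RLENGTH - 2)
      src = tgt = cls = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
        if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
        if (kv[1] == "tclass")   cls = kv[2]
      }
      key = src " " tgt ":" cls
      if (!(key in perm)) { keys[++n] = key; perm[key] = "" }
      m = split(perms, p, " ")
      for (j = 1; j <= m; j++)
        if (index(" " perm[key] " ", " " p[j] " ") == 0)
          perm[key] = (perm[key] == "" ? "" : perm[key] " ") p[j]
    }
    END { for (k = 1; k <= n; k++) printf "allow %s { %s };\n", keys[k], perm[keys[k]] }
  '
}

# Run on the constructed sample; on a real host use:
#   ausearch -m avc -ts today --raw | avc_rules
printf '%s\n' "$SAMPLE_AVC" | avc_rules
```

On the sample, the first rule (httpd_t reading user_home_t files) is what the httpd_enable_homedirs boolean from section 5 already covers, which is why audit2why should be consulted before a custom module is loaded.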
7. Creating Custom Policy Modules
In advanced cases, it may be necessary to create custom policy modules to allow specific actions without disabling SELinux. Modules are created with audit2allow and then installed with semodule:
cat /var/log/audit/audit.log | audit2allow -M custom_policy
semodule -i custom_policy.pp
8. Recommendations for Advanced SELinux Configuration
- Regularly monitor SELinux logs: Use ausearch or audit2why to identify and analyze incidents.
- Implement booleans for common configurations: Booleans are an effective way to make adjustments without creating custom policies.
- Test in permissive mode: Before applying restrictive policies in enforcing mode, test in permissive mode to evaluate the impact without disrupting services.
- Use custom policies when necessary: For special configurations or specific software, custom modules allow tailoring SELinux to the exact needs of the system.
With an advanced SELinux configuration, it is possible to protect critical systems, ensuring granular control over who and what can access system resources. By following these steps, administrators and security teams can leverage the full potential of SELinux to maintain integrity and security in high-demand Linux environments.
via: SELinux on Administración de Sistemas