SELinux:
SELinux tells us which application has which type of access to which files,
directories, ports and sockets, independent of the user that started it.
It is most obviously needed on a server connected to the internet, but a server
inside a protected data center still benefits from it: if a service is compromised,
SELinux limits what the compromised process can reach, so it should stay enabled
there too.
It protects the system from users and services by mandatory access control (MAC):
the access rules are set by policy and a process cannot override them, unlike the
normal file permissions (DAC) which the owner of a file can loosen. SELinux is
implemented in the kernel.
SELinux modes and policies:
1. Every system call that touches a file, directory, port, socket or process goes
through the kernel, which asks SELinux whether the loaded policy allows the access.
2. If the access is allowed by the policy the service runs normally. If it is denied
by the SELinux policy an AVC (access vector cache) denial is produced.
3. The denial is logged by the auditd service, configured in /etc/audit/auditd.conf,
and written to /var/log/audit/audit.log.
4. In Enforcing mode SELinux blocks the access and writes the denial to the audit
log; in Permissive mode it lets the access happen but still writes the denial to
the audit log, so permissive mode is for finding problems, not for running production.
5. Disabled mode turns SELinux off completely: no policy is loaded and new files are
not labeled. It does not stop the auditd service; only the SELinux denials disappear
from its log.
Note: to move from disabled mode to either permissive or enforcing mode you have
to restart the machine, and vice versa. When coming back from disabled, the file
system must be relabeled on the next boot (create the file /.autorelabel before
rebooting), because files created while SELinux was disabled carry no label.
Understanding SELinux modes and policies:
To set the mode permanently, edit /etc/sysconfig/selinux, which is a symlink to
/etc/selinux/config (the line SELINUX=enforcing, permissive or disabled).
[root@server ~]#getenforce ==> shows the current SELinux mode
[root@server ~]#sestatus ==> shows the current mode, the configured mode and the
loaded policy
[root@server ~]#setenforce 1 ==> switch to enforcing until the next reboot
[root@server ~]#setenforce 0 ==> switch to permissive until the next reboot
We toggle between enforcing and permissive for troubleshooting: when a service such
as FTP or the web server fails to work, running it in permissive mode tells us
whether the problem is SELinux or the service itself. If it works in permissive
mode and the audit log shows denials, SELinux is the cause; fix the label, boolean
or port definition and go back to enforcing rather than leaving the system in
permissive mode.
Everything in RHEL has a security context (label).
Access is between a subject and an object: the subject (a user or a process of a
service) tries to access an object (files, directories, ports and sockets).
The context protects processes, files and ports from any access that does not
match the policy.
[root@server ~]#ls -Z /var/www/html/web1.html ==> display the file context
[root@server ~]#ps auxZ | grep httpd ==> display the context of the httpd processes
[root@server ~]#netstat -utlpnZ | grep httpd ==> display the listening ports of
httpd together with the context of the process that owns each port
A context has the form user:role:type:level. The first three parts exist on files,
directories, processes and ports:
1. User part
2. Role part
3. Type part
(the fourth part, the MLS/MCS level such as s0, is shown by ls -Z but stays s0 for
ordinary services under the targeted policy)
User section:
1. file or directory: system_u
2. Process: system_u
3. Port: system_u
Role section:
1. file or directory: object_r
2. Process: system_r
3. Port: object_r (a port is an object, like a file; the system_r seen in the
netstat -Z output belongs to the process that owns the port)
Type section (the part the targeted policy actually decides on):
1. file or directory: httpd_sys_content_t
2. Process: httpd_t
3. Port: http_port_t
Note: if any of the above parts of a context is changed so that it no longer
matches the policy (for example a file under the document root that does not have
httpd_sys_content_t), the access is denied and the service breaks. Each service is
confined by its own process type, and files created inside a directory inherit the
context of that directory.
Note: each service has its own set of types on the system, so to let one service
reach the components (files, processes and ports) of another service, the policy
must allow it, usually by turning on a boolean or by giving the files a type the
service is allowed to access.
To set a context we have the semanage utility:
semanage changes the SELinux policy (the file-context mapping), not the files on
disk; restorecon then applies the mapping from the policy to the file system.
semanage ===> policy (file-context mapping)
restorecon ===> reads the mapping from the policy and writes the labels to the
file system
So semanage ===> restorecon ===> file system
[root@server ~]#semanage --help
port ==> manage network port type definitions
fcontext ==> manage file context mapping definitions
boolean ==> manage booleans to selectively enable functionality
[root@server ~]#man semanage ==> man page for semanage
[root@server ~]#man semanage-fcontext ==> each subcommand has its own man page;
the EXAMPLE section at the end has commands that can be copied and adapted.
Using file system labels:
The context for a new, non-standard path (such as a document root outside
/var/www) is not in the default policy, so in RHEL 7 it must be defined with
semanage fcontext (semanage comes from the policycoreutils-python package). The
contexts of the standard paths of each service are already in the policy.
restorecon is very useful when something goes wrong, because it checks the context
of the directory against the policy and puts back the label the policy expects.
To modify a context we first need to know which type to use; the easy way is to
look at the types already used by the service, since there are many types.
[root@server ~]#semanage fcontext -l | less ==> display all file-context mappings
of the system
[root@server ~]#semanage fcontext -l | grep httpd ==> only the httpd mappings
[root@server ~]#semanage fcontext -a -t TYPE "/directory(/.*)?" ==> -a adds a
mapping, -t gives the type; the (/.*)? regular expression makes the mapping cover
everything under the directory, not only the directory itself
[root@server ~]#restorecon -R -v /directory ==> -R recursive, -v verbose: apply the
mapping to the directory and its contents
Analyzing SELinux log files:
[root@server ~]#systemctl status auditd ==> check that auditd is running
[root@server ~]#less /var/log/messages ==> general log; with setroubleshoot
installed, a readable summary of each denial appears here too
[root@server ~]#less /var/log/audit/audit.log ==> the raw AVC denial records
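The raw audit.log records are long, and the fields that matter for a fix are the source type, the target type, the object class and the denied permission. The script below is an added example, not part of the original notes: it pulls those fields out with plain sh and awk. The three records in SAMPLE_AUDIT are constructed for this example in the real audit.log layout (an httpd read denial on a default_t file and a name_bind denial on an unlabeled port); on a live host feed it the real file or the output of ausearch.

```shell
#!/bin/sh
# Added example: summarise AVC denials from /var/log/audit/audit.log.
# SAMPLE_AUDIT is constructed for this example; on a real system run
#   summarize_avc /var/log/audit/audit.log
# or   ausearch -m avc -ts recent | summarize_avc

SAMPLE_AUDIT='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=9876 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700000000.200:457): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8095 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# One tab-separated line per AVC denial: comm, permission, source type,
# target type, object class, object (path, or name/port when there is no path).
# Reads the files given as arguments, or stdin when there are none.
summarize_avc() {
    awk '
        /^type=AVC / && /denied/ {
            match($0, /\{[^}]*\}/)                      # "{ read }" -> read
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
            comm = scon = tcon = tclass = path = name = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm")     comm = kv[2]
                if (kv[1] == "scontext") scon = kv[2]
                if (kv[1] == "tcontext") tcon = kv[2]
                if (kv[1] == "tclass")   tclass = kv[2]
                if (kv[1] == "path")     path = kv[2]
                if (kv[1] == "name")     name = kv[2]
                if (kv[1] == "src")      name = kv[2]   # port number on socket denials
            }
            if (path == "") path = name
            gsub(/"/, "", comm); gsub(/"/, "", path)
            split(scon, s, ":"); split(tcon, t, ":")    # the type is the 3rd field
            printf "%s\t%s\t%s\t%s\t%s\t%s\n", comm, perm, s[3], t[3], tclass, path
        }' "$@"
}

# Same summary grouped by permission, source type, target type and class:
# the combination that decides whether a label, a boolean or a port
# definition is the fix.
count_avc() {
    summarize_avc "$@" | cut -f2-5 | sort | uniq -c | sort -rn
}

# Run the parser over the constructed sample.
demo_summary() {
    printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
}

demo_summary
```

The first sample record is the DocumentRoot case from the notes (httpd_t may not read default_t: a file label is wrong); the second is the port case (httpd_t may not name_bind on unreserved_port_t: a port definition is missing). Reading the summary in those terms points straight at semanage fcontext or semanage port.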
Configuring SELinux for Apache:
First look at the default web document root to see what a correct context looks like:
[root@server ~]#cd /var/www
[root@server www]#ls -Z ==> the policy allows the source context of the web server
process (httpd_t) to read the target context of the content (httpd_sys_content_t),
so the default directories are fine:
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
Now we move the DocumentRoot to a new directory. The policy knows nothing about
it, so it gets the generic default_t type:
[root@server ~]#mkdir /web ==> new document root
[root@server ~]#vim /web/index.html
[root@server ~]#vim /etc/httpd/conf/httpd.conf ==> change the apache configuration
for the new document root (replace the existing DocumentRoot line and the
<Directory> block for /var/www/html):
DocumentRoot "/web"
<Directory "/web">
AllowOverride None
Require all granted
</Directory>
[root@server ~]#systemctl restart httpd
Apache starts, but every request for a page under /web gets a 403, because httpd_t
is not allowed to read default_t, and the denial appears in the audit log:
[root@server ~]#grep AVC /var/log/audit/audit.log
[root@srv1 ~]# sealert -a /var/log/audit/audit.log | less ==> readable report of
the denials with the suggested fix (sealert comes with setroubleshoot-server)
[root@server ~]#man semanage-fcontext ==> the EXAMPLE section has exactly this case:
# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
[root@server ~]#semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" ==> writes
the mapping to the policy, not to the file system
[root@server ~]#restorecon -R -v /web ==> applies the mapping from the policy to
the files on disk; ls -Z /web now shows httpd_sys_content_t and the page is served
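The two-step sequence above (semanage fcontext writes the policy, restorecon writes the file system) is easy to get half right, for example by forgetting the (/.*)? part or by running semanage twice and getting "already defined". The script below is an added example, not from the original notes, that does both steps for the "Using file system labels" section and the /web case here, with a check of the label before and after. The path /web, the type httpd_sys_content_t and the helper names are assumptions for this example; it must run as root on a host with SELinux and policycoreutils-python (semanage) installed.

```shell
#!/bin/sh
# Added example: label a new Apache document root and verify the result.
# Usage (as root, on a host with SELinux):  sh relabel.sh /web
# The helper names and the /web default are assumptions for this example.

# Turn a directory path into the regular expression semanage fcontext
# expects, so the mapping covers the directory and everything below it.
fcontext_regex() {
    printf '%s(/.*)?\n' "${1%/}"
}

# The type is the third colon-separated field of a context string
# (system_u:object_r:httpd_sys_content_t:s0 -> httpd_sys_content_t).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Type currently on a file or directory; stat -c %C prints the context alone.
current_type() {
    context_type "$(stat -c %C "$1")"
}

# Map DIR to WANT_TYPE in the policy, apply it, and check it took effect.
# Returns non-zero if the type on disk still differs from the policy.
relabel_docroot() {
    dir=$1; want=${2:-httpd_sys_content_t}
    regex=$(fcontext_regex "$dir")

    echo "before: $dir is $(current_type "$dir")"        # typically default_t

    # 1. policy: add the mapping, or modify it if it already exists
    if semanage fcontext -l | grep -qF "$regex"; then
        semanage fcontext -m -t "$want" "$regex"
    else
        semanage fcontext -a -t "$want" "$regex"
    fi

    # 2. file system: apply the mapping to the directory and its contents
    restorecon -R -v "$dir"

    # 3. verify: matchpathcon says what the policy wants, stat what is on disk
    got=$(current_type "$dir")
    echo "after:  $dir is $got (policy: $(matchpathcon -n "$dir"))"
    [ "$got" = "$want" ]
}

if [ $# -gt 0 ]; then
    relabel_docroot "$1"
fi
```

The -a/-m choice matters because semanage fcontext -a refuses a regex that is already mapped; the verification step matters because a mapping in the policy changes nothing on disk until restorecon has run.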
Managing SELinux port labeling:
A service may only listen on ports that carry its port type; on any other port
httpd gets a name_bind denial in the audit log.
[root@server tmp]# man semanage-port
[root@srv1 ~]# semanage port -l ==> list all port types with their ports
[root@srv1 ~]# semanage port -l | grep http ==> list the http port types, tcp and udp
[root@srv1 ~]# semanage port -a -t http_port_t -p tcp 8095 ==> add tcp port 8095 to
the http_port_t type so httpd may listen on it
[root@srv1 ~]# semanage port -d -t http_port_t -p tcp 8095 ==> delete the port from
the type again
[root@srv1 ~]# semanage port -m -t http_port_t -p tcp 8095 ==> modify a port that is
already defined with another type (for such a port, adding with -a fails with
"already defined")
Note: do not forget to add the port to firewalld as well, and to add a Listen
directive for it in httpd.conf.
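Whether a port needs -a or -m depends on what semanage port -l already says about it, and the listing uses ranges (10001-10010) as well as single ports. The script below is an added example, not from the original notes: port_type parses a listing to find the specific type of a port, and label_http_port uses that answer to choose between -a and -m and then opens the port in firewalld. SAMPLE_PORT_LIST is a constructed excerpt in the format of semanage port -l; port 8095, the http_port_t type and the helper names are assumptions for this example, and label_http_port must run as root on a host with SELinux and firewalld.

```shell
#!/bin/sh
# Added example: decide between semanage port -a and -m before labeling.
# SAMPLE_PORT_LIST is a constructed excerpt of `semanage port -l` output;
# on a live host: semanage port -l | port_type 8095 tcp

SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
http_port_t                    udp      3130
unreserved_port_t              tcp      1024-32767'

# port_type PORT PROTO: print the specific type defined for PORT/PROTO in a
# `semanage port -l` listing read on stdin, or nothing when the port only
# falls into a generic range (unreserved, reserved, ephemeral). Only a
# specific definition makes `semanage port -a` fail with "already defined".
port_type() {
    awk -v port="$1" -v proto="$2" '
        $2 == proto && $1 !~ /^(unreserved|reserved|ephemeral)_port_t$/ {
            for (i = 3; i <= NF; i++) {
                p = $i; gsub(/,/, "", p)
                if (p ~ /-/) {                       # range like 10001-10010
                    split(p, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) { print $1; exit }
                } else if (p + 0 == port + 0) {
                    print $1; exit
                }
            }
        }'
}

# label_http_port PORT [PROTO]: make PORT usable by httpd and open it in
# firewalld. Requires root, SELinux and firewalld on the host.
label_http_port() {
    port=$1; proto=${2:-tcp}
    current=$(semanage port -l | port_type "$port" "$proto")
    case "$current" in
        "")          semanage port -a -t http_port_t -p "$proto" "$port" ;;
        http_port_t) echo "$proto/$port is already http_port_t" ;;
        *)           echo "$proto/$port is $current, changing it to http_port_t"
                     semanage port -m -t http_port_t -p "$proto" "$port" ;;
    esac
    firewall-cmd --permanent --add-port="$port/$proto" && firewall-cmd --reload
}

# Look up a port in the constructed sample (used for the checks below).
sample_port_type() {
    printf '%s\n' "$SAMPLE_PORT_LIST" | port_type "$1" "$2"
}
```

With the sample listing, 8080/tcp is already http_cache_port_t, so labeling it for httpd needs -m; 8095/tcp is only in the unreserved range, so -a is the right call. After the port is labeled, httpd still needs a Listen line for it in httpd.conf.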