On a system without Security-Enhanced Linux (SELinux) enabled, discretionary access control (DAC) is used for file security. Basic file permissions are used to grant file access to users. Users and programs alike are allowed to grant insecure file permissions to others. For users, there is no way for an administrator to prevent a user from granting world-readable and world-writable permissions to his own files. For programs, file operations are performed as the owner of the process, which can be the root user, giving the program access to any file on the system.
SELinux is a mandatory access control (MAC) mechanism implemented in the kernel. Programs protected by SELinux are allowed access only to the parts of the filesystem they require to function properly; if a program intentionally or unintentionally tries to access or modify a file that is not necessary for it to function, or a file outside the directories the program controls, access is denied and the action is logged. The enforcement mechanism itself lives in the kernel, but exactly which files and directories are protected, and to what extent, is defined by the SELinux policy. This section gives instructions on how to enable the SELinux protection mechanism, describes the SELinux policies available in Red Hat Enterprise Linux, tells you how to read the SELinux permissions of a file, shows how the SELinux Troubleshooting Tool alerts you to SELinux errors, and steps you through how to change the security context of files.
Selecting an SELinux Mode
When your Red Hat Enterprise Linux system is booted for the first time and you reach the SELinux step, the SELinux mode is set to Enforcing by default. The following modes are available:
. Enforcing: Enable and enforce the SELinux security mechanism on the system, logging any actions denied because of it.
. Permissive: Enable SELinux but don’t enforce the policy. Only warn about files protected by SELinux.
. Disabled: Turn off SELinux.
The SELinux mode can be changed at a later time by using the SELinux Management Tool, a graphical application for customizing SELinux. The policycoreutils-gui RPM package must be installed to use this program. Start the tool by executing the system-config-selinux command or selecting Administration, SELinux Management from the System menu of the top panel of the desktop. If you are not the root user, you are prompted to enter the root password before continuing. Choose the SELinux mode for the following two options:
. System Default Enforcing Mode: The mode to use when the system is booted. Choose between Enforcing, Permissive, and Disabled (described earlier in this section). The mode change does not take place immediately. This preference is written to the /etc/selinux/config file. The next time the system is rebooted, this mode is used.
If the mode is changed from Disabled to Permissive or Enforcing, the filesystem must be relabeled for SELinux during the reboot, which can be quite time-consuming depending on the size of the filesystem. It is highly recommended that the filesystem be backed up before changing modes in case of disk failure or other errors during the conversion process.
. Current Enforcing Mode: The SELinux mode currently in effect. If the system was booted into the enforcing or permissive mode, the current mode can be immediately changed between the two without a reboot.
If you do not have a graphical desktop, are logged in remotely without X forwarding, or just prefer the command line, these mode preferences can be made using the command line.
To change the currently running SELinux mode, use the setenforce command as the root user, passing either Enforcing or Permissive as its <mode> argument:
To confirm the change, execute the getenforce command, which displays the current SELinux mode.
The SELinux mode used at boot time can be set in the /etc/selinux/config file. As the root user, set the SELINUX option to enforcing, permissive, or disabled such as the following:
After the reboot, verify the mode was changed with the sestatus command. The output should look similar to Listing 23.1.
LISTING 23.1 SELinux Status with sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
Selecting and Customizing the SELinux Policy
If permissive or enforcing mode is enabled, an SELinux policy must be selected to determine which programs are governed by SELinux and which are run in unconfined space.
The SELinux policy sets what programs are protected under SELinux. The default policy, called the targeted policy, in Red Hat Enterprise Linux is designed to protect the system without being intrusive to the users.
The following policies are available:
. targeted (default): Works for most server and client systems. Protects users from applications and system processes while leaving userspace unconfined so the security measures are mostly undetectable to most users. Requires the selinux-policy-targeted package to be installed.
. strict: Very controlled environment in which most system and user processes have very limited access to the filesystem. Users are only granted access to specific directories for maximum security, and system processes are only granted access to directories to which they need access to run. If an application is configured to use nondefault directories, the policy must be changed to allow the application to access the nondefault directories. Requires the selinux-policy-strict package to be installed.
. mls: Allows security to be mapped out according to multiple levels of security. Developed for servers requiring EAL4+/LSPP certification. Useful for organizations that grant security rights based on a user’s security level. Requires the selinux-policy-mls package to be installed.
To change the SELinux policy, first install the corresponding package. To change the policy from the SELinux Management Tool, go to the Status view and select the desired policy from the System Default Policy Type pull-down menu. Only installed policies are available for selection.
To change from the command line, set the SELINUXTYPE option in the /etc/selinux/config file to targeted, strict, or mls such as the following:
A reboot is required after selecting a different policy so that the filesystem can be relabeled. Remember to back up the filesystem before changing the SELinux policy. After the reboot, verify the policy was changed by executing the sestatus command.
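The two command-line procedures above (setting SELINUX in the "Selecting an SELinux Mode" section and SELINUXTYPE here) both edit /etc/selinux/config, a file of KEY=value lines. The following script is an added example, not part of the book or of Red Hat's tooling: it reads and rewrites those two keys in a constructed copy of the file, refuses any value that is not one of the modes or policies listed in this chapter, and encodes the relabel rule stated in the text (a change out of disabled, or a change of policy, forces a relabel at the next boot). The sample file content, the function names, and the helper names are all assumptions of this example.

```shell
#!/bin/sh
# Added example: safely read and change SELINUX= / SELINUXTYPE= in a file using the
# /etc/selinux/config format. The file below is a CONSTRUCTED copy written to a temp
# file; point the functions at the real path only once you have tested them.

make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values: enforcing, permissive, disabled
SELINUX=enforcing
# SELINUXTYPE= can take one of these values: targeted, strict, mls
SELINUXTYPE=targeted
EOF
    printf '%s\n' "$f"
}

# config_get KEY FILE: print the value of KEY (the last assignment wins).
config_get() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# config_set KEY VALUE FILE: rewrite KEY=VALUE in place, refusing values the init
# scripts would not understand. Returns 1 and leaves the file untouched on a bad pair.
# The original file is overwritten through its existing inode, so its permissions and
# SELinux label are kept; the temp file only holds the new text.
config_set() {
    case "$1=$2" in
        SELINUX=enforcing|SELINUX=permissive|SELINUX=disabled) ;;
        SELINUXTYPE=targeted|SELINUXTYPE=strict|SELINUXTYPE=mls) ;;
        *) printf 'refusing to write %s=%s\n' "$1" "$2" >&2; return 1 ;;
    esac
    tmp=$(mktemp)
    if grep -q "^$1=" "$3"; then
        sed "s/^$1=.*/$1=$2/" "$3" > "$tmp"
    else
        cat "$3" > "$tmp"
        printf '%s=%s\n' "$1" "$2" >> "$tmp"
    fi
    cat "$tmp" > "$3" && rm -f "$tmp"
}

# needs_relabel OLD_MODE NEW_MODE OLD_TYPE NEW_TYPE: succeed when the change forces a
# filesystem relabel at the next boot (leaving disabled, or switching policy type).
needs_relabel() {
    if [ "$1" = disabled ] && [ "$2" != disabled ]; then return 0; fi
    if [ "$3" != "$4" ]; then return 0; fi
    return 1
}

cfg=$(make_sample_config)
printf 'before: SELINUX=%s SELINUXTYPE=%s\n' "$(config_get SELINUX "$cfg")" "$(config_get SELINUXTYPE "$cfg")"
config_set SELINUX permissive "$cfg"
config_set SELINUXTYPE strict "$cfg"
config_set SELINUX on "$cfg" || printf 'invalid value rejected, file unchanged\n'
printf 'after:  SELINUX=%s SELINUXTYPE=%s\n' "$(config_get SELINUX "$cfg")" "$(config_get SELINUXTYPE "$cfg")"
if needs_relabel enforcing permissive targeted strict; then printf 'relabel required at next boot\n'; fi
rm -f "$cfg"
```

Pairing the write with needs_relabel is the point: the text recommends a backup before any change that triggers a relabel, and a script that knows which changes those are can stop and ask for one.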
When changing the policy, setting the mode to permissive allows the administrator to test the policy without enforcing it at first. After reviewing the SELinux alerts and system log files for any errors or warnings over a testing period, the mode can be changed from permissive to enforcing as described in the “Selecting an SELinux Mode” section. Major modifications to the policy require the policy source to be modified and recompiled. However, minor changes can be made without recompiling by setting the boolean value (0 or 1) of optional features. For example, by default, the SELinux targeted policy does not allow the Apache HTTP Server to serve files from home directories. The value of the httpd_enable_homedirs boolean can be set to 1 to explicitly allow it. Changes to boolean values can be made with the SELinux Management Tool or the setsebool command.
Start the graphical tool with the system-config-selinux command or the Administration, SELinux Management menu item in the System menu of the top panel of the desktop. Select the Boolean view from the list on the left. A tree view of possible boolean modifications can now be seen. Click the triangle icon next to each category to view a list of boolean options. Boolean options with a checkmark beside them are enabled. Check an option to enable it, and uncheck an option to disable it. The changes take place immediately.
Descriptions of each available boolean value can be found in the BOOLEANS section of the man page for the specific policy. For example, the nfs_selinux man page describes the use_nfs_home_dirs boolean, which corresponds to the Support NFS home directories option under the NFS category in the graphical application.
Alternatively, use the setsebool command to set the boolean to the desired value:
setsebool -P <boolean> <value>
To view the status of a boolean via the command line, execute the getsebool command:
To completely disable SELinux for a specific service, place a checkmark next to the corresponding boolean under the SELinux Service Protection category or the category for the specific service, such as Kerberos. While this allows the service to work with SELinux enabled, the service is no longer protected by SELinux, so it is not recommended. If a service cannot be started because of SELinux, look at the boolean values that can be changed for it. The SELinux Troubleshooting Tool summarizes why the action was blocked by the SELinux policy. It also offers possible solutions for the problem. Refer to the “Utilizing the SELinux Troubleshooting Tool” section for details.
Utilizing the SELinux Troubleshooting Tool
Log messages for SELinux are written to /var/log/messages unless the Linux Auditing System is used. If audit is enabled, messages are written to the /var/log/audit/audit.log file. The log messages are labeled with the AVC keyword so they can be easily filtered from other messages.
Starting with Red Hat Enterprise Linux, instead of having to read through log files to determine why SELinux is preventing an action, the SELinux Troubleshooting Tool can be used to analyze the SELinux AVC messages. It consists of a graphical interface for displaying these messages and possible solutions, a desktop notification icon that appears when there are messages to view, and a daemon that checks for new SELinux AVC messages so that you are alerted by the notification icon of them as soon as they occur. The tool is provided by the setroubleshoot RPM package, which is installed by default.
The daemon, setroubleshootd, is started by default with the /etc/rc.d/init.d/setroubleshoot initialization script. The /var/log/setroubleshootd.log file contains any log messages concerning the tool. This log file is automatically rotated on a weekly basis, and old log files for the previous two weeks are kept.
If you are working on the local desktop for the system (sitting at the computer), a star icon appears in the notification area of the top desktop panel when SELinux AVC messages are available for viewing. Click on it to view the SELinux Troubleshooting Tool.
If you are not working on the local desktop but have SSH access to the system with X forwarding, you can execute the sealert -b command to remotely view the graphical troubleshooting browser.
Working with Security Contexts
When SELinux is enabled, all files and objects have a security context. Security contexts for processes are called domains, such as httpd_t for the Apache web server daemon processes. Security contexts for files are called file contexts and are stored in the extended attributes of the files. The security context has four colon-separated parts: user, role, type, and mls.
Unless the MLS policy is being used, the last field, mls, is not used. The user field is the SELinux user who created the file. The role field is the role of the object or file, and the type field is the type, which determines which policy rules apply to the object or file. An example of a security context for the targeted policy is system_u:object_r:etc_t.
In this example, the file is a system file as indicated by the system_u user field, is a file object labeled with object_r, and is governed by the etc_t type because it is a file in the /etc/ directory.
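The AVC messages described under “Utilizing the SELinux Troubleshooting Tool” carry exactly the fields just defined: scontext is the domain of the process that was denied, tcontext is the context of the file or object it touched, and the type field of each is what a policy rule or boolean would need to address. The script below is an added example, not from the book or the setroubleshoot package; it filters denials out of audit records and summarizes them by (command, domain, permission, object class, target type), which is how an administrator would decide whether files are mislabeled (fix with chcon or semanage) or whether a boolean needs changing. The log lines are constructed in the audit.log AVC format and are not from any real system; the function names are this example's own.

```shell
#!/bin/sh
# Added example: triage AVC denials from audit records. The lines below are CONSTRUCTED
# in the /var/log/audit/audit.log AVC format (one SYSCALL record and one "granted" record
# are included so the filter has something to drop).
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1178563420.812:119): avc:  denied  { getattr } for  pid=2341 comm="httpd" path="/home/html/index.html" dev=dm-0 ino=131567 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1178563420.812:119): arch=40000003 syscall=195 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t
type=AVC msg=audit(1178563425.101:120): avc:  denied  { getattr } for  pid=2341 comm="httpd" path="/home/html/images/logo.png" dev=dm-0 ino=131570 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1178563425.204:121): avc:  denied  { read } for  pid=2341 comm="httpd" name="index.html" dev=dm-0 ino=131567 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1178563430.555:122): avc:  granted  { setenforce } for  pid=2402 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
type=AVC msg=audit(1178563440.201:123): avc:  denied  { write } for  pid=1899 comm="smbd" name="share" dev=dm-0 ino=23011 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:public_content_t tclass=dir'

# avc_denials: read audit records on stdin, keep only AVC records that are denials.
# (The book's "filter on the AVC keyword" also matches granted records; drop those.)
avc_denials() {
    grep '^type=AVC ' | grep ' denied '
}

# avc_summary: read audit records on stdin and print one line per distinct
# (comm, source domain, permission, object class, target type) tuple with its count.
avc_summary() {
    avc_denials | awk '
    {
        # permission set sits between the braces: "denied  { getattr }"
        perm = $0
        sub(/.*denied +[{] */, "", perm)
        sub(/ *[}].*/, "", perm)
        gsub(/ /, ",", perm)
        comm = src = tgt = cls = "?"
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1)
            val = substr($i, n + 1)
            gsub(/"/, "", val)
            if (key == "comm") comm = val
            else if (key == "scontext") src = val
            else if (key == "tcontext") tgt = val
            else if (key == "tclass") cls = val
        }
        # A context is user:role:type[:mls]; field 3 is the process domain (source)
        # or the file type (target), the parts a policy rule or boolean refers to.
        split(src, s, ":"); split(tgt, t, ":")
        count[comm " " s[3] " " perm " " cls " " t[3]]++
    }
    END { for (k in count) print count[k], k }' | sort -k2
}

# context_field CONTEXT N: print field N of a context (1=user, 2=role, 3=type, 4=mls).
context_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_summary
```

Run against a real log with `avc_summary < /var/log/audit/audit.log`. In the sample, the three httpd lines collapse to two tuples against user_home_t, which tells the administrator at a glance that the web server is being kept out of files labeled as home-directory content rather than failing for three unrelated reasons.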
Viewing Security Contexts
Utilities such as ls and ps do not display the SELinux security context by default. Use the -Z option, supported by most file utilities, to view this context, such as ls -Z and ps -Z. For example, when the -Z option is used with ls to view the /etc/sysconfig/ directory, the security context is shown as follows:
-rw-r--r-- root root system_u:object_r:etc_t apmd
drwxr-xr-x root root system_u:object_r:etc_t apm-scripts
-rw-r----- root root system_u:object_r:etc_t auditd
-rw-r--r-- root root system_u:object_r:etc_t authconfig
-rw-r--r-- root root system_u:object_r:etc_t autofs
-rw-r--r-- root root system_u:object_r:etc_t bluetooth
The cp and mv commands for copying and moving files handle file contexts differently. By default, the cp command creates a new file in the desired location with a type based on the creating process and the parent directory of the destination. For example, if a file is copied from the /etc/ directory to a backup directory, the type field of the copy changes from etc_t to whatever the default type is for the target directory. The -Z option to cp can be used to specify the context to use when copying the file:
cp -Z <context> file /new/location
The mv command to move files preserves the file context of the files by default. If the file needs a different type in the new location, be sure to relabel the file with the chcon command:
chcon -t <context> <file>
Modifying Security Contexts
To better understand the impact and usage of security contexts, consider an example concerning the Apache HTTP Server. It is common to change the default DocumentRoot to something other than /var/www/html/. Perhaps you need files to come from network storage mounted in a different directory. SELinux protects the httpd process and only allows the web server to serve files and directories with a specific security context.
The security context of the default files in the /var/www/ directory is shown in Listing. The output is from the ls -d -Z /var/www;ls -Z /var/www command.
LISTING Security Context of Default DocumentRoot
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t /var/www
drwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t cgi-bin
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t error
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t html
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t icons
Security Context for Multiple File Sharing Protocols
If more than one file sharing protocol (FTP, HTTP, NFS, rsync, and Samba) is used to share the same set of files, the security context must be set to public_content_t or public_content_rw_t instead of the security context specific to the protocol such as samba_share_t for Samba.
The public_content_t context only allows read access to the files. The public_content_rw_t context allows read and write access. To allow read and write access, you must also enable the allow_<protocol>_anon_write boolean, where <protocol> is one of ftpd, httpd, nfsd, rsync, or smbd. For example, to allow FTP and the Apache HTTP Server to share the same files, execute the following commands as root:
setsebool -P allow_ftpd_anon_write=1
setsebool -P allow_httpd_anon_write=1
Making Security Context Changes Permanent
Modifying the security context of files, as discussed in the previous section, persists between reboots unless the filesystem is relabeled. A filesystem is relabeled for a variety of reasons, including changing the SELinux policy. To make sure the security context of your files is not changed, set the default security context of the files by adding the file specification, file type, and SELinux security context to the /etc/selinux/<policy>/contexts/files/file_contexts.local file. Do not create or modify this file manually; use the SELinux Management Tool or the semanage command.
After starting the SELinux Management Tool as previously described, click on File Labeling in the list on the left. Click the Add button and enter the following information:
. File Specification: Enter /home/html(/.*)? to represent the /home/html/ directory and all the files and directories in it.
. File Type: Leave as the default, all files.
. SELinux Type: Enter httpd_sys_content_t as the security context.
. MLS: Leave as default if you are not using the MLS policy.
To perform the same action on the command line, execute the following command as the root user:
semanage fcontext -a -t httpd_sys_content_t '/home/html(/.*)?'
Either method creates the /etc/selinux/<policy>/contexts/files/file_contexts.local file if it doesn’t already exist and adds the following line to it:
If you require additional security contexts, such as httpd_sys_script_exec_t for a cgi-bin directory, add those as well.
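The reason a file_contexts.local entry survives a relabel is the matching rule the relabel tools apply: each path is compared against every anchored regular expression in the file context tables, and the last matching specification supplies the context, so a local rule added with semanage fcontext beats the policy's more generic rule. The script below is an added example, not from the book or libselinux; it models that lookup over a constructed, abbreviated table (the real tables carry far more lines and an optional file-type column, which this matcher ignores) so you can see which context /home/html and its children would receive after adding the rule above. The table content and function names are this example's assumptions.

```shell
#!/bin/sh
# Added example: simplified model of how a relabel picks a context for a path.
# CONSTRUCTED, abbreviated table in file_contexts order (generic rules first, local rule
# added by "semanage fcontext -a" last). Not copied from any real policy.
FCONTEXT_TABLE='/.*                          system_u:object_r:default_t
/etc(/.*)?                    system_u:object_r:etc_t
/var/www(/.*)?                system_u:object_r:httpd_sys_content_t
/var/www/cgi-bin(/.*)?        system_u:object_r:httpd_sys_script_exec_t
/home/html(/.*)?              system_u:object_r:httpd_sys_content_t'

# match_fcontext PATH: print the context PATH would receive on relabel. Each regex is
# anchored at both ends and the LAST matching specification wins, as in file_contexts(5);
# prints <<none>> when no specification matches (e.g. a relative path).
match_fcontext() {
    printf '%s\n' "$FCONTEXT_TABLE" | awk -v path="$1" '
        NF >= 2 && path ~ ("^" $1 "$") { ctx = $NF }
        END { print (ctx == "" ? "<<none>>" : ctx) }'
}

# context_type CONTEXT: the type field (third colon-separated field), which is the part
# that chcon -t and semanage fcontext -t set.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

for p in /home/html /home/html/index.html /home/htmlx/index.html \
         /var/www/cgi-bin/test.cgi /etc/passwd; do
    printf '%-28s %s\n' "$p" "$(match_fcontext "$p")"
done
```

Note the /home/htmlx case: the trailing `(/.*)?` in the specification means the rule matches /home/html itself and anything below it, but not a sibling directory whose name merely starts with the same letters, which is why the text recommends that exact pattern rather than `/home/html.*`.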