On a system without Security-Enhanced Linux (SELinux) enabled,
discretionary access control (DAC) is used for file security. Basic file
permissions are used to grant file access to users. Users and programs alike
are allowed to grant insecure file permissions to others. For users, there is
no way for an administrator to prevent a user from granting world-readable and
world-writable permissions to their own files. For programs, the file operations are
performed as the owner of the process, which can be the root user, giving the
program access to any file on the system.
SELinux is a mandatory access control (MAC) mechanism, implemented in
the kernel. Programs protected by SELinux are only allowed access to parts of
the filesystem they require to function properly, meaning that if a program intentionally
or unintentionally tries to access or modify a file not necessary for it to function
or a file not in a directory controlled by the program, file access is denied
and the action is logged. The ability to protect files with SELinux is
implemented in the kernel. Exactly what files and directories are protected and
to what extent they are protected is defined by the SELinux policy. This section
gives instructions on how to enable the SELinux protection mechanism, describes
the SELinux policies available in Red Hat Enterprise Linux, tells you how to
read the SELinux permissions of a file, shows how the SELinux Troubleshooting
Tool alerts you of SELinux errors, and steps you through how to change the security
context of files.
Selecting an SELinux Mode
When your Red Hat Enterprise Linux system is booted for the first
time and you reach the SELinux step, the SELinux mode is set to Enforcing by
default. The following modes are available:
. Enforcing: Enable and
enforce the SELinux security mechanism on the system, logging any actions
denied because of it.
. Permissive: Enable
SELinux but don’t enforce the policy. Only warn about files protected by
SELinux.
. Disabled: Turn off
SELinux.
The SELinux mode can be changed at a later time by using the SELinux
Management Tool, a graphical application for customizing SELinux. The
policycoreutils-gui RPM package must be installed to use this program. Start the
tool by executing the system-config-selinux command or selecting
Administration, SELinux Management from the System menu of the top panel of the
desktop. If you are not the root user, you are prompted to enter the root
password before continuing. Choose the SELinux mode for the following two
options:
. System Default Enforcing
Mode: The mode to use when the system is booted. Choose between Enforcing,
Permissive, and Disabled (described earlier in this section). The mode change
does not take place immediately. This preference is written to the /etc/selinux/config
file. The next time the system is rebooted, this mode is used.
If the mode is changed from Disabled to Permissive or Enforcing, the
filesystem must be relabeled for SELinux during the reboot, which can be quite
time-consuming depending on the size of the filesystem. It is highly
recommended that the filesystem be backed up before changing modes in case of
disk failure or other errors during the conversion process.
. Current Enforcing Mode:
The SELinux mode currently in effect. If the system was booted into the
enforcing or permissive mode, the current mode can be immediately changed
between the two without a reboot.
If you do not have a graphical desktop, are logged in remotely without
X forwarding, or just prefer the command line, these mode preferences can be
made using the command line.
To change the currently running SELinux mode, use the setenforce
command as the root user, replacing <mode> with either Enforcing or
Permissive:
setenforce <mode>
To confirm the change, execute the getenforce command, which displays
the current SELinux mode.
The SELinux mode used at boot time can be set in the
/etc/selinux/config file. As the root user, set the SELINUX option to
enforcing, permissive, or disabled such as the following:
SELINUX=enforcing
After the reboot, verify the mode was changed with the sestatus
command. The output should look similar to Listing 23.1.
LISTING 23.1 SELinux Status with sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
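A check a practitioner runs after a mode change, added here as an example and not part of the original text: it reads the SELINUX value from a file in /etc/selinux/config format, compares it with the Current mode line of sestatus output, and reports drift between the running mode and the boot-time setting. The config and sestatus text below are constructed samples.

```shell
# Constructed sample of /etc/selinux/config and of sestatus output (not from a real host);
# the two deliberately disagree, as happens after "setenforce Permissive" without a config edit.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
'
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
'

# config_value FILE KEY -> value of KEY=value in FILE, ignoring comment lines
config_value() {
    awk -F= -v key="$2" '$0 !~ /^[[:space:]]*#/ && $1 == key { print $2; exit }' "$1"
}

# sestatus_field LABEL < sestatus-output -> text after "LABEL:" with leading blanks removed
sestatus_field() {
    awk -F: -v label="$1" '$1 == label { sub(/^[[:space:]]+/, "", $2); print $2; exit }'
}

# check_mode CONFIG_FILE SESTATUS_OUTPUT
# Returns 0 when the running mode equals the boot-time setting, 1 on drift,
# 2 when the config file holds a value other than enforcing/permissive/disabled.
check_mode() {
    cfg=$(config_value "$1" SELINUX)
    case "$cfg" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELINUX value in $1: '$cfg'"; return 2 ;;
    esac
    running=$(printf '%s' "$2" | sestatus_field "Current mode")
    if [ "$running" != "$cfg" ]; then
        echo "DRIFT: running mode is '$running' but $1 sets '$cfg'"
        echo "       (setenforce without a config edit, or a config edit without a reboot)"
        return 1
    fi
    echo "OK: SELinux is $cfg both now and at next boot"
}

# On a real host: check_mode /etc/selinux/config "$(sestatus)"
```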
Selecting and Customizing the SELinux Policy
If permissive or enforcing mode is enabled, an SELinux policy must be
selected to determine which programs are governed by SELinux and which are run
in unconfined space.
The SELinux policy sets what programs are protected under SELinux. The
default policy, called the targeted policy, in Red Hat Enterprise Linux is
designed to protect the system without being intrusive to the users.
The following policies are available:
. targeted (default): Works
for most server and client systems. Protects users from applications and system
processes while leaving userspace unconfined so the security measures are
mostly undetectable to most users. Requires the selinux-policy-targeted package
to be installed.
. strict: Very controlled
environment in which most system and user processes have very limited access to
the filesystem. Users are only granted access to specific directories for
maximum security, and system processes are only granted access to directories to
which they need access to run. If an application is configured to use
nondefault directories, the policy must be changed to allow the application to
access the nondefault directories. Requires the selinux-policy-strict package
to be installed.
. mls: Allows security to
be mapped out according to multiple levels of security. Developed for servers
requiring EAL4+/LSPP certification. Useful for organizations that grant
security rights based on a user’s security level. Requires the
selinux-policy-mls package to be installed.
To change the SELinux policy, first install the corresponding package.
To change the policy from the SELinux Management Tool, go to the Status view
and select the desired policy from the System Default Policy Type pull-down
menu. Only installed policies are available for selection.
To change from the command line, set the SELINUXTYPE option in the /etc/selinux/config
file to targeted, strict, or mls such as the following:
SELINUXTYPE=targeted
A reboot is required after selecting a different policy so that the
filesystem can be relabeled. Remember to back up the filesystem before changing
the SELinux policy. After the reboot, verify the policy was changed by
executing the sestatus command.
When changing the policy, setting the mode to permissive allows the
administrator to test the policy without enabling it at first. After reviewing
the SELinux alerts and system log files for any errors or warnings for a
testing period, the mode can be changed from permissive to enforcing as
described in the “Selecting an SELinux Mode” section. Major modifications to
the policy require the policy source to be modified and the source to be
recompiled. However, minor changes can be made to a policy without recompiling
by setting the boolean value (0 or 1) for optional features. For example, by
default, the SELinux targeted policy does not allow the Apache HTTP Server to
serve files from home directories. The value of the httpd_enable_homedirs
boolean can be set to 1 to explicitly allow it. Changes to boolean values can
be made with the SELinux Management Tool or the setsebool command.
Start the graphical tool with the system-config-selinux command or the
Administration, SELinux Management menu item in the System menu of the top
panel of the desktop. Select the Boolean view from the list on the left. A tree
view of possible boolean modifications can now be seen. Click the triangle icon
next to each category to view a list of boolean options. Boolean options with a
checkmark beside them are enabled. Check an option to enable it, and uncheck an
option to disable it. The changes take place immediately.
Descriptions of each available boolean value can be found in the
BOOLEANS section of the man page for the specific policy. For example, the
nfs_selinux man page describes the use_nfs_home_dirs boolean, which translates
to the Support NFS home directories option under the NFS category in the graphical
application.
Alternatively, use the setsebool command to set the boolean to the
desired value:
setsebool -P <boolean> <value>
To view the status of a boolean via the command line, execute the
getsebool command:
getsebool use_nfs_home_dirs
To completely disable SELinux for a specific service, place a
checkmark next to the corresponding boolean under the SELinux Service
Protection category or the category for the specific service such as Kerberos.
While this will allow the service to work with SELinux enabled, the service
will no longer be protected by SELinux and is not recommended. If a service cannot
be started because of SELinux, look at the boolean values that can be changed
for it. The SELinux Troubleshooting Tool summarizes why the action was blocked
by the SELinux policy. It also offers possible solutions for the problem. Refer
to the “Utilizing the SELinux Troubleshooting Tool” section for details.
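An added example, not from the original text, that audits getsebool -a output for booleans which loosen protection when on: the allow_<protocol>_anon_write family and httpd_enable_homedirs are named on this page; the *_disable_trans pattern is assumed here to be the per-service protection-off boolean that the SELinux Service Protection category toggles. The sample getsebool output is constructed.

```shell
# Constructed sample of "getsebool -a" output (not captured from a real host)
SAMPLE_BOOLS='allow_ftpd_anon_write --> on
allow_httpd_anon_write --> off
allow_smbd_anon_write --> off
ftpd_disable_trans --> off
httpd_disable_trans --> on
httpd_enable_homedirs --> on
use_nfs_home_dirs --> off
'

# risky_boolean NAME -> prints why NAME widens access when on, or returns 1 if it is
# not one we flag. allow_<protocol>_anon_write and httpd_enable_homedirs come from the
# page; *_disable_trans is assumed to be the per-service "protection off" boolean.
risky_boolean() {
    case "$1" in
        allow_*_anon_write)    echo "anonymous writes to public_content_rw_t allowed" ;;
        *_disable_trans)       echo "service runs unconfined, no SELinux protection" ;;
        httpd_enable_homedirs) echo "httpd may serve files from home directories" ;;
        *) return 1 ;;
    esac
}

# audit_booleans < getsebool-output -> one REVIEW line per flagged boolean that is on,
# each with the setsebool -P command that reverts it
audit_booleans() {
    while read -r name arrow state; do
        [ "$arrow" = "-->" ] && [ "$state" = "on" ] || continue
        reason=$(risky_boolean "$name") || continue
        echo "REVIEW: $name is on ($reason); revert with: setsebool -P $name=0"
    done
}

# On a real host: getsebool -a | audit_booleans
```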
Utilizing the SELinux Troubleshooting Tool
Log messages for SELinux are written to /var/log/messages unless the
Linux Auditing System is used. If audit is enabled, messages are written to the
/var/log/audit/audit.log file. The log messages are labeled with the AVC
keyword so they can be easily filtered from other messages.
Starting with Red Hat Enterprise Linux, instead of having to read
through log files to determine why SELinux is preventing an action, the SELinux
Troubleshooting Tool can be used to analyze the SELinux AVC messages. It
consists of a graphical interface for displaying these messages and possible
solutions, a desktop notification icon that appears when there are messages to
view, and a daemon that checks for new SELinux AVC messages so that you are
alerted by the notification icon of them as soon as they occur. The tool is provided
by the setroubleshoot RPM package, which is installed by default.
The daemon, setroubleshootd, is started by default with the
/etc/rc.d/init.d/setroubleshoot initialization script. The
/var/log/setroubleshootd.log file contains any log messages concerning the
tool. This log file is automatically rotated on a weekly basis, and old log
files for the previous two weeks are kept.
If you are working on the local desktop for the system (sitting at the
computer), a star icon appears in the notification area of the top desktop
panel when SELinux AVC messages are available for viewing. Click on it to view
the SELinux Troubleshooting Tool.
If you are not working on the local desktop but have SSH access to the
system with X forwarding, you can execute the sealert -b command to remotely
view the graphical troubleshooting browser.
Working with Security Contexts
When SELinux is enabled, all files and objects have a security
context. Security contexts for processes are called domains such as httpd_t for
the Apache web server daemon processes. Security contexts for files are called
file contexts and are stored in the extended attributes of the files. The
security context has four parts to it separated by colons:
user:role:type:mls
Unless the MLS policy is being used, the last mls field is not used.
The user field is the SELinux user who created the file. The role field is the
role of the object or file, and the type field is the type of rule associated
with the object or file. An example of a security context for the targeted
policy would be the following:
system_u:object_r:etc_t
In this example, the file is a system file as indicated by the
system_u user field, is a file object labeled with object_r, and is governed by
the etc_t type because it is a file in the /etc/ directory.
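As an added example, not part of the original text, the following shell code summarizes AVC denial records of the kind the Troubleshooting Tool section describes and splits a context into the user:role:type:mls fields defined above; the audit records are constructed, not captured from a real host.

```shell
# Constructed denial records in /var/log/audit/audit.log form (not captured from a real
# host); the SYSCALL record is there to show that non-AVC lines are skipped.
SAMPLE_AUDIT='type=AVC msg=audit(1200000000.123:45): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda3 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1200000001.456:46): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/home/html/index.html" dev=sda3 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1200000001.456:46): arch=40000003 syscall=195 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1200000002.789:47): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
'

# context_field NAME CONTEXT -> the user, role, type or mls part of user:role:type[:mls]
context_field() {
    case "$1" in user) f=1 ;; role) f=2 ;; type) f=3 ;; mls) f=4 ;; *) return 1 ;; esac
    printf '%s\n' "$2" | cut -d: -f"$f"
}

# summarize_avc < log -> one sorted line per (source type, target type, class), e.g.
#   "httpd_t -> user_home_t file: read,getattr x2 comm=httpd"
# It matches on "avc: denied", so it also works on /var/log/messages when auditd is off.
summarize_avc() {
    awk '
    /avc: +denied/ {
        perms = $0; sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") split(kv[2], s, ":")
            if (kv[1] == "tcontext") split(kv[2], t, ":")
            if (kv[1] == "tclass")   cls = kv[2]
            if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
        }
        key = s[3] " -> " t[3] " " cls          # source type, target type, object class
        n[key]++; who[key] = comm
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++)
            if (!((key, p[j]) in seen)) {      # collect each denied permission once
                seen[key, p[j]] = 1
                plist[key] = plist[key] (plist[key] == "" ? "" : ",") p[j]
            }
    }
    END { for (k in n) print k ": " plist[k] " x" n[k] " comm=" who[k] }' | sort
}

# On a real host: summarize_avc < /var/log/audit/audit.log
```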
Viewing Security Contexts
File utilities such as ls and ps do not display SELinux security
context by default. Use the -Z option for most file utilities to view this
content such as ls -Z and ps -Z. For example, when the -Z option is used with ls
to view the /etc/sysconfig/ directory, the security context is shown such as
the following:
-rw-r--r-- root root system_u:object_r:etc_t apmd
drwxr-xr-x root root system_u:object_r:etc_t apm-scripts
-rw-r----- root root system_u:object_r:etc_t auditd
-rw-r--r-- root root system_u:object_r:etc_t authconfig
-rw-r--r-- root root system_u:object_r:etc_t autofs
-rw-r--r-- root root system_u:object_r:etc_t bluetooth
The cp and mv commands for copying and moving files handle file
contexts differently. By default, the cp command creates a new file in the
desired location with a type based on the creating process and the parent
directory of the desired location. For example, if the file is copied from the
/etc/ directory to a backup directory, the type field of the file changes from
etc_t to whatever the default type is for the target directory. The -Z option to
cp can be used to specify a type to use when copying the file:
cp -Z <context> file /new/location
The mv command to move files preserves the file context of the files
by default. If the file needs a different type in the new location, be sure to
relabel the file with the chcon command:
chcon -t <context> <file>
Modifying Security Contexts
To better understand the impact and usage of security contexts,
consider an example concerning the Apache HTTP Server. It is common to change
the default DocumentRoot to something other than /var/www/html/. Perhaps you
need files to come from network storage mounted in a different directory.
SELinux protects the httpd process and only allows the web server to serve
files and directories with a specific security context.
The security context of the default files in the /var/www/ directory
is shown in the following listing. The output is from the ls -d -Z /var/www; ls -Z /var/www
command.
LISTING Security Context of Default DocumentRoot
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t /var/www
drwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t cgi-bin
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t error
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t html
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t icons
Security Context for Multiple File Sharing Protocols
If more than one file sharing protocol (FTP, HTTP, NFS, rsync, and
Samba) is used to share the same set of files, the security context must be set
to public_content_t or public_content_rw_t instead of the security context
specific to the protocol such as samba_share_t for Samba.
The public_content_t context only allows read access to the files. The
public_content_rw_t context allows read and write access. To allow read and
write access, you must also enable the allow_<protocol>_anon_write
boolean, where <protocol> is one of ftpd, httpd, nfsd, rsync, or smbd.
For example, to allow FTP and the Apache HTTP Server to share the same files,
execute the following commands as root:
setsebool -P allow_ftpd_anon_write=1
setsebool -P allow_httpd_anon_write=1
Making Security Context Changes Permanent
Modifications to the security context of files, such as those discussed in the
previous section, persist between reboots unless the filesystem is relabeled. A
filesystem is relabeled for a variety of reasons including changing the SELinux
policy. To make sure the security context of your files is not changed, you
must set the default security context of the files by adding the file
specification, file type, and SELinux security context to the
/etc/selinux/<policy>/contexts/files/file_contexts.local file. Do not
create or modify this file manually.
Use the SELinux Management Tool or the semanage command.
After starting the SELinux Management Tool as previously described,
click on File Labeling in the list on the left. Click the Add button and enter
the following information:
. File Specification: Enter
/home/html(/.*)? to represent the /home/html/ directory
and all the files and directories in it.
. File Type: Leave as the
default, all files.
. SELinux Type: Enter
httpd_sys_content_t as the security context.
. MLS: Leave as default if
you are not using the MLS policy.
To perform the same action on the command line, execute the following
command as the root user:
semanage fcontext -a -t httpd_sys_content_t '/home/html(/.*)?'
Either method creates the
/etc/selinux/<policy>/contexts/files/file_contexts.local
file if it doesn’t already exist and adds the following line to it:
/home/html(/.*)? system_u:object_r:httpd_sys_content_t:s0
If you require additional security contexts such as
httpd_sys_script_exec_t for a cgi-bin directory, add those as well.
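An added example, not from the original text, covering both the DocumentRoot relabeling in the “Modifying Security Contexts” section and the persistent rule above: it checks whether a file_contexts.local file already maps a file specification to a type, and scans ls -Z output for entries whose type is not one the web server may serve. Both inputs are constructed samples.

```shell
# Constructed "ls -Z" output for a DocumentRoot moved to /home/html (not from a real
# host): two entries still carry user_home_t, which httpd_t is not allowed to serve.
SAMPLE_LS='drwxr-xr-x root root system_u:object_r:httpd_sys_content_t /home/html
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t index.html
-rw-r--r-- root root user_u:object_r:user_home_t old.html
drwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t cgi-bin
drwxr-xr-x root root user_u:object_r:user_home_t images
'
# Constructed file_contexts.local holding the rule the page adds with semanage fcontext
SAMPLE_FCL='/home/html(/.*)? system_u:object_r:httpd_sys_content_t:s0
'

# fcontext_rule_exists FILE SPEC TYPE -> 0 if FILE maps SPEC to a context whose type is TYPE
fcontext_rule_exists() {
    awk -v spec="$2" -v type="$3" '
        $1 == spec { split($NF, c, ":"); if (c[3] == type) found = 1 }
        END { exit !found }' "$1"
}

# mislabeled "TYPE1 TYPE2 ..." < ls-Z-output -> "name type" for every entry whose type is
# not in the allowed list; an empty result means the tree is consistently labeled.
# The context column is found by its user:role:type shape, so the column count may vary.
mislabeled() {
    awk -v allowed=" $1 " '{
        for (i = 1; i <= NF; i++) if ($i ~ /^[^:]+:[^:]+:[^:]+/) break
        if (i > NF) next
        split($i, c, ":")
        if (index(allowed, " " c[3] " ") == 0) print $NF, c[3]
    }'
}

# On a real host, after the page's "semanage fcontext -a" command:
#   ls -Z /home/html | mislabeled "httpd_sys_content_t httpd_sys_script_exec_t"
# and relabel what it lists with the page's chcon -t (chcon -R -t for a directory tree).
```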