Linux/Security/Selinux

From Iveze

Security-Enhanced Linux comes pre-installed with distros like CentOS. Configuring all of its policies properly can be such a large beast that many people choose to disable it altogether. Here are some recipes for "easy selinux", so the protection can stay on.

What is selinux?

Selinux can best be seen as a sandbox that prevents programs from accessing files and other programs they do not need. Does a webserver need to access the complete file system and execute any program it likes? A webserver open to the internet is a likely target for compromise, so it is undesirable that an attacker who gets into the webserver can get further into the system from there.

Another way to look at selinux is to see it as permissions for programs, like there are permissions for users.

How it (roughly) works

All resources, files and programs have selinux types. On files they can be made visible with

ls -Z

Between the types there are policies. If a program with type x wants to access a file with type y, there must be a policy that allows it. Many policies come pre-configured with the installation of the OS, so many things work out of the box. But sometimes different policies are needed.

Policy tools

Much of the configuration is done with the policy tools. So if a tool used on this page is missing on your system, install the policy tools.

yum install policycoreutils-python

Is selinux the problem?

When a program does not work as expected, there is a chance that selinux is preventing access to certain resources. An easy test is to temporarily disable selinux.

setenforce 0

Now run the program again to see if it works as expected. Do not forget to turn selinux on again immediately afterwards.

setenforce 1

If selinux is proven to be the problem, then there are several ways to solve it.

Files

When a program cannot access the files of another program, you can try to change the selinux type of those files or of the directory tree to a type that is accessible to both programs.

As this is administratively cumbersome, we do not do it here. You will have to read the selinux documentation yourself.

Create policies

Instead of changing the selinux types on the files, one could write a policy to allow a program access to the files of another program.

As this is also hard to do, we do not do it here. You will have to read the selinux documentation yourself.

Generate policies from log data

Selinux writes the outcome of its policy checks to /var/log/audit/audit.log, whether enforcing is on or off. There is a simple way to feed those log lines into audit2allow so that it generates a policy file from the lines where access was denied.

If there is a problem with ssh, then do the following:

First run "setenforce 0", so the program can do what it must do and all access denials get written to the log file. Then run the problematic program again. Finally restore enforcing with "setenforce 1".

Now we can find the denials that have to do with ssh in the log file.

grep ssh /var/log/audit/audit.log | audit2allow -M ssh-policy

Review the generated policy in the file ssh-policy.te. If too many permissions are generated, you may want to run the command above again with a more restrictive grep.

If satisfied with the result, then install the policy.

semodule -i ssh-policy.pp

To remove a policy, look up its name first. In this case it is ssh-policy, the same as the file name.

semodule -l

If the policy indeed exists, then it can be removed.

semodule -r ssh-policy
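A plain "grep ssh" also matches audit records that merely mention ssh (logins, for example), so the generated policy can be wider than intended. The following is an added example, not part of the original page: it keeps only the AVC denials whose source type (the scontext field) is the one you care about, and summarises them for review before anything is fed to audit2allow. The function names are hypothetical and the audit log lines are constructed to resemble /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example (not from the original page). The log lines below are
# constructed samples in the format of /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG=$(cat <<'EOF'
type=AVC msg=audit(1700000000.101:501): avc:  denied  { read } for  pid=1201 comm="sshd" name="authorized_keys" dev="dm-0" ino=40311 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=USER_LOGIN msg=audit(1700000000.102:502): pid=1201 uid=0 auid=1000 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=AVC msg=audit(1700000000.103:503): avc:  denied  { write } for  pid=1310 comm="smbd" name="smb.conf" dev="dm-0" ino=22180 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.104:504): avc:  denied  { name_connect } for  pid=1201 comm="sshd" dest=3128 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
EOF
)

# Keep only AVC denial records whose source type (third field of scontext)
# is $1, e.g. sshd_t. Non-AVC records that mention ssh are dropped.
avc_denials_for_type() {
    grep 'type=AVC' | grep 'avc:  denied' | grep "scontext=[^ ]*:$1:"
}

# Reduce each denial to "source -> target (class): permissions" so the
# access that a generated policy would allow can be reviewed at a glance.
summarize_denials() {
    sed -n 's/.*denied  { \([^}]*\) } .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 -> \3 (\4): \1/p'
}

# On a live system (with policycoreutils-python installed) the filtered
# lines go to audit2allow instead of the summary:
#   avc_denials_for_type sshd_t < /var/log/audit/audit.log | audit2allow -M ssh-policy
# Demonstration on the constructed sample log:
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_denials_for_type sshd_t | summarize_denials
```

The summary for the sample shows two sshd_t denials (a read on user_home_t and a name_connect to http_cache_port_t) while the smbd_t denial and the login record are left out.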

Booleans

Many programs have booleans that can be turned on and off. This does not give as fine-grained control as creating or generating policies, but it is often adequate.

The booleans on your system can be listed. Often piping through grep makes things more readable. Here we want to find booleans with samba in their name.

getsebool -a | grep samba

The meaning of the booleans can often be found in the documentation of the program, in this case samba, or in the documentation of selinux. Here we take samba_export_all_rw as an example. If this boolean is on, samba can access all files on the file system read-write. If we consider that safe, because access to samba is tightly restricted by the firewall, we can turn it on with -P to make the change permanent.

setsebool -P samba_export_all_rw 1

Most access denials samba gets from selinux are gone now, at the cost that samba could write to the system configuration files. A more restrictive approach is to change the selinux labels on the directory trees that samba needs to access to a public type. There is more on that in the selinux documentation.

Make a type permissive

The least fine-grained method is to take a program completely out of the selinux equation. Look up the program's type in the selinux log file /var/log/audit/audit.log and declare that type permissive. In this case we found that the type for the apcupsd service is apcupsd_t.

semanage permissive -a apcupsd_t

Now we have solved the problems with the apcupsd service, at the cost that it can do anything it likes on the system. It is comparable to "setenforce 0" for this one program.