Linux/Security/Selinux

From Iveze
Revision as of 16:58, 12 June 2015 by Admin (Talk | contribs)


Security-Enhanced Linux (SELinux) comes pre-installed and switched on with distributions like CentOS. Configuring all of its policies properly can be such a large job that many people simply disable it. Here are some recipes for "easy SELinux", so that the protection can stay on.

What is SELinux?

SELinux can best be seen as a sandbox that prevents programs from accessing files and other programs they do not need. Does a web server need to read the complete file system and execute any program it likes? A web server open to the internet is prone to being compromised, so it is undesirable that an attacker who gets into the web server can get any further into the system from there.

Another way to look at SELinux is as permissions for programs, in the same way that there are permissions for users.

How it (roughly) works

All resources have SELinux types: files, directories, sockets, and also the processes that access them (the type of a running process is also called its domain). On files the type can be made visible with the -Z option of ls (and on processes with ps -Z):

ls -Z

Between the types there are policy rules. If a process running in type x wants to access a file of type y, there must be a rule that allows exactly that access (for that class of object and that permission, such as reading a file). Without such a rule the access is denied and the denial is logged.

Many policy rules come pre-configured with the installation of the OS, so most things work out of the box. But sometimes additional rules are needed, for example when a program is configured to use files in a non-standard place.

Policy tools

Much of the configuration is done with the policy tools. So if a tool used on this page is missing, install the policy tools package (on CentOS it provides audit2allow and semanage, among others):

yum install policycoreutils-python

Is SELinux the problem?

When a program does not work as expected, there is a chance that SELinux is preventing access to certain resources. A quick test is to temporarily switch SELinux to permissive mode, in which denials are only logged but no longer enforced. This is a system-wide switch, so everything runs unprotected for as long as it lasts (it only works when SELinux is enabled at all; getenforce shows the current mode).

setenforce 0

Now run the program again to see whether it works. Do not forget to switch enforcing back on immediately afterwards:

setenforce 1

If SELinux is proven to be the problem, there are several ways to solve it.

Files

When a program cannot access the files of another program, you can change the SELinux type of those files or of the directory tree to a type that both programs are allowed to use. The tools for this are semanage fcontext (to record the new type for a path pattern) and restorecon (to apply it); a type set with chcon alone is lost again on the next relabel.

As we find this administratively cumbersome, we do not do it here. You will have to read the SELinux documentation yourself.

Create policies

Instead of changing the SELinux types of the files, one could write a policy module by hand that allows one program access to the files of the other.

As this is also hard to do, we do not do it here. You will have to read the SELinux documentation yourself.

Generate policies from log data

SELinux logs every denied access as an AVC record in /var/log/audit/audit.log, whether enforcing is on or off (in permissive mode the denial is logged but the access goes ahead). Allowed accesses are not logged, and some denials are deliberately silenced by dontaudit rules in the standard policy; if a program still fails without any denial showing up, those rules can be switched off temporarily with semodule -DB and restored with semodule -B. There is a simple way to feed log lines into audit2allow so that it generates a policy module from the lines where some access was denied.

If, for example, there is a problem with ssh, then do the following.

First run setenforce 0, so that the program can do everything it must do and all of its access denials get written to the log file. (In enforcing mode a program usually stops at the first denial, so only that one would be logged.) Then run the problematic program again, and restore enforcing with setenforce 1.

Now we can select the denials that have to do with ssh from the log file and turn them into a policy module named ssh-policy:

grep ssh /var/log/audit/audit.log | audit2allow -M ssh-policy

Review the generated rules in the file ssh-policy.te before installing them: they cover every access that was denied during the test, and with a filter as loose as "grep ssh" they may include denials from unrelated programs whose log lines happen to mention ssh, or accesses the program should not have at all (an attacker inside the program gets the same allow rule). If too many permissions are generated, run the command above again with a more restrictive grep, for example on the source context (scontext) of the process being fixed instead of on any line mentioning ssh.

If satisfied with the result, install the compiled module (ssh-policy.pp, which audit2allow wrote alongside the .te file):

semodule -i ssh-policy.pp 

To remove a policy module, first look it up in the list of installed modules. In this case it is ssh-policy, the same name as the file.

semodule -l

If the module is listed, it can be removed:

semodule -r ssh-policy
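The filtering step above, with the "more restricting grep" actually carried out, as an added example that is not part of the original page. The audit.log records in it are constructed (every pid, inode, path and timestamp is invented) and the sshd_t/httpd_t scenario is assumed for illustration; the function names are my own, not SELinux tools. It also wraps the setenforce 0 / setenforce 1 test from "Is selinux the problem?" in a helper that restores enforcing mode even when the tested program fails:

```shell
#!/bin/bash
# Added example for this page (not the page's own commands): narrowing the
# audit.log filter before feeding it to audit2allow, plus a helper that runs
# a program in permissive mode and restores enforcing mode afterwards.
# The audit records below are constructed for illustration only.

sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1434120001.100:201): avc:  denied  { read } for  pid=1201 comm="sshd" name="authorized_keys" dev="dm-0" ino=40001 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1434120001.100:202): avc:  denied  { open } for  pid=1201 comm="sshd" path="/srv/www/keys/authorized_keys" dev="dm-0" ino=40001 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1434120005.300:210): avc:  denied  { read } for  pid=1311 comm="httpd" name=".ssh" dev="dm-0" ino=50002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
type=USER_LOGIN msg=audit(1434120006.000:211): pid=1201 uid=0 auid=1000 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=/dev/pts/0 res=success'
EOF
}

# The page's filter: every line that mentions "ssh" at all. Here that also
# catches httpd being denied on a user's ".ssh" directory, and a login record
# that is no denial, so the module built from it would grant httpd_t access.
filter_loose() {
    grep 'ssh'
}

# Tighter filter: only AVC denials whose source domain (the scontext= field,
# i.e. the process we are fixing) is the given type, for example sshd_t.
filter_domain() {
    local domain="$1"
    grep 'type=AVC' | grep -E 'avc: +denied' | grep -E "scontext=[^ ]*:${domain}:"
}

# Review aid: condense denials into the allow rules audit2allow would write,
# one line per (source type, target type, class) with permissions merged.
summarize() {
    grep -E 'avc: +denied' |
    sed -E 's/.*[{] ([^}]*) [}].*scontext=[^:]+:[^:]+:([^: ]+).*tcontext=[^:]+:[^:]+:([^: ]+).*tclass=([^ ]+).*/\2 \3 \4 \1/' |
    awk '{ key = $1 " " $2 ":" $3
           for (i = 4; i <= NF; i++)
               if (index(" " perms[key] " ", " " $i " ") == 0) perms[key] = perms[key] " " $i }
         END { for (k in perms) print "allow " k " {" perms[k] " };" }' |
    sort
}

# Run a command with SELinux in permissive mode and put enforcing back no
# matter how the command ends (the EXIT trap fires when the subshell exits).
# Needs root on an SELinux host; not exercised by the offline demo below.
run_permissive() {
    case "$(getenforce 2>/dev/null)" in
        Enforcing) ;;
        Permissive) echo "already permissive, running as is" >&2; "$@"; return ;;
        *) echo "SELinux is disabled or not present; nothing to test" >&2; return 1 ;;
    esac
    ( trap 'setenforce 1' EXIT; setenforce 0 && "$@" )
}

# Build a module from the real audit log for one domain. Needs audit2allow
# (policycoreutils-python); writes NAME.te and NAME.pp in the current directory.
build_module() {
    local domain="$1" name="$2"
    filter_domain "$domain" < /var/log/audit/audit.log | audit2allow -M "$name" &&
    cat "$name.te"        # read this before running: semodule -i "$name.pp"
}

# Offline demo on the constructed records.
echo "== rules the page's 'grep ssh' filter would produce =="
sample_log | filter_loose | summarize
echo "== rules after restricting to the sshd_t domain =="
sample_log | filter_domain sshd_t | summarize
```

Only the demo at the bottom runs without SELinux; run_permissive and build_module need root on an SELinux host. The two summaries show why the filter matters: "grep ssh" also pulled in httpd_t's denial on a .ssh directory, which would have ended up in the sshd module as an allow rule for httpd. Two related checks worth knowing: audit2allow -w on the same input explains each denial and says whether an existing boolean already covers it, and ausearch -m avc -ts recent selects only the denials of the last few minutes instead of grepping the whole file.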

Booleans

Make a type permissive