Security Enhanced Linux (SELinux)

The world of computers is always changing, and so must the security models.

Note

This article’s information may be outdated. It is kept here for historical reasons.

Why more security?

A Problem

User permissions have been used for a long time now. These permissions allow read, write, and execute access to certain files by certain users. However, this does not solve the main security problem with Linux. The root, or administrative access. Once a attacker has “root” access, the game is up, and the machine is totally compromised. That is because the root user can do anything to the system. Once, on a test system, I deleted the entire system while it was running. That’s how powerful it is.

A Solution

This is where SELinux comes in. Using a context based permissions, it is able to regulate users and programs to operate within defined parameters and areas. For example, it can limit Samba to only have access to user files, deny a crashed Apache Web Server access to Top Secret files, and deny sending the log files to /dev/null (to be erased), a typical method for attackers trying to cover their tracks.

Example

Think of it as taking a house, and dead bolting each door. Of course, you would never do this, but this is just an example. Now, let’s say your front door is bolted shut, but someone left the wash room window open. So some thief sees this vulnerability, and comes through the window in the middle of the night. He walks quietly to the wash room door, and finds the door locked. Thus he is stopped.

Now, we all know that a good thief (huh?) will be able to unlock that door if he really wants to. But that’s going to take time, and make some noise. All the while you will have the police on way. So a real good thief (???) is going to just leave it at that. You’ll just be missing some Tide in the morning.

How It Works

In essence, what’s going on is it’s encasing each program within a certain area to work. In the example above, the intruder may have crashed the web server, and wants it to access files it normally doesn’t touch. This would be the locked door. Of course they could eventually get through, but now that selinux has an access denied error, and has notified the system admin, they won’t have as much time to do damage.

Supported Systems

Currently Fedora, Redhat Enterprise, Centos, and Gentoo support it.

How to use it

Listing/Copying/Moving Files

File management programs like ls, cp, and mv have had their abilities extended made so they can view and manage the context labels of files. Here is a table of programs and their selinux commands.

For example, most of them have a -Z argument for working with SELinux attributes.

ls -Z - shows the selinux contexts of files.
cp -Z u:r:t - the new file is relabeled as it is created based on the command line option. The extended GNU option –context is the same as -Z. u:r:t means user:role:type as in user_u:object_r:user_home_t.
ps -Z - lists all the processes and their context info.
id -Z - Show the current user’s context.

Setroubleshoot

This program notifies the admin of access denials in the system by watching the log files. It can either run as a daemon, or a separate app, as sealert -Sb.

Using system-config-selinux

This is one of the easiest ways to manage the selinux polices.

Issues: can’t change the default file contexts to <<none>>. You have to directly edit the file /etc/selinux/[strict|targeted]/contexts/files/file_contexts.local. See the other file_contexts in that folder for examples.

Chcon and Restorecon

You can change the selinux permissions just like you can for file permissions.

‘‘chcon’’ changes the context. Just remember there are three types:

-u User, usually system_u or user_u
-? Used for multilevel security (Confidential, Top Secret…)
-t Type of file, determining who can use it.

Unlike typical file permissions, you can reset selinux permissions. restorecon restores a file to it’s original context as defined in the file /etc/selinux/[strict|targeted]/contexts/files/file_contexts.

Making a new Policy Module

Policy modules allow you to allow a certain program to do something that other programs aren’t allowed to do. You should always check the file permissions and selinux booleans before you make a module, as incorrect modules can open your system to attack.

We are going to make a policy called “local”.For example, Mozilla Firefox has to do some things that according to strict selinux policy is not allowed. So we would want to write a module for it, rather than allow these action globally.

First, we need to extract the data from the log file. You have two options:

/var/log/audit/audit.log if you are using the audit daemon.
/var/log/messages if the audit daemon isn’t running, or the error is before the audit daemon starts (boot time)

Notice we use -l to retrieve only the errors from the last boot. We assumed using the audit log file, and this outputs to current directory.

audit2allow -l -m local -o local.te -i /var/log/audit/audit.log

Second, edit the file using a text editor, removing any unneeded items: (‘’nano local.te’’)

module local 1.0;

require {
       class sock_file { getattr unlink };
       type device_t;
       type syslogd_t;
       role system_r;
};

allow syslogd_t device_t:sock_file { getattr unlink };

Third, run checkmodule on it

checkmodule -M -m -o local.mod local.te

checkmodule:  loading policy configuration from local.te
checkmodule:  policy configuration loaded
checkmodule:  writing binary representation (version 6) to local.mod

Fourth, package it into a loadable module.

semodule_package -o local.pp -m local.mod

Last, import it into the selinux policy. This may take a while.

semodule -i ./local.pp`

Conclusion

SELinux has a lot of potential to improve security.

Why more security?#

A Problem#

A Solution#

Example#

How It Works#

Supported Systems#

How to use it#

Listing/Copying/Moving Files#

Setroubleshoot#

Using system-config-selinux#

Chcon and Restorecon#

Making a new Policy Module#

Conclusion#