SELinux - Security-Enhanced Linux



Some $0.02 advice about SELinux :

  • when SELinux is in the game,
  • when it's "supposed to be working normally" because it did work normally and you changed nothing related (or think so ),
  • when you're suddenly getting all kinds of access denied errors,
check first with setenforce 0 whether this is or not SELinux blocking the road.

Definitions and concepts :

Security-Enhanced Linux (aka SELinux)
a set of patches to the Linux kernel and utilities to provide a strong, flexible Mandatory Access Control architecture into the major subsystems of the kernel. (source)
Access Control
general term applying to physical security or computer security to describe :
  • a system / process
  • that allows / forbids
  • someone / something (aka a subject)
  • to "consume" : enter / use / access / read /
  • a resource (aka an object) : place / equipment / information / device / file /
There are different kinds of Access Controls : All are governed by authorization rules (aka policies).
Discretionary Access Control (DAC, details)
Access Control system in which users are allowed to make policy decisions for themselves or others. The traditional Unix system of users, groups, and read-write-execute permissions is an example of DAC, since a user can
  • change his own permissions on a file (e.g. making it executable)
  • grant permissions to others (up to his own permissions)
Mandatory Access Control (MAC, details)
Access Control system in which policies are centrally managed and can be altered by administrators only. MAC systems have no notion of a superuser.
security context (source)
the identity + role + domain trio (there is a 4th optional field : "level") :
  • identity : each Linux user account is mapped to a SELinux user, allowing Linux users to inherit grants placed on SELinux users
  • role :
    * intermediary between "identity" and "domain/type"
    * the roles that can be entered determine which domains can be entered : ultimately, this controls which object types can be accessed
    an identity can have multiple roles
  • type / domain :
security context for :
  • a file : a regexp + class(?) + context definition (source) :
    /var/log/audit(/.*)?		all files		system_u:object_r:auditd_log_t
    ^^^^^^^^^^^^^^^^^^^^		^^^^^^^^^		^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    regexp matching			class			context to apply to
    dir + files						matching objects
    see /etc/selinux/targeted/contexts/files/*
  • a user :
    • assigned at the time of his connection, according to his roles
    • see /etc/selinux/targeted/contexts/users/*
  • a process : by default defined by the context of the user who launches it
mode can deny access ? warn ? log ? details
enforcing yes yes yes
permissive no yes yes used mostly for troubleshooting
disabled no no no
  • Logs are :
    • /var/log/messages
    • /var/log/audit/audit.log
    • /var/lib/setroubleshoot/setroubleshoot_database.xml
  • To get the current mode :
    • getenforce
    • sestatus
      SELinux status:                 enabled
      SELinuxfs mount:                /sys/fs/selinux
      SELinux root directory:         /etc/selinux
      Loaded policy name:             targeted
      Current mode:                   enforcing
      Mode from config file:          enforcing
      Policy MLS status:              enabled
      Policy deny_unknown status:     allowed
      Memory protection checking:     actual (secure)
      Max kernel policy version:      33
  • To set the current mode :
    • to permissive mode : setenforce 0
    • to enforcing mode : setenforce 1
  • By default, the policy does not allow any interaction unless a rule explicitly grants access. (i.e. Everything is forbidden unless explicitly authorized).
  • SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first, which means that no SELinux denial is logged if the traditional DAC rules prevent the access.

Putting all this together

SELinux is a system in which :
  • you put labels on everything : users, stuff users may want to play with (files, processes, ), ways of playing with these (read, write, )
  • by default, everything is forbidden
  • each rule defines a type of user + type of stuff + type of play that is allowed. When someone asks to play with something, access is granted if labels mach
In more details, SELinux manages :
  • subjects : those who do things : users, processes,
  • objects : stuff the "subjects" are trying to interact with : files, ports,
  • access : what "subject" does to "object" : read, write, open, connect to,
All these are labelled.
Rules (aka policies) list the subject → access → object relationships.
By default, everything is forbidden, unless an explicit rule allows a "subject + access + object".
SELinux does not handle individual subjects nor individual objects. It works by type enforcement, meaning it deals with :
  • processes with the label user_t
  • files with the label bin_t
  • in rules such as Processes with the label user_t can execute regular files labeled bin_t

Type enforcement explained with cats, dogs and food : Your visual how-to guide for SELinux policy enforcement

allow     cat       cat_chow:food      eat;
allow     dog       dog_chow:food      eat;
          ^^^       ^^^^^^^^^^^^^      ^^^
          subject   object             access
  • only processes of type cat can access cat_chow:food for action eat
  • only processes of type dog can access dog_chow:food for action eat
Multi Category Security (MCS) enforcement
If you own 2 dogs, you may create new types :
  • Fido_dog
  • Fido_dog_chow
  • Spot_dog
  • Spot_dog_chow
But :
  • this will get complex with an increasing number of dogs
  • this added complexity is unnecessary as all dogs basically have the same kind of rules : each dog can only eat its own food

type / domain examples (source) :

type object example
httpd_exec_t binary file /usr/sbin/httpd
httpd_config_t configuration directory /etc/httpd
httpd_log_t logfile directory /var/log/httpd
httpd_sys_content_t content directory /var/www/html
httpd_unit_file_d startup script /usr/lib/systemd/system/httpd.service
httpd_t process /usr/sbin/httpd -DFOREGROUND
httpd_t, http_port_t ports 80/tcp, 443/tcp
A process running in the httpd_t context may interact with an object with the httpd_something_t label.