Thursday, February 16, 2012

What Is SELinux (Security-Enhanced Linux)?

1. What is SELinux (Security-Enhanced Linux)?
2. What is an SELinux policy?
3. Checking the SELinux installation
4. SELinux default settings - /etc/sysconfig/selinux
5. SELinux service settings - setenforce
6. SELinux service settings - chcon
7. SELinux service settings - setsebool
8. How do you replace your policy?
9. SELinux log
10. audit2allow
11. avc: denied
12. References or URL
1. What is SELinux (Security-Enhanced Linux)?

SELinux is a security-hardened version of Linux (including code) that the U.S. National Security Agency (NSA) released to the open source community. Structurally, it uses the Linux Security Modules (LSM) framework to implement Mandatory Access Control (MAC) in the Linux kernel. It has been applied by default since Fedora Core 3, and most modern Linux distributions now support it. To help in understanding SELinux, here is a brief explanation of DAC and MAC.

Standard Linux security follows the Discretionary Access Control (DAC) model. In a DAC model, decisions about files and resources are made only according to the user identity (user id) and the ownership of the object. Each user, and each program run by that user, has complete discretion over the objects assigned to that user. Under these conditions, a malicious ordinary or root user can do anything with a given object through faulty software (for example, setuid and setgid programs), and there is no way to enforce a security policy across the whole system.
Under SELinux's MAC, on the other hand, granular permissions can be given to all subjects (users, programs, and processes) and objects (files, devices). Features an application does not need are left out, and only the necessary permissions are granted, which keeps the system secure.
SELinux grants permissions between every subject (users, programs, and processes) and every object (files and devices). An application can therefore be granted just the permissions it needs to work properly.
2. What is an SELinux policy?

An SELinux policy is the package that describes the access permissions for every subject and object, that is, for the users, programs and processes and for the files and devices they act on, across the entire system. In Fedora the policy package comes in two forms: strict and targeted.
Applying the strict policy in Fedora Core caused many problems for a wide range of users (ordinary users need a high level of expertise to use SELinux under it), so RHEL4 currently installs the more relaxed targeted policy package by default.
Under the targeted policy, only the parts that are most often a problem are covered with priority, and everything else operates the same way as under standard Linux security.
Currently, the targeted policy manages the dhcpd, httpd (apache.te), named, nscd, ntpd, portmap, snmpd, squid, and syslogd daemons.
The policy files for these daemons can be found in /etc/selinux/targeted/src/policy/domains/program.
3. Checking the SELinux installation

One way to confirm that SELinux is in use is to look at security contexts.
The contexts of files, users, and processes can be displayed with the new -Z option.
ls -lZ /etc/selinux
-rw-r--r-- root root system_u:object_r:selinux_config_t config
drwxr-xr-x root root system_u:object_r:selinux_config_t targeted
The -Z option shows the security context; in this result we can see the user "system_u", the role "object_r", and the type "selinux_config_t". SELinux compares these contexts against the policy to decide whether to allow or deny access, so if contexts are displayed, SELinux is in use.
Besides files, the security context of each process and user can be checked as shown below.
root@example# ps axZ | grep squid
user_u:system_r:squid_t 3912 ? Ss 0:00 squid -D
user_u:system_r:squid_t 3915 ? S 9:10 (squid) -D
user_u:system_r:squid_t 3916 ? Ss 0:01 (unlinkd)
root@example# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:unconfined_t

If you are using Red Hat's SELinux packages, the sestatus -v command shows the current state of SELinux, as below.
[root@ns selinux]# sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 18
Policy from config file: targeted
Policy booleans:
allow_ypbind active
dhcpd_disable_trans inactive
httpd_disable_trans active
httpd_enable_cgi active
httpd_enable_homedirs active
httpd_ssi_exec active
httpd_tty_comm inactive
httpd_unified active
mysqld_disable_trans inactive
named_disable_trans active
nscd_disable_trans active
ntpd_disable_trans inactive
portmap_disable_trans inactive
snmpd_disable_trans inactive
squid_disable_trans inactive
syslogd_disable_trans inactive
winbind_disable_trans inactive
ypbind_disable_trans inactive
Process contexts:
Current context: root:system_r:unconfined_t
Init context: user_u:system_r:unconfined_t
/sbin/mingetty user_u:system_r:unconfined_t
/usr/sbin/sshd user_u:system_r:unconfined_t
File contexts:
Controlling term: root:object_r:devpts_t
/etc/passwd root:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/bin/bash system_u:object_r:shell_exec_t
/bin/login system_u:object_r:bin_t
/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty system_u:object_r:sbin_t
/sbin/init system_u:object_r:init_exec_t
/sbin/mingetty system_u:object_r:sbin_t
/usr/sbin/sshd system_u:object_r:sbin_t
/lib/ system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ system_u:object_r:lib_t -> system_u:object_r:ld_so_t
[root@ns selinux]#
4. SELinux default settings - /etc/sysconfig/selinux

How this is configured differs from distribution to distribution. On the Red Hat and Fedora distributions I tested, the SELinux mode is set in the file /etc/sysconfig/selinux.
Contents of the /etc/sysconfig/selinux file:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
This file has two parts: the SELINUX setting, which sets the state (enforcing, permissive, or disabled), and the SELINUXTYPE setting, which determines which security policy (strict or targeted) is activated.
disabled - Select the disabled option if you do not want SELinux security controls to be used. The disabled setting turns the security controls off and deactivates the security policy.
permissive - With this setting, denials are reported as messages. In the permissive state, data and programs are labeled and logged, but the security policy is not enforced. If you are new to SELinux, the permissive state is a good starting point: without fully activating the feature, you can enable the policy first and see what effect it would have on normal system operation. However, keep in mind that the warnings can sometimes include false positives (a warning about something that is not a real problem) and false negatives (a real problem that produces no warning).
enforcing - Select enforcing to enable SELinux completely. In enforcing mode all security policies are applied as an additional layer of system security (for example, denying access to a particular file or program to users who do not have permission). Choose this option when you are confident that SELinux can run fully enforced without interfering with normal operation of the system.

5. SELinux service settings - setenforce

When you need to change the SELinux state while the system is in service, you can edit the /etc/sysconfig/selinux file directly and set SELINUX=enforcing or SELINUX=permissive, or you can use the setenforce command.
The command "setenforce 0" gives the same result as SELINUX=permissive, and "setenforce 1" means enforcing mode. If you do not want to use SELinux on the system at all, set SELINUX=disabled in /etc/sysconfig/selinux, or pass selinux=0 as a boot parameter in the boot loader at system boot time. (If you are using grub, press e on the grub screen to enter edit mode, go down to the kernel line, add selinux=0 at the end and press ESC, then press b to boot.)
The setenforce command requires the sysadm_r role. To get it, use the newrole command, or switch to root with su -, which gives you sysadm_r automatically.
6. SELinux service settings - chcon

When you need to change an SELinux security context, you can use the chcon command.
For example, if you created a directory for Apache to serve and still get errors even though everything else looks correct, applying the httpd_user_content_t type to the DocumentRoot resolves it.
chcon -R -t httpd_user_content_t /home/<user-account>/public_html
7. SELinux service settings - setsebool

[root@ns ~]# cat /etc/selinux/targeted/booleans
allow_ypbind=1
dhcpd_disable_trans=0
httpd_disable_trans=1
httpd_enable_cgi=1
httpd_enable_homedirs=1
httpd_ssi_exec=1
httpd_tty_comm=0
httpd_unified=1
mysqld_disable_trans=0
named_disable_trans=1
named_write_master_zones=1
nscd_disable_trans=1
ntpd_disable_trans=0
portmap_disable_trans=0
postgresql_disable_trans=0
snmpd_disable_trans=0
squid_disable_trans=0
syslogd_disable_trans=0
winbind_disable_trans=0
ypbind_disable_trans=0
On RHEL4, the SELinux boolean settings of the system are held in the file /etc/selinux/targeted/booleans. Each entry in the file can be changed with the system-config-securitylevel application or with the setsebool command. If you run setsebool without the -P option, the current setting changes but the configuration file does not; if you use the -P option, the contents of /etc/selinux/targeted/booleans are changed as well, so the setting still applies after the system reboots.
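A boolean changed with setsebool but without -P exists only in the running system, so comparing the sestatus -v listing with the booleans file shows which settings will revert at the next reboot. The following is an added example, not part of the original post; bool_drift is a hypothetical helper name and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: report booleans whose running state (sestatus -v) differs from
# the persistent file (/etc/selinux/targeted/booleans), i.e. changes made with
# setsebool but without -P. Function names are hypothetical.

# bool_drift FILE: sestatus -v output on stdin, booleans file as FILE.
bool_drift() {
    awk '
    FILENAME == ARGV[1] {                      # persistent file: name=1 or name = 0
        line = $0; sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
        if (split(line, kv, "=") == 2) saved[kv[1]] = kv[2] + 0
        next
    }
    $2 == "active" || $2 == "inactive" {       # running state: name active|inactive
        run = ($2 == "active") ? 1 : 0
        if (!($1 in saved))        print $1 " running=" run " saved=missing"
        else if (saved[$1] != run) print $1 " running=" run " saved=" saved[$1]
    }' "$1" -
}

# Constructed inputs: httpd_disable_trans was switched on at run time only
# (a *_disable_trans boolean switches off SELinux protection for that daemon).
bool_drift_demo() {
    f=$(mktemp) || return 1
    printf '%s\n' 'httpd_disable_trans=0' 'httpd_enable_cgi = 1' 'squid_disable_trans=0' > "$f"
    printf '%s\n' 'Current mode: enforcing' 'Policy booleans:' \
        'httpd_disable_trans active' 'httpd_enable_cgi active' \
        'squid_disable_trans inactive' 'named_write_master_zones active' | bool_drift "$f"
    rc=$?; rm -f "$f"; return $rc
}

bool_drift_demo
```

On a live host the call would be: sestatus -v | bool_drift /etc/selinux/targeted/booleans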
8. How do you replace your policy?

Replacing a policy is not something to be taken lightly.
Apart from trying a new policy on a test machine for research purposes, you should think seriously about the situation before replacing the policy on a production system with a different one.
The replacement operation itself is simple. It is a very safe procedure, but it is desirable to try it on a test system first.
One way is to use system-config-securitylevel to change the policy and set the file system to be relabeled.
The manual procedure is as follows:
1. Edit /etc/selinux/config and change the policy type with SELINUXTYPE=policyname.
2. To make sure you can get back in after the reboot, set SELINUX=permissive. With this setting SELinux runs under the correct policy but still lets you log in if there is a problem such as incorrect file context labeling.
3. As root with the sysadm_r role, relabel the file system:
root:sysadm_r:sysadm_t
fixfiles relabel

The option -l /path/to/logfile logs to standard output so that you can watch it, and the option -o /path/to/file saves a list of all files that were checked or relabeled.
4. Reboot the system. Restarting under the new policy starts all system processes in the proper context and reveals any problems caused by the policy change.
5. Check that the change took effect with the sestatus -v command. With the new system running in permissive mode, check /var/log/messages for avc: denied messages. These indicate problems that need to be resolved for the system to run without trouble under the new policy.
6. When you are satisfied that the system runs well under the new policy, change to SELINUX=enforcing to give it enforcement authority. To enable enforcing, reboot, or run setenforce 1 to turn it on in real time.
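The file edits in steps 1, 2 and 6 can be scripted so that the return to enforcing depends on the log check from step 5. The following is an added example, not part of the original post; the function names, the .pre-switch backup suffix and the rule of refusing to enforce while any denial is logged are assumptions.

```shell
#!/bin/sh
# Added example: steps 1, 2 and 6 of the manual procedure as functions that
# edit the config file given as FILE (on a Red Hat host: /etc/selinux/config).
# Function names and the ".pre-switch" backup suffix are hypothetical.

# cfg_get FILE KEY: value of the last uncommented KEY= line.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# cfg_set FILE KEY VALUE: replace KEY=..., or append it if absent. The result
# is written back with cat, so FILE keeps its inode and SELinux label and a
# symlink such as /etc/sysconfig/selinux is followed rather than replaced.
cfg_set() {
    tmp=$(mktemp) || return 1
    if grep -q "^[[:space:]]*$2[[:space:]]*=" "$1"; then
        sed "s/^[[:space:]]*$2[[:space:]]*=.*/$2=$3/" "$1" > "$tmp"
    else
        { cat "$1"; printf '%s=%s\n' "$2" "$3"; } > "$tmp"
    fi && cat "$tmp" > "$1"
    rc=$?; rm -f "$tmp"; return $rc
}

# stage_policy FILE POLICY: steps 1-2. Assumes the two policies named in this post.
stage_policy() {
    case $2 in targeted|strict) ;; *) echo "unknown policy: $2" >&2; return 2 ;; esac
    cp -p "$1" "$1.pre-switch" || return 1
    cfg_set "$1" SELINUXTYPE "$2" && cfg_set "$1" SELINUX permissive
}
# Between the two functions: fixfiles relabel, reboot, sestatus -v (steps 3-5).

# commit_policy FILE LOG: step 6. Refuses to enforce while LOG still holds
# "avc: denied" lines (assumption: LOG covers only the permissive boot).
commit_policy() {
    [ -r "$2" ] || { echo "cannot read $2" >&2; return 1; }
    n=$(grep -c 'avc:[[:space:]]*denied' "$2") || :
    [ "$n" -eq 0 ] || { echo "$n denial(s) logged, staying permissive" >&2; return 1; }
    cfg_set "$1" SELINUX enforcing
}

# Demo on a constructed copy of the file and an empty (constructed) log.
cfg=$(mktemp); log=$(mktemp)
printf '%s\n' '# SELINUX= can take one of these three values:' 'SELINUX=enforcing' 'SELINUXTYPE=targeted' > "$cfg"
stage_policy "$cfg" strict && echo "staged: $(cfg_get "$cfg" SELINUXTYPE)/$(cfg_get "$cfg" SELINUX)"
commit_policy "$cfg" "$log" && echo "now: $(cfg_get "$cfg" SELINUX)"
rm -f "$cfg" "$cfg.pre-switch" "$log"
```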
9. SELinux log

SELinux log entries appear in /var/log/messages like this:
kernel: audit(1114070701.193:0): avc: denied { read } for pid=24216
exe=/usr/libexec/mysqld name=mysql dev=cciss/c0d0p6 ino=16408
scontext=user_u:system_r:mysqld_t tcontext=root:object_r:var_lib_t
tclass=dir
This log can be interpreted as follows.
- A read request was denied.
- The process that tried to read has PID 24216.
- The process is /usr/libexec/mysqld.
- It is operating on /dev/cciss/c0d0p6.
- The inode is 16408.
- The SELinux context of the process is user_u:system_r:mysqld_t.
- tcontext=root:object_r:var_lib_t: the file it attempted to read is a var_lib_t type file owned by root.
Meaning of each item in the SELinux log
audit(timestamp) - This field states that it is an SELinux audit message and that it was logged at time timestamp (in seconds since Jan. 1st, 1970).
avc - This message was from the SELinux access vector cache. Pretty much every message you are likely to see is from this cache.
denied | accepted - This field indicates whether the action was denied or accepted. You may see logs of accepted messages in some cases (like reloading the policy).
{ read | write | unlink | ... } - This field shows the type of action that was attempted, such as reading a file, writing, unlinking, loading policy, etc.
for pid= - This is the process ID that attempted the action.
exe= - This is the path to the executable that started the process.
name= - This is the name of the target on which the action was attempted.
dev= - This is the device on which the target file is located.
ino= - This is the inode of the target of the action.
scontext= - This is the process's security context. This contains user, role, and type.
tcontext= - This is the security context of the target of this action, for example, the file, directory, etc.
tclass= - This is the class of the target object, such as directory, file, device node, or something else.
10. audit2allow

A useful tool for policy authors is /usr/bin/audit2allow, which translates the avc messages in /var/log/messages into rules that SELinux can use. If it is not available, it can be installed as part of the policycoreutils package with yum install policycoreutils.
The audit2allow command can take its input in three ways. The default is standard input (stdin); with the -i option it reads input from /var/log/messages, and with the -d option it reads input from the output of dmesg.
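To make the field descriptions in the SELinux log section and the translation described here concrete, this added example (not audit2allow's own code and not part of the original post) reads avc: denied records and prints the allow rule that matches each group of denials. The function name avc_rules is hypothetical, and every sample record except the first is constructed.

```shell
#!/bin/sh
# Added example: group "avc: denied" records and print the allow rule that
# would match each group. The first sample record is the one quoted in this
# post; the others are constructed for illustration.
SAMPLE_AVC_LOG='kernel: audit(1114070701.193:0): avc:  denied  { read } for  pid=24216 exe=/usr/libexec/mysqld name=mysql dev=cciss/c0d0p6 ino=16408 scontext=user_u:system_r:mysqld_t tcontext=root:object_r:var_lib_t tclass=dir
kernel: audit(1114070702.001:0): avc:  denied  { read } for  pid=24216 exe=/usr/libexec/mysqld name=mysql dev=cciss/c0d0p6 ino=16408 scontext=user_u:system_r:mysqld_t tcontext=root:object_r:var_lib_t tclass=dir
kernel: audit(1114070710.440:0): avc:  denied  { getattr search } for  pid=3001 exe=/usr/sbin/httpd name=public_html dev=hda2 ino=991 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=dir
kernel: audit(1114070711.000:0): avc:  denied  { write } for  pid=3001 exe=/usr/sbin/httpd name=x dev=hda2 ino=7 scontext=user_u:system_r:httpd_t tclass=file'

# avc_rules: log text on stdin; prints "<count> allow <src> <tgt>:<class> { perms };"
avc_rules() {
    awk '
    /avc:[ ]+denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""
        b = index($0, "{"); e = index($0, "}")      # permissions sit between the braces
        if (b > 0 && e > b) perms = substr($0, b + 1, e - b - 1)
        gsub(/^ +| +$/, "", perms)
        for (i = 1; i <= NF; i++) {                 # remaining data is key=value words
            if (split($i, kv, "=") != 2) continue
            if (kv[1] == "scontext")      { split(kv[2], c, ":"); src = c[3] }  # user:role:type
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            else if (kv[1] == "tclass")   cls = kv[2]
        }
        if (perms == "" || src == "" || tgt == "" || cls == "") { bad++; next }
        seen[src " " tgt ":" cls " { " perms " };"]++
    }
    END {
        for (r in seen) printf "%d allow %s\n", seen[r], r
        if (bad) printf "%d malformed record(s) skipped\n", bad > "/dev/stderr"
    }' | sort -k2
}

printf '%s\n' "$SAMPLE_AVC_LOG" | avc_rules
```

Read each printed rule as a question about the denial before adding it to a policy: as the avc: denied section explains, a mislabeled file is corrected with restorecon rather than with a new rule.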
11. avc: denied

This message means that the currently running SELinux policy does not allow the application's behavior. There are various reasons for this. First, one of the files the application is trying to access may be mislabeled. If the AVC message refers to a particular file, run ls -alZ /path/to/file to look at its current label. If the label looks wrong, try restorecon -v /path/to/file. If a great many denials are associated with files, you may want to run fixfiles relabel, or run restorecon with the -R option to relabel a directory path recursively. At other times, denials can be caused by a change to the program's configuration that the policy does not permit. For example, if you change Apache to port 8800, a related change to the security policy, apache.te, also becomes necessary. For detailed information on writing policy, see the list of external links.

12. References or URL

Home of the SELinux Project -
The Un-Official SELinux FAQ -
SELinux link Zoo -
Ubuntu Linux SELinux Pages -
2005.8 Sys Admin Magazine -
SELinux Community page -
Unofficial FAQ -
Writing SE Linux policy HOWTO -
Getting Started with SE Linux HOWTO: the New SE Linux (Debian) -