Sunday, 7 January 2018

How to configure SELinux on CentOS

Introduction

Security Enhanced Linux or SELinux is an advanced access control mechanism built into most modern Linux distributions. It was initially developed by the US National Security Agency to protect computer systems from malicious intrusion and tampering. Over time, SELinux was released in the public domain and various distributions have since incorporated it in their code.
Many system administrators find SELinux a somewhat uncharted territory. The topic can seem daunting and at times quite confusing. However, a properly configured SELinux system can greatly reduce security risks, and knowing a bit about it can help you troubleshoot access-related error messages. In this tutorial we will learn about the concepts behind SELinux – its packages, commands, and configuration files.

Installing SELinux Packages

A number of packages are used in SELinux. Some are installed by default. Here is a list for Red Hat-based distributions:
  • policycoreutils (provides utilities for managing SELinux)
  • policycoreutils-python (provides utilities for managing SELinux)
  • selinux-policy (provides SELinux reference policy)
  • selinux-policy-targeted (provides SELinux targeted policy)
  • libselinux-utils (provides some tools for managing SELinux)
  • setroubleshoot-server (provides tools for deciphering audit log messages)
  • setools (provides tools for audit log monitoring, querying policy, and file context management)
  • setools-console (provides tools for audit log monitoring, querying policy, and file context management)
  • mcstrans (tools to translate different levels to easy-to-understand format)
Some of these are installed already. To check what SELinux packages are installed on your CentOS 7 system, you can run a few commands like the one below (with different search terms after grep) as the root user:
rpm -qa | grep selinux
The output should look something like this:
libselinux-utils-2.2.2-6.el7.x86_64
libselinux-2.2.2-6.el7.x86_64
selinux-policy-targeted-3.12.1-153.el7.noarch
selinux-policy-3.12.1-153.el7.noarch
libselinux-python-2.2.2-6.el7.x86_64
You can go ahead and install all the packages with the command below (yum will just update any you already have), or just the ones that you find missing from your system:
yum install policycoreutils policycoreutils-python selinux-policy selinux-policy-targeted libselinux-utils setroubleshoot-server setools setools-console mcstrans
Now we should have a system that’s loaded with all the SELinux packages.

SELinux Modes

It’s time to start playing around with SELinux, so let’s begin with SELinux modes. At any one time, SELinux can be in any of three possible modes:
  • Enforcing
  • Permissive
  • Disabled
In enforcing mode SELinux will enforce its policy on the Linux system and make sure any unauthorized access attempts by users and processes are denied. The access denials are also written to relevant log files. We will talk about SELinux policies and audit logs later.
Permissive mode is like a semi-enabled state. SELinux doesn’t apply its policy in permissive mode, so no access is denied. However, any policy violation is still logged in the audit logs. It’s a great way to test SELinux before enforcing it.
The disabled mode is self-explanatory – the system won’t be running with enhanced security.

Checking SELinux Modes and Status

We can run the getenforce command to check the current SELinux mode.
getenforce
SELinux should currently be disabled, so the output will look like this:
Disabled
We can also run the sestatus command:
sestatus
When SELinux is disabled the output will show:
SELinux status:        disabled

SELinux Configuration File

The main configuration file for SELinux is /etc/selinux/config. We can run the following command to view its contents:
cat /etc/selinux/config
The output will look something like this:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
There are two directives in this file. The SELINUX directive dictates the SELinux mode and it can have three possible values, as we discussed before. The SELINUXTYPE directive selects the policy that is loaded; here it is set to targeted.

Enabling and Disabling SELinux

Enabling SELinux is fairly simple but, unlike disabling it, it should be done as a two-step process. We assume that SELinux is currently disabled, and that you’ve installed all of the SELinux packages from the earlier section.
As a first step, we need to edit the /etc/selinux/config file to change the SELINUX directive to permissive mode. On CentOS 7, /etc/sysconfig/selinux is a symbolic link to this file, so the command below opens the same configuration:
vi /etc/sysconfig/selinux
...
SELINUX=permissive
...
Setting the status to permissive first is necessary because every file in the system needs to have its context labelled before SELinux can be enforced. Unless all files are properly labelled, processes running in confined domains may fail because they can’t access files with the correct contexts. This can cause the boot process to fail or start with errors. We will introduce contexts and domains later in the tutorial.
Now issue a system reboot:
reboot
During this reboot, all the files on the server are labelled with an SELinux context.
In the second phase, we need to edit the same config file (/etc/sysconfig/selinux) again to change the SELINUX directive from permissive to enforcing:
...
SELINUX=enforcing
...
Next, reboot the server again.
reboot
Once the server is back online, we can run the sestatus command to check the SELinux status. It should now show more details about the server:
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          error (Success)
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
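
The two-step change above can be scripted and checked. The following is an added example, not part of the original post: the function names are hypothetical, and the demo runs on a constructed copy of the config file reached through a symlink, the way /etc/sysconfig/selinux points at /etc/selinux/config on CentOS 7.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Print the mode from the first line starting with "SELINUX=" in file $1.
# Returns 1 if there is no such line or its value is not a valid mode.
selinux_config_mode() {
    mode=$(sed -n 's/^SELINUX=//p' "$1" | head -n 1 |
           tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
    case "$mode" in
        enforcing|permissive|disabled) printf '%s\n' "$mode" ;;
        *) return 1 ;;
    esac
}

# Set SELINUX= in file $1 to mode $2. The result is written back through the
# existing path with cat, so a symlink stays a symlink instead of being
# replaced by a regular file.
set_selinux_mode() {
    file=$1 new=$2
    case "$new" in
        enforcing|permissive|disabled) ;;
        *) echo "refusing invalid mode: $new" >&2; return 2 ;;
    esac
    grep -q '^SELINUX=' "$file" || { echo "no SELINUX= line in $file" >&2; return 1; }
    tmp=$(mktemp) || return 1
    sed "s/^SELINUX=.*/SELINUX=$new/" "$file" >"$tmp" && cat "$tmp" >"$file"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && [ "$(selinux_config_mode "$file")" = "$new" ]
}

# Compare the configured mode in file $1 with the running mode $2,
# e.g. "$(getenforce)". Fails on a mismatch or an unreadable config.
mode_matches_runtime() {
    cfg=$(selinux_config_mode "$1") || return 1
    run=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ "$cfg" = "$run" ]
}

# Demo on a constructed config copy, edited through a symlink.
demo_dir=$(mktemp -d)
printf '%s\n' '# constructed sample' 'SELINUX=disabled' 'SELINUXTYPE=targeted' \
    >"$demo_dir/config"
ln -s "$demo_dir/config" "$demo_dir/sysconfig-selinux"
set_selinux_mode "$demo_dir/sysconfig-selinux" permissive   # step one
selinux_config_mode "$demo_dir/config"
```

On a real system, run set_selinux_mode as root against /etc/selinux/config and, after each reboot, call mode_matches_runtime with "$(getenforce)" as the second argument. A mismatch, or "error" in the "Mode from config file" line of sestatus, means the SELINUX= line in the file should be inspected again.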
