BLUG July 19 Meeting Report

Another good meeting with 14 present. As planned, founder Clint Tinsley presented on SELinux. Working from prepared slides and demo scripts, Clint spent 90 minutes "demystifying SELinux", in the words of one attendee. What follows is the outline from his slides, including the demonstration scripts.

SELinux Usage
Major Distributions support it!
In the mainline kernel since 2.6.0 (2003)
Fedora since Core 2 (2004)
RHEL since version 4 (2005)
Debian since Etch (2007)
Ubuntu since Hardy Heron 8.04 (2008)

What is SELinux?

A kernel-enforced access control layer (often described as an application firewall) that prevents exploited processes and services from reaching system files, folders, and ports their policy does not allow.

What Does SELinux Do?
Restricts System Processes
Policies in most distributions are applied only to system processes (confined domains), not to ordinary user processes, which run unconfined.
Policies limit what a process can access and how.
Limits what a compromised process can do to other files / users / ports / etc.

Operates at the kernel layer
LSM – Linux Security Module
Enforces MAC based on access requests
Context based enforcement
Boolean based enforcement

Access models
DAC - Discretionary Access Control
Standard Linux permissions - read, write, execute (rwx)
Managed by file owners (root, users)
MAC - Mandatory Access Control
SELinux restricts access based on context type
All files, folders, processes, and ports have a context type
The process's context and the object's context must be allowed by policy before access is granted. DAC is checked first; SELinux can only deny further, never grant what DAC already refused.

SELinux MAC Controls
context type – assigned to files, folders, processes, ports
booleans - switches for optional behaviour, such as httpd_enable_homedirs (public_html) or ftpd_anon_write
SELinux Decision Flowchart

Application Example
Webserver without SELinux
An exploit can write to the document root, the tmp directory, and any other file or folder the httpd user can reach.
An exploit can attempt to elevate its privileges (become root), because nothing beyond DAC limits what the process touches.

Webserver with SELinux

An exploit cannot write files outside the locations the httpd policy allows; with the default targeted policy httpd_t cannot even write to the document root (httpd_sys_content_t) unless the directory is labeled httpd_sys_rw_content_t.
Files cannot be accessed unless they carry a context type the httpd policy permits.

SELinux Key Concepts

SELinux is a set of security rules for processes

Every file, process, directory and port has an SELinux label (context)

SELinux security policy checks the context to see if the process can access the file, directory, or port.

-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
The security context on this file (index.html) has four fields:
unconfined_u:object_r:httpd_sys_content_t:s0  -  user:role:type:level(range)
We are only concerned with the third field, the context type: httpd_sys_content_t
-  context types usually end in '_t'
-  The other fields (user, role, and level) are beyond the scope of this presentation
-  Note: s0 is the default level, used for multi-level / multi-category (MLS/MCS) security.

Viewing Context
ls -Z file
ls -lZ file (long listing)
ls -ldZ directory (context of the directory itself, not its contents)
ps axZ
ps -ZC httpd
The type field (the _t entry) is what governs access!
Demo Script:

File Contexts:
ls -lZ /var/www/html  <= display index.html (httpd_sys_content_t)
ls -ldZ /var/www/html <= display directory context
ls -lZ /home/student  <= home directory contexts (user_home_t)
ls -lZ /root          <= root's home directory (admin_home_t)


ps axZ |grep httpd
ps -ZC httpd 
SELinux Modes

Enforcing (normal operation)
Policies are enforced – access denied
Violations logged

Permissive (Testing Mode!)
Unrestricted Access Allowed
Violations logged

Disabled (Requires Reboot to Apply) 
Unrestricted Access Allowed
Not Recommended!

Setting SELinux Mode

Command Line - 
getenforce <= returns current SELinux mode
setenforce permissive | enforcing | 0 | 1 
0 is permissive, 1 is enforcing (takes effect immediately, lost at reboot)

Persistently – default SELinux mode on boot, the SELINUX= line in
/etc/selinux/config (RHEL 6 and 7 alike; /etc/sysconfig/selinux is a symlink to it)

Setting SELinux Mode
At boot time via the GRUB edit menu - 
grub directives (kernel parameters)
These override the /etc/selinux/config settings!
selinux=0      <== disables SELinux completely 
enforcing=0  <== sets permissive mode
enforcing=1  <== sets enforcing mode
Demo Script Setting SELinux Mode:
setenforce permissive (the mode name is case insensitive)
setenforce 1

Default SELinux Settings:
ls -l /etc/sysconfig/selinux <= display symbolic link
vim /etc/sysconfig/selinux (link to /etc/selinux/config)
=> go over settings <=
=> reboot required  <=

targeted     <=default
minimum        <=selected processes
mls            <= Multi-Level Security (MLS)

Grub linux16 line:
grub directives (kernel parameters)
These override the /etc/selinux/config settings!
vim /boot/grub2/grub.cfg (edits here are lost the next time grub2-mkconfig runs; press 'e' at the GRUB menu for a one-time change)

linux16 line:
selinux=0   <== disables SELinux completely (not wise)
enforcing=0 <== sets permissive mode
enforcing=1 <== sets enforcing mode

Make persistent in grub:
add selinux=0 (or enforcing=0) to GRUB_CMDLINE_LINUX in /etc/default/grub, then regenerate the config:
grub2-mkconfig -o /boot/grub2/grub.cfg
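The precedence between the config file and the kernel command line on the two slides above, worked through in a shell function. This is an added example, not one of Clint's demo scripts: it takes the config text and the command line as strings (constructed below, not captured from a real host), so it runs without SELinux, and it models the precedence libselinux applies at boot, which adds one point the slides do not state: SELINUX=disabled in the config wins even over enforcing=1 on the command line, because no policy is loaded at all.

```shell
#!/bin/sh
# Added example, not from the talk: work out which SELinux mode a system boots
# into from its /etc/selinux/config text and kernel command line. Both are
# passed as strings, so this runs anywhere; on a host you would call
#   effective_mode "$(cat /etc/selinux/config)" "$(cat /proc/cmdline)"
# Precedence modelled here follows libselinux's boot-time policy load:
#   1. selinux=0 on the command line: SELinux is never enabled.
#   2. SELINUX=disabled in the config: disabled, even with enforcing=1 on the
#      command line, because no policy is loaded at all.
#   3. enforcing=0 / enforcing=1 on the command line overrides the config.
#   4. Otherwise the SELINUX= value from the config applies.

# Print the SELINUX= value from config text (comment lines ignored, lower-cased).
config_mode() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' |
        tail -n 1 | tr 'A-Z' 'a-z'
}

# Print the value of kernel parameter NAME from a command line, or nothing.
cmdline_param() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | tail -n 1
}

# effective_mode CONFIG_TEXT CMDLINE  ->  disabled | permissive | enforcing
effective_mode() {
    cfg=$(config_mode "$1")
    if [ "$(cmdline_param selinux "$2")" = 0 ]; then
        echo disabled
        return 0
    fi
    case "$cfg" in
        disabled) echo disabled; return 0 ;;
        enforcing|permissive) ;;
        *) echo "unrecognised SELINUX= value: '$cfg'" >&2; return 1 ;;
    esac
    case "$(cmdline_param enforcing "$2")" in
        0) echo permissive ;;
        1) echo enforcing ;;
        *) echo "$cfg" ;;
    esac
}

# Constructed config and command lines (not captured from a real host).
CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'

effective_mode "$CONFIG" 'BOOT_IMAGE=/vmlinuz-3.10.0 ro quiet'              # enforcing
effective_mode "$CONFIG" 'BOOT_IMAGE=/vmlinuz-3.10.0 ro quiet enforcing=0'  # permissive
effective_mode "$CONFIG" 'BOOT_IMAGE=/vmlinuz-3.10.0 ro quiet selinux=0'    # disabled
```

The useful check on a real box is the second case: a machine whose config says enforcing but whose `/proc/cmdline` carries `enforcing=0` will report `Permissive` from getenforce after every reboot, and the grub line, not /etc/selinux/config, is where to look.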

Setting SELinux Context

Default context (file creation) 

Copying versus Moving (Always copy!)
 - cp creates a new file, which receives the default context of the destination directory
 - mv preserves the file's existing context, so it arrives with the wrong label

chcon (temporary, not persistent: a relabel with restorecon puts the policy default back)
Friends don't let friends use chcon

restorecon – Apply default context
Restores the default SELinux context of a file
Looks up the database of rules and finds the correct context for that directory or file
Demo Script Setting SELinux Context
Default context
touch /var/www/html/page1.html
ls -lZ /var/www/html/page1.html

touch /tmp/file1 /tmp/file2
ls -Zl /tmp/file?    <= user_tmp_t
mv /tmp/file1 /var/www/html
cp /tmp/file2 /var/www/html
ls -Zl /var/www/html/file?

=> file1 (moved) is still user_tmp_t; file2 (copied) received httpd_sys_content_t from the directory

mkdir /virtual1
ls -ldZ /virtual1  <= default_t
chcon -t httpd_sys_content_t /virtual1
ls -ldZ /virtual1  <= httpd_sys_content_t
restorecon -v /virtual1
ls -ldZ /virtual1  <= default_t

Using SELinux Policies

semanage fcontext command 

(/.*)? – regex suffix that matches the directory itself and everything below it

view/list:  semanage fcontext -l | grep '/var/www(/.*)?'

create policy:
semanage fcontext -a -t httpd_sys_content_t '/directory(/.*)?'

apply to directory/files (semanage only records the rule; existing files are not relabeled until restorecon runs):
restorecon -RFvv /directory
Demo Creating SELinux Policy
view/list:  semanage fcontext -l | grep '/var/www(/.*)?'
create policy:

semanage fcontext -a -t httpd_sys_content_t '/virtual1(/.*)?'
mkdir /virtual1/html
touch /virtual1/html/index.html
ls -Zl /virtual1/html/    <= note the rule has not been applied yet (still default_t)
restorecon -RFvv /virtual1
ls -lZ /virtual1/html     <= now httpd_sys_content_t
touch /virtual1/html/page2.html
ls -lZ /virtual1/html     <= new files pick up the directory's context
touch /virtual1/html/page1.html
ls -lZ /virtual1/html     <= rule is now applied by default for new files
restorecon -RFvv /virtual1 <= nothing left to change
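A check script for the two demos above (mv versus cp, and semanage versus restorecon), also covering the context fields from the Key Concepts slide. This is an added example rather than one of the talk's scripts: it parses constructed `ls -Z` and `semanage fcontext -l` style text (labelled in the code; the /virtual1 rule and file names follow the demo), so it runs without SELinux. The tie-break between overlapping rules (longest literal prefix wins) is this example's own simplification of file_contexts ordering; on a real host `restorecon -nv` and `matchpathcon` give the authoritative answer.

```shell
#!/bin/sh
# Added example, not from the talk. Checks labels against fcontext rules using
# constructed "ls -Z" and "semanage fcontext -l" style text, so it runs without
# SELinux. On a real host use: restorecon -nv PATH (dry run) or matchpathcon PATH.

# A context is user:role:type:level; only the third field (the type) matters
# for the checks in this talk.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Constructed rules in the layout "semanage fcontext -l" prints
# (pattern, file class, context). The /virtual1 rule is the one added in the demo.
FCONTEXT_RULES='/.*                 all files  system_u:object_r:default_t:s0
/var/www(/.*)?      all files  system_u:object_r:httpd_sys_content_t:s0
/virtual1(/.*)?     all files  system_u:object_r:httpd_sys_content_t:s0'

# Type the rules say PATH should carry. Each pattern is anchored to the whole
# path, as libselinux does, so /virtual1(/.*)? matches /virtual1 and anything
# below it but not /virtual10. Ties between overlapping rules go to the rule
# with the longest literal prefix (this example's approximation of ordering).
expected_type() {
    path=$1
    printf '%s\n' "$FCONTEXT_RULES" | while read -r pat _cls _files ctx; do
        if printf '%s\n' "$path" | grep -Eq "^${pat}\$"; then
            prefix=$(printf '%s' "$pat" | sed 's/[].*?+()[].*$//')
            echo "${#prefix} $(context_type "$ctx")"
        fi
    done | sort -n | tail -n 1 | cut -d' ' -f2
}

# Constructed "ls -Z"-style output (context, then path; not a real capture):
# file1 was mv'd from /tmp, file2 was cp'd, and index.html was created after
# "semanage fcontext -a" but before restorecon ran.
LS_Z='unconfined_u:object_r:user_tmp_t:s0 /var/www/html/file1
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file2
unconfined_u:object_r:default_t:s0 /virtual1/html/index.html'

# Print "PATH actual -> expected" for each file whose type does not match the
# rules, i.e. what restorecon would change. Correctly labeled files are silent.
find_mislabeled() {
    printf '%s\n' "$1" | while read -r ctx path; do
        actual=$(context_type "$ctx")
        want=$(expected_type "$path")
        [ "$actual" = "$want" ] || echo "$path $actual -> $want"
    done
}

find_mislabeled "$LS_Z"
```

Two of the three constructed files are reported: the moved file1 (still user_tmp_t) and index.html (default_t, because the rule existed but restorecon had not run). file2, copied, already matches. Feeding real `ls -Z` output through the same loop is a quick way to find every file a `mv` has left mislabeled under a web root.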

Using SELinux Booleans
Switches turn groups of rules on or off
getsebool -a | grep [service]
setsebool boolean_name (from list) on 
setsebool httpd_enable_homedirs on (current session only)
setsebool -P httpd_enable_homedirs on (persistent, written to the policy store)
View: semanage boolean -l | grep boolean_name
Changed from default: semanage boolean -l -C
Demo Script Booleans
getsebool -a | grep httpd
getsebool httpd_enable_homedirs <= shows off
setsebool httpd_enable_homedirs on (current session only)
getsebool httpd_enable_homedirs <= shows on
View policy status: semanage boolean -l | grep httpd_enable_homedirs
current is on, default is off
setsebool -P httpd_enable_homedirs on (persistent)
View policy status: semanage boolean -l | grep httpd_enable_homedirs
current is on, default is now on

Changed from default: semanage boolean -l -C

create a public_html folder in the user's home directory
chmod 711 ~/public_html as the user (the home directory itself also needs search permission for others, e.g. chmod 711 ~, or httpd fails the DAC check before SELinux is even consulted)

SELinux – Troubleshooting

setenforce 0 – switch to permissive
If the problem goes away, SELinux is what is blocking access; switch back with setenforce 1 once confirmed. Denials are still logged in permissive mode, so the AVC records remain available for analysis.

ls -lZ on the file location – view permissions and context

restorecon -v /path/to/file (set the default context)

setroubleshoot-server – translates AVC denials into sealert messages

Logs:  /var/log/audit/audit.log (raw AVC message)
           /var/log/messages | grep sealert (list/view alerts)

sealert -l UUID (UUID from the message log) – read & analyze


yum info setroubleshoot-server  <= verify installed
Generates sealert messages in /var/log/messages

Raw message: /var/log/audit/audit.log

sealert message: /var/log/messages 

grep sealert /var/log/messages
copy the "sealert -l UUID" command from the /var/log/messages entry
paste it on the command line
analyze the report (the same text the SELinux Troubleshooter detail window shows on the desktop) and determine the steps to fix
Demo Script Troubleshooting
yum info setroubleshoot-server
mv /root/file3 /var/www/html   <= moved, so file3 keeps admin_home_t
curl http://localhost/file3    <= 403 Forbidden: httpd_t may not read admin_home_t
AVC message is generated (violation recorded)
/var/log/audit/audit.log is updated
/var/log/messages: a sealert message is added for the violation 
View Applications | Sundry | SELinux Troubleshooter
Review the Details window
Command line:
tail -n 10 /var/log/audit/audit.log <= type=AVC ... avc: denied
grep sealert /var/log/messages
copy "sealert -l UUID"
paste on the command line
Analyze the report (same as found in the SELinux Troubleshooter detail window)
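Reading the raw AVC record directly, as an added example that is not part of the talk: the function below summarises `type=AVC` lines from audit.log (source type, comm, denied permissions, target type and class, path, and whether the denial was enforced) and ignores the other record types. The two AVC lines and one SYSCALL line it runs on are constructed to mirror the demo (file3 moved from /root keeps admin_home_t), not captured from a real machine; the permissive=0/1 field is the one RHEL 7 kernels add to AVC records, which is how you tell a denial that only got logged from one that actually blocked the request.

```shell
#!/bin/sh
# Added example, not from the talk: summarise raw AVC denial records from
# audit.log before reaching for sealert. Reads audit records on stdin (or from
# the files given as arguments); non-AVC records such as SYSCALL are skipped.
# Real usage on a host:
#   ausearch -m AVC -ts recent | avc_summary
#   avc_summary /var/log/audit/audit.log
avc_summary() {
    awk '
    $1 == "type=AVC" {
        src = ""; tgt = ""; cls = ""; comm = ""; path = ""; perms = ""
        mode = "unknown"    # becomes "enforced" or "permissive" if permissive= is present
        # the denied permissions sit between the first { and }
        lb = index($0, "{"); rb = index($0, "}")
        if (lb && rb > lb) perms = substr($0, lb + 1, rb - lb - 1)
        sub(/^ +/, "", perms); sub(/ +$/, "", perms)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], s, ":"); src = s[3] }   # type field only
            if (kv[1] == "tcontext") { split(kv[2], t, ":"); tgt = t[3] }
            if (kv[1] == "tclass")   cls = kv[2]
            if (kv[1] == "comm")     comm = kv[2]
            # path= is present for most file denials; name= is the fallback
            if (kv[1] == "path" || (kv[1] == "name" && path == "")) path = kv[2]
            if (kv[1] == "permissive") mode = (kv[2] == "1") ? "permissive" : "enforced"
        }
        gsub(/"/, "", comm); gsub(/"/, "", path)
        printf "%s (%s) denied { %s } on %s %s %s [%s]\n", src, comm, perms, tgt, cls, path, mode
    }' "$@"
}

# Constructed sample records (not a real capture). The first mirrors the demo:
# file3 was moved from /root, so it still carries admin_home_t and httpd_t may
# not read it. The second was logged while the system was in permissive mode.
AVC_SAMPLE='type=AVC msg=audit(1437340800.101:501): avc:  denied  { getattr } for  pid=2417 comm="httpd" path="/var/www/html/file3" dev="dm-0" ino=67890 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1437340800.101:501): arch=c000003e syscall=4 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1437340900.202:502): avc:  denied  { read } for  pid=2417 comm="httpd" name="index.html" dev="dm-0" ino=67901 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1'

printf '%s\n' "$AVC_SAMPLE" | avc_summary
```

The summary line is enough to pick the fix from the slides: a target type of admin_home_t or user_tmp_t under the web root means a moved file (restorecon), default_t means a directory with no fcontext rule yet (semanage fcontext then restorecon), and a correctly labeled target with a denied permission usually points at a boolean.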


Resources

Security-Enhanced Linux - Wikipedia, the Free Encyclopedia
SELinux Wiki
Your visual how-to guide for SELinux policy enforcement
14.04 - SELinux Implementation in Ubuntu
The SELinux Notebook – Richard Haines, 4th Ed. (2014)
Red Hat Enterprise Linux 7 SELinux User's and Administrator's Guide
(on the Red Hat documentation site, select RHEL 7 and scroll down)


Next month we are planning to show both Ubuntu's Firewall Builder and Firewalld. Hope to see you all next month.