In this post we’ll go over using SELinux to manage the security of a Linux system.
NSA Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) architecture for the Linux kernel; its mode and policy type are configured through the /etc/selinux/config file.
Let’s take a peek at the file on my box:
```
cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
```
If SELinux is disabled and later re-enabled, every file in the filesystem has to be relabeled, because no labels were maintained while it was off.
You can adjust SELinux with many commands and utilities. For example, semanage lists the policy booleans (here filtered to the NFS-related ones), showing each one's current and default state:

```
semanage boolean -l | grep nfs
xen_use_nfs                    (off  ,  off)  Allow xen to use nfs
mpd_use_nfs                    (off  ,  off)  Allow mpd to use nfs
virt_use_nfs                   (off  ,  off)  Allow virt to use nfs
use_nfs_home_dirs              (off  ,  off)  Allow use to nfs home dirs
ksmtuned_use_nfs               (off  ,  off)  Allow ksmtuned to use nfs
nfsd_anon_write                (off  ,  off)  Allow nfsd to anon write
git_system_use_nfs             (off  ,  off)  Allow git to system use nfs
git_cgi_use_nfs                (off  ,  off)  Allow git to cgi use nfs
logrotate_use_nfs              (off  ,  off)  Allow logrotate to use nfs
cobbler_use_nfs                (off  ,  off)  Allow cobbler to use nfs
httpd_use_nfs                  (off  ,  off)  Allow httpd to use nfs
sge_use_nfs                    (off  ,  off)  Allow sge to use nfs
sanlock_use_nfs                (off  ,  off)  Allow sanlock to use nfs
samba_share_nfs                (off  ,  off)  Allow samba to share nfs
ftpd_use_nfs                   (off  ,  off)  Allow ftpd to use nfs
openshift_use_nfs              (off  ,  off)  Allow openshift to use nfs
polipo_use_nfs                 (off  ,  off)  Allow polipo to use nfs
tmpreaper_use_nfs              (off  ,  off)  Allow tmpreaper to use nfs
nfs_export_all_rw              (on   ,   on)  Allow nfs to export all rw
nfs_export_all_ro              (on   ,   on)  Allow nfs to export all ro
```
After changing a file context, you need to run restorecon so that the new label is actually applied to the files on disk.
getsebool gets SELinux boolean value(s); with -a it lists them all:

```
getsebool -a | grep ftp
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_home_dir --> off
```
As its man page puts it, sealert is the user interface component (either GUI or command line) to the setroubleshoot system. setroubleshoot is used to diagnose SELinux denials and attempts to provide user-friendly explanations for a SELinux denial (e.g. an AVC) and recommendations for how one might adjust the system to prevent the denial in the future.

The -l option looks up an alert by id (the wildcard * returns all alerts); here the whole audit log is analyzed directly with -a:
```
sealert -a /var/log/audit/audit.log
100% done
found 4 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/pgrep from getattr access on the filesystem /sys.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that pgrep should be allowed getattr access on the sys filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pgrep' --raw | audit2allow -M my-pgrep
# semodule -i my-pgrep.pp


Additional Information:
Source Context                system_u:system_r:ksmtuned_t:s0
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                /sys [ filesystem ]
Source                        pgrep
Source Path                   /usr/bin/pgrep
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           procps-ng-3.3.10-10.el7.x86_64
Target RPM Packages           filesystem-3.2-21.el7.x86_64
Policy RPM                    selinux-policy-3.13.1-102.el7_3.16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rhel7
Platform                      Linux rhel7 3.10.0-514.26.2.el7.x86_64 #1 SMP Fri
                              Jun 30 05:26:04 UTC 2017 x86_64 x86_64
Alert Count                   9
First Seen                    2018-02-10 02:25:54 JST
Last Seen                     2018-02-10 03:19:45 JST
Local ID                      d5a68144-c84d-44c4-bde0-31380fd5bb60

Raw Audit Messages
type=AVC msg=audit(1518200385.729:205): avc:  denied  { getattr } for  pid=4616 comm="pgrep" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:ksmtuned_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem


type=SYSCALL msg=audit(1518200385.729:205): arch=x86_64 syscall=statfs success=no exit=EACCES a0=7f9407f4e013 a1=7fffcd705e80 a2=fffffffffff476d8 a3=7fffcd705b90 items=0 ppid=4615 pid=4616 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=pgrep exe=/usr/bin/pgrep subj=system_u:system_r:ksmtuned_t:s0 key=(null)

Hash: pgrep,ksmtuned_t,sysfs_t,filesystem,getattr

[...]
```
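The "Hash:" line above is just the denial reduced to its five identifying parts (command, source type, target type, object class, permission). As an added example that is not part of the original post, this shell script derives the same key straight from raw audit lines and counts how often each one recurs, which is handy for triaging a busy audit.log before reaching for audit2allow. The audit lines are constructed samples modelled on the post's output.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials from raw audit lines into the
# "comm,source_type,target_type,tclass,perm" key that sealert prints as "Hash:",
# then count repeats so the noisiest denials surface first.

# Constructed sample audit lines (first one adapted from the post; others made up).
SAMPLE_AUDIT='type=AVC msg=audit(1518200385.729:205): avc:  denied  { getattr } for  pid=4616 comm="pgrep" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:ksmtuned_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1518200385.729:205): arch=x86_64 syscall=statfs success=no exit=EACCES comm=pgrep
type=AVC msg=audit(1518200390.001:206): avc:  denied  { getattr } for  pid=4700 comm="pgrep" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:ksmtuned_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
type=AVC msg=audit(1518200401.500:207): avc:  denied  { read open } for  pid=4801 comm="httpd" name="index.html" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_key: read audit lines on stdin; for every AVC denial print one
# "comm,stype,ttype,tclass,perm" line (several permissions are joined with '+').
avc_key() {
    awk '
    /^type=AVC / && /denied/ {
        comm = stype = ttype = tclass = perm = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); stype = a[3] }  # third field is the type
            if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); ttype = a[3] }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            if ($i == "{") {                      # permissions sit between { and }
                perm = $(i + 1)
                for (j = i + 2; j <= NF && $j != "}"; j++) perm = perm "+" $j
            }
        }
        print comm "," stype "," ttype "," tclass "," perm
    }'
}

# avc_count: occurrences per key, most frequent first (like sealert'"'"'s "Alert Count").
avc_count() {
    avc_key | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Stand-alone usage: printf '%s\n' "$SAMPLE_AUDIT" | avc_count
# On a real box you would feed it: ausearch -m avc --raw | avc_count
```

The keys it prints map one-to-one onto sealert's "Hash:" lines, so a key that keeps climbing in count is the denial worth investigating (or, if genuinely expected, the one to model in a local policy module).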
```
 __________________________________
/ Someone is speaking well of you. \
|                                  |
\ How unusual!                     /
 ----------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
```