Tuesday, October 17, 2017

SELinux

SELinux stands for NSA Security-Enhanced Linux.

By default, the SELinux mode is set in /etc/selinux/config. The default setup is permissive: when the SELinux policy is violated, a warning is logged instead of the service being blocked from running properly.

SELinux config file content.


In permissive mode, the denials are logged to the /var/log/audit/audit.log file.

Port related

Let's do a test.


I set the httpd service to also listen on port 1234, which is not a conventional port number for httpd. In permissive mode, the httpd service restarts successfully; however, an entry appears in the audit.log file.


When I set SELinux to enforcing, the service fails to start. Here is a snippet of the log from the status of the httpd service.


From the entry in audit.log and the status log, port 1234 is the culprit. It needs to be added to the relevant SELinux policy, so I add the port to the http_port_t type.


Now it can be successfully restarted!
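The manual step above (read the AVC denial, work out the port and protocol, then add the port to the right type) can be scripted so the denial is turned into the exact `semanage port` command to review. The script below is an added example, not part of the original post; the audit.log lines are constructed in the format auditd writes for a name_bind denial, and the mapping from the httpd_t domain to http_port_t covers only the case discussed here. It prints the command rather than running it, so it can be read offline before anything is changed.

```shell
#!/bin/sh
# Added example: parse SELinux name_bind denials out of audit.log text and
# print the matching `semanage port` command instead of running it.

# Constructed sample lines in /var/log/audit/audit.log format (not real captures).
SAMPLE_AUDIT='type=AVC msg=audit(1508234567.123:456): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1508234567.123:456): arch=c000003e syscall=49 success=yes exit=0 comm="httpd"
type=AVC msg=audit(1508234568.000:457): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=5353 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=1'

# field KEY LINE: print the value of KEY=value (bare or double-quoted) in LINE
field() {
  printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | tr -d '"' | head -n 1
}

# bind_denials TEXT: one line per name_bind AVC denial: "<comm> <proto> <port> <domain>"
bind_denials() {
  printf '%s\n' "$1" | grep 'avc:  denied  { name_bind }' | while IFS= read -r line; do
    comm=$(field comm "$line")
    port=$(field src "$line")                        # src= is the port being bound
    tclass=$(field tclass "$line")
    proto=${tclass%_socket}                          # tcp_socket -> tcp, udp_socket -> udp
    domain=$(field scontext "$line" | cut -d: -f3)   # system_u:system_r:httpd_t:s0 -> httpd_t
    printf '%s %s %s %s\n' "$comm" "$proto" "$port" "$domain"
  done
}

# port_type_for DOMAIN: the SELinux port type the domain is normally allowed to bind.
# Only the httpd case from the post is filled in; other domains get a placeholder.
port_type_for() {
  case "$1" in
    httpd_t) echo http_port_t ;;
    *) echo "<port_type_for_$1>" ;;
  esac
}

# suggest_port_rules TEXT: print one `semanage port` command per denial (not executed)
suggest_port_rules() {
  bind_denials "$1" | while read -r comm proto port domain; do
    printf 'semanage port -a -t %s -p %s %s   # %s (%s)\n' \
      "$(port_type_for "$domain")" "$proto" "$port" "$comm" "$domain"
  done
}

suggest_port_rules "$SAMPLE_AUDIT"
```

Before applying a printed rule, check the port is not already assigned to another type with `semanage port -l`; a port that belongs to a different type needs `semanage port -m` (modify) rather than `-a`, and a port already listed under http_port_t needs nothing at all.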


File related

SELinux policy is not limited to port contexts; it also covers file contexts.

For example, files in /var/www/html are already labeled with the httpd_sys_content_t context, so no additional steps are needed to set the SELinux policy.


Another conventional path for hosting HTML files is /srv/*/www. However, for a newly created directory, this fcontext is not applied automatically; you need to run restorecon once on /srv to label it correctly.


If the files are placed in a different path, you need to assign the correct fcontext to that path and then run the restorecon command.
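The quickest way to see whether a web root has the label problem described above is `ls -Z`, which shows each file's context; any file whose type is not httpd_sys_content_t will be refused by httpd in enforcing mode. The script below is an added example, not part of the original post: it checks a constructed `ls -Z` listing for a hypothetical /srv/example/www against the expected type and prints the two commands (an fcontext rule plus restorecon) that would make the label persistent, without executing them.

```shell
#!/bin/sh
# Added example: spot files under a web root whose SELinux type is not the one
# httpd is allowed to read, and print the commands that would fix the labels.

# Constructed `ls -Z` output for a hypothetical /srv/example/www (not a real capture).
SAMPLE_LS_Z='-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 about.html
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 logo.png
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 css'

# mislabeled LISTING EXPECTED_TYPE: print "<name> <current_type>" for each entry
# whose SELinux type (third field of user:role:type:level) differs from EXPECTED_TYPE
mislabeled() {
  printf '%s\n' "$1" | awk -v want="$2" '{
    for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) ctx = $i
    split(ctx, parts, ":")
    if (parts[3] != want) print $NF, parts[3]
  }'
}

# relabel_commands DIR TYPE: the persistent fix from the post, printed rather than run:
# record the fcontext rule for DIR and everything below it, then apply it with restorecon
relabel_commands() {
  printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$2" "$1"
  printf 'restorecon -Rv %s\n' "$1"
}

mislabeled "$SAMPLE_LS_Z" httpd_sys_content_t
relabel_commands /srv/example/www httpd_sys_content_t
```

The `(/.*)?` suffix in the fcontext rule matters: without it only the directory itself is matched, and files created later under it will again be labeled from their parent or from the copying process, which is the same failure mode `restorecon` alone fixes only until the next new file arrives. A `chcon` change, by contrast, is not recorded in the policy and is undone by the next relabel.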


Boolean related

There is another main topic in semanage: SELinux booleans.


You can use the semanage boolean -l command to list all booleans.

As an example, let's check the network- and db-related booleans and modify them.


These boolean policies add an additional layer of security to the service in case the service's configuration is compromised.
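Because booleans are the knobs that widen what a confined service may do, it is worth treating them as desired state: record which ones a given web server should have on, compare with what the host reports, and only flip the differences. The script below is an added example, not part of the original post. The `getsebool -a` output is constructed, the desired-state list is a hypothetical choice for a web server that needs a database connection but should not have the broad httpd_can_network_connect permission, and the `setsebool -P` lines are printed for review rather than executed.

```shell
#!/bin/sh
# Added example: compare the booleans a host reports with the state you want
# and print only the `setsebool -P` changes needed (nothing is executed).

# Constructed `getsebool -a` output (not a real capture).
SAMPLE_GETSEBOOL='httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_sendmail --> off
httpd_enable_homedirs --> on
httpd_use_nfs --> off'

# Desired state for this web server (hypothetical): allow the DB connection the app
# needs, keep the broad network permission and home-directory serving off.
DESIRED='httpd_can_network_connect_db on
httpd_can_network_connect off
httpd_enable_homedirs off'

# bool_state CURRENT NAME: print on/off for NAME, or "unknown" if it is not listed
bool_state() {
  printf '%s\n' "$1" | awk -v n="$2" \
    '$1 == n && $2 == "-->" { print $3; found = 1 } END { if (!found) print "unknown" }'
}

# boolean_changes CURRENT DESIRED: one `setsebool -P` line per mismatch;
# -P makes the change persistent across reboots instead of runtime-only
boolean_changes() {
  printf '%s\n' "$2" | while read -r name want; do
    have=$(bool_state "$1" "$name")
    if [ "$have" = unknown ]; then
      printf '# %s: not a boolean on this host, skipping\n' "$name"
    elif [ "$have" != "$want" ]; then
      printf 'setsebool -P %s %s\n' "$name" "$want"
    fi
  done
}

boolean_changes "$SAMPLE_GETSEBOOL" "$DESIRED"
```

Keeping the list narrow is the point: httpd_can_network_connect_db opens only the database port types to httpd, whereas httpd_can_network_connect lets a compromised web process reach any port, so the more specific boolean is the one to prefer when the application only needs its database.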

That's all for the three main domains of SELinux policy management.
