SELinux Quick Start Guide
A lot of sysadmins will disable SELinux immediately. Not good.
SELinux is easy. I’ll go through your two main scenarios. A standard Linux server using official repos and a Linux server running a custom application.
I’m focusing on CentOS/RHEL 6 and 7 here so YMMV.
Standard Linux Server
If you’re just using standard repos and aren’t doing anything too crazy, you shouldn’t even notice SELinux is running. Your distro developers and package maintainers will have written all of the policies. Just enable and go! If it’s not already running (check with sestatus
) you can enable it like so:
Install policies:
yum install selinux-policy selinux-policy-targeted
Enable SELinux:
cat << EOF > /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
EOF
A reboot is required:
reboot
That’s it. Reboot will take longer than usual as it adds SELinux labels to your filesystem.
You can view these labels by using ls
with the -Z
flag:
ls -alZ ~
For more information about labels and contexts see the references at the end of the post.
If you’re having trouble due to some customisations you’ve made, read on!
Custom Application
This is a little more work but still very easy to sort out. The best analogy here is you need to put SELinux into a permissive “learning” mode like you would an application firewall. Permissive mode will log all SELinux actions to /var/log/audit/audit.log
which is later parsed by audit2allow
to generate your application-specific policies.
Install auditd, SELinux policies and tools for policy creation:
yum install selinux-policy selinux-policy-targeted policycoreutils-python setools-console audit
Start up auditd:
service auditd start && chkconfig auditd on
Enable permissive mode:
cat << EOF > /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
EOF
A reboot is required:
reboot
Burn in your application. Step through everything it might encounter with network and file access. This will write every restricted SELinux access attempt to /var/log/audit/audit.log
for later processing.
Now you can generate your policies. audit2allow
is the tool for this. It will parse your auditd logs and create a new policy for any actions that may have generated SELinux denial messages during your burn-in phase.
First, look over any policy denials and check for anything unexpected from your OS or application. Only grep out any processes related to your application. If it’s a webapp, grep httpd or nginx etc. If you’re completely unsure you can grep for ‘denied’.
grep 'nginx' /var/log/audit/audit.log | audit2allow -w -a
Once you’re happy, generate your policies.
grep 'nginx' /var/log/audit/audit.log | audit2allow -a -M yourapplication_local
Install the policy:
semodule -i yourapplication_local.pp
At this stage you’ll want to start using your application again and check if any further denial messages are being logged to /var/log/audit/audit.log
. If they are, check over your policy denial messages again with audit2allow -w -a
and repeat the process above, grepping for any other processes that might be causing you issues.
Ensure you give any additional policy files you generate a unique name.
Otherwise enable SELinux in targeted mode:
cat << EOF > /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
EOF
A relabel is important when changing from permissive to enforcing mode. This is not necessary when changing directly from disabled to enforcing or permissive.
touch /.autorelabel
Another reboot:
reboot
Done!
Once you’re comfortable with audit2allow
you can use the semanage fcontext
and restorecon
commands to write and apply persistent policies for specific files, as opposed to the shotgun approach of audit2allow.
I also haven’t covered booleans (predefined rules such as allow httpd to read from home directories) or explained exactly how type enforcement and labeling work. More info on that in the references below.
I highly, highly recommend watching RedHat talk at the top of the references.
References
2012 Red Hat Summit: SELinux For Mere Mortals
RHEL 6 SELinux Handbook
Working with Booleans
Fixing Problems With audit2allow
Persistent Changes with semanage fcontext
Enable/Disable Guide