
Shilong ZHAO

Security-Enhanced Linux

2015-10-14 00:00:00 +0200


Linux discretionary access control (DAC) is based on user and group information: processes carry a user and group (real and effective), and files carry user/group ownership and permission bits.

SELinux adds a layer of mandatory access control (MAC) on top of DAC, so that even the root user is not guaranteed every privilege.

SELinux is transparent to applications. It is an implementation of a Linux Security Module (LSM). LSM provides hooks inside the Linux kernel, and SELinux is called when a hook is triggered. The LSM checks are executed after the DAC checks.

SELinux Cares About Context

SELinux does not care about the ownership of a process; the context of the process matters instead. SELinux is therefore a label-based (context-based) control system. The same binary launched from different programs may run in different contexts. This is meaningful, since a web server program started by the init system deserves more trust than one started by a user.

Now, what is a context? The context fields include the type, role and user, which by convention end with _t, _r and _u, respectively. Example from [SELinux System Administration Handbook], on a system with SELinux enabled:

# ps -eZ | grep dbus-daemon
system_u:system_r:system_dbusd_t 4531 ?        00:00:00 dbus-daemon
staff_u:staff_r:staff_dbusd_t    5266 ?        00:00:00 dbus-daemon

Two instances of the same dbus-daemon binary are running, but their contexts differ, so SELinux can enforce different policies on each.

Note that the SELinux user label does not change even when the Linux user changes, e.g. through su or sudo. This explains why the privileged root user sometimes gets a permission denied error.

Enable SELinux

SELinux has three modes: disabled, in which the system boots without activating SELinux; permissive, in which SELinux is activated but the access control policy is not enforced; and enforcing, in which SELinux is active and the policy is enforced.

SELinux can be enabled or disabled either through the configuration file /etc/selinux/config or through GRUB boot parameters in /boot/grub2/grub.cfg. It is also possible to put a specific domain (type) in permissive mode.

SELinux Access Control

SELinux has three different forms of access control:
+ Type Enforcement (TE)
+ Role-Based Access Control (RBAC)
+ Multi-Level Security (MLS)

Type enforcement applies to processes and resources (files, sockets, ports, etc.). Resources and processes are assigned types, as mentioned earlier.

For example, suppose Apache processes are allowed to read the file /var/www/html/index.html. The type httpd_t is assigned to all Apache processes and the type httpd_sys_content_t is assigned to index.html. Resources can be files, directories, sockets, processes or ports; here index.html belongs to the file class. For the file class the predefined permissions are read, write, execute, getattr, etc. So if Apache processes are allowed to read index.html, the rule will be

allow httpd_t httpd_sys_content_t : file read;

This rule allows all processes with type httpd_t to read all the files tagged with type httpd_sys_content_t.

The access rules are configurable by policies.
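To make the allow rule above concrete, here is an added example (not code from the original post or from the SELinux project) that parses allow rules written in that syntax and answers an access question for a given process context and file context. The sample policy and the contexts are constructed; the default is deny, as in SELinux.

```python
"""Minimal Type Enforcement (TE) rule checker for allow rules of the form
    allow <source_type> <target_type> : <class> <perm | { perms }>;
Added example; the policy below is a constructed sample, not a real
distribution policy."""
import re
from collections import defaultdict

# Constructed sample policy (hypothetical rules for illustration only).
SAMPLE_POLICY = """
allow httpd_t httpd_sys_content_t : file { read getattr open };
allow httpd_t httpd_sys_rw_content_t : file { read write getattr open };
allow staff_t httpd_sys_content_t : file read;
"""

# One allow rule: source, target, class, then a single perm or a { braced } set.
RULE_RE = re.compile(
    r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{\s*([^}]*)\}|(\w+))\s*;"
)


def parse_policy(text):
    """Return {(source_type, target_type, class): set(perms)} from allow rules."""
    rules = defaultdict(set)
    for m in RULE_RE.finditer(text):
        src, tgt, cls, braced, single = m.groups()
        perms = braced.split() if braced is not None else [single]
        rules[(src, tgt, cls)].update(perms)
    return rules


def context_type(ctx):
    """Extract the type field from a user:role:type[:level] context string."""
    fields = ctx.split(":")
    if len(fields) < 3:
        raise ValueError("malformed context: %r" % ctx)
    return fields[2]


def allowed(rules, subject_ctx, object_ctx, cls, perm):
    """True only if an allow rule grants perm; anything else is denied."""
    key = (context_type(subject_ctx), context_type(object_ctx), cls)
    return perm in rules.get(key, set())


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY)
    proc = "system_u:system_r:httpd_t:s0"
    page = "system_u:object_r:httpd_sys_content_t:s0"
    print(allowed(pol, proc, page, "file", "read"))   # True
    print(allowed(pol, proc, page, "file", "write"))  # False
```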

Set SELinux Context

The list of regular expressions that determine the context of files can be shown with

# semanage fcontext -l
/var/run/bitlbee\.sock                             socket             system_u:object_r:bitlbee_var_run_t:s0
/var/run/bmc-watchdog\.pid                         regular file       system_u:object_r:freeipmi_bmc_watchdog_var_run_t:s0

The file context can be changed permanently by modifying the SELinux database with semanage fcontext and then applying the changes with restorecon.

In SELinux, processes are also assigned labels; the label of a process is called its domain. A child process inherits the context of its parent.

The package setools-console may need to be installed.