SELinux

SELinux is an enhancement to the Linux kernel released by the NSA.

"Security-enhanced Linux is a research prototype of the Linux® kernel and a number of utilities with enhanced security functionality designed simply to demonstrate the value of mandatory access controls to the Linux community and how such controls could be added to Linux."


 * http://www.nsa.gov/selinux/index.cfm
 * http://www.nsa.gov/selinux/info/faq.cfm
 * http://fedora.redhat.com/docs/selinux-faq/

Related: grsec

= selinux =

"SELinux is a mandatory access control (MAC) system that can be used to protect services and contain security exploits found in system daemons or user applications. SELinux constrains services to a least-privilege security domain by way of a security policy, customized by administrators, that provides fine-grain control over information flow."

Log file

 * 1) cat /var/log/audit/audit.log

Example denied entry
type=AVC msg=audit(1247665905.681:32003): avc: denied  { write } for  pid=1118 comm="cmd.cgi" name="nagios.cmd" dev=dm-2 ino=819218 scontext=root:system_r:httpd_nagios_script_t:s0 tcontext=root:object_r:nagios_log_t:s0 tclass=fifo_file


 * comm = command that had access denied
 * name = target
 * scontext = source security context
 * tcontext = target's security context

Create new rule
The simplest way to create a new rule is with the audit2allow command. It will create a rule based on the error in SELinux's audit log. The module/rule must have a unique name. The installed modules can be viewed using `semodule -l`.

View new rule first
We have two methods:

 * 1) Create a rule for all errors in the log:

   audit2allow -m localName -i /var/log/audit/audit.log > httpdNagiosCmd.te

 * 2) Search the log for a specified command:

   ausearch -m AVC --comm cmd.cgi | audit2allow -m local > httpdNagiosCmd.te

example output

module local 1.0;

require {
	type nagios_log_t;
	type httpd_nagios_script_t;
	class fifo_file { write getattr };
}

#============= httpd_nagios_script_t ==============
allow httpd_nagios_script_t nagios_log_t:fifo_file { write getattr };
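To make the audit-log-to-rule step above concrete, here is an added example (not audit2allow itself, and not part of the original page) that parses AVC denial records like the one shown, keeps only the chosen command as `ausearch --comm` does, and renders the same kind of policy module that `audit2allow -m` produces. The second log line is constructed to show permissions being merged into one rule; as with audit2allow output, read the generated allow rules before installing them, because a denial can be the policy doing its job.

```python
import re
from collections import defaultdict

# Constructed sample: the page's denial plus a constructed getattr denial for the same domain.
SAMPLE_LOG = """\
type=AVC msg=audit(1247665905.681:32003): avc: denied  { write } for  pid=1118 comm="cmd.cgi" name="nagios.cmd" dev=dm-2 ino=819218 scontext=root:system_r:httpd_nagios_script_t:s0 tcontext=root:object_r:nagios_log_t:s0 tclass=fifo_file
type=AVC msg=audit(1247665906.002:32004): avc: denied  { getattr } for  pid=1118 comm="cmd.cgi" name="nagios.cmd" dev=dm-2 ino=819218 scontext=root:system_r:httpd_nagios_script_t:s0 tcontext=root:object_r:nagios_log_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1247665906.002:32004): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_denials(log_text, comm=None):
    """Extract AVC denials; comm filters on the command like `ausearch --comm`."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no AVC fields
        d = m.groupdict()
        if comm is not None and d["comm"] != comm:
            continue
        d["perms"] = set(d["perms"].split())
        # The type is the third field of user:role:type[:level]
        d["stype"] = d["scontext"].split(":")[2]
        d["ttype"] = d["tcontext"].split(":")[2]
        denials.append(d)
    return denials

def build_module(denials, name="local"):
    """Merge denials into one allow rule per (source, target, class), as audit2allow -m does."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(build_module(parse_denials(SAMPLE_LOG, comm="cmd.cgi")))
```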

edit the file
You can now edit the file to remove / add bits you want.

compile the new file
checkmodule -M -m -o httpdNagiosCmd.mod httpdNagiosCmd.te
semodule_package -o httpdNagiosCmd.pp -m httpdNagiosCmd.mod
semodule -i httpdNagiosCmd.pp
setenforce 1

Quick Way to allow
If you don't want to edit the file, you can compile it directly with audit2allow's -M option:

ausearch -m AVC --comm cmd.cgi | audit2allow -M httpdNagiosCmd
semodule -i httpdNagiosCmd.pp
setenforce 1

check status
 * 1) sestatus

SELinux status:                enabled
SELinuxfs mount:               /selinux
Current mode:                  enforcing
Mode from config file:         enforcing
Policy version:                21
Policy from config file:       targeted

permissive mode
Permissive mode disables enforcing of rules. It can be used to create log entries showing what new rules need to be set up.

 * 1) setenforce 0
 * 2) sestatus

SELinux status:                enabled
SELinuxfs mount:               /selinux
Current mode:                  permissive
Mode from config file:         enforcing
Policy version:                21
Policy from config file:       targeted

list a file's security context
The -Z switch also works with most other utilities, such as ps.

ls -Z /var/log/nagios/rw/nagios.cmd

prw-rw nagios nagiocmd root:object_r:nagios_log_t       /var/log/nagios/rw/nagios.cmd

=External Links=

RedHat Doc