    SELinux is an enhancement to the Linux kernel released by the NSA.

    "Security-enhanced Linux is a research prototype of the Linux® kernel and a number of utilities with enhanced security functionality designed simply to demonstrate the value of mandatory access controls to the Linux community and how such controls could be added to Linux."

    Related: grsec



    SELinux

    SELinux is a mandatory access control (MAC) system that can be used to protect services and contain security exploits found in system daemons or user applications. SELinux constrains services to a least-privilege security domain by way of a security policy, customized by administrators, that provides fine-grain control over information flow.

    Log file

    cat /var/log/audit/audit.log

    Example denied entry

    type=AVC msg=audit(1247665905.681:32003):
    avc:  denied  { write } for  pid=1118 comm="cmd.cgi" name="nagios.cmd" dev=dm-2 ino=819218
    scontext=root:system_r:httpd_nagios_script_t:s0
    tcontext=root:object_r:nagios_log_t:s0 tclass=fifo_file
    
    • comm = command whose access was denied
    • name = target
    • scontext = source security context
    • tcontext = target's security context

    Create new rule

    The simplest way to create a new rule is with the audit2allow command. It creates a rule based on the denial recorded in SELinux's audit log. The module/rule must have a unique name. The installed modules can be viewed with `semodule -l`.


    View new rule first

    There are two methods.

    1) Create a rule for all errors in the log:

    # audit2allow -m localName -i /var/log/audit/audit.log > httpdNagiosCmd.te


    2) Search the log for a specified command:

    # ausearch -m AVC --comm cmd.cgi | audit2allow -m local > httpdNagiosCmd.te


    Example output

    module local 1.0;
    
    require {
            type nagios_log_t;
            type httpd_nagios_script_t;
            class fifo_file { write getattr };
    }
    
    #============= httpd_nagios_script_t =====
    allow httpd_nagios_script_t nagios_log_t:fifo_file { write getattr };
    
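To make the mapping from the fields of a denial entry (comm, scontext, tcontext, tclass, the denied permissions) to the allow rule in the example output above concrete, here is an added Python example. It is not code from this page and not the audit2allow tool itself: it reimplements the core of what audit2allow does, parsing AVC records, merging the denied permissions per source type, target type and class, and rendering a .te module in the same shape as the one above, and adds a review step that flags rules granting write-like permissions before they are installed. The sample audit records (the first mirrors the page's entry, the rest are made up) and the RISKY_PERMS list are constructed for the example.

```python
"""Turn SELinux AVC denial lines into a reviewable Type Enforcement (.te) module.

Constructed example: not code from the s23 wiki page nor from the real
audit2allow tool. It reimplements the core of what audit2allow does so the
mapping from scontext/tcontext/tclass to an allow rule is visible, and adds a
small review step for the "edit the file" stage.
"""
import re
from collections import defaultdict

# Constructed sample audit log (one record per line, as in a real audit.log).
# The first record mirrors the page's example; the rest are made up to show
# aggregation of several permissions and a second source domain.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1247665905.681:32003): avc:  denied  { write } for  pid=1118 comm="cmd.cgi" name="nagios.cmd" dev=dm-2 ino=819218 scontext=root:system_r:httpd_nagios_script_t:s0 tcontext=root:object_r:nagios_log_t:s0 tclass=fifo_file
type=AVC msg=audit(1247665906.102:32004): avc:  denied  { getattr } for  pid=1118 comm="cmd.cgi" name="nagios.cmd" dev=dm-2 ino=819218 scontext=root:system_r:httpd_nagios_script_t:s0 tcontext=root:object_r:nagios_log_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1247665906.102:32004): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1247665907.500:32005): avc:  denied  { read } for  pid=2201 comm="httpd" name="index.html" dev=dm-2 ino=4421 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+pid=(?P<pid>\d+)'
    r'\s+comm="(?P<comm>[^"]*)"(?:\s+name="(?P<name>[^"]*)")?.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Parse one AVC denial record; return None for non-AVC or granted records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # A context is user:role:type[:level]; the type is what the policy rule needs.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def parse_log(text):
    """Parse every line of an audit log, keeping only AVC denials."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def aggregate(entries):
    """Merge permissions per (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for e in entries:
        rules[(e["stype"], e["ttype"], e["tclass"])].update(e["perms"])
    return dict(rules)


def render_te(rules, module="local", version="1.0"):
    """Emit a .te module in the same shape as the page's example output."""
    types = sorted({s for (s, _, _) in rules} | {t for (_, t, _) in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    lines = [f"module {module} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for stype in sorted({s for (s, _, _) in rules}):
        lines.append(f"#============= {stype} ==============")
        for (s, t, c), perms in sorted(rules.items()):
            if s == stype:
                lines.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


# Constructed review heuristic (an assumption, not part of audit2allow): these
# permissions let the source domain change or execute the target rather than
# just read it, so they deserve a second look before `semodule -i`.
RISKY_PERMS = {"write", "append", "create", "unlink", "rename", "setattr",
               "execute", "execute_no_trans", "relabelfrom", "relabelto"}


def review(rules):
    """Return only the rules that grant a risky permission, for manual checking."""
    return {key: sorted(perms & RISKY_PERMS)
            for key, perms in rules.items() if perms & RISKY_PERMS}


if __name__ == "__main__":
    rules = aggregate(parse_log(SAMPLE_AUDIT_LOG))
    print(render_te(rules), end="")
    for (s, t, c), risky in review(rules).items():
        print(f"# REVIEW: {s} -> {t}:{c} grants {' '.join(risky)}")
```

Run it directly to print the generated module followed by the review lines. The review step exists because audit2allow permits exactly what was denied: if the denial was caused by a misbehaving or compromised process, the generated rule allows that behaviour too, which is why the .te file is worth reading before it goes through checkmodule and `semodule -i`.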


    Edit the file

    You can now edit the file to remove or add the bits you want.

    Compile the new file

    checkmodule -M -m -o httpdNagiosCmd.mod httpdNagiosCmd.te
    semodule_package -o httpdNagiosCmd.pp -m httpdNagiosCmd.mod
    semodule -i httpdNagiosCmd.pp
    setenforce 1


    Quick way to allow

    If you don't want to edit the file, you can compile it directly with audit2allow's -M option, which writes both the .te and the .pp files:


    ausearch -m AVC --comm cmd.cgi | audit2allow -M httpdNagiosCmd
    semodule -i httpdNagiosCmd.pp
    setenforce 1
    

    Check status

    # sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /selinux
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy version:                 21
    Policy from config file:        targeted
    
    
    

    Permissive mode

    Permissive mode stops SELinux from enforcing the rules while still logging denials, so it can be used to create log entries showing which new rules need to be set up.

    # setenforce 0
    # sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /selinux
    Current mode:                   permissive
    Mode from config file:          enforcing
    Policy version:                 21
    Policy from config file:        targeted
    

    List a file's security context

    The -Z switch also works with most other utilities, such as ps.

    ls -Z /var/log/nagios/rw/nagios.cmd
    prw-rw----  nagios nagiocmd root:object_r:nagios_log_t       /var/log/nagios/rw/nagios.cmd
    

    External Links

    RedHat Doc
