Selinux

Updated: September 28, 2024

SELinux is standard on CentOS, RHEL and Fedora and optional on Debian and Ubuntu.

Ubuntu ships with AppArmor installed and enforcing out of the box, so enabling SELinux there means replacing the active LSM, not just adding a package.


Info

Linux Security Modules (LSM) is a framework in the kernel that adds hooks at the points where access control decisions are made. MAC frameworks are built on it (SELinux, AppArmor, Smack), as are smaller LSMs such as Yama, which only restricts ptrace.

SELinux (Security Enhanced Linux) is an extra security layer on top of the access control every *nix system already has, DAC (Discretionary Access Control): the rwx bits and chown/chgrp ownership of files and directories. SELinux adds MAC (Mandatory Access Control): every object (files, directories, sockets, ports) and every process carries a security context (label), and policy rules decide which labelled subjects may do what to which labelled objects. DAC is checked first; SELinux is only consulted when DAC would already allow the access, so it can only deny, never grant. The result is separation between users, processes and data that the owner of a file cannot override.

Modes

  1. enforcing - policy is enforced and denials are logged
  2. permissive - denials are logged but nothing is blocked (useful for building or debugging policy)
  3. disabled - no policy loaded and no labelling

Types (policies)

  1. targeted - the default; only selected (mostly network-facing) daemons run in confined domains, everything else runs unconfined
  2. strict - every process confined (legacy; modern policy gets the same effect with targeted minus the unconfined module)
  3. mls - strict + multi level security (sensitivity levels such as s0..s15)
  4. mcs - multi category security (a single sensitivity level of mls, categories c0..c1023; used by container and VM separation)

Format user:role:type:level, where level is sensitivity[:categories] and only mls|mcs policies make real use of it. Example: system_u:system_r:httpd_t:s0 (targeted) or system_u:system_r:httpd_t:s0-s0:c0.c1023 (mcs range). The type (the "domain" for processes) is the field that almost all targeted-policy rules are written against.

Commands

Most of the standard tools accept -Z to show SELinux contexts: ls -Z shows file labels.

ps auxZ                     # show the domain (type) each process is running as
id -Z                       # show the current user's context
getenforce                  # check what mode SELinux is running in
sestatus                    # general information about SELinux (mode, policy, MLS status)
setenforce 0|1              # switch to permissive (0) or enforcing (1) until reboot; cannot enable from disabled
semodule -l | less          # list installed policy modules (not booleans)
semanage boolean -l | less  # list booleans with current and persistent state
semanage port -l | grep ssh # list the port-to-type mappings in policy (check what ssh is allowed to bind)

semanage port -a -t ssh_port_t -p tcp 2022   # label TCP 2022 as an ssh port so sshd may bind it (persistent)

getsebool ftp_home_dir      # check status of one particular boolean (ftp access to home directories here)
    -a      # list all booleans
setsebool ftp_home_dir on   # turn a boolean on/off; add -P to persist across reboots, otherwise it reverts

seaudit                     # SETools GUI viewer for AVC audit messages (older SETools releases)

Diagnose

Sometimes it is good to be denied…

SELinux reports denials (AVC messages) to the audit subsystem, which lands them in /var/log/audit/audit.log when auditd is running. If auditd is not running, the kernel prints them to dmesg / the journal instead, so make sure auditd is running before chasing a denial.

  1. Check the audit log (or dmesg when auditd is not running)
ausearch -m avc -ts recent
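An added example, not part of the original notes: a POSIX shell script that splits a context into its fields (the format described under Types) and summarises AVC denials the way you would want to read the output of `ausearch -m avc`. The audit lines are constructed samples embedded in the script, so it runs without SELinux present; the helper names (`ctx_field`, `avc_summary`, `avc_hint`), the pids, ports and paths in the sample lines, and the hint text are all assumptions made for the example.

```shell
#!/bin/sh
# Split a SELinux context (user:role:type:level) into one field.
# The level may itself contain ':' (e.g. s0-s0:c0.c1023), so it is
# everything from the 4th colon-separated field onward.
ctx_field() {
  case "$2" in
    user)  printf '%s\n' "$1" | cut -d: -f1 ;;
    role)  printf '%s\n' "$1" | cut -d: -f2 ;;
    type)  printf '%s\n' "$1" | cut -d: -f3 ;;
    level) printf '%s\n' "$1" | cut -d: -f4- ;;
    *)     echo "unknown field: $2" >&2; return 1 ;;
  esac
}

# Read audit.log lines on stdin and print one line per distinct denial:
#   <count> <source type> <target type> <class> <perms> <permissive flag>
# Only 'type=AVC ... denied' records count; SYSCALL and granted records
# are skipped. The type is taken from the context, since targeted-policy
# rules are written against types.
avc_summary() {
  awk '
    /^type=AVC / && / denied / {
      perms = ""; stype = "?"; ttype = "?"; tclass = "?"; perm = "?"
      if (match($0, /[{] [^}]* [}]/)) {          # "{ read write }"
        perms = substr($0, RSTART + 2, RLENGTH - 4)
        gsub(/ /, ",", perms)
      }
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "scontext")        { split(kv[2], c, ":"); stype = c[3] }
        else if (kv[1] == "tcontext")   { split(kv[2], c, ":"); ttype = c[3] }
        else if (kv[1] == "tclass")     tclass = kv[2]
        else if (kv[1] == "permissive") perm = kv[2]
      }
      count[stype " " ttype " " tclass " " perms " " perm]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2
}

# Point at the usual place to look for a denial class. Arguments are the
# fields printed by avc_summary minus the count. The hints are generic
# guidance, not a substitute for reading the policy.
avc_hint() {
  ttype=$2; tclass=$3; perms=$4
  case "$tclass:$perms" in
    tcp_socket:name_bind|udp_socket:name_bind)
      echo "port label: 'semanage port -l | grep $ttype', then 'semanage port -a -t <wanted_port_t> -p tcp <port>'" ;;
    file:*|dir:*)
      echo "file label or boolean: 'matchpathcon <path>' vs 'ls -Z <path>', then 'semanage boolean -l'" ;;
    *)
      echo "no canned hint; run 'ausearch -m avc -ts recent | audit2why'" ;;
  esac
}

# Constructed sample of audit.log records (not captured from a real host).
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1695900000.123:456): avc:  denied  { name_bind } for  pid=1234 comm="sshd" src=2022 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1695900001.456:457): avc:  denied  { read } for  pid=2345 comm="vsftpd" name="notes.txt" dev="dm-0" ino=1234567 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1695900002.789:458): avc:  denied  { read } for  pid=2345 comm="vsftpd" name="todo.txt" dev="dm-0" ino=1234568 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1695900002.789:458): arch=c000003e syscall=257 success=no exit=-13 comm="vsftpd"
type=AVC msg=audit(1695900003.000:459): avc:  denied  { write } for  pid=3456 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1'

# Demo: summarise the sample and print a hint per distinct denial.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_summary | while read -r n s t cls p flag; do
  echo "$n x $s -> $t $cls {$p} permissive=$flag"
  echo "    $(avc_hint "$s" "$t" "$cls" "$p")"
done
```

On a live host replace the sample with `ausearch -m avc -ts recent | avc_summary`. The `permissive=1` column matters: those records were logged but not blocked, so a host in permissive mode shows you every denial that would bite once you switch back to enforcing.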