How to understand SELinux under Linux

1. Introduction to SELinux

SELinux is a kernel-level security mechanism; it has been integrated into the Linux kernel since version 2.6. Because SELinux lives in the kernel, changes to its main configuration file take effect only after the operating system is restarted.

The SELinux mechanism is now integrated into the mainstream Linux distributions, and CentOS/RHEL enable it by default.

System resources are read and changed by processes. To protect system resources, traditional Linux uses the concepts of users and file permissions: the user that started a process is compared against the permissions of the file to decide whether the access is allowed. This is discretionary access control (DAC). As the security requirements for system resources grew, a security-enhancement mechanism (SELinux) appeared under Linux. On top of the ordinary permissions, it adds further restrictions to processes and files, tightening the conditions for access. This is mandatory access control (MAC). The most intuitive comparison between the two is that under traditional DAC root can access any file, whereas under MAC even root can only access the files the policy allows.

The working principle is illustrated by a figure that is not reproduced here.

2. Basic concepts of SELinux

We know that the security mechanism of an operating system actually restricts two things: processes and system resources (files, network sockets, system calls, etc.).

As we learned earlier, the Linux operating system restricts access to system resources through the concepts of users and groups, and every process runs as some user.

In SELinux, two basic concepts are defined for these two things: domain and context.

2.1 Type of work

SELinux contains many rules. Each rule can be turned on or off (a Boolean value: on|off, 1|0) according to the current work type, and by switching rules on and off SELinux controls which processes may read which files.

getsebool -a or sestatus -b # List every rule under the current work type and whether it is on or off

setsebool -P <rule name> [0|1] # Turn the named rule on (1) or off (0) under the current work type. -P also writes the change to the policy file so that it is permanent

The domain is used to limit the process, and the context is used to limit the system resources.

2.2. Security context introduction

The security context exists for both processes and files. A process's context is kept in memory together with the process, and a file's context is stored in the file's inode. Therefore, when a process accesses a file, the kernel first reads the inode and then decides whether the access is allowed.

ls -Z # Display the security context of a file

ps -eZ # Display the security context of all processes

We can use the ps -Z command to view the domain information of the current process, that is, the SELinux information of the process:

[root@xiaoluo ~]# ps -Z

LABEL PID TTY TIME CMD

unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2503 pts/0 00:00:00 su

unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2511 pts/0 00:00:00 bash

unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3503 pts/0 00:00:00 ps

Through the ls -Z command we can view the file context information, that is, the SELinux information of the file:

[root@xiaoluo ~]# ls -Z

-rw------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg

drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 Desktop

-rw-r--r--+ root root system_u:object_r:admin_home_t:s0 install.log

-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log.syslog

We will explore what these fields represent later.

3. Policy

In SELinux, we control which domains can access which contexts by defining policies.

SELinux ships with many preset policies. We usually do not need to define policies ourselves unless we need to protect a particular service or program.

In CentOS/RHEL, the targeted policy is used by default. So what is the targeted policy?

The targeted policy restricts only targeted processes; non-targeted processes are not restricted by SELinux. Network-facing applications such as httpd, mysqld and dhcpd are typically targeted processes.

On CentOS, the SELinux configuration file is the selinux file in the /etc/sysconfig/ directory. We can check its contents:

[root@xiaoluo ~]# cat /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

# enforcing - SELinux security policy is enforced.

# permissive - SELinux prints warnings instead of enforcing.

# disabled - No SELinux policy is loaded.

SELINUX=enforcing

# SELINUXTYPE= can take one of these two values:

# targeted - Targeted processes are protected,

# mls - Multi Level Security protection.

SELINUXTYPE=targeted // The policy used by our CentOS is the targeted policy

4. SELinux Mode

There are three working modes of SELinux: enforcing, permissive and disabled.

① Enforcing mode: any action that violates the policy is prohibited and recorded in the kernel log

② Permissive mode: actions that violate the policy are not prohibited, but a warning message is recorded

③ Disabled mode: SELinux is turned off, which is the same as a system without SELinux. Usually, when we do not yet know much about SELinux, we set the mode to disabled so that there are no problems accessing some network applications.

As mentioned above, the main configuration file of SELinux is /etc/sysconfig/selinux

[root@xiaoluo ~]# cat /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

# enforcing - SELinux security policy is enforced.

# permissive - SELinux prints warnings instead of enforcing.

# disabled - No SELinux policy is loaded.

SELINUX=enforcing // We see that the default working mode of SELinux is enforcing

# SELINUXTYPE= can take one of these two values:

# targeted - Targeted processes are protected,

# mls - Multi Level Security protection.

SELINUXTYPE=targeted

Changing the working mode with a command is valid only for the current session. If you want the change to persist across reboots, or if you want to switch between disabled and either of the other two modes, you must edit the configuration file and then restart. The configuration file is /etc/selinux/config. You can also edit it through the /etc/sysconfig/selinux file, which is in fact a symbolic link to /etc/selinux/config.

The default working mode of SELinux is enforcing; we can change it to permissive or disabled.

If we want to view the current working status of SELinux, we can use the getenforce command to view it:

[root@xiaoluo ~]# getenforce

Enforcing

The current working mode is enforcing. To set the current SELinux working state, we can use the setenforce [0|1] command: setenforce 0 sets permissive, and 1 sets enforcing.

[Note:] Setting SELinux through setenforce is only a temporary change and is lost when the system is restarted. To make the change permanent, edit the SELinux main configuration file.

[root@xiaoluo ~]# setenforce 0

[root@xiaoluo ~]# getenforce

Permissive

[root@xiaoluo ~]# setenforce 1

[root@xiaoluo ~]# getenforce

Enforcing

We can use the ls -Z command to view the context information of our file, that is, SELinux information.

[root@xiaoluo ~]# ls -Z

-rw------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg

drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 Desktop

-rw-r--r--+ root root system_u:object_r:admin_home_t:s0 install.log

-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log.syslog

Compared with the traditional ls command, each line has an additional field such as system_u:object_r:admin_home_t:s0. Let's analyse what this label means.

system_u:object_r:admin_home_t:s0

This label is divided into four sections: the first section, system_u, is the user; the second section, object_r, is the role; the third section, admin_home_t, is the type, which is the most important piece of information in SELinux; and the last section, s0, relates to MLS and MCS, which you do not need to worry about for now.

① system_u: the SELinux user. root represents the root account identity, user_u represents an ordinary user without privileges, and system_u represents a system process. The identity type can be confirmed through the user and is generally used together with a role; different identities combined with different roles have different permissions. Although you can use the su command to switch Linux accounts, the SELinux user does not change: the user identity remains the same when switching between accounts. In the targeted policy, the user identity has no substantial effect.

② object_r: object_r is generally the role of a file or directory, and system_r is generally the role of a process; in the targeted policy, the user's role is generally system_r. The role is similar to the concept of a user group: different roles carry different permissions. A user can have multiple roles but can only use one role at a time. In the targeted policy, roles have no real effect, and the role of all processes and their files is system_r.

③ admin_home_t: the type. Both files and processes have a type (for a process it is also called the domain), and SELinux grants or denies access based on the combination of the process's type and the file's type.

5. Examples

Let's look at context values and SELinux access control through an example.

Suppose I have set up a web server. We know that the default web page location of the www server is the /var/www/html directory. If we create a new index.html test page there, start the www server, and refresh the browser, we can see its content. But if we instead create index.html in the /home directory, move it to /var/www/html, and then refresh the page, will it still display normally?

First we start our httpd service:

[root@xiaoluo ~]# service httpd restart

Stopping httpd: [ OK ]

Starting httpd: httpd: apr_sockaddr_info_get() failed for xiaoluo

httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName

[ OK ]

Then open the browser and enter our 127.0.0.1 to access. The interface you see now is the Apache test interface:

Because there is no page under /var/www/html at this time:

[root@xiaoluo home]# ll /var/www/html/

total 0

Next, we create an index.html page in the /home directory and then move it to our /var/www/html directory

[root@xiaoluo home]# vi index.html

This is a test about SELinux

[root@xiaoluo home]# mv index.html /var/www/html/

[root@xiaoluo html]# cd /var/www/html/

[root@xiaoluo html]# ls

index.html

Under normal circumstances, because there is now an index.html page in the html directory, refreshing the browser should show the index.html page.

But in fact the browser still shows the test page. Why? This is caused by our SELinux security policy. We can look at the audit.log file in the /var/log/audit directory to find the error information.

[root@xiaoluo html]# tail /var/log/audit/audit.log

type=CRED_DISP msg=audit(1369575601.957:289): user pid=3637 uid=0 auid=0 ses=44 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

type=USER_END msg=audit(1369575601.957:290): user pid=3637 uid=0 auid=0 ses=44 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

type=AVC msg=audit(1369575729.534:291): avc: denied { getattr } for pid=3619 comm="httpd" path="/var/www/html/index.html" dev=sda2 ino=538738 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file

type=SYSCALL msg=audit(1369575729.534:291): arch=c000003e syscall=4 success=no exit=-13 a0=7f34198634f8 a1=7fffbc87bee0 a2=7fffbc87bee0 a3=7f341985ff60 items=0 ppid=3612 pid=3619 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1369575729.535:292): avc: denied { getattr } for pid=3619 comm="httpd" path="/var/www/html/index.html" dev=sda2 ino=538738 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file

type=SYSCALL msg=audit(1369575729.535:292): arch=c000003e syscall=6 success=no exit=-13 a0=7f34198635c8 a1=7fffbc87bee0 a2=7fffbc87bee0 a3=1 items=0 ppid=3612 pid=3619 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1369575736.549:293): avc: denied { getattr } for pid=3618 comm="httpd" path="/var/www/html/index.html" dev=sda2 ino=538738 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file

type=SYSCALL msg=audit(1369575736.549:293): arch=c000003e syscall=4 success=no exit=-13 a0=7f34198634f8 a1=7fffbc87bee0 a2=7fffbc87bee0 a3=7f341985ff60 items=0 ppid=3612 pid=3618 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1369575736.549:294): avc: denied { getattr } for pid=3618 comm="httpd" path="/var/www/html/index.html" dev=sda2 ino=538738 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file

type=SYSCALL msg=audit(1369575736.549:294): arch=c000003e syscall=6 success=no exit=-13 a0=7f34198635c8 a1=7fffbc87bee0 a2=7fffbc87bee0 a3=1 items=0 ppid=3612 pid=3618 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

From this log file, we can see that the reason why the index.html page does not appear when refreshing is due to our SELinux security policy.
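To make the label format of section 2.2 and the audit analysis of this section concrete, here is an added Python example (not from the original article) that splits a security context into its four fields, extracts the AVC denial records from audit.log-style lines, counts them by source type, target type, class and permission, and suggests restorecon when the target's type differs from the expected one. The sample lines are constructed to mirror the excerpt above, and the expected type httpd_sys_content_t is the directory label shown later in this section; the function names are the example's own.

```python
import re
from collections import Counter

# Constructed sample in the format of the audit.log excerpt above (two AVC
# denials plus one unrelated record); not copied from a live system.
SAMPLE_AUDIT = """\
type=USER_END msg=audit(1369575601.957:290): user pid=3637 uid=0 auid=0 ses=44 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" res=success'
type=AVC msg=audit(1369575729.534:291): avc: denied { getattr } for pid=3619 comm="httpd" path="/var/www/html/index.html" dev=sda2 ino=538738 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
type=AVC msg=audit(1369575736.549:293): avc: denied { getattr } for pid=3618 comm="httpd" path="/var/www/html/index.html" dev=sda2 ino=538738 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
"""

AVC_RE = re.compile(r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
                    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for (?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"


def parse_context(label):
    """Split user:role:type[:mls] into fields. The MLS/MCS range is optional
    and may itself contain ':' (e.g. s0-s0:c0.c1023), hence maxsplit=3."""
    parts = label.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {label!r}")
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "mls": parts[3] if len(parts) == 4 else ""}


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other record."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
            "perms": m.group("perms").split(), "comm": fields.get("comm"),
            "path": fields.get("path"), "tclass": fields.get("tclass"),
            "source": parse_context(fields["scontext"]),
            "target": parse_context(fields["tcontext"])}


def summarize_denials(log_text):
    """Count denials by (source type, target type, class, permission): the
    tuple an admin needs in order to decide whether a label is wrong."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(rec["source"]["type"], rec["target"]["type"],
                    rec["tclass"], perm)] += 1
    return counts


def suggest_fix(rec, expected_type):
    """If the target carries a type other than the one the directory's default
    labelling expects (httpd_sys_content_t under /var/www/html), the remedy is
    restorecon; otherwise the label is fine and a policy rule must be checked."""
    actual = rec["target"]["type"]
    if actual != expected_type:
        return f"restorecon -v {rec['path']}  # {actual} -> {expected_type}"
    return f"label {actual} is correct; check rules with getsebool -a"


if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE_AUDIT).items():
        print(n, "x", key)
    first = next(r for r in map(parse_avc, SAMPLE_AUDIT.splitlines()) if r)
    print(suggest_fix(first, "httpd_sys_content_t"))
```

Run against a real file with summarize_denials(open("/var/log/audit/audit.log").read()); the same tuple keeps coming up for every refresh, which is why the log shows repeated getattr denials for the same inode.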

Let's use the ls -Z command to look at the context information of the index.html that has just been moved.

[root@xiaoluo html]# ls -Z

-rw-r--r--. root root unconfined_u:object_r:home_root_t:s0 index.html

We find that the type in its third field is home_root_t. Why? Because we created this index.html file in the /home directory, it inherited the SELinux type of its parent directory by default. We can check the context of the /home directory:

[root@xiaoluo html]# ls -Z -d /home/

drwxr-xr-x. root root system_u:object_r:home_root_t:s0 /home/

We can see that its third field is the same as that of the index.html we just looked at. This shows that a file's context value is affected by its parent directory: in general, files inherit the context value of the parent directory. However, files and directories created when a service is installed are an exception and do not inherit the parent's context; the service defines their context values itself. For example, before the httpd service is installed there is no www directory under /var/. After installing httpd, the service creates the directories it needs and assigns the context values of the directories and files related to the service, which do not inherit the context value of the parent directory.

[root@xiaoluo html]# ls -Z -d /var

drwxr-xr-x. root root system_u:object_r:var_t:s0 /var

[root@xiaoluo html]# ls -Z -d /var/www/html/

drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/

We now see that the context type of our /var/www/html directory is httpd_sys_content_t, while the type of the index.html we moved in is home_root_t. Because the SELinux working mode is enforcing, actions that violate the policy are prohibited, so when we refresh the page the content of index.html does not appear. How should we solve this problem?

There are usually two solutions:

① Set the SELinux working mode to disabled, so that the policy no longer intercepts anything; but then the system loses SELinux protection altogether

② Restore the file's context information with the restorecon or chcon command

The restorecon command restores the default context of a file:

restorecon -R -v /var/www/html/index.html // -R means recursive: if the argument is a directory, all subdirectories and files under it are restored as well. -v prints each change

The chcon command changes the context of a file directly. Usually we use a reference file as the source of the new context:

chcon --reference=/var/www/html/index.html /var/www/html/test.html

Here we restore the default context of our file by using the restorecon command:

[root@xiaoluo html]# restorecon -v index.html

restorecon reset /var/www/html/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0

[root@xiaoluo html]# ls -Z

-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html

We can see that after running restorecon, the context of index.html has taken on the same type as its parent directory html. Refreshing the page now shows the content of index.html.

Through this example, we understand the relationship between a file's context information and SELinux, know how to find the error by reading the log file /var/log/audit/audit.log, and know how to repair a file's context information with the restorecon command.

6. SELinux log management

The records of processes blocked by SELinux are stored in the /var/log/audit/audit.log file. However, this file is very hard to read; run cat /var/log/audit/audit.log to see for yourself. The system therefore provides the sealert tool, which analyses and organises the log file for us. sealert takes a little time to process the log file, so be patient.

In addition, SELinux logging requires the auditd.service service to be enabled.

Let's learn the sealert tool through an example (Apache SELinux configuration):

1. Make sure the httpd service is configured on this machine and is running.

2. The /usr/sbin/httpd command starts a process that reads files ending in .html in the /var/www/html/ directory. Create a file ~/index.html in your home directory, write any content into it, and then move the newly created file to /var/www/html/.

3. Enter the local IP in the browser's address bar to check whether the page loads. When the following interface appears, the access has failed.

4. We have made sure the service itself is configured correctly, so at this point we should suspect that SELinux is blocking the access. Run

sealert -a /var/log/audit/audit.log

to read the SELinux log, and search for the keyword httpd. The part of the output we care about is the explanation sealert gives for the httpd denial; the rest is the raw content of /var/log/audit/audit.log, which we can ignore. Finally, we choose the fix that requires the fewest changes, which is to correct the SELinux label.

5. Execute the command

restorecon -v /var/www/html/index.html

This resets the file to the default label that httpd is allowed to read.

6. Access the page with the browser again and view the result. This time it succeeds.
