Context format: user:role:type:sensitivity (the sensitivity part is optional)
Examples:
user_u:user_r:user_t
system_u:object_r:lib_t
Policy rules:
allow user_t bin_t:file { execute };
allow user_t user_bin_t:file { execute };
Access controls
type enforcement
SELinux rules are written in terms of types (type enforcement):
allow user_t lib_t:file { execute };
An access vector rule contains:
- the source context (such as user_t)
- the target context (such as lib_t)
- the class of the target (such as file)
- the activity that is invoked (such as execute)
ls /sys/fs/selinux/class
ls /sys/fs/selinux/class/file/perms/
ls /sys/fs/selinux/class/tcp_socket/perms/
Role-based access control
Roles are like caps that a user can put on. A user is always assigned to a role, but can decide to switch roles. In SELinux, roles decide which types a process context can be in. Types for processes are also called domains.
Example roles:
user_r,
staff_r,
sysadm_r,
dbadm_r,
seinfo -ruser_r -x
User-based access control
seinfo -ustaff_u -x
semanage user -l
semanage login -l
ls -ldZ /home/userA/somefile /home/userB/somefile
-rwx------. userA userA userA_u:object_r:user_home_t /home/userA/somefile
-rwxrw-rw-. userB userB userB_u:object_r:user_home_t /home/userB/somefile
allow user_t user_home_t:dir { read write execute close open ... };
allow user_t user_home_t:file { read write execute close open ... };
Multi-level security (sensitivity)
user_u:user_r:user_t:s0
sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1024
The MLS field is a level, or a low-high range of levels (s0-s0:c0.c1024 above), and each level has two parts:
- The first part is the sensitivity level, which is an integer representation
- The second part is the category set, which are integers as well
s0 is public data, s1 internal, s2 confidential and s3 strictly confidential.
A few examples of category sets are:
- c0 meaning category 0
- c0,c4 meaning categories 0 and 4
- c0.c4 meaning categories 0 up to 4 (so 0, 1, 2, 3 and 4)
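The context and MLS notation above, as an added shell example that is not part of the original page: it splits a context into its four fields, handles the fact that a level range itself contains a colon, and expands category expressions of the three forms listed. The contexts fed to it in the comments are constructed samples.

```shell
# Added example (not from the original page): split a security context into its
# fields and expand MLS category expressions. All contexts here are constructed.

# The first three colon-separated fields are fixed; the MLS level is everything
# after the third colon, because a range such as s0-s0:c0.c1024 contains a
# colon of its own and a naive split on ':' would truncate it.
ctx_user()  { printf '%s\n' "$1" | cut -d: -f1; }
ctx_role()  { printf '%s\n' "$1" | cut -d: -f2; }
ctx_type()  { printf '%s\n' "$1" | cut -d: -f3; }
ctx_level() { printf '%s\n' "$1" | cut -d: -f4-; }   # empty if the context has no level

# Low and high end of a level range ("s0-s0:c0.c1024" -> "s0" / "s0:c0.c1024");
# a single level such as "s0" is both its own low and high.
level_low()  { printf '%s\n' "${1%%-*}"; }
level_high() { printf '%s\n' "${1#*-}"; }

# Expand a category expression: "c0" -> "c0", "c0,c4" -> "c0 c4",
# "c0.c4" -> "c0 c1 c2 c3 c4"; the two forms may be mixed ("c0.c2,c5").
expand_categories() {
    out=""
    old_ifs=$IFS
    IFS=,
    set -- $1            # split the expression on commas
    IFS=$old_ifs
    for item in "$@"; do
        case $item in
            c*.c*)       # range cN.cM: expand to every category from N to M
                lo=${item%%.*}; lo=${lo#c}
                hi=${item##*.}; hi=${hi#c}
                i=$lo
                while [ "$i" -le "$hi" ]; do
                    out="$out c$i"
                    i=$((i + 1))
                done ;;
            c*) out="$out $item" ;;   # single category
            *)  printf 'bad category expression: %s\n' "$item" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# Categories of the high end of a context's level, e.g. for
# sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c3 this prints "c0 c1 c2 c3";
# prints an empty line for a context without categories.
ctx_high_categories() {
    high=$(level_high "$(ctx_level "$1")")
    case $high in
        *:*) expand_categories "${high#*:}" ;;
        *)   printf '\n' ;;
    esac
}
```

Expanding c0.c1024 yields 1025 entries, which is why tools such as mcstrans exist to show such ranges in a readable form; the splitting rule in ctx_level is the same one needed when parsing the scontext= and tcontext= fields of an AVC record.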
sestatus
id -Z ##context of current session
ls -lZ metadata.xml ## file context
ps -eZ | grep init ## process context
seinfo --portcon=80 ##port context
Manage Label
chcon -t net_conf_t /etc/resolv.conf
restorecon /etc/resolv.conf
semanage fcontext -l | grep resolv
semanage fcontext -a -t net_conf_t /etc/puppet-resolv\.conf
https://wiki.gentoo.org/wiki/SELinux/Quick_introduction
https://wiki.gentoo.org/wiki/SELinux/Users_and_logins
RHEL Guide
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/index
- policycoreutils provides utilities such as restorecon, secon, setfiles, semodule, load_policy, and setsebool, for operating and managing SELinux.
- selinux-policy provides a basic directory structure, the selinux-policy.conf file, and RPM macros.
- selinux-policy-targeted provides the SELinux targeted policy.
- libselinux provides an API for SELinux applications.
- libselinux-utils provides the avcstat, getenforce, getsebool, matchpathcon, selinuxconlist, selinuxdefcon, selinuxenabled, and setenforce utilities.
- libselinux-python provides Python bindings for developing SELinux applications.
- selinux-policy-devel provides utilities for creating a custom SELinux policy and policy modules.
- selinux-policy-doc provides manual pages that describe how to configure SELinux together with various services.
- selinux-policy-mls provides the MLS (Multi-Level Security) SELinux policy.
- setroubleshoot-server translates denial messages, produced when access is denied by SELinux, into detailed descriptions that can be viewed with the sealert utility, also provided in this package.
- setools-console provides the Tresys Technology SETools distribution, a number of utilities and libraries for analyzing and querying policy, audit log monitoring and reporting, and file context management. The setools package is a meta-package for SETools. The setools-gui package provides the apol and seaudit utilities. The setools-console package provides the sechecker, sediff, seinfo, sesearch, and findcon command-line utilities. See the Tresys Technology SETools page for information about these utilities. Note that the setools and setools-gui packages are available only when the Red Hat Network Optional channel is enabled. For further information, see Scope of Coverage Details.
- mcstrans translates levels, such as s0-s0:c0.c1023, to a form that is easier to read, such as SystemLow-SystemHigh.
- policycoreutils-python provides utilities such as semanage, audit2allow, audit2why, and chcat, for operating and managing SELinux.
- policycoreutils-gui provides system-config-selinux, a graphical utility for managing SELinux.
setroubleshoot-server
audit logs: /var/log/audit/audit.log
- The sedispatch utility runs as a part of the audit subsystem. When an AVC denial message is returned, sedispatch sends a message using dbus. These messages go straight to setroubleshootd if it is already running. If it is not running, sedispatch starts it automatically.
- The seapplet utility runs in the system toolbar, waiting for dbus messages in setroubleshootd. It launches the notification bubble, allowing the user to review AVC messages.
ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today
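A first-pass triage of what ausearch prints, as an added shell example that is not part of the original page: it groups AVC denials by source context, target context, class and permissions, and separately lists the file and directory denials, which (as the chcon/restorecon section notes) are often a wrong file type rather than a missing rule. The audit records in SAMPLE_AUDIT are constructed in the format ausearch emits, not real logs.

```shell
# Added example (not from the original page): summarize AVC denials for triage.
# SAMPLE_AUDIT holds constructed records in ausearch's output format.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.456:457): avc:  denied  { read } for  pid=1235 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.789:458): avc:  denied  { read } for  pid=1236 comm="httpd" name="style.css" dev="dm-0" ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.789:458): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0'

# Reads audit records on stdin and prints one line per distinct denial:
# "<count> <scontext> <tcontext> <tclass> <perms>" (perms comma-joined).
# Non-AVC records (SYSCALL, USER_AVC without a denial, ...) are skipped.
avc_summary() {
    awk '
        /^type=AVC / && /avc: +denied/ {
            perms = $0
            sub(/.*denied +[{] /, "", perms)   # drop everything before "{ perms }"
            sub(/ [}].*/, "", perms)            # and everything after it
            gsub(/ /, ",", perms)
            s = t = c = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) s = substr($i, 10)
                else if ($i ~ /^tcontext=/) t = substr($i, 10)
                else if ($i ~ /^tclass=/) c = substr($i, 8)
            }
            print s, t, c, perms
        }' | sort | uniq -c | sed 's/^ *//'
}

# Target contexts of file/dir denials: the labels to check with ls -Z and
# matchpathcon (and fix with restorecon) before reaching for booleans or
# audit2allow.
avc_label_candidates() {
    avc_summary | awk '$4 == "file" || $4 == "dir" { print $3 }'
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
```

On a real host the input would come from ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today; the tcp_socket denial against mysqld_port_t in the sample is the kind of case the booleans section covers (httpd_can_network_connect_db), while the two user_home_t file denials are a labeling question, and audit2why explains the remaining ones.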
- If SELinux was disabled with the selinux=0 kernel parameter, relabel the file system when enabling it again:
touch /.autorelabel
Booleans allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. This allows changes, such as allowing services access to NFS volumes, without reloading or recompiling SELinux policy.
getsebool -a
abrt_anon_write --> off
abrt_handle_event --> on
abrt_upload_watch_anon_write --> on
antivirus_can_scan_system --> off
antivirus_use_jit --> off
auditadm_exec_content --> on
authlogin_nsswitch_use_ldap --> off
authlogin_radius --> off
authlogin_yubikey --> off
awstats_purge_apache_log_files --> off
boinc_execmem --> on
cdrecord_read_content --> off
cluster_can_network_connect --> off
cluster_manage_all_files --> off
cluster_use_execmem --> off
cobbler_anon_write --> off
cobbler_can_network_connect --> off
cobbler_use_cifs --> off
cobbler_use_nfs --> off
collectd_tcp_network_connect --> off
colord_use_nfs --> off
condor_tcp_network_connect --> off
conman_can_network --> off
conman_use_nfs --> off
cron_can_relabel --> off
cron_system_cronjob_use_shares --> off
cron_userdomain_transition --> on
cups_execmem --> off
cvs_read_shadow --> off
daemons_dontaudit_scheduling --> on
daemons_dump_core --> off
daemons_enable_cluster_mode --> off
daemons_use_tcp_wrapper --> off
daemons_use_tty --> off
dbadm_exec_content --> on
dbadm_manage_user_files --> off
dbadm_read_user_files --> off
deny_bluetooth --> off
deny_execmem --> off
deny_ptrace --> off
dhcpc_exec_iptables --> off
dhcpd_use_ldap --> off
dnsmasq_use_ipset --> off
domain_can_mmap_files --> off
domain_can_write_kmsg --> off
domain_fd_use --> on
domain_kernel_load_modules --> off
entropyd_use_audio --> on
exim_can_connect_db --> off
exim_manage_user_files --> off
exim_read_user_files --> off
fcron_crond --> off
fenced_can_network_connect --> off
fenced_can_ssh --> off
fips_mode --> on
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
git_cgi_enable_homedirs --> off
git_cgi_use_cifs --> off
git_cgi_use_nfs --> off
git_session_bind_all_unreserved_ports --> off
git_session_users --> off
git_system_enable_homedirs --> off
git_system_use_cifs --> off
git_system_use_nfs --> off
gitosis_can_sendmail --> off
glance_api_can_network --> off
glance_use_execmem --> off
glance_use_fusefs --> off
global_ssp --> off
gluster_anon_write --> off
gluster_export_all_ro --> off
gluster_export_all_rw --> on
gluster_use_execmem --> off
gpg_web_anon_write --> off
gssd_read_tmp --> on
guest_exec_content --> on
haproxy_connect_any --> off
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_manage_courier_spool --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_redis --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> off
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_opencryptoki --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
icecast_use_any_tcp_ports --> off
init_audit_control --> on
init_create_dirs --> on
irc_use_any_tcp_ports --> off
irssi_use_full_network --> off
kdumpgui_run_bootloader --> off
keepalived_connect_any --> off
kerberos_enabled --> on
ksmtuned_use_cifs --> off
ksmtuned_use_nfs --> off
logadm_exec_content --> on
logging_syslogd_append_public_content --> off
logging_syslogd_can_sendmail --> off
logging_syslogd_list_non_security_dirs --> off
logging_syslogd_run_nagios_plugins --> off
logging_syslogd_use_tty --> on
login_console_enabled --> on
logrotate_read_inside_containers --> off
logrotate_use_cifs --> off
logrotate_use_fusefs --> off
logrotate_use_nfs --> off
logwatch_can_network_connect_mail --> off
lsmd_plugin_connect_any --> off
mailman_use_fusefs --> off
mcelog_client --> off
mcelog_exec_scripts --> on
mcelog_foreground --> off
mcelog_server --> off
minidlna_read_generic_user_content --> off
mmap_low_allowed --> off
mock_enable_homedirs --> off
mount_anyfile --> on
mozilla_plugin_bind_unreserved_ports --> off
mozilla_plugin_can_network_connect --> on
mozilla_plugin_use_bluejeans --> off
mozilla_plugin_use_gps --> off
mozilla_plugin_use_spice --> off
mozilla_read_content --> off
mpd_enable_homedirs --> off
mpd_use_cifs --> off
mpd_use_nfs --> off
mplayer_execstack --> off
mysql_connect_any --> off
mysql_connect_http --> off
nagios_run_pnp4nagios --> off
nagios_run_sudo --> off
nagios_use_nfs --> off
named_tcp_bind_http_port --> off
named_write_master_zones --> on
neutron_can_network --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> on
nfsd_anon_write --> off
nis_enabled --> off
nscd_use_shm --> on
openfortivpn_can_network_connect --> on
openshift_use_nfs --> off
openvpn_can_network_connect --> on
openvpn_enable_homedirs --> on
openvpn_run_unconfined --> off
pcp_bind_all_unreserved_ports --> off
pcp_read_generic_logs --> off
pdns_can_network_connect_db --> off
piranha_lvs_can_network_connect --> off
polipo_connect_all_unreserved --> off
polipo_session_bind_all_unreserved_ports --> off
polipo_session_users --> off
polipo_use_cifs --> off
polipo_use_nfs --> off
polyinstantiation_enabled --> off
postfix_local_write_mail_spool --> on
postgresql_can_rsync --> off
postgresql_selinux_transmit_client_label --> off
postgresql_selinux_unconfined_dbadm --> on
postgresql_selinux_users_ddl --> on
pppd_can_insmod --> off
pppd_for_user --> off
privoxy_connect_any --> on
prosody_bind_http_port --> off
puppetagent_manage_all_files --> off
puppetmaster_use_db --> off
racoon_read_shadow --> off
radius_use_jit --> off
redis_enable_notify --> off
rngd_execmem --> off
rpcd_use_fusefs --> off
rsync_anon_write --> off
rsync_client --> off
rsync_export_all_ro --> off
rsync_full_access --> off
rsync_sys_admin --> off
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_load_libgfapi --> off
samba_portmapper --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_enable_home_dirs --> off
sanlock_use_fusefs --> off
sanlock_use_nfs --> off
sanlock_use_samba --> off
saslauthd_read_shadow --> off
screen_allow_session_sharing --> off
secadm_exec_content --> on
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
selinuxuser_direct_dri_enabled --> on
selinuxuser_execheap --> off
selinuxuser_execmod --> on
selinuxuser_execstack --> on
selinuxuser_mysql_connect_enabled --> off
selinuxuser_ping --> on
selinuxuser_postgresql_connect_enabled --> off
selinuxuser_rw_noexattrfile --> on
selinuxuser_share_music --> off
selinuxuser_tcp_server --> off
selinuxuser_udp_server --> off
selinuxuser_use_ssh_chroot --> off
sge_domain_can_network_connect --> off
sge_use_nfs --> off
smartmon_3ware --> off
smbd_anon_write --> off
spamassassin_can_network --> off
spamd_enable_home_dirs --> on
spamd_update_can_network --> off
squid_bind_snmp_port --> off
squid_connect_any --> on
squid_use_tproxy --> off
ssh_chroot_rw_homedirs --> off
ssh_keysign --> off
ssh_sysadm_login --> off
ssh_use_tcpd --> off
sslh_can_bind_any_port --> off
sslh_can_connect_any_port --> off
sssd_access_kernel_keys --> off
sssd_connect_all_unreserved_ports --> off
sssd_use_usb --> off
staff_exec_content --> on
staff_use_svirt --> off
swift_can_network --> off
sysadm_exec_content --> on
systemd_socket_proxyd_bind_any --> off
systemd_socket_proxyd_connect_any --> off
telepathy_connect_all_ports --> off
telepathy_tcp_connect_generic_network_ports --> on
tftp_anon_write --> off
tftp_home_dir --> off
tmpreaper_use_cifs --> off
tmpreaper_use_nfs --> off
tmpreaper_use_samba --> off
tomcat_can_network_connect_db --> off
tomcat_read_rpm_db --> off
tomcat_use_execmem --> off
tor_bind_all_unreserved_ports --> off
tor_can_network_relay --> off
tor_can_onion_services --> off
unconfined_chrome_sandbox_transition --> on
unconfined_dyntrans_all --> off
unconfined_login --> on
unconfined_mozilla_plugin_transition --> on
unprivuser_use_svirt --> off
use_ecryptfs_home_dirs --> off
use_fusefs_home_dirs --> off
use_lpd_server --> off
use_nfs_home_dirs --> off
use_samba_home_dirs --> off
use_virtualbox --> on
user_exec_content --> on
varnishd_connect_any --> off
virt_lockd_blk_devs --> off
virt_qemu_ga_manage_ssh --> off
virt_qemu_ga_read_nonsecurity_files --> off
virt_qemu_ga_run_unconfined --> off
virt_read_qemu_ga_data --> off
virt_rw_qemu_ga_data --> off
virt_sandbox_share_apache_content --> off
virt_sandbox_use_all_caps --> on
virt_sandbox_use_audit --> on
virt_sandbox_use_fusefs --> off
virt_sandbox_use_mknod --> off
virt_sandbox_use_netlink --> off
virt_sandbox_use_sys_admin --> off
virt_transition_userdomain --> off
virt_use_comm --> off
virt_use_execmem --> off
virt_use_fusefs --> off
virt_use_glusterd --> off
virt_use_nfs --> off
virt_use_pcscd --> off
virt_use_rawip --> off
virt_use_samba --> off
virt_use_sanlock --> off
virt_use_usb --> on
virt_use_xserver --> off
webadm_manage_user_files --> off
webadm_read_user_files --> off
wine_mmap_zero_ignore --> off
xdm_bind_vnc_tcp_port --> off
xdm_exec_bootloader --> off
xdm_manage_bootloader --> on
xdm_sysadm_login --> off
xdm_write_home --> off
xen_use_nfs --> off
xend_run_blktap --> on
xend_run_qemu --> on
xguest_connect_network --> on
xguest_exec_content --> on
xguest_mount_media --> on
xguest_use_bluetooth --> on
xserver_clients_write_xshm --> off
xserver_execmem --> off
xserver_object_manager --> off
zabbix_can_network --> off
zabbix_run_sudo --> off
zarafa_setrlimit --> off
zebra_write_config --> off
zoneminder_anon_write --> off
zoneminder_run_sudo --> off
getsebool httpd_can_network_connect_db
setsebool httpd_can_network_connect_db on
permanent config
setsebool -P httpd_can_network_connect_db on
ls -Z file1
ls -dZ /etc
The chcon command changes the SELinux context for files. However, changes made with the chcon command are not persistent across file-system relabels, or the execution of the restorecon command. SELinux policy controls whether users are able to modify the SELinux context for any given file. When using chcon, users provide all or part of the SELinux context to change. An incorrect file type is a common cause of SELinux denying access.
chcon -t type file-name
chcon -t httpd_sys_content_t file-name
chcon -R -t type directory-name
chcon -R -t httpd_sys_content_t directory-name
touch file1
ls -Z file1
unconfined_u:object_r:user_home_t:s0 file1
chcon -t samba_share_t file1
ls -Z file1
unconfined_u:object_r:samba_share_t:s0 file1
restorecon -v file1
In this example, the previous type, samba_share_t, is restored to the correct user_home_t type.
When using targeted policy (the default SELinux policy in Red Hat Enterprise Linux), the restorecon command reads the files in the /etc/selinux/targeted/contexts/files/ directory, to see which SELinux context files should have.
chcon -R -t httpd_sys_content_t /web/
restorecon -R -v /web/
permanent change
semanage fcontext -C -l
Changes made by semanage fcontext are used by the following utilities. The setfiles utility is used when a file system is relabeled and the restorecon utility restores the default SELinux contexts. This means that changes made by semanage fcontext are persistent, even if the file system is relabeled. SELinux policy controls whether users are able to modify the SELinux context for any given file.
semanage fcontext -a options file-name|directory-name
restorecon -v file-name|directory-name
semanage fcontext -a -t samba_share_t /etc/file1
semanage fcontext -C -l
restorecon -v /etc/file1
restorecon reset /etc/file1 context unconfined_u:object_r:etc_t:s0->system_u:object_r:samba_share_t:s0
Because semanage added an entry to file_contexts.local for /etc/file1, restorecon changes the type to samba_share_t.
semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
The -a option adds a new record, and the -t option defines a type (httpd_sys_content_t). The "/web(/.*)?" regular expression causes semanage to apply changes to web/, as well as the files in it. Note that running this command does not directly change the type; web/ and the files in it are still labeled with the default_t type.
restorecon -R -v /web
deleting context
semanage fcontext -d "/web(/.*)?"
semanage fcontext -d file-name|directory-name
semanage fcontext -d /test
Based on the system policy, semanage generates the file_contexts.homedirs and file_contexts files; local changes are made with the semanage fcontext command, and such customizations are stored in the file_contexts.local file.
When a utility such as matchpathcon or restorecon is determining the proper label for a given path, it searches for local changes first (file_contexts.local). If the utility does not find a matching pattern, it searches the file_contexts.homedirs file and finally the file_contexts file. However, whenever a match for a given file path is found, the search ends; the utility does not look for any additional file-context definitions. This means that home directory-related file contexts have higher priority than the rest, and local customizations override the system policy.
The system policy (contents of the file_contexts.homedirs and file_contexts files) is sorted by the length of the stem (prefix of the path before any wildcard) before evaluation, so the most specific path is chosen. However, file-context definitions specified using semanage fcontext are evaluated in reverse order to how they were defined: the latest entry is evaluated first regardless of the stem length.
The files in the /etc/selinux/targeted/contexts/files/ directory define contexts for files and directories. Files in this directory are read by the restorecon and setfiles utilities to restore files and directories to their default contexts.
mounting with a context
mount server:/export /local/mount/point -o context="system_u:object_r:httpd_sys_content_t:s0"
mount /dev/sda2 /test/ -o defcontext="system_u:object_r:samba_share_t:s0"
mount server:/export /local/mount/point -o context="system_u:object_r:httpd_sys_content_t:s0"
mount server:/export/web /local/web -o context="system_u:object_r:httpd_sys_content_t:s0"
mount server:/export/web /local/web -o nosharecache,context="system_u:object_r:httpd_sys_content_t:s0"
mount server:/export/database /local/database -o \ nosharecache,context="system_u:object_r:mysqld_db_t:s0"
/etc/fstab
server:/export /local/mount/ nfs context="system_u:object_r:httpd_sys_content_t:s0" 0 0
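The lookup order described before the mount examples (file_contexts.local first, latest entry first; then file_contexts.homedirs and file_contexts, longest stem wins), as an added shell example that is not part of the original page. The three tables are constructed entries in file_contexts syntax; the patterns, the /web and /web/private paths and the samba_share_t/httpd_sys_content_t assignments are hypothetical, not a real policy. On a real system matchpathcon answers the same question against the files under /etc/selinux/targeted/contexts/files/.

```shell
# Added example (not from the original page): emulate the matchpathcon/restorecon
# lookup order over constructed file_contexts tables (pattern [type] context).
FC_SYSTEM='/.*                 system_u:object_r:default_t:s0
/etc/resolv\.conf   system_u:object_r:net_conf_t:s0
/etc(/.*)?          system_u:object_r:etc_t:s0
/var/www(/.*)?      system_u:object_r:httpd_sys_content_t:s0'
FC_HOMEDIRS='/home/[^/]+(/.*)?  unconfined_u:object_r:user_home_t:s0'
# Local customizations in the order they were added with semanage fcontext -a:
# the narrower /web/private entry came first, the broader /web entry later.
FC_LOCAL='/web/private(/.*)?  system_u:object_r:samba_share_t:s0
/web(/.*)?          system_u:object_r:httpd_sys_content_t:s0'

# System tables: among all patterns matching the path, the one with the longest
# stem (literal prefix before the first regex metacharacter) wins.
fc_match_longest_stem() {
    printf '%s\n' "$1" | awk -v p="$2" '
        function stem_len(s,  n) {
            n = 0
            while (n < length(s) && index("[]^$?*+|(){}\\.", substr(s, n + 1, 1)) == 0) n++
            return n
        }
        NF >= 2 && p ~ ("^" $1 "$") {
            n = stem_len($1)
            if (n > best) { best = n; ctx = $NF }
        }
        END { if (ctx != "") print ctx }'
}

# file_contexts.local: evaluated latest entry first; the first match ends it,
# whatever its stem length.
fc_match_local() {
    printf '%s\n' "$1" | awk -v p="$2" '
        NF >= 2 { pat[NR] = $1; ctx[NR] = $NF }
        END { for (i = NR; i >= 1; i--) if (p ~ ("^" pat[i] "$")) { print ctx[i]; exit } }'
}

# Full lookup: local, then homedirs, then the system file_contexts; the first
# table that yields a match ends the search.
fc_lookup() {
    hit=$(fc_match_local "$FC_LOCAL" "$1")
    [ -n "$hit" ] || hit=$(fc_match_longest_stem "$FC_HOMEDIRS" "$1")
    [ -n "$hit" ] || hit=$(fc_match_longest_stem "$FC_SYSTEM" "$1")
    printf '%s\n' "${hit:-<<none>>}"
}

# Stand-alone run: note that /web/private/secret.txt resolves to the /web entry.
for path in /etc/resolv.conf /etc/hosts /home/john/notes.txt /web/private/secret.txt /opt/tool; do
    printf '%s -> %s\n' "$path" "$(fc_lookup "$path")"
done
```

fc_lookup /web/private/secret.txt returns httpd_sys_content_t rather than samba_share_t because the broader /web entry was added later and local entries are evaluated latest first; in the system table, by contrast, /etc/resolv.conf gets net_conf_t because the stem /etc/resolv is longer than /etc. This is why a later, broad semanage fcontext -a pattern can silently shadow an earlier specific one, and why semanage fcontext -C -l is worth reading before running restorecon -R.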
cp has options to preserve the context of the original file, such as --preserve=context. SELinux policy may prevent contexts from being preserved during copies.
cp --preserve=context file1 /var/www/html/
With --preserve=context the copy keeps the original file's type (user_home_t here) instead of taking the type of the destination directory.
tar -xvf archive.tar | restorecon -f -
tar --selinux -cf test.tar file{1,2,3}
avcstat
lookups hits misses allocs reclaims frees
65159479 65150996 8483 8483 7888 7974
seinfo
seinfo -adomain -x
seinfo -aunconfined_domain_type -x
seinfo --permissive -x
sesearch --role_allow -t httpd_sys_content_t
sesearch --allow
sesearch --dontaudit
ls /etc/selinux/targeted/active/modules
semodule -X 400 -i sandbox.pp
semodule --list-modules=full | grep sandbox
semodule -X 400 -r sandbox
semodule -d MODULE_NAME
sudo dnf5 install selinux-policy-mls
fixfiles -F onboot
this creates /.autorelabel
grep "SELinux is preventing" /var/log/messages
useradd -Z staff_u john
semanage login -l
semanage login --modify --range s2:c100 john
chcon -R -l s2:c100 /home/john
tail -n 3 /etc/security/namespace.conf
/tmp /tmp-inst/ level root,adm
/var/tmp /var/tmp/tmp-inst/ level root,adm
$HOME $HOME/$USER.inst/ level
grep namespace /etc/pam.d/login
session required pam_namespace.so