Looking into SELinux

Once SELinux is configured it can be in three modes:

  • Disabled: SELinux is not policing access
  • Permissive: SELinux allows all access but logs access violations
  • Enforcing: SELinux is actively policing access

The mode can be set either on the kernel command line or in the SELinux configuration file; at runtime, getenforce reports the current mode and setenforce switches between permissive and enforcing.

The Linux kernel command-line accepts the following SELinux-related parameters:

  • selinux=0 or selinux=1: This disables or enables SELinux respectively
  • enforcing=0 or enforcing=1: This boots into permissive mode (the kernel's default) or into enforcing mode

The root filesystem contains a configuration file in /etc/selinux/config with a SELINUX variable that controls the security mode:

  • SELINUX=disabled
  • SELINUX=permissive
  • SELINUX=enforcing
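The two boot-time sources above (kernel command line and /etc/selinux/config) can be checked offline, which is useful when auditing an image before it is flashed. The following is an added example, not code from the book: it parses a constructed copy of the config file and a constructed kernel command line and reports the mode the system would come up in. The precedence it encodes is an assumption stated in the code: selinux=0 disables SELinux regardless of the file, an explicit enforcing= parameter wins over the SELINUX= line (this is how libselinux's policy-loading code treats /proc/cmdline), and with no SELINUX= line at all it falls back to the permissive default the text mentions.

```python
"""Resolve the SELinux mode a system boots into from /etc/selinux/config
and the kernel command line.  Added example; the sample file and the
command lines in the tests are constructed, not copied from a real host."""
import re

VALID_MODES = {"disabled", "permissive", "enforcing"}

# Constructed sample of /etc/selinux/config, with the comments and the
# unrelated SELINUXTYPE= line that real files carry.
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= selects the policy to load.
SELINUXTYPE=targeted
"""


def parse_selinux_config(text):
    """Return the SELINUX= value from config text, or None if the line is
    absent.  Comments and blank lines are skipped and the value is validated
    against the three modes the file accepts."""
    mode = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "SELINUX":
            value = value.strip().lower()
            if value not in VALID_MODES:
                raise ValueError(f"invalid SELINUX= value: {value!r}")
            mode = value   # a later assignment overrides an earlier one
    return mode


def parse_cmdline(cmdline):
    """Extract selinux= and enforcing= from a kernel command line.
    Returns {'selinux': 0|1, 'enforcing': 0|1} for the parameters present."""
    found = {}
    for m in re.finditer(r"\b(selinux|enforcing)=([01])\b", cmdline):
        found[m.group(1)] = int(m.group(2))
    return found


def effective_mode(config_text, cmdline=""):
    """Combine both sources.  Assumed precedence (not stated on the page):
    selinux=0 on the command line disables SELinux outright; an enforcing=
    parameter overrides SELINUX= in the config file; otherwise the config
    file decides, and a missing SELINUX= line falls back to permissive."""
    params = parse_cmdline(cmdline)
    if params.get("selinux") == 0:
        return "disabled"
    if "enforcing" in params:
        return "enforcing" if params["enforcing"] else "permissive"
    return parse_selinux_config(config_text) or "permissive"


if __name__ == "__main__":
    print(effective_mode(SAMPLE_CONFIG, "root=/dev/mmcblk0p2 selinux=1 enforcing=1 quiet"))
```

A practical use is a build-time check that fails the image if effective_mode() is not "enforcing" for a production configuration, catching a stray enforcing=0 left in the bootloader arguments after debugging.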

When enforcing, SELinux allows no access by default, and rules must be created and loaded to allow specific actions. A set of rules is called an SELinux policy. SELinux policies are usually formed of thousands of rules, and writing them is challenging.

Every object carries a security context, stored in the inode's extended attributes, which is formed by:

  • A user associated with a subject or object (root, user_u, or system_u).
  • A role that defines a set of permissions granted to a user (object_r or system_r).
  • A type (called a domain when it labels a process) that groups subjects and objects allowed to interact with each other. Type names carry the _t suffix.

On an SELinux-enabled system ls -Z lists the contexts as <user>:<role>:<type>, for example:

-rw-r--r-- root root root:object_r:user_home_t file.txt

Allow rules have four elements:

  • source-type
  • target-type
  • object-class
  • permissions

For example, a process with domain type user_t is able to read, execute, and stat (getattr) a file object of type bin_t with the following rule:

allow user_t bin_t:file { read execute getattr };
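To make the default-deny model and the four rule elements concrete, here is an added example (not code from the book, and not the kernel's policy engine): a small parser for allow rules in the syntax shown above, including the brace-delimited sets real policies use, a parser for the user:role:type context printed by ls -Z, and a lookup that grants access only when some rule covers all four elements. The mini-policy and the ls -Z line it checks against are constructed.

```python
"""Parse SELinux allow rules and security contexts, then answer whether an
access is permitted under default deny.  Added example with a constructed
mini-policy; it models the rule format, not the kernel's full checker."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowRule:
    sources: frozenset   # source types (domains)
    targets: frozenset   # target types
    classes: frozenset   # object classes (file, dir, ...)
    perms: frozenset     # permissions


# A token is either a brace-delimited set or a single identifier.
_TOKEN_RE = re.compile(r"\{[^}]*\}|[^\s{}]+")


def _id_set(token):
    """'bin_t' -> {'bin_t'}; '{ a_t b_t }' -> {'a_t', 'b_t'}."""
    return frozenset(token.strip("{} \t").split())


def parse_allow_rule(line):
    """Parse 'allow <src> <tgt>:<class> <perms>;' into an AllowRule."""
    body = line.strip()
    if not body.startswith("allow ") or not body.endswith(";"):
        raise ValueError(f"not an allow rule: {line!r}")
    body = body[len("allow"):-1]            # strip keyword and ';'
    left, sep, right = body.partition(":")  # src tgt : class perms
    if not sep:
        raise ValueError(f"missing ':' before object class: {line!r}")
    src_tgt = _TOKEN_RE.findall(left)
    cls_perms = _TOKEN_RE.findall(right)
    if len(src_tgt) != 2 or len(cls_perms) != 2:
        raise ValueError(f"rule must have four elements: {line!r}")
    return AllowRule(*map(_id_set, src_tgt + cls_perms))


def load_policy(text):
    """Parse every non-blank, non-comment line as an allow rule."""
    return [parse_allow_rule(l) for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#")]


def parse_context(context):
    """Split user:role:type[:level].  MLS/MCS systems append a level such
    as s0 or s0:c0.c1023 as a fourth field; it is kept when present."""
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed context: {context!r}")
    ctx = {"user": parts[0], "role": parts[1], "type": parts[2]}
    if len(parts) == 4:
        ctx["level"] = parts[3]
    return ctx


def context_from_ls_z(line):
    """Pick the context column out of an ls -Z output line."""
    token = next(t for t in line.split() if t.count(":") >= 2)
    return parse_context(token)


def is_allowed(rules, source_type, target_type, obj_class, perm):
    """Default deny: granted only if some rule matches all four elements."""
    return any(source_type in r.sources and target_type in r.targets
               and obj_class in r.classes and perm in r.perms
               for r in rules)


def can_access_file(rules, domain, ls_z_line, obj_class, perm):
    """Check a domain against a file as ls -Z shows it."""
    target_type = context_from_ls_z(ls_z_line)["type"]
    return is_allowed(rules, domain, target_type, obj_class, perm)


# Constructed mini-policy in the syntax shown on the page.
SAMPLE_POLICY = """
# user_t may read and run binaries, but not modify them
allow user_t bin_t : file {read execute getattr};
allow user_t user_home_t:file { read write getattr };
allow { user_t staff_t } user_home_t:dir { search getattr };
allow user_t etc_t:file read;
"""

# Constructed ls -Z line, in the layout quoted on the page.
SAMPLE_LS_Z = "-rw-r--r-- root root root:object_r:user_home_t file.txt"

if __name__ == "__main__":
    rules = load_policy(SAMPLE_POLICY)
    for perm in ("read", "write", "execute"):
        print(perm, can_access_file(rules, "user_t", SAMPLE_LS_Z, "file", perm))
```

Note that nothing in the checker grants access to a domain or type that no rule names (guest_t below is simply denied); that absence, rather than any explicit deny, is what "allows no access by default" means in practice.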

These policy files are compiled from source into a binary module format (using the checkmodule tool) and are loaded from /etc/selinux into the kernel early in the boot process. The first SELinux boot is a deployment boot that relabels the entire root filesystem according to the policy and then reboots. Installed policies are managed with the semodule command-line tool.
