SELinux
15 May 2022 • Leave CommentsThis post only serves as a quick reference for SELinux. Read whatever for the design and principle behind.
Utilities
Make sure the following packages are installed.
~ $ dnf provides /usr/sbin/sestatus
policycoreutils
~ $ dnf list policycoreutils
~ $ dnf repoquery --provides /usr/sbin/getenforce
libselinux-utils
~ $ dnf list libselinux-utils
~ $ dnf provides /usr/sbin/semanage
policycoreutils-python-utils
~ $ dnf list policycoreutils-python-utils
Status
~ $ getenforce
Enforcing
~ $ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actua
~ $ seinfo
Statistics for policy file: /sys/fs/selinux/policy
Policy Version: 31 (MLS enabled)
Target Policy: selinux
Handle unknown classes: allow
Classes: 132 Permissions: 464
Sensitivities: 1 Categories: 1024
Types: 4938 Attributes: 252
Users: 8 Roles: 14
Booleans: 335 Cond. Expr.: 380
Allow: 110525 Neverallow: 0
Auditallow: 161 Dontaudit: 10253
Type_trans: 241591 Type_change: 87
Type_member: 35 Range_trans: 5781
Role allow: 37 Role_trans: 420
Constraints: 72 Validatetrans: 0
MLS Constrain: 72 MLS Val. Tran: 0
Permissives: 0 Polcap: 5
Defaults: 7 Typebounds: 0
Allowxperm: 0 Neverallowxperm: 0
Auditallowxperm: 0 Dontauditxperm: 0
Ibendportcon: 0 Ibpkeycon: 0
Initial SIDs: 27 Fs_use: 34
Genfscon: 108 Portcon: 642
Netifcon: 0 Nodecon: 0
Modes
SELinux has three modes:
- enforcing: security policy is enforced.
- permissive: security policy is disabled but log events.
- disabled: SELinux daemon is not loaded at all.
We can changed the modes permanently by /etc/selinux/config and reboot. Alternaitvely, we can temporarily switch between enforcing and permissive on CLI.
# enforcing
~ $ sudo setenforce 1
# permissive
~ $ sudo setenforce 0
Audit Logs
If SELinux denies an access (e.g. a file), the denial event is logged to /var/log/audit/audit.log. Sometimes, we call it "Access Vector Cache (AVC) denial".
The log may reveal what is the cause of our applications.
Boolean Values
SELinux have many built-in boolean values.
List boolean values by getsebool.
~ $ getsebool -a | grep [h]ttpd_can_network_connect
httpd_can_network_connect ---> off
We can set a boolean value by setsebool.
~ $ setsebool -P httpd_can_network_connect 1
# -or-
~ $ setsebool -P httpd_can_network_connect=1
Ports
Each port number, together with protocol, belong to a perticular service (i.e., label). For example, TCP port 22 is for SSH service (TCP).
List all services.
~ $ sudo semanage port -l
...
ephemeral_port_t tcp 32768-60999
ephemeral_port_t udp 32768-60999
...
ssh_port_t tcp 22
...
unreserved_port_t sctp 1024-65535
unreserved_port_t tcp 61000-65535, 1024-32767
unreserved_port_t udp 61000-65535, 1024-32767
There are two special services, namely ephemeral_port_t (32768-60999) and unreserved_port_t (1024-32767,61000-65535).
~ $ seinfo --portcon 32768
Portcon: 3
portcon sctp 1024-65535 system_u:object_r:unreserved_port_t:s0
portcon tcp 32768-60999 system_u:object_r:ephemeral_port_t:s0
portcon udp 32768-60999 system_u:object_r:ephemeral_port_t:s0
~$ seinfo --portcon 32767
Portcon: 3
portcon sctp 1024-65535 system_u:object_r:unreserved_port_t:s0
portcon tcp 1024-32767 system_u:object_r:unreserved_port_t:s0
portcon udp 1024-32767 system_u:object_r:unreserved_port_t:s0
By default, ephemeral ports are allowed but unreserved ports are disallowed. To allow an unreserved port, we just need to add it to a specific other services.
For example, here is the default allowed HTTP ports:
~ $ sudo semanage port -l | grep [h]ttp_port_t
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
To enable/disable a port, we add/delete it from a type and protocol combination.
# add a port
~ $ sudo semanage port -a -t http_port_t -p tcp 32767
# delete a port
~ $ sudo semanage port -d -t http_port_t -p tcp 32768