Security Enhanced Linux (SELinux) is a Mandatory Access Control (MAC) security mechanism implemented in the Linux kernel. SELinux follows the model of least privilege more closely than traditional discretionary access control.
List of Topics
1) What is SELinux
2) What is the difference between MAC and DAC
3) List of Configuration Files
4) Modes of Operation
5) Policy
6) SELinux Context
7) How to see SELinux Context
8) What is a Boolean
9) List of Commands and their Explanation
1) What is SELinux
SELinux follows the model of least privilege: by default everything is denied, and a policy is then written that gives each element of the system only the access it requires to function. This description best describes the strict policy.
2) What is the difference between MAC and DAC
Discretionary Access Control (DAC) - The basic access control policy for files. It is set at the discretion of the owner of the object. Examples: user and group ownership, file and directory permissions.
Mandatory Access Control (MAC) - System-controlled access control policies, where the system dictates and controls the level of access to an object, even one created by the user.
3) List of Configuration files
(i) /etc/selinux/config - Default configuration file of SELinux. The SELinux mode must be set here for the change to be permanent.
(ii) /etc/sestatus.conf - sestatus -v reads this file to decide which files and processes to display the context of.
(iii) /etc/selinux/semanage.conf
(iv) /etc/selinux/restorecond.conf
(v) /etc/security/sepermit.conf
4) Modes of Operation
SELinux operates in the following three modes:
(a) Enforcing
(b) Permissive
(c) Disabled
a) Enforcing - The default mode. SELinux is enabled and its security policy is enforced.
b) Permissive - SELinux is enabled but does not enforce the security policy; it only warns and logs the actions that would have been denied. Permissive mode is useful for troubleshooting SELinux issues.
c) Disabled - SELinux is turned off.
Note: When changing the SELinux mode from disabled to enforcing or permissive, a reboot is recommended because the filesystem needs to be relabelled. Relabelling takes some time, depending on the size of the filesystem.
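As an added example (not part of the original post), the following POSIX shell script audits the persistent mode in an /etc/selinux/config style file and works out what a mode change requires, following the rules above together with the setenforce limits described in the command list later in this post. The config content is constructed and written to a temporary file; the script never reads or writes the real /etc/selinux/config, so it runs on a machine without SELinux installed.

```shell
#!/bin/sh
# Added example (not from the original post): audit the persistent SELinux
# mode in an /etc/selinux/config style file and decide how a mode change
# has to be made. Uses a constructed config in a temp file; it never touches
# the real /etc/selinux/config and needs no SELinux tools.

# Constructed "before" file carrying the weak setting a hardening review flags.
WEAK_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
SELINUXTYPE=targeted'

# config_value FILE KEY -> value of an uncommented KEY=value line
config_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# audit_config FILE -> "ok", "weak: permissive" or "weak: disabled";
# any other value is reported as "unknown: <value>".
audit_config() {
    mode=$(config_value "$1" SELINUX)
    case "$mode" in
        enforcing)           printf 'ok\n' ;;
        permissive|disabled) printf 'weak: %s\n' "$mode" ;;
        *)                   printf 'unknown: %s\n' "$mode" ;;
    esac
}

# mode_change_plan CURRENT TARGET -> what the admin has to do, following the
# post: setenforce only switches between enforcing and permissive at runtime;
# entering or leaving disabled means editing /etc/selinux/config and
# rebooting, with a filesystem relabel when SELinux comes back on.
mode_change_plan() {
    cur="$1"; tgt="$2"
    if [ "$cur" = "$tgt" ]; then
        printf 'no change\n'
    elif [ "$cur" = disabled ]; then
        printf 'edit /etc/selinux/config, reboot, filesystem relabel\n'
    elif [ "$tgt" = disabled ]; then
        printf 'edit /etc/selinux/config, reboot\n'
    else
        printf 'setenforce now, edit /etc/selinux/config to persist\n'
    fi
}

# harden_config FILE -> prints the file with the SELINUX= line set to enforcing
harden_config() {
    sed 's/^[[:space:]]*SELINUX=.*/SELINUX=enforcing/' "$1"
}

# Usage on the constructed file (on a real host, point these at /etc/selinux/config).
tmp=$(mktemp)
printf '%s\n' "$WEAK_CONFIG" > "$tmp"
printf 'audit: %s\n' "$(audit_config "$tmp")"
printf 'plan:  %s\n' "$(mode_change_plan "$(config_value "$tmp" SELINUX)" enforcing)"
harden_config "$tmp" | grep '^SELINUX='
rm -f "$tmp"
```

The audit only reads the uncommented SELINUX= line, so the explanatory comment lines that mention all three values do not confuse it, and SELINUXTYPE= is left untouched by the hardening step.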
5) Policy
SELinux allows different policies to be written that are interchangeable. The default policy in RHEL is the targeted policy, which "targets" and restricts selected system processes. In RHEL 4 only 15 defined targets existed (including httpd, named, dhcpd, mysqld). Later, in CentOS 5, this number had risen to over 200 targets.
By convention, all confined (restricted) executables have a label type that ends with exec_t.
6) SELinux Context
An SELinux security context is made up of the following attributes:
(a) User - The first attribute in the security context (the SELinux user)
(b) Role (role-based access control) - The second attribute in the security context
(c) Type Enforcement - The third attribute in the security context; for a process the type is also known as its domain.
(d) MLS/MCS (Multi Level Security / Multi Category Security) - The fourth attribute in the security context; this field is normally hidden. Multi Category Security and Multi Level Security are mutually exclusive.
To check the SELinux context of a file, run ls -Z <filename>.
Fields - User:Role:Type:MLS (hidden field)
7) How to see the SELinux Context
ls -Z filename - To check the context of a file
id -Z - To check the context of a user
ps -eZ - To check the context of processes
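The context fields above, as an added example that is not part of the original post: a POSIX shell script that splits a context string into its four attributes and flags confined executables by their exec_t type, the convention noted in the Policy section. The ls -Z lines are constructed in the layout current RHEL releases print (permissions, owner, group, context, path). It handles the MLS/MCS range containing its own colons (for example s0-s0:c0.c1023), which a naive split on ':' would truncate; no SELinux tool is executed.

```shell
#!/bin/sh
# Added example (not from the original post): split the security context
# shown by ls -Z / id -Z / ps -eZ into user, role, type and range.
# SAMPLE_LS_Z is constructed output; no SELinux tool is executed.

SAMPLE_LS_Z='-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
-rw-------. root root system_u:object_r:shadow_t:s0 /etc/shadow
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd'

# ctx_field CONTEXT N -> field N of the context:
# 1 = SELinux user, 2 = role, 3 = type, 4 = MLS/MCS range.
# The range may itself contain colons (s0-s0:c0.c1023), so field 4
# takes everything from the fourth colon onwards.
ctx_field() {
    case "$2" in
        4) printf '%s\n' "$1" | cut -d: -f4- ;;
        *) printf '%s\n' "$1" | cut -d: -f"$2" ;;
    esac
}

# ctx_is_confined_exec CONTEXT -> success if the type ends in exec_t,
# the naming convention for confined executables.
ctx_is_confined_exec() {
    case "$(ctx_field "$1" 3)" in
        *exec_t) return 0 ;;
        *)       return 1 ;;
    esac
}

# report_context LS_Z_LINE -> "path user=.. role=.. type=.. range=.."
# Expects the "perms owner group context path" layout of ls -Z.
report_context() {
    ctx=$(printf '%s\n' "$1" | awk '{ print $4 }')
    path=$(printf '%s\n' "$1" | awk '{ print $5 }')
    printf '%s user=%s role=%s type=%s range=%s\n' "$path" \
        "$(ctx_field "$ctx" 1)" "$(ctx_field "$ctx" 2)" \
        "$(ctx_field "$ctx" 3)" "$(ctx_field "$ctx" 4)"
}

# Usage: walk the constructed listing (on a real host feed it the output
# of "ls -Z /var/www/html" instead).
printf '%s\n' "$SAMPLE_LS_Z" | while IFS= read -r line; do
    report_context "$line"
    if ctx_is_confined_exec "$(printf '%s\n' "$line" | awk '{ print $4 }')"; then
        printf '  -> confined executable\n'
    fi
done
```

The same ctx_field helper works on the single context strings that id -Z and ps -eZ print, since all three tools use the user:role:type:range layout.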
8) What is a Boolean
SELinux has a set of built-in switches named Booleans, or conditional policies, that you can use to turn specific SELinux features on or off.
Entering the "getsebool -a | grep http" command lists the 23 Booleans related to the http daemon, which are a subset of the 234 Booleans currently defined in the selinux-policy-2.4.6-203.el5 policy.
getsebool allow_console_login - queries a single Boolean by name. Other Booleans in the full getsebool -a listing include allow_cvs_read_shadow and allow_daemons_dump_core.
These 23 Booleans allow you to customize SELinux policy for the http daemon at runtime without modifying, compiling, or loading a new policy. You can customize the level of http security by setting the relevant Boolean values or toggling between on and off.
Acceptable values to enable a Boolean are 1, true, and on. Acceptable values to disable a Boolean are 0, false, and off.
Viewing affected policy rules
To view the policy rules that are enabled (or disabled) when a Boolean is set (or unset), use sesearch:
root # sesearch -b user_dmesg -AC
Found 4 semantic av rules:
ET allow user_t kernel_t : system syslog_read ; [ user_dmesg ]
ET allow user_t user_t : capability2 syslog ; [ user_dmesg ]
ET allow staff_t kernel_t : system syslog_read ; [ user_dmesg ]
ET allow staff_t staff_t : capability2 syslog ; [ user_dmesg ]
In the above example, user_dmesg is currently enabled. As a result, all four rules are shown as enabled as well (E). The second character (T) tells us that the rule becomes active if the Boolean is enabled (T stands for True).
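As an added example (not from the original post) tying the Boolean material together: a POSIX shell script that normalizes the accepted on/off spellings the way setsebool accepts them, filters a getsebool -a style listing by prefix and state, and decodes the two-letter flags sesearch -C prints in front of conditional rules. The listing is constructed (typical Boolean names, made-up values); the D and F flag cases are the remaining sesearch conventions (rule currently disabled, rule applies when the Boolean is false), which the output above does not show.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for working with
# SELinux Booleans. SAMPLE_GETSEBOOL mimics "getsebool -a" output and is
# constructed; the names are typical but the values are made up.

SAMPLE_GETSEBOOL='allow_console_login --> off
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> on
httpd_enable_cgi --> on
httpd_enable_homedirs --> off'

# normalize_bool VALUE -> prints "on" or "off"; returns 2 for anything else.
# Accepted spellings are the ones setsebool takes: 1/true/on and 0/false/off.
normalize_bool() {
    case "$1" in
        1|true|on)   printf 'on\n' ;;
        0|false|off) printf 'off\n' ;;
        *) printf 'invalid boolean value: %s\n' "$1" >&2; return 2 ;;
    esac
}

# booleans_with_state LISTING PREFIX STATE -> names starting with PREFIX
# (e.g. httpd) whose current value is STATE (on/off), one per line.
booleans_with_state() {
    printf '%s\n' "$1" | awk -v p="$2" -v s="$3" \
        'index($1, p) == 1 && $3 == s { print $1 }'
}

# count_booleans LISTING PREFIX -> how many Booleans carry the prefix
count_booleans() {
    printf '%s\n' "$1" | awk -v p="$2" \
        'index($1, p) == 1 { n++ } END { print n + 0 }'
}

# decode_rule_flags XY -> explain the two-character prefix that sesearch -C
# prints before a conditional rule: E/D = rule currently enabled/disabled,
# T/F = rule applies when the Boolean is true/false.
decode_rule_flags() {
    f="$1"
    case "$f" in
        E?) state="enabled" ;;
        D?) state="disabled" ;;
        *)  printf 'unknown flags: %s\n' "$f" >&2; return 2 ;;
    esac
    case "$f" in
        ?T) cond="true" ;;
        ?F) cond="false" ;;
        *)  printf 'unknown flags: %s\n' "$f" >&2; return 2 ;;
    esac
    printf 'rule is currently %s; it applies when the Boolean is %s\n' "$state" "$cond"
}

# Usage: show which httpd Booleans are currently on, then decode a flag pair.
printf '%s of %s httpd Booleans are on:\n' \
    "$(booleans_with_state "$SAMPLE_GETSEBOOL" httpd on | wc -l | tr -d ' ')" \
    "$(count_booleans "$SAMPLE_GETSEBOOL" httpd)"
booleans_with_state "$SAMPLE_GETSEBOOL" httpd on
decode_rule_flags ET
```

Rejecting unrecognised values in normalize_bool matters in scripts that wrap setsebool: a typo such as "ture" should fail loudly rather than silently leave a Boolean in its previous state.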
9) List of Commands and their Explanation
a) sestatus - Displays the status of SELinux
Options:
-b Displays all Booleans and their statuses
-v Provides verbose output
b) getenforce - Prints the current mode of SELinux
c) setenforce - Changes the SELinux mode on the fly, but the change does not persist through a system reboot. For a permanent change, edit /etc/selinux/config. setenforce cannot switch the mode to disabled; only enforcing or permissive are possible, and if SELinux is disabled, setenforce cannot enable it.
d) getsebool - Returns the Boolean value of a service option
e) setsebool - Sets the Boolean value of a service option; -P makes the change persistent across reboots
f) chcon - Changes the context of a file, directory, or service
Options:
-f Suppresses error messages
-u Changes the user context
-r Changes the role context
-t Changes the type (domain) context
-R Applies the changes recursively
-v Provides verbose output
g) restorecon - Resets the context of an object to the default defined by the policy
Options:
-i Ignores files that don't exist
-p Shows progress
-v Shows changes as they happen
-F Forces a full reset of the context, including the user and role fields
h) semanage - Manages SELinux policy settings such as login and user mappings. To review the SELinux users mapped to current logins, run the semanage login -l command