# SELinux

General information on SELinux can be found here:

- [SELinux coloring book](_static/selinux-coloring-book_A4-Stapled.pdf)
- Original: https://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf

## Modes

SELinux can be in one of three modes:

- `enforcing` - The SELinux policy is enforced, violations are logged.
- `permissive` - The SELinux policy is **not** enforced, but violations are still logged.
- `disabled` - SELinux is not loaded at all.

Switching from `enforcing` or `permissive` to `disabled`, or back, requires a reboot.

## Contexts

On an SELinux system every file has a context, and the SELinux policy controls whether a confined service can access files of a given context. The context of a file can be shown with the `stat` command or by passing the `-Z` option to `ls`:

```bash
$ ls -Z /etc/fstab
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/fstab
$ stat /etc/fstab
  File: ‘/etc/fstab’
  Size: 619             Blocks: 8          IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 134320258   Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:etc_t:s0
Access: 2017-05-13 21:50:43.533927373 +0200
Modify: 2016-04-03 04:19:02.289004083 +0200
Change: 2016-04-03 04:29:29.955011505 +0200
 Birth: -
```

When files are created they are assigned a default context based on their path, according to the system policy. The default contexts configured for the various filesystem locations can be listed with `semanage(8)`:

```bash
$ semanage fcontext -l
...
/usr/.*                all files    system_u:object_r:usr_t:s0
/var/.*                all files    system_u:object_r:var_t:s0
/run/.*                all files    system_u:object_r:var_run_t:s0
/srv/.*                all files    system_u:object_r:var_t:s0
...
```

It is possible to add local customizations to the default contexts of the system and to list them:

```bash
$ semanage fcontext -a -t httpd_sys_content_t '/srv/web/data(/.*)?'
$ semanage fcontext -a -t etc_t /srv/web/httpd.conf
$ semanage fcontext -l -C
/srv/web/httpd.conf    all files    system_u:object_r:etc_t:s0
/srv/web/data(/.*)?    all files    system_u:object_r:httpd_sys_content_t:s0
```

Use the `restorecon` command to restore the context of a file or directory tree according to the system policy:

```bash
$ restorecon -v /etc/fstab
$ restorecon -vR /etc/puppetlabs/
```

It is also possible to trigger a relabeling of all files with their default contexts:

```bash
touch /.autorelabel
reboot
```

For debugging or during development the `chcon` command can be used:

```bash
chcon -t etc_t /srv/web/httpd.conf
```

**Important:** This is not enough! The next `restorecon(8)`, relabeling, or system redeployment will not honor the changes made with `chcon(1)`. Use `semanage(8)` as described above, or change the location of the files in question so that they are classified correctly by the system policy.

## Booleans

SELinux booleans are variables which control certain restrictions enforced by the SELinux policy. An example is `httpd_can_network_connect`, which controls whether Apache can open network connections. The state of an SELinux boolean is either `on` or `off` and can be queried using `getsebool`:

```bash
# List all SELinux booleans and their states
getsebool -a
# Show the state of a given boolean
getsebool httpd_can_network_connect
```

The `setsebool` command changes the state of a boolean:

```bash
setsebool httpd_can_network_connect on
```

## Basic Checks and Actions

Check the SELinux mode/status:

```bash
getenforce
```

Switch SELinux from enforcing to permissive:

```bash
setenforce 0
```

Show the SELinux context of a file:

```bash
ls -Z
```

Show the SELinux context attached to a process:

```bash
ps -Z
```

Show SELinux booleans:

```bash
getsebool -a
```

Set an SELinux boolean:

```bash
setsebool -P httpd_can_connect_ldap on
setsebool -P httpd_can_check_spam off
```

`-P` makes the change permanent so that it survives reboots.
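The `chcon` caveat from the Contexts section (labels that the next `restorecon` or relabel reverts) can be turned into a check. The script below is an added example, not part of the original page: it compares the type in a file's current context with the type the fcontext spec assigns to its path, working on constructed `semanage fcontext -l -C` and `ls -Z` text so it runs without SELinux; on a live host `restorecon -nv PATH` is the authoritative way to ask the same question.

```shell
#!/bin/sh
# Added example, not part of the original page: find files whose current type
# differs from the type the fcontext spec assigns to their path, i.e. labels
# (set by chcon or inherited from the parent) that the next restorecon or
# relabel will change. Works on captured text, so it runs without SELinux.

# Constructed sample of `semanage fcontext -l -C` output (this page's two
# local customizations).
FCONTEXT_SPEC='/srv/web/data(/.*)?    all files    system_u:object_r:httpd_sys_content_t:s0
/srv/web/httpd.conf    all files    system_u:object_r:etc_t:s0'

# Type field of a context string: user:role:type:level -> type.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Policy type for a path: match it against every spec regex, anchored as the
# policy does; a later matching entry overrides an earlier one. Empty if none.
policy_type() {
    want=
    while read -r pattern kind1 kind2 ctx; do
        if printf '%s\n' "$1" | grep -Eq "^$pattern\$"; then
            want=$(context_type "$ctx")
        fi
    done <<EOF
$FCONTEXT_SPEC
EOF
    printf '%s\n' "$want"
}

# Check one `ls -Z` line in the format shown above (mode user group context
# path). Prints "ok", "no-spec" (no local entry matches the path) or
# "drift:<current>-><policy>", meaning restorecon would relabel the file.
check_label() {
    ctx=$(printf '%s\n' "$1" | awk '{print $4}')
    path=$(printf '%s\n' "$1" | awk '{print $5}')
    have=$(context_type "$ctx")
    want=$(policy_type "$path")
    if [ -z "$want" ]; then echo "no-spec"
    elif [ "$have" = "$want" ]; then echo "ok"
    else echo "drift:$have->$want"
    fi
}

# Constructed `ls -Z` lines; the second file still carries the /srv default
# label var_t, so restorecon would relabel it to httpd_sys_content_t.
check_label '-rw-r--r--. root root system_u:object_r:etc_t:s0 /srv/web/httpd.conf'
check_label '-rw-r--r--. root root unconfined_u:object_r:var_t:s0 /srv/web/data/index.html'
check_label '-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/fstab'
```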
List defined SELinux contexts:

```bash
semanage fcontext --list
```

Add an SELinux context for directories/files:

```bash
semanage fcontext --add -t httpd_log_t "/var/www(/.*)?/log(/.*)?"
```

Restore the SELinux context of a directory/file:

```bash
restorecon -Rv /var/www/html/var
```

## In-Depth Log Analysis and Module Creation

Ensure that `setroubleshoot-server` is installed to get more readable log entries in `/var/log/audit/audit.log` and the journal.

To see everything, you may enable full logging by disabling the `dontaudit` rules:

```bash
semodule -DB
```

Revert this afterwards, otherwise it will fill your log:

```bash
semodule -B
```

Check the new log entries since the start of your test:

```bash
ausearch -ts 14:29
```

Create a new SELinux policy module from the events logged since the start of your test:

```bash
ausearch -ts 14:28 --raw | audit2allow -M my-application
```

This creates a `my-application.te` policy file with the source code (e.g. to be modified and distributed with Ansible or Puppet) and the compiled `my-application.pp` policy module.

If you just need the TE source code as output (e.g. for Puppet), run:

```bash
ausearch -ts 14:28 --raw | audit2allow -r -m my-application
```

To add such a module to Hiera for Puppet see [SELinux Configuration](../configuration/software/selinux_configuration).
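Before loading whatever `audit2allow` generates, it pays to look at the denial patterns themselves. The script below is an added example, not part of the original page: it summarises AVC records from raw `audit.log` text (constructed samples here; on a live host pipe in `ausearch -ts <time> --raw` output) and attaches a triage hint, since a denial on a generic type such as `var_t` usually calls for a label fix rather than an allow rule, and the LDAP case is what the `httpd_can_connect_ldap` boolean used above controls.

```shell
#!/bin/sh
# Added example, not part of the original page: summarise AVC denials and give
# each pattern a triage hint before anything is fed to audit2allow, so that the
# generated allow rules are reviewed rather than loaded blindly. On a live host
# pipe in `ausearch -ts <time> --raw`; the lines below are constructed samples.
AUDIT_SAMPLE='type=AVC msg=audit(1494705043.533:201): avc:  denied  { write } for  pid=1234 comm="httpd" name="access_log" dev="dm-1" ino=134320258 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1494705043.540:202): avc:  denied  { open } for  pid=1234 comm="httpd" path="/srv/web/log/access_log" dev="dm-1" ino=134320258 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1494705044.001:203): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1494705044.001:203): arch=c000003e syscall=42 success=no exit=-13'

# Read audit records on stdin; print "<count> <src type> <target type> <class> <perms>"
# once per distinct denial pattern (non-AVC records such as SYSCALL are ignored).
avc_summary() {
    awk '/^type=AVC / && / denied / {
        match($0, /[{] [^}]* [}]/)                  # e.g. "{ write }"
        perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }  # type field
            if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        n[src " " tgt " " cls " " perm]++
    }
    END { for (k in n) print n[k], k }' | sort -k2
}

# Hint per pattern: a denial on a generic file type usually means a mislabelled
# file (fix the label, do not allow httpd_t to write var_t everywhere); the LDAP
# port case is what the httpd_can_connect_ldap boolean from this page controls.
triage_hint() {
    src=$1 tgt=$2
    case "$tgt" in
        var_t|etc_t|usr_t|default_t)
            echo "relabel: check 'semanage fcontext -l' for the path and run restorecon" ;;
        ldap_port_t)
            if [ "$src" = httpd_t ]; then echo "boolean: getsebool httpd_can_connect_ldap"
            else echo "review: candidate for an audit2allow rule"; fi ;;
        *)  echo "review: candidate for an audit2allow rule" ;;
    esac
}

# One report line per pattern: "<count> x <src> <tgt> <class> { <perms> } -> <hint>".
triage_report() {
    avc_summary | while read -r n src tgt cls perm; do
        printf '%s x %s %s %s { %s } -> %s\n' "$n" "$src" "$tgt" "$cls" "$perm" \
            "$(triage_hint "$src" "$tgt")"
    done
}
printf '%s\n' "$AUDIT_SAMPLE" | triage_report
```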
To install the new SELinux policy module run:

```bash
semodule --install my-application.pp
```

To compile the binary SELinux policy module yourself run:

```bash
cd /tmp
checkmodule --mls -m --output my-application.mod $PATH_TO/my-application.te
semodule_package --outfile my-application.pp --module my-application.mod
```

References:

- [SELinux Guide](https://docs.linuxfabrik.ch/base/security/selinux.html) (German)
- [Short SELinux Manual](https://dokuwiki.dsteiner.ch/selinux) (English)
- How to read SELinux logs: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/troubleshooting-problems-related-to-selinux_using-selinux