One place for hosting & domains

      SELinux

      How to Install SELinux on Ubuntu 22.04


      According to
      the official Security Enhanced Linux project page, SELinux is a security enhancement to Linux. Linux-based security-sensitive projects largely standardize on it. Ubuntu 22.04 is compatible with SELinux and these instructions make it available on your Ubuntu 22.04 host. The steps in this guide appear as command line instructions. Both physical and virtual machines can be configured for SELinux, but it is not possible to enable SELinux in a Docker container without additional steps not covered here.

      Before You Begin

      1. If you have not already done so, create a Linode account and Compute Instance. See our
        Getting Started with Linode and
        Creating a Compute Instance guides.

      2. Follow our
        Setting Up and Securing a Compute Instance guide to update your system. You may also wish to set the timezone, configure your hostname, create a limited user account, and harden SSH access.

      Note

      The steps in this guide require root privileges. Be sure to run the steps below as root or with the sudo prefix. For more information on privileges, see our
      Users and Groups guide.

      SELinux Installation

      SELinux’s technical basis is
      access control, meaning how different users can and cannot read, write, update, remove, or otherwise change different resources, and how administrators manage those differences. Over twenty years ago,
      SELinux introduced tools to enhance conventional Linux so these administrative chores are now less complex and more reliable. SELinux is currently implemented as a Mandatory Access Control (MAC) module within the kernel.

      A standard modern Ubuntu distribution includes
      AppArmor, a Linux application security system which emphasizes ease-of-use and routine reliability. Both AppArmor and SELinux work through the
      Linux Security Module (LSM) interface. Since Linux only permits a single LSM to be active, the first step in an SELinux installation is to deactivate AppArmor.

      Caution

      SELinux alters parts of Linux profoundly. An error in its installation can easily render an entire host unresponsive. Make backups, be prepared to dispose or recycle a particular instance, and work with care. Start your SELinux experiments in permissive mode, and make backups again before any switch to enforcing mode. The simplest SELinux installations are somewhat time-consuming, as they affect the entire filesystem. Each reboot takes a while, since SELinux methodically confirms the state of all filesystems and other resources.

      Stop and Remove AppArmor

      1. It’s good practice to begin any Linux installation work by ensuring a consistent package state with:

        sudo apt update && sudo apt upgrade -y

      2. Your Ubuntu 22.04 installation probably runs AppArmor by default. To verify its status, request:

        systemctl status apparmor

        There are several lines of output, including “… enabled … SUCCESS …”.

      3. Press Q to close the status info.

        Note

        A few Ubuntu 22.04 variants for embedded computing do not run AppArmor. Therefore, if you see “… apparmor.service could not be found …” you can safely skip the next paragraphs and go immediately to the “Install SELinux” section below.

      4. In the more common case, where AppArmor is running, stop it:

        sudo systemctl stop apparmor

      5. Now disable AppArmor to prevent it from re-enabling:

        sudo systemctl disable apparmor

      It is not necessary, or even desirable, to remove AppArmor. Most administrators leave it installed, but stopped and disabled.

      Install SELinux

      1. Install SELinux:

        sudo apt install policycoreutils selinux-basics selinux-utils -y

      2. Enable SELinux:

        sudo selinux-activate

        Now you see:

        SELinux is activated. You may need to reboot now.

      Do not reboot immediately! First, review the current state of your new SELinux host.

      Verification

      1. To confirm the current status of your installation, use the command:

        getenforce

        This shows the one-word response:

        Disabled

      This means that your SELinux is ready to work. It’s “active” but not yet turned on.

      While getenforce provides the current state of SELinux, sestatus is a different command that provides more details.

      1. When you enter:

        sestatus

        You see:

        SELinux status:		disabled

      While this output is similar to getenforce, once SELinux is enabled, sestatus reports more fully on the configuration, as detailed later.

      Configuration of Permissions to Allow for Reboot

      SELinux can be enabled in one of two states: permissive or enforcing. Your current SELinux installation remains disabled.

      Caution

      If you connect to your host via SSH, access will be lost once SELinux is enabled. If you’re using a Linode host, you can still login via the LISH console.

      1. Reboot, and the Ubuntu 22.04 host likely comes up with SELinux “on”:

        sudo reboot

        Note

        The first reboot with SELinux enabled begins a relabelling process that could take a long time, so be patient.

      2. Verify this through examination of /etc/selinux/config:

        cat /etc/selinux/config

        It should include the line:

        SELINUX=permissive

      The presence of /etc/selinux/config is a sign that the host is ready for configuration and the reboot needed to make most configurations effective:

      • Installation creates /etc/selinux/config.
      • Configuration updates /etc/selinux/config.
      • A reboot puts SELinux into action.

      SELinux Management

      SELinux has several options beyond the scope of this guide. Configuration is commonly achieved through configuration files rather than graphical user interface (GUI) or command line applications.

      Enabling SELinux

      Basic configuration of an SELinux installation starts with the SELINUX attribute in /etc/selinux/config.

      1. Open /etc/selinux/config:

        sudo nano /etc/selinux/config

      2. Enable SELinux by changing the line:

        SELINUX=permissive

        to

        SELINUX=enforcing

      3. Press CTRL+X to exit nano.

      4. Press Y to confirm.

      5. Press ENTER to save.

      6. The next time the host is rebooted, it comes up as an enforcing SELinux instance:

        sudo reboot

      7. Verify this again via /etc/selinux/config:

        cat /etc/selinux/config

        It should include the line:

        SELINUX=enforcing

      SELinux Policies

      /etc/selinux/config controls how an SELinux instance launches. However, it’s possible to adjust the action of SELinux between reboots with setenforce.

      1. Temporarily put SELinux in permissive mode with:

        sudo setenforce 0

      2. Check the current status of SELinux with:

        getenforce

        This should now display:

        Permissive

      3. Now check the status of SELinux again using sestatus

        sestatus

        You not only see the current SELinux mode, but also the config file (boot) mode, and other information:

        SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             default
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     requested (insecure)
Max kernel policy version:      33

      4. Switch SELinux back from permissive to enforcing mode with:

        sudo setenforce 1

      5. Check the current status of SELinux again:

        getenforce

        This should now display:

        Enforcing

      6. Confirm the status again using sestatus

        sestatus

        You can see that setenforce only changes the current mode:

        SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             default
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     requested (insecure)
Max kernel policy version:      33

      Other possible values for getenforce output are Permissive and Disabled. These values are capitalized, unlike the values permitted within /etc/selinux/config.

      How to disable SELinux

      There are two distinct ways to disable SELinux:

      • Have SELinux immediately stop its enforcement of resource permissions, and continue in the same way until its next reboot, at which point SELinux returns to enforcement.
      • Stop SELinux enforcement permanently, so that SELinux is not in effect after each boot operation.

      It’s common to speak of SELinux’s permissive operation as “disabled”. This first of the two descriptions may be confusing, because, although SELinux is disabled, and users can’t see its action, it remains active. When SELinux runs as Permissive, it logs access violations, but doesn’t enforce them. When SELinux is enabled as enforcing, the only effective way to disable it fully so that it doesn’t log its observations or otherwise act in the background, requires updates of /etc/selinux/config and sudo reboot.

      Conclusion

      Fewer than a couple dozen commands are required to install, enable, and activate SELinux on Ubuntu 22.04. You can quickly have an enforcing SELinux, but refer to other references for details on how to configure your SELinux to achieve specific useful requirements.



      Source link

      What is SELinux?


      SELinux stands for Security Enhanced Linux, which is an access control system that is built into the Linux kernel. It is used to enforce the resource policies that define what level of access users, programs, and services have on a system.

      In its default enforcing mode, SELinux will deny and log any unauthorized attempts to access any resource. This approach, usually referred to as the principle of least privilege, means that explicit permission must be given to a user or program to access files, directories, sockets, and other services.

      To learn more about how to use SELinux please read our article, “An Introduction to SELinux on CentOS 7.”

      For a more in-depth description of how to define and use SELinux policies, visit the CentOS Wiki page on SELinux.



      Source link

      A Beginner's Guide to SELinux on CentOS 8


      Updated by Linode

      Contributed by
      Linode

      SELinux is a Mandatory Access Control (MAC) system, developed by the NSA. SELinux was developed as a replacement for Discretionary Access Control (DAC) that ships with most Linux distributions.

      The difference between DAC and MAC is how users and applications gain access to machines. Traditionally, the command sudo gives a user the ability to heighten permissions to root-level. Root access on a DAC system gives the person or program access to all programs and files on a system.

      A person with root access should be a trusted party. But if security has been compromised, so too has the system. SELinux and MACs resolve this issue by both confining privileged processes and automating security policy creation.

      SELinux defaults to denying anything that is not explicitly allowed. SELinux has two global modes, permissive and enforcing. Permissive mode allows the system to function like a DAC system, while logging every violation to SELinux. The enforcing mode applies a strict denial of access to anything that isn’t explicitly allowed. To explicitly allow certain behavior on a machine, you, as the system administrator, have to write policies that allow it. This guide provides a brief and basic introduction to commonly used commands and practices for SELinux system administration.

      Before You Begin

      1. Ensure that you have followed the Getting Started and Securing Your Server guides.

        Note

        This guide is written for a non-root user. Commands that require elevated privileges are prefixed with sudo. If you’re not familiar with the sudo command, you can check our Users and Groups guide.

      2. Update your system:

        sudo yum update

        Note

        The Linode kernel does not support SELinux by default. However, all new Linodes running CentOS 8 use the distribution provided kernel, which has SELinux enabled by default.

        If your system is running a Linode kernel, you will need to change to an upstream kernel in order to use SELinux. See the How to Change Your Linode’s Kernel for more steps. Once you’re kernel is set to the upstream kernel, continue on with the steps in this guide.

      Install Supporting SELinux Packages

      In this section, you will install various SELinux packages that will help you when creating, managing, and analyzing SELinux policies.

      1. Verify which SELinux packages are installed on your system:

        sudo rpm -aq | grep selinux

        A newly deployed CentOS 8 Linode should have the following packages installed:

          
libselinux-2.5-14.1.el7.x86_64
selinux-policy-3.13.1-252.el7_7.6.noarch
selinux-policy-targeted-3.13.1-252.el7_7.6.noarch
libselinux-utils-2.5-14.1.el7.x86_64
libselinux-python-2.5-14.1.el7.x86_64

      2. Install the following packages and their associated dependencies:

        sudo yum install policycoreutils policycoreutils-python setools setools-console setroubleshoot
        • policycoreuitls and policyoreutils-python contain several management tools to administer your SELinux environment and policies.
        • setools provides command line tools for working with SELinux policies. Some of these tools include, sediff which you can use to view differences between policies, seinfo a tool to view information about the components that make up SELinux policies, and sesearch used to search through your SELinux policies. setools-console consists of sediff, seinfo, and sesearch. You can issue the --help option after any of the listed tools in order to view more information about each one.
        • setroubleshoot suite of tools help you determine why a script or file may be blocked by SELinux.

        Optionally, install setroubleshoot-server and mctrans. The setroubleshoot-server allows, among many other things, for email notifications to be sent from the server to notify you of any policy violations. The mctrans daemon translates SELinux’s output to human readable text.

      SELinux States and Modes

      SELinux States

      When SELinux is installed on your system, it can be either enabled or disabled. By default, the CentOS 8 image provided by Linode has SELinux in an enabled state.

      • To disable SELinux, update your SELinux configuration file using the text editor of your choice. Set the SELINUX directive to disabled as shown in the example.

        /etc/selinux/config
         1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

        # This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

        Note

        You can update the SELINUX directive with any of the available SELinux states or modes.

      • Reboot your Linode for the changes to take effect:

        sudo reboot

      • Connect to your Linode via SSH (replace 192.0.2.0 with your own Linode’s IP address) and verify your SELinux installation’s status:

        ssh [email protected]
sudo sestatus

        Its output should display disabled

          
SELinux status:                 disabled

      SELinux Modes

      When SELinux is enabled, it can run in either enforcing or permissive modes.

      Note

      If SELinux is currently disabled, update your SELinux configuration file with the SELINUX directive set to enabled, then reboot your system, and SSH back into your Linode. These steps are outlined in the SELinux States section of the guide.

      • In enforcing mode, SELinux enforces its policies on your system and denies access based on those policies. Use the following command to view SELinux policy modules currently loaded into memory:

        sudo semodule -l

      • Permissive mode does not enforce any of your SELinux policies, instead, it logs any actions that would have been denied to your /var/log/audit/audit.log file.

      • You can check which mode your system is running by issuing the following command:

        sudo getenforce

      • To place SELinux in permissive mode, use the following command:

        sudo setenforce 0

        Permissive mode is useful when configuring your system, because you and your system’s components can interact with your files, scripts, and programs without restriction. However, you can use audit logs and system messages to understand what would be restricted in enforcing mode. This will help you better construct the necessary policies for your system’s user’s and programs.

      • Use the sealert utility to generate a report from your audit log. The log will include information about what SELinux is preventing and how to allow the action, if desired.

        sudo sealert -a /var/log/audit/audit.log

        The output will resemble the example, however, it varies depending on the programs and configurations on your system. The example was generated using a Linode running the Apache webserver with a virtual hosts configuration.

          
SELinux is preventing /usr/sbin/httpd from write access on the directory logs.

*****  Plugin httpd_write_content (92.2 confidence) suggests   ***************

If you want to allow httpd to have write access on the logs directory
Then you need to change the label on 'logs'
Do
# semanage fcontext -a -t httpd_sys_rw_content_t 'logs'
# restorecon -v 'logs'

      • To allow /usr/sbin/httpd write access to the directory logs, as shown by the output, you can execute the suggested commands, semanage fcontext -a -t httpd_sys_rw_content_t 'logs' and restorecon -v 'logs'.

      SELinux Context

      SELinux marks every single object on a machine with a context. Every file, user, and process has a context. The context is broken into three parts: user, role, and type. An SELinux policy controls which users can get which roles. Each specific role places a constraint on what type of files that user can access. When a user logs in to a system, a role is assigned to the user as seen in the ls -Z example, the output unconfined_u is a user role.

      1. Create a directory in your home folder:

        mkdir ~/example_dir

      2. Print the SELinux security context of your home folder’s directories and files :

        ls -Z ~/

        The output is similar to:

          
drwxrwxr-x. example_user example_user unconfined_u:object_r:user_home_t:s0 example_dir

        The SELinux specific information is contained in the unconfined_u:object_r:user_home_t:s0 portion, which follows the following syntax: user:role:type:level. To learn more about users, roles, and related access control, see the CentOS SELinux documentation.

      SELinux Boolean

      An SELinux Boolean is a variable that can be toggled on and off without needing to reload or recompile an SELinux policy.

      1. You can view the list of boolean variables using the getsebool -a command. Pipe the command through grep to narrow down your results.

        sudo getsebool -a | grep "httpd_can"

        You will see a similar output:

          
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off

        You can change the value of any variable using the setsebool command. If you set the -P flag, the setting will persist through reboots. If, for example, you want to allow HTTPD scripts and modules to connect to the network, update the corresponding boolean variable

        sudo setsebool -P httpd_can_network_connect ON

        When viewing a list of your boolean variables, you should now see that it is set to ON.

        sudo getsebool -a | grep "httpd_can"

          
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off

      Next Steps

      This guide provides a brief and basic introduction to SELinux administration. You can now take a deeper dive into SELinux by consulting some of the resources include in the More Information section of this guide.

      More Information

      You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

      This guide is published under a CC BY-ND 4.0 license.



      Source link

      Forgot Your Password ?