Explore information related to selinux

Files and Processes in SELinux on CentOS 7 - More information

This article covers files and processes in SELinux. Managing file and process contexts is at the heart of a successful SELinux implementation.

With SELinux, a process or application will have only the rights it needs to function and NOTHING more. The SELinux policy for the application will determine what types of files it needs access to and what processes it can transition to. 

SELinux policies are written by app developers and shipped with the Linux distribution that supports it. A policy is basically a set of rules that maps processes and users to their rights.


SELinux enforces something we can term "context inheritance". What this means is that, unless the policy specifies otherwise, processes and files are created with the contexts of their parents.

So if we have a process called “proc_a” spawning another process called “proc_b”, the spawned process will run in the same domain as “proc_a” unless specified otherwise by the SELinux policy.


SELinux in Action: Testing a File Context Error

1. First, let's create a directory named www under the root. We will also create a folder called html under www:

mkdir -p /www/html


2. If we run the ls -Z command, we will see these directories have been created with the default_t context:

ls -Z /www/

drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 html


3. Next we copy the contents of the /var/www/html directory to /www/html:

cp /var/www/html/index.html /www/html/


The copied file will have a context of default_t. That's the context of the parent directory.


We now edit the httpd.conf file to point to this new directory as the web site's root folder. 

i. We will also have to relax the access rights for this directory.

vi /etc/httpd/conf/httpd.conf

ii. First we comment out the existing location for document root and add a new DocumentRoot directive to /www/html:

# DocumentRoot "/var/www/html"

DocumentRoot "/www/html"

iii. We also comment out the access rights section for the existing document root and add a new section:

#<Directory "/var/www">

#    AllowOverride None

    # Allow open access:

#    Require all granted

#</Directory>


<Directory "/www">

    AllowOverride None

    # Allow open access:

    Require all granted

</Directory>


We leave the location of the cgi-bin directory as it is. We are not getting into detailed Apache configuration here; we just want our site to work for SELinux purposes.


iv. Finally, restart the httpd daemon:

service httpd restart


Once the server has been restarted, accessing the web page will give us the same “403 Forbidden” error (or default “Testing 123” page) we saw before.

The error is happening because the index.html file's context changed during the copy operation. It needs to be changed back to its original context (httpd_sys_content_t).




restorecond Will not restore a file with more than one hard link - How to resolve this issue

This article covers Tips to fix 'restorecond: Will not restore a file with more than one hard link' error.

To fix this problem, remove the extra hard link, restore the file's context, and recreate the link by typing the following commands:

# rm /etc/sysconfig/networking/profiles/default/resolv.conf

# restorecon /etc/resolv.conf

# ln /etc/resolv.conf /etc/sysconfig/networking/profiles/default/resolv.conf




SELinux users on CentOS 7 – Actions and Deciphering error messages

This article covers more information about SELinux users on CentOS 7.


Deciphering SELinux Error Messages

We looked at one SELinux error message, using the grep command to sift through the /var/log/messages file. Fortunately, SELinux comes with a few tools that make life a bit easier than that. These tools are not installed by default and require a few extra packages, which you should have installed in the first part of this tutorial.

The first command is ausearch. We can make use of this command if the auditd daemon is running. In the following code snippet we are trying to look at all the error messages related to the httpd daemon. Make sure you are in your root account:

ausearch -m avc -c httpd

In our system a number of entries were listed, but we will concentrate on the last one:

----
time->Thu Aug 21 16:42:17 2014
...
type=AVC msg=audit(1408603337.115:914): avc:  denied  { getattr } for  pid=10204 comm="httpd" path="/www/html/index.html" dev="dm-0" ino=8445484 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file

Even experienced system administrators can get confused by messages like this unless they know what they are looking for. To understand it, let’s take apart each of the fields:

type=AVC and avc: AVC stands for Access Vector Cache. SELinux caches its access control decisions for resources and processes, and this cache is known as the Access Vector Cache (AVC). That's why SELinux access denial messages are also known as "AVC denials". These two fields say that the entry comes from the AVC log and that it is an AVC event.


denied { getattr }: The permission that was attempted and the result it got. In this case the get attribute operation was denied.

pid=10204: The process id of the process that attempted the access.

comm: The process id by itself doesn’t mean much. The comm attribute shows the process command. In this case it’s httpd. Immediately we know the error is coming from the web server.

path: The location of the resource that was accessed. In this case it's the file /www/html/index.html.

dev and ino: The device where the target resource resides and its inode address.

scontext: The security context of the process. We can see the source is running under the httpd_t domain.

tcontext: The security context of the target resource. In this case the file type is default_t.

tclass: The class of the target resource. In this case it’s a file.
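To show how the fields above can be picked apart mechanically, here is an added Python example (not code from the original article) that parses AVC records from an ausearch dump into their fields and explains each denial in the terms used above. The sample audit text is constructed to match the entry quoted in the article; its second record is invented for illustration.

```python
import re

# Constructed sample ausearch output, modelled on the entry quoted above;
# the second AVC record is invented for illustration only.
SAMPLE_AUDIT = """\
----
time->Thu Aug 21 16:42:17 2014
type=SYSCALL msg=audit(1408603337.115:914): arch=c000003e syscall=4 success=no exit=-13
type=AVC msg=audit(1408603337.115:914): avc:  denied  { getattr } for  pid=10204 comm="httpd" path="/www/html/index.html" dev="dm-0" ino=8445484 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
----
time->Thu Aug 21 16:42:18 2014
type=AVC msg=audit(1408603338.200:915): avc:  denied  { name_connect } for  pid=10204 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
"""

# Header of an AVC record: timestamp, serial, decision and the permission set.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)"
)
# The key=value pairs that follow; values are either quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Turn one AVC line into a dict; return None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "serial": int(m["serial"]),
           "result": m["result"], "perms": m["perms"].split()}
    for key, val in KV_RE.findall(m["rest"]):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; the type is what policy rules match on.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec

def denials(audit_text):
    """All denied AVC records in an ausearch / audit.log dump, in order."""
    recs = (parse_avc(line) for line in audit_text.splitlines())
    return [r for r in recs if r and r["result"] == "denied"]

def triage(rec):
    """Explain a denial in the article's terms; flag the mislabelled web-root case."""
    src, tgt, perms = rec["scontext_type"], rec["tcontext_type"], " ".join(rec["perms"])
    if src == "httpd_t" and rec.get("tclass") == "file" and tgt == "default_t":
        return (f"{rec['path']} carries default_t (inherited on copy); web content "
                f"served by httpd_t needs httpd_sys_content_t, e.g. via restorecon")
    return f"{rec['comm']} ({src}) denied {{ {perms} }} on {rec['tclass']} labelled {tgt}"
```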




SELinux on CentOS 7 - Set it up now

This article covers how to set up SELinux on CentOS 7. SELinux is a security mechanism built into the Linux kernel. Linux distributions such as CentOS, RHEL, and Fedora ship with SELinux enabled by default.

SELinux improves server security by restricting and defining how a server processes requests and users interact with sockets, network ports, and essential directories.


To check SELinux mode:

The easiest way to check the SELinux (Security-Enhanced Linux) operating mode is the getenforce command.

Run without any options or arguments, this command simply prints the current SELinux operating mode.

Furthermore, the current status of SELinux operational mode can be set permanently or temporarily.


To check whether SELinux is enabled or not:

1. Use the getenforce command, for example:

[vagrant@vagrantdev ~]$ getenforce
Permissive

2. Use the sestatus command.

3. Use the SELinux Configuration File i.e. cat /etc/selinux/config to view the status.


To configure SELinux to enforcing mode:

1. Open the /etc/selinux/config file in a text editor of your choice, for example: # vi /etc/selinux/config

2. Set the SELINUX=enforcing option in that file (the file opens with the comment "# This file controls the state of SELinux on the system.").

3. Save the change, and restart the system: # reboot


To enable SELinux without rebooting:

1. Change the SELinux mode at run time. If SELinux is disabled, it cannot be enabled without rebooting.

2. Determine the current mode of SELinux.

3. To change the SELinux mode permanently, add the kernel parameter selinux=0 (which disables SELinux) to the kernel line in the /boot/grub/grub.conf file.

4. Alternatively, change the setting in /etc/sysconfig/selinux.


To permanently change mode to permissive:

1. Edit the /etc/selinux/config file and set SELINUX=permissive. The file's header comments describe the options:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.

2. Restart the system: $ reboot
