Fedora 26: Mandatory Access Control with SELinux

Table of Contents

1 Show SELinux status

The sestatus and the getenforce shows SELinux status. Enforcing means enabled and Permissive means disabled. SELinux is enabled by default.

$ sudo sestatusSELinux status: enabledSELinuxfs mount: /sys/fs/selinuxSELinux root directory: /etc/selinuxLoaded policy name: targetedCurrent mode: enforcingMode from config file: enforcingPolicy MLS status: enabledPolicy deny_unknown status: allowedMax kernel policy version: 30 $ sudo getenforceEnforcing

2 Enable and disable SELinux with setenforce (Not recommended)

Enable and disable SELinux with setenforce. “on” and “1” means enabled. “off” and “0” means disabled.

$ sudo setenforce on # Enable SELinux.$ sudo setenforce off # Disable SELinux.

But “setenforce off” is not good way. You should use setroubleshoot-server, and set boolean or add policy.

3 Set SELinux boolean with setsebool

SELinux provides boolean for controlling of some function is enabled or disabled. For example, httpd_read_user_content controls to read user home directory.

Get boolean with getsebool.

$ sudo getsebool <key> # Show key value$ sudo getsebool -a # Show all key value

Set boolean with setsebool. -P option will apply boolean permanently. “on” and “1” means enabled. “off” and “0” means disabled.

$ sudo setsebool -P <key> on # Enable <key>$ sudo setsebool -P <key> off # Disable <key>

You do not need to learn boolean name with setroubleshoot-server.

4 Add SELinux policy with semodule

If setsebool cannot allow some action, you need to add SELinux policy with semodule.

  • Create “.te” file. “.te” file is text.
  • Create “.mod” file from “.te” file.
  • Create “.pp” file from “.mod” file. “.pp” file is binary.
  • Loading “.pp” file to semodule adds SELinux policy.

$ # create my-policy.te$ checkmodule -M -m -o my-policy.mod my-policy.te$ semodule_package -m my-policy.mod -o my-policy.pp$ sudo semodule -i my-policy.pp

setroubleshoot-server will suggest “.te” file example.

5 Get resolution for SELinux from setroubleshoot-server

setroubleshoot-server provides resolution for SELinux to journald log when SELinux denies something.

5.1 setsebool example

SELinux will deny mod_userdir of httpd.

$ sudo journalctl<snip>Jun 11 22:15:59 fedora-25 setroubleshoot[20931]: Deleting alert4d17868b-f30d-4719-9bbd-997a38f61807, it is dontaudit’d in current policyJun 11 22:16:00 fedora-25 setroubleshoot[20931]: SELinux is preventinghttpd from read access on the directory public_html. For completeSELinux messages. run sealert -l 50efa2e4-2f95-40f3-ba54-114a9a44b4c2Jun 11 22:16:00 fedora-25 python3[20931]: SELinux is preventing httpdfrom read access on the directory public_html. ***** Plugin catchall_boolean (32.5 confidence) suggests *************** If you want to allow httpd to read user content Then you must tell SELinux about this by enablin the ‘httpd_read_user_content’ boolean. Do setsebool -P httpd_read_user_content 1<snip>

You can change SELinux control with commands at the “Do”.

$ sudo setsebool -P httpd_read_user_content 1

5.2 semodule example

SELinux will deny creating socket by Nagios.

$ sudo journalctlJun 11 23:22:42 fedora-25 setroubleshoot[9871]: SELinux is preventingnagios from create access on the sock_file nagios.qh. For completeSELinux messages. run sealert -l 3221abf3-4aae-4451-9d57-267a78ef12feJun 11 23:22:42 fedora-25 python3[9871]: SELinux is preventing nagiosfrom create access on the sock_file nagios.qh. ***** Plugin catchall (100. confidence) suggests *********************** If you believe that nagios should be allowed create access on the nagios.qh sock_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c ‘nagios’ –raw | audit2allow -M my-nagios # semodule -X 300 -i my-nagios.pp

ausearch and audit2allow creates “.pp” file and “.te” file. But ausearch does not work unless SELinux denied once.

$ sudo ausearch -c ‘nagios’ –raw | audit2allow -M my-nagios******************** IMPORTANT ***********************To make this policy package active, execute:semodule -i my-nagios.pp$ ls my-nagios.*my-nagios.pp my-nagios.te

semodule adds SELinux policy.

$ sudo semodule -X 300 -i my-nagios.pp

For adding SELinux policy before SELinux denies, you need to create “.te” file manually.

  • Create “.te” file and “.pp” file with ausearch and audit2allow after SELinux denied on test environment. And copy “.te” file to product environment.
  • Add SELinux policy with “.te” file on product environment before SELinux denies.

$ cat my-nagios.temodule my-nagios 1.0;require { type nagios_log_t; type nagios_t; class sock_file create;}#============= nagios_t ==============allow nagios_t nagios_log_t:sock_file create;

Android | Linux | SDL - Narrow Escape