SELinux is a Linux kernel security module that implements what's known as MAC (Mandatory Access Control). MAC is implemented on top of what already exists in every Linux distro, DAC (Discretionary Access Control).

I installed a useful tool, semanage: dnf install -y policycoreutils-python

Get the status:

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)

You can get a brief status:

$ getenforce
Enforcing | Permissive (warnings) | Disabled

Alternatively, SELinux is configurable by editing /etc/selinux/config. After changes you need to reboot.

cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Some history

Now, in relation to httpd, SELinux has evolved: in CentOS 7 it was unified, which is simpler but less secure (sudo setsebool -P httpd_unified 1). In CentOS 8 httpd_unified is set to 0 by default, allowing more granular control (sudo setsebool -P httpd_unified 0).

I needed to set labels on folders depending on permissions:

ls -Z /var/www/html

Adjust /var/www and subfolders to be read-writable:

sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/www(/.*)?"

Apply the new labels with restorecon -R -v /var/www, then check again:

$ ls -Z /var/www/html
drwxr-xr-x.  3 jazio  apache unconfined_u:object_r:httpd_sys_rw_content_t:s0        18 Jun 24 17:32 folder1
drwxr-xr-x. 14 apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0      4096 Mar  9  2020 folder2
-rwxr-xr-x.  1 apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0   2335695 Mar  4  2020 folder3
-rwxr-xr-x.  1 apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0    332158 Mar  4  2020 folder4

You’re set.

Set the correct context for log files in case you defined a log folder inside the site:

sudo semanage fcontext -a -t httpd_log_t "/var/www/example.com/log(/.*)?"

Next, use the restorecon command to apply these changes and have them persist across reboots:

sudo restorecon -R -v /var/www/example.com/log

The -R flag runs restorecon recursively, meaning it will relabel any existing files under the path with the new context. The -v flag prints the context changes the command made.

Some notes about Apache context types

Before we can start creating our own policies for applying Apache's context types, we need to understand which ones are available to us out of the box. The following table shows the ones we are primarily interested in; there are several others available.

httpd_sys_content_t       Read-only directories and files used by Apache.
httpd_sys_rw_content_t    Readable and writable directories and files used by Apache. Assign this to directories where files can be created or modified by your application, or assign it directly to files to allow your application to modify them.
httpd_log_t               Used by Apache to generate and append to web application log files.
httpd_cache_t             Assign to a directory used by Apache for caching, if you are using mod_cache.

You can list all file context rules known to the loaded policy with:

semanage fcontext -l
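As an added example (not from the original post), a small POSIX shell script that audits the labels under a site root against the context types in the table above and prints the semanage/restorecon commands needed for any mismatch. The site layout it assumes (html read-only, an uploads folder writable, a log folder labelled httpd_log_t) is hypothetical, and the live audit relies on GNU stat's %C format, which prints the SELinux context.

```shell
#!/bin/sh
# Added example, not part of the original post: audit SELinux file labels
# under a web root and emit the fix commands for any path whose type does
# not match what the Apache context-type table expects.

# Extract the type field (third of user:role:type:level) from a context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Expected type for a path, by suffix. The layout is a hypothetical
# assumption: html/ read-only, uploads/ writable, log/ for Apache logs.
expected_type() {
    case "$1" in
        */log|*/log/*)          echo httpd_log_t ;;
        */uploads|*/uploads/*)  echo httpd_sys_rw_content_t ;;
        *)                      echo httpd_sys_content_t ;;
    esac
}

# Compare the actual context of a path with the expected type.
# Returns 0 when the label is right; otherwise prints the commands that
# would record the rule and relabel the tree, and returns 1.
check_label() {
    path=$1; ctx=$2
    want=$(expected_type "$path")
    have=$(context_type "$ctx")
    if [ "$have" = "$want" ]; then
        return 0
    fi
    echo "MISMATCH $path: has $have, expected $want"
    echo "  sudo semanage fcontext -a -t $want \"$path(/.*)?\""
    echo "  sudo restorecon -R -v $path"
    return 1
}

# Live audit: read real contexts with GNU stat. Run only on an SELinux host.
audit_tree() {
    find "$1" -print | while read -r p; do
        check_label "$p" "$(stat -c %C "$p")"
    done
}

# Constructed sample contexts, mirroring the ls -Z output shown above:
# the log folder carrying httpd_sys_rw_content_t is reported as a mismatch.
demo() {
    check_label /var/www/example.com/html "system_u:object_r:httpd_sys_content_t:s0"
    check_label /var/www/example.com/log  "unconfined_u:object_r:httpd_sys_rw_content_t:s0"
}
```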

Restart the httpd service using the following command:

sudo systemctl restart httpd

A final note: while reading logs (using the Cockpit GUI tool, /selinux/setroubleshoot), I found several warnings like this one: "SELinux is preventing php-fpm from name_connect access on the tcp_socket port 443." I wanted to allow httpd to send mail. "Unable to apply this solution automatically. You must tell SELinux about this by enabling the 'httpd_can_sendmail' boolean."

setsebool -P httpd_can_sendmail 1

And yes, SELinux was created by the United States National Security Agency (NSA). It was originally developed by the NSA as a series of patches to the Linux kernel using Linux Security Modules (LSM).

SELinux was released to the open source community in 2000 and was integrated into the upstream Linux kernel in 2003. But until you find the corpse, aka the backdoor itself, I can't say anything against it.