Security-Enhanced Linux (SELinux) is an additional layer of security for the Linux OS. Rather than turning it off, you can run SELinux in “permissive” mode, which allows everything to function normally but logs a warning whenever an action or command would have been blocked.
1. Understanding SELinux
Let’s start with some of the basics of understanding SELinux. It can run in three different modes:
disabled: SELinux is turned off and doesn’t restrict anything.
permissive: SELinux is turned on, but only logs warnings.
enforcing: SELinux is turned on and blocks actions related to services.
View the current status of SELinux
2. Configuring SELinux
You can change the mode in which SELinux operates by using the setup command or by editing the config file (/etc/selinux/config).
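As an added example (not part of the original article), the following shell script shows both halves of sections 1 and 2: it prints the runtime mode with getenforce and sestatus where those tools exist, and it reads and rewrites the boot-time SELINUX= line of a config file. The config it edits is a constructed stand-in created with mktemp, so the script runs on any Linux box; on a real host you would call the same two functions on /etc/selinux/config as root.

```shell
#!/bin/sh
# Added example, not from the original article: read and change SELinux modes.
# The config file it edits is a constructed stand-in for /etc/selinux/config.

# Runtime mode. getenforce prints Enforcing, Permissive or Disabled; sestatus
# also shows the loaded policy and the configured boot-time mode. Both are
# read-only and only exist where the SELinux userspace tools are installed.
if command -v getenforce >/dev/null 2>&1; then
    echo "runtime mode: $(getenforce)"
    if command -v sestatus >/dev/null 2>&1; then sestatus || true; fi
fi
# Switching at runtime needs root and is lost at reboot:
#   setenforce 0   -> Permissive     setenforce 1 -> Enforcing
# Moving between Disabled and the other two modes requires a reboot, because
# files created while SELinux is disabled carry no labels.

# configured_mode FILE : print the SELINUX= value set in FILE, ignoring comments
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# set_configured_mode FILE MODE : rewrite the SELINUX= line, refusing unknown
# modes. The result is copied back over FILE rather than moved into place so
# the file keeps its original permissions and its own SELinux label.
set_configured_mode() {
    case $2 in
        disabled|permissive|enforcing) ;;
        *) echo "invalid mode: $2 (use disabled, permissive or enforcing)" >&2; return 1 ;;
    esac
    tmp=$(mktemp) &&
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$2/" "$1" > "$tmp" &&
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# Constructed stand-in for /etc/selinux/config so the example runs anywhere.
DEMO_CONFIG=$(mktemp)
cat > "$DEMO_CONFIG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

echo "boot-time mode in demo config: $(configured_mode "$DEMO_CONFIG")"   # enforcing
set_configured_mode "$DEMO_CONFIG" permissive
echo "after change: $(configured_mode "$DEMO_CONFIG")"                   # permissive
```

The comment lines in the real config file also contain the text "SELINUX=", which is why configured_mode only accepts the keyword at the start of a line; a naive grep would pick up the commented explanation as well.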
3. File Contexts
SELinux uses three different contexts to enforce security: user, role and domain (also called type).
User:
unconfined_u: unprotected user
system_u: system user
user_u: normal user
Role:
object_r: file
system_r: users and processes
Domain:
unconfined_t: unprotected file or process
Let’s take a look at the SSH service as an example.
The first field you see here is system_u, which is a system user. The second field contains system_r, which is a process. The third field shows unconfined_t as the domain.
Another example is the ssh_config file:
You see the user is system_u (a system user), the role is object_r (a file), and the domain is etc_t. Any service that has access to the etc_t domain is able to access this file.
To change the context of a file or directory, you can use the chcon command:
Step 1. Change the user context from normal user to system user:
Step 2. Reset the context of your file back to its original context:
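As an added example (not part of the original article), this script does what the two worked readings above do by hand: it picks the security context out of an ls -Z or ps -eZ line, splits it into the user, role and type fields, and spells them out. It then walks through Step 1 (chcon -u system_u) and Step 2 (restorecon) on a scratch file, but only on a host where SELinux is actually loaded. The two sample output lines are constructed for the example, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the original article: pick a security context out of
# ls -Z / ps -eZ output and read its user, role and type fields; then, on an
# SELinux-enabled host, walk through chcon and restorecon on a scratch file.
# The sample ls -Z and ps -eZ lines are constructed, not captured from a host.

SAMPLE_LS='-rw-r--r--. root root system_u:object_r:etc_t:s0 ssh_config'
SAMPLE_PS='system_u:system_r:sshd_t:s0-s0:c0.c1023 1204 ? 00:00:00 sshd'

# context_of_line : for each input line print its user:role:type[:level] token
context_of_line() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^[a-z_]+_u:[a-z_]+_r:[a-z_]+_t(:|$)/) { print $i; next } }'
}

# context_field CONTEXT user|role|type : print one field of a context
context_field() {
    case $2 in
        user) n=1 ;; role) n=2 ;; type) n=3 ;;
        *) echo "unknown field: $2" >&2; return 1 ;;
    esac
    printf '%s\n' "$1" | cut -d: -f"$n"
}

# describe_context CONTEXT : spell a context out the way section 3 reads them
describe_context() {
    u=$(context_field "$1" user); r=$(context_field "$1" role); t=$(context_field "$1" type)
    case $r in
        object_r) kind="a file" ;;
        system_r) kind="a process or system user" ;;
        *) kind="role $r" ;;
    esac
    echo "user=$u role=$r ($kind) type=$t"
}

describe_context "$(printf '%s\n' "$SAMPLE_LS" | context_of_line)"
# -> user=system_u role=object_r (a file) type=etc_t
describe_context "$(printf '%s\n' "$SAMPLE_PS" | context_of_line)"
# -> user=system_u role=system_r (a process or system user) type=sshd_t

# Live walk-through of the two chcon steps, only where SELinux is loaded.
# chcon changes the on-disk label; restorecon puts back the label the policy
# expects for that path (what matchpathcon prints), which is why a chcon'd
# file reverts on the next relabel of the filesystem.
if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != "Disabled" ]; then
    f=$(mktemp /tmp/ctxdemo.XXXXXX)
    ls -Z "$f"
    chcon -u system_u "$f" || echo "chcon refused (needs privileges)"   # Step 1
    ls -Z "$f"
    restorecon -v "$f" || true                                          # Step 2
    ls -Z "$f"
    rm -f "$f"
fi
```

The fourth field of a process context (s0-s0:c0.c1023 in the sample) is the MLS/MCS level; cut -d: still returns the type correctly because the level always comes after the three fields the article describes.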
4. Service and Boolean Options
Each service controls certain actions with a set of options defined as Boolean values (on or off). This section shows how to enable access for different services.
To view these Boolean options, you can use the getsebool command combined with grep to look for specific options.
After deciding which Boolean you’d like to change, you need to enable or disable the value appropriately. To achieve this, you can use the setsebool command. Suppose you want to be able to access your home directory through the web server. You need to adjust the httpd_enable_homedirs Boolean.
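As an added example (not part of the original article), the script below works through the httpd_enable_homedirs case: it filters a boolean listing the way getsebool -a piped into grep does, reads the current value, and prints the setsebool -P command only if the value actually needs to change, so re-running it is harmless. The listing it reads is constructed in the style of getsebool -a output; on a live SELinux host the same functions are fed the real output.

```shell
#!/bin/sh
# Added example, not from the original article: find a boolean, read its
# value, and print the idempotent setsebool change needed to reach a target.
# The getsebool-style listing below is constructed; on an SELinux-enabled host
# `getsebool -a` produces the real one.

SAMPLE_BOOLS=$(mktemp)
cat > "$SAMPLE_BOOLS" <<'EOF'
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_enable_homedirs --> off
httpd_read_user_content --> off
samba_enable_home_dirs --> off
EOF

# boolean_value NAME : read getsebool-style lines on stdin, print on/off for NAME,
# fail if the boolean is not listed (a typo in the name is a common mistake)
boolean_value() {
    awk -v name="$1" '$1 == name && $2 == "-->" { print $3; found = 1 }
                      END { exit found ? 0 : 1 }'
}

# plan_boolean NAME on|off : print the setsebool command that would bring NAME
# to the wanted value, or nothing if it is already there. -P writes the change
# into the policy store so it survives a reboot; without -P it lasts only until
# the next reboot.
plan_boolean() {
    case $2 in on|off) ;; *) echo "value must be on or off" >&2; return 1 ;; esac
    current=$(boolean_value "$1") || { echo "unknown boolean: $1" >&2; return 1; }
    [ "$current" = "$2" ] || echo "setsebool -P $1 $2"
}

# Offline demo on the constructed listing: the web server should serve home dirs
grep '^httpd_' "$SAMPLE_BOOLS"                        # like: getsebool -a | grep httpd
plan_boolean httpd_enable_homedirs on < "$SAMPLE_BOOLS"
# -> setsebool -P httpd_enable_homedirs on

# On a live SELinux host, show the real value and the command to run as root.
# `semanage boolean -l` (policycoreutils) prints a one-line description of each.
if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != "Disabled" ] \
   && command -v getsebool >/dev/null 2>&1; then
    getsebool httpd_enable_homedirs || true
    getsebool -a | plan_boolean httpd_enable_homedirs on || true
fi
```

Keep the change as narrow as the need: the listing also shows httpd_can_network_connect, which is far broader than httpd_enable_homedirs, and a boolean left on after the need passes widens what a compromised web server can reach.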
5. SELinux Troubleshooting
There are a few packages that you should install first:
# yum install -y selinux-policy setroubleshoot-server
You will also find the following two log files handy:
/var/log/audit/audit.log: logs SELinux denials
/var/log/messages: logs SELinux denials
Two common commands you can use to hunt for error messages include:
# grep "SELinux is preventing" /var/log/messages
# grep "denied" /var/log/audit/audit.log
Problems can arise in SELinux for numerous reasons. However, the top three include:
Labeling problems: Using a nonstandard directory tends to cause problems if the directory or files aren’t labeled correctly.
Correct context: When you’re moving files, they can lose or retain incorrect contexts, causing access errors. Use the matchpathcon command to verify the correct context.
Confined service: If certain Booleans are not enabled, a service may have trouble operating or communicating with other services.
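As an added example (not part of the original article), the script below goes one step past grep "denied": it condenses the AVC records in audit.log into one line per distinct denial, showing the process, the source domain, the target type, the object class and the permission that was refused, which is exactly what you need to decide which of the three causes above you are looking at. The audit records it parses are constructed for the example, not taken from a real host; the sealert, audit2why, ausearch and matchpathcon commands it mentions are the standard tools from the packages named in this section, and /var/www/html is just an illustrative path.

```shell
#!/bin/sh
# Added example, not from the original article: condense AVC denial records
# from audit.log into "count comm source_type target_type class permission"
# lines, the first thing to look at when a service misbehaves under SELinux.
# The audit records below are constructed for the example, not taken from a host.

SAMPLE_AUDIT=$(mktemp)
cat > "$SAMPLE_AUDIT" <<'EOF'
type=AVC msg=audit(1700000000.101:501): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:502): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:503): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=USER_AVC msg=audit(1700000000.104:504): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)'
EOF

# summarize_avc : stdin = audit.log records, stdout = one line per distinct
# denial, most frequent first. Only kernel AVC "denied" records are counted;
# USER_AVC notices and "granted" records are skipped.
summarize_avc() {
    grep '^type=AVC ' |
    sed -n 's/.*denied *{ \([^}]*\) } for .*comm="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 \3 \4 \5 \1/p' |
    sort | uniq -c | sort -rn | sed 's/^ *//'
}

summarize_avc < "$SAMPLE_AUDIT"
# -> 2 httpd httpd_t user_home_t file read
#    1 httpd httpd_t mysqld_port_t tcp_socket name_connect
# Reading the first line against the three causes in the text: httpd_t may not
# read user_home_t, so either the file is mislabeled for its location (a
# labeling / context problem; restorecon fixes it) or home-directory access is
# deliberately gated by a boolean (httpd_enable_homedirs). The second line is
# the confined-service case: the web server's outbound connection is blocked
# until the matching boolean is switched on.

# Same summary over the real log, where the audit log is readable (root):
if [ -r /var/log/audit/audit.log ]; then
    summarize_avc < /var/log/audit/audit.log | head -n 10
fi

# Tools from setroubleshoot-server / policycoreutils that explain each denial:
#   sealert -a /var/log/audit/audit.log    # plain-language report with suggested fixes
#   audit2why < /var/log/audit/audit.log   # says whether a boolean, a label or policy is the cause
#   ausearch -m avc -ts recent             # recent AVC records straight from auditd
# For the labeling and context causes: matchpathcon prints the context the
# policy expects for a path, and restorecon -Rv applies it to a whole tree.
# (/var/www/html is an illustrative path, not from the article.)
if command -v matchpathcon >/dev/null 2>&1; then
    matchpathcon /var/www/html 2>/dev/null || true
fi
#   restorecon -Rv /var/www/html
```

Sorting by frequency matters in practice: a single service that is mislabeled or missing a boolean produces the same denial hundreds of times, and the rare one-off at the bottom of the list is often the more interesting finding.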
Have fun!