1. Preamble
Security-Enhanced Linux (SELinux) is a security module built into the Linux kernel and a security subsystem of Linux.
SELinux was primarily developed by the NSA. Linux kernels 2.6 and above already integrate SELinux.
SELinux is very complex and involves many concepts that are difficult to learn. Many Linux system administrators simply turn SELinux off because they find it troublesome.
If you can master SELinux and use it correctly, I think the whole system can come close to being "indestructible" (always remembering that there is no absolute security).
Mastering the basic concepts of SELinux as well as simple configuration methods is a compulsory course for every Linux system administrator.
This article is based on CentOS 7.4.1708.
This article is purely a sharing of personal learning experience; mistakes are inevitable, so treat it as reference only. If you find a mistake, please point it out, thank you very much!
2. The role of SELinux and the permission management mechanism
2.1 The role of SELinux
The main function of SELinux is to minimize the resources that service processes in the system can access (the principle of least privilege).
Imagine that a network service running as root has a 0-day vulnerability: an attacker can exploit it to do anything they like on your server as root. Isn't that scary?
SELinux is here to solve this problem.
2.2 DAC
In an operating system without SELinux, the only factor that determines whether a resource can be accessed is whether the user has the corresponding permissions (read, write, execute) on that resource.
As long as the process accessing the resource meets that condition, access is granted.
The most fatal problem is that the root user is not subject to any restriction and can access any resource on the system without limit.
The subject of this permission management mechanism is the user; this is known as discretionary access control (DAC).
2.3 MAC
In an operating system using SELinux, access to a resource is determined not only by the factors above but also by whether the type of the process is allowed to access the type of the resource.
This way, even if a process runs as root, the system must determine the process's type and the resource types it is allowed to access before deciding whether to grant access. The space a process can operate in can thus be compressed to a minimum.
Even a service process running as root generally has access only to the resources it needs. Even if a program has a vulnerability, the impact is limited to the resources it is allowed to access. Security is greatly increased.
The subject of this permission management mechanism is the process; this is known as mandatory access control (MAC).
MAC is subdivided into two modes: Multi-Category Security (MCS) and Multi-Level Security (MLS).
The operations below all assume MCS mode.
2.4 Comparison of DAC and MAC
[Figure omitted: comparison of access decisions in DAC and MAC]
As the figure shows, in DAC mode, as long as the user has the corresponding permissions on the directory, it can be accessed. In MAC mode, access is additionally limited by the range of directories the process is allowed to access.
3. Basic concepts of SELinux
3.1 Subject
A subject can be equated with a process.
Note: For ease of understanding, unless otherwise specified, "process" is used for the subject below.
3.2 Object
The resource accessed by the subject. It can be a file, directory, port, device, etc.
Note: For ease of understanding, unless otherwise specified, files or directories are used as objects below.
3.3 Policy & Rule
There are usually a large number of files and processes in a system, and to save time and overhead we usually regulate only selected processes.
Which processes are regulated, and how they are controlled, is determined by the policy.
A policy contains many rules. Some rules can be enabled or disabled as needed (referred to below as Boolean rules).
Rules are modular and extensible. When a new application is installed, it can add rules by adding a new module. Users can also add or remove rules manually.
In the CentOS 7 system, there are three sets of policies, namely:
1. targeted: Controls most network service processes. This is the default policy and the one used in everything below.
2. minimum: Based on targeted, but only selected network service processes are regulated. Generally not used.
3. mls: Multi-level security. Regulates all processes. This is the strictest policy and is very difficult to configure; it is generally not used unless security requirements are extremely high.
Policies can be set in /etc/selinux/config.
3.4 Security Context
Security context is at the heart of SELinux.
I divide security contexts into "process security contexts" and "file security contexts".
A process security context typically corresponds to multiple file security contexts.
A process can access a file only when the two security contexts correspond. Their correspondence is determined by the rules in the policy.
A file's security context is determined by where the file was created and by the process that created it. The system has a set of default values, and users can also set their own defaults.
It's important to note that simply moving files doesn't change the security context of your files.
The structure and meaning of the security context
A security context has four fields, separated by colons: user, role, type and level. For example: system_u:object_r:admin_home_t:s0.
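As an added example (not code from the original article), the shell functions below split a context into its four fields and check a web root listing for files whose type field is not the expected one; the `ls -Z` listing is constructed, so it runs without SELinux, and a level field containing ":" (as in the crond context shown in section 5.1) is handled.

```shell
#!/bin/sh
# Added example (not from the original article): split a security context
# into its fields and list files in a web root whose type is not the one
# expected. The `ls -Z` listing below is constructed, so this runs offline.

# ctx_field CONTEXT user|role|type|level -> prints that field.
# The level may itself contain ":" (e.g. s0-s0:c0.c1023), so only the
# first three separators are significant; read leaves the rest in $lvl.
ctx_field() {
    IFS=: read -r usr role typ lvl <<EOF
$1
EOF
    case "$2" in
        user)  printf '%s\n' "$usr" ;;
        role)  printf '%s\n' "$role" ;;
        type)  printf '%s\n' "$typ" ;;
        level) printf '%s\n' "$lvl" ;;
        *)     return 1 ;;
    esac
}

# find_mislabeled EXPECTED_TYPE: reads `ls -Z` lines on stdin (CentOS 7
# layout: perms owner group context path) and prints every path whose
# type field differs from EXPECTED_TYPE, i.e. what restorecon would fix.
find_mislabeled() {
    while read -r perms owner group ctx path; do
        [ -n "$path" ] || continue
        [ "$(ctx_field "$ctx" type)" = "$1" ] || printf '%s\n' "$path"
    done
}

# Constructed listing of a new site directory: about.html was moved in
# with mv, so it kept the admin_home_t label from the admin's home dir.
SAMPLE_LISTING='-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /usr/share/nginx/html2/index.html
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /usr/share/nginx/html2/about.html
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /usr/share/nginx/html2/logo.png'

printf '%s\n' "$SAMPLE_LISTING" | find_mislabeled httpd_sys_content_t
```

On a real host you would feed it `ls -Z /usr/share/nginx/html2/` and fix the reported files with restorecon -R once the directory's default context has been registered (sections 4.4 and 4.7).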
3.5 SELinux Working Mode
SELinux has three working modes, namely:
1. enforcing: Enforcing mode. Violations of SELinux rules are blocked and logged.
2. permissive: Permissive mode. Violations of SELinux rules are only logged. Generally used for debugging.
3. disabled: SELinux is turned off.
SELinux working mode can be set in /etc/selinux/config.
Switching from disabled to enforcing or permissive requires a system restart, and vice versa.
Enforcing and permissive modes can be switched quickly with the setenforce 1|0 command.
Note that if the system has been running with SELinux turned off for a while, the first restart after turning SELinux on may be slow, because the system has to assign a security context to every file on disk (my restart took about 10 minutes and I thought the machine had hung...).
SELinux logs are recorded with the help of auditd.service; do not disable it.
3.6 SELinux Workflow
[Figure omitted: SELinux workflow diagram, quoted from another source]
Note: the "security text" in the figure refers to the security context.
4. Basic SELinux operations
4.1 Query the security context of a file or directory
Command basic usage
ls -Z
Examples of usage
Query the security context of /etc/hosts.
ls -Z /etc/hosts
Execution results
-rw-r--r--. root root system_u:object_r:net_conf_t:s0 /etc/hosts
4.2 Query the security context of the process
Command basic usage
ps auxZ | grep -v grep | grep <keyword>
Examples of usage
Query the security context of Nginx-related processes.
ps auxZ | grep -v grep | grep nginx
Execution results
system_u:system_r:httpd_t:s0 root 7997 0.0 0.0 122784 2156 ? Ss 14:31 0:00 nginx: master process /usr/sbin/nginx
system_u:system_r:httpd_t:s0 nginx 7998 0.0 0.0 125332 7560 ? S 14:31 0:00 nginx: worker process
4.3 Manually modify the security context of a file or directory
Command basic usage
chcon [options] <file>...
Option  Function
-u  modify the user field of the security context
-r  modify the role field of the security context
-t  modify the type field of the security context
-l  modify the level field of the security context
--reference  set the security context to match the specified file or directory
-R  recurse into directories
-h  modify the security context of the symbolic link itself (without this option, the file the link points to is modified)
Examples of usage
Modify the security context of test to aaa_u:bbb_r:ccc_t:s0.
chcon -u aaa_u -r bbb_r -t ccc_t test
4.4 Revert the security context of a file or directory to its default value
Command basic usage
restorecon [options] <file>...
Option  Function
-v  print each file as it is processed
-R  recurse into directories
Examples of usage
After adding web files to your Nginx server's document directory, set the correct security context on the new files.
restorecon -R /usr/share/nginx/html/
4.5 Query Boolean rules and their status in the system
Command basic usage
getsebool -a
Because the command can query either all rules or a single named rule, you usually list all rules and then filter with grep.
Examples of usage
Query Boolean rules related to httpd.
getsebool -a | grep httpd
Execution results
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
# (remaining output omitted)
4.6 Switching a Boolean rule
Command basic usage
setsebool [option] <rule> on|off
Option  Function
-P  make the change persistent across reboots
Examples of usage
Turn on the httpd_anon_write rule.
setsebool -P httpd_anon_write on
4.7 Add a Default Security Context for a Directory
Command basic usage
semanage fcontext -a -t <type> "<directory>(/.*)?"
Note: the default security contexts of directories and files can be viewed with the semanage fcontext -l command, filtered with grep.
Examples of usage
After adding a new site directory /usr/share/nginx/html2 to Nginx, set the same default security context for it as the original directory.
semanage fcontext -a -t httpd_sys_content_t "/usr/share/nginx/html2(/.*)?"
4.8 Add ports that a given process type is allowed to use
Command basic usage
semanage port -a -t <type> -p <protocol> <port>
Note: the ports allowed for each service type can be viewed with the semanage port -l command, filtered with grep.
Examples of usage
For Nginx, the HTTP service needs to use port 10080.
semanage port -a -t http_port_t -p tcp 10080
5. SELinux error analysis and resolution
5.1 Understanding SELinux Logs
When SELinux is enabled, some normal behavior of many services is treated as a violation (this is what "error" refers to in the section title and below).
In that case we need the SELinux violation logs to analyze and solve the problem.
SELinux violation logs are saved in /var/log/audit/audit.log.
The contents of /var/log/audit/audit.log look roughly like this.
type=LOGIN msg=audit(1507898701.391:515): pid=8523 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=25 res=1
type=USER_START msg=audit(1507898701.421:516): pid=8523 uid=0 auid=0 ses=25 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
...
The file is large and mixed with many system audit records that have nothing to do with SELinux errors. We will use the sealert utility to help with the analysis (if the shell reports that the command is not found, install the setroubleshoot package).
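As an added example (not from the original article), the function below does the first step of that analysis by hand: it keeps only the SELinux denial records (type=AVC) from an audit.log stream and tallies them by source type, target type, object class and denied permission. The log lines are constructed to match the audit record format; only the LOGIN line is taken from the article.

```shell
#!/bin/sh
# Added example (not from the original article): pull the SELinux denial
# records (type=AVC) out of an audit.log stream and tally them by source
# type, target type, object class and denied permission. The sample log
# below is constructed; only the LOGIN line comes from the article.

# Reads audit.log on stdin; prints "count source -> target class { perms }"
# sorted by count, most frequent first.
avc_summary() {
    awk '
    /^type=AVC / {
        perm = ""; src = ""; tgt = ""; cls = ""
        # the permission set sits between "{ " and " }", e.g. "{ read write }"
        if (match($0, /\{ [^}]* \}/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            # the type is the third colon-separated field of a context;
            # taking field 3 also copes with MLS levels that contain ":"
            if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tgt = b[3] }
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        n[src " -> " tgt " " cls " { " perm " }"]++
    }
    END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Constructed sample: one unrelated cron login record, two reads of files
# left with the wrong label in a new site directory, and one write denial
# that the httpd_anon_write Boolean would govern.
SAMPLE_AUDIT_LOG='type=LOGIN msg=audit(1507898701.391:515): pid=8523 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=25 res=1
type=AVC msg=audit(1507898702.100:516): avc:  denied  { read } for  pid=7998 comm="nginx" name="about.html" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1507898702.200:517): avc:  denied  { read } for  pid=7998 comm="nginx" name="logo.png" dev="dm-0" ino=1002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1507898703.300:518): avc:  denied  { write } for  pid=7998 comm="nginx" name="uploads" dev="dm-0" ino=2001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=dir permissive=0'

printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_summary
```

On a real host, run it as avc_summary < /var/log/audit/audit.log; a line such as "httpd_t -> admin_home_t file { read }" points at mislabeled files (restorecon, section 4.4), while a denial on public_content_rw_t points at a Boolean (section 4.6).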
5.2 Analyze errors with sealert
Command basic usage
sealert -a /var/log/audit/audit.log
After the command runs, the system takes some time to analyze the violations in the log and then produces an analysis report.