SELinux implements what's known as MAC (Mandatory Access Control). This is implemented on top of what's already present in every Linux distribution, the DAC (Discretionary Access Control).
In a traditional security model, we have three entities: User, Group, and Other (u,g,o) who can have a combination of Read, Write, and Execute (r,w,x) permissions on a file or directory.
At any one time, SELinux can be in any of three possible modes:
- Enforcing
- Permissive
- Disabled
Permissive mode is like a semi-enabled state. SELinux doesn't apply its policy in permissive mode, so no access is denied. However any policy violation is still logged in the audit logs. It's a great way to test SELinux before enforcing it.
We can run the getenforce command to check the current SELinux mode:
getenforce
We can also run the sestatus command, which gives more detail:
sestatus
The main configuration file for SELinux is /etc/selinux/config.
An SELinux policy defines user access to roles, role access to domains, and domain access to types.
Every regular Linux user account is mapped to one or more SELinux users.
A role defines which users can enter which process domains.
Roles come into play because part of SELinux implements what's known as Role Based Access Control (RBAC).
Subjects and Objects
A subject is a process and can potentially affect an object.
An object in SELinux is anything that can be acted upon. This can be a file, a directory, a port, a TCP socket, the cursor, or perhaps an X server. The actions that a subject can perform on an object are the subject's permissions.
Domains are for Subjects
A domain is the context within which an SELinux subject (process) can run. That context is like a wrapper around the subject. It tells the process what it can and can't do.
Types are for Objects
A type is the context assigned to a file (or other object) that stipulates the file's purpose.
SELinux policy defines user access to roles, role access to domains, and domain access to types. First the user has to be authorized to enter a role, and then the role has to be authorized to access the domain. The domain in turn is restricted to access only certain types of files.
The policy itself is a bunch of rules that say that so-and-so users can assume only so-and-so roles, and those roles will be authorized to access only so-and-so domains. The domains in turn can access only so-and-so file types.
User -> Role -> Domain -> Types
SELinux security decisions come into play after DAC security has been evaluated.
Running ls with the -Z flag shows the security context of files:
ls -Z
A file is said to be labelled with its security context when this information is available for it. Let's take a closer look at one of the security contexts:
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/logrotate.conf
The security context is this part: system_u:object_r:etc_t:s0
There are four parts, and each part of the security context is separated by a colon (:). The first part is the SELinux user context for the file. We can see that it's system_u. Each Linux user account maps to an SELinux user, and in this case the root user that owns the file is mapped to the system_u SELinux user. This mapping is done by the SELinux policy. The second part specifies the SELinux role, which is object_r.
What's most important here is the third part, the type of the file, listed here as etc_t. This is the part that defines what type the file or directory belongs to. We can see that most files in the /etc directory belong to the etc_t type. You can think of the type as a sort of "group" or attribute for the file: it's a way of classifying the file. The fourth part of the security context, s0, has to do with multilevel security (MLS). This is another way of enforcing SELinux security policy, and this part shows the sensitivity of the resource (s0).
The same flag works with ps to show the context of running processes:
ps -efZ | grep 'httpd\|vsftpd'
Once again the -Z flag is used for displaying SELinux contexts. The output shows the process's security context, the user running the process, the process ID, and the parent process ID:
system_u:system_r:httpd_t:s0 root 7126 1 0 16:50 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
The security context is this part: system_u:system_r:httpd_t:s0
The security context has four parts: user, role, domain, and sensitivity. The user, role, and sensitivity work just like the same contexts for files. The domain is unique to processes.
SELinux users are suffixed by "_u", roles are suffixed by "_r", and types (for files) or domains (for processes) are suffixed by "_t".
SELinux Audit Logs
SELinux denial messages (AVC records) are written to the audit log when auditd is running, and to the system log otherwise:
/var/log/audit/audit.log
/var/log/messages
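The following shell script is an added example, not part of the original post: it splits the user:role:type:level contexts shown in the ls -Z and ps -efZ output above into their fields, checks the _u/_r/_t naming convention, and reduces an AVC denial record of the kind found in these logs to subject domain, object type and object class. The context strings and the audit line are constructed samples, and the cut/sed parsing is my own approach rather than a tool from the post.

```shell
#!/bin/sh
# Added example (not from the original post): split an SELinux security
# context (user:role:type:level, as printed by `ls -Z` and `ps -efZ`)
# into its fields, and summarise an AVC denial record from audit.log.
# All sample lines below are constructed, not captured from a real host.

# Print one field (user|role|type|level) of a security context string.
# The level is taken as "field 4 onwards" because an MLS/MCS range such
# as s0-s0:c0.c1023 contains colons of its own.
ctx_field() {
    ctx="$1"; want="$2"
    case "$want" in
        user)  printf '%s\n' "$ctx" | cut -d: -f1 ;;
        role)  printf '%s\n' "$ctx" | cut -d: -f2 ;;
        type)  printf '%s\n' "$ctx" | cut -d: -f3 ;;
        level) printf '%s\n' "$ctx" | cut -d: -f4- ;;
        *)     return 1 ;;
    esac
}

# Return 0 when the context follows the naming convention described in
# the post: users end in _u, roles in _r, types/domains in _t.
ctx_conforms() {
    case "$(ctx_field "$1" user)" in *_u) ;; *) return 1 ;; esac
    case "$(ctx_field "$1" role)" in *_r) ;; *) return 1 ;; esac
    case "$(ctx_field "$1" type)" in *_t) ;; *) return 1 ;; esac
}

# Reduce an AVC record to "<subject domain> <object type> <object class>".
# scontext is the context of the subject (process), tcontext that of the
# object it tried to act on, and tclass the kind of object (file, port...).
avc_summary() {
    line="$1"
    sc=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tc=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    cls=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    [ -n "$sc" ] && [ -n "$tc" ] && [ -n "$cls" ] || return 1
    printf '%s %s %s\n' "$(ctx_field "$sc" type)" "$(ctx_field "$tc" type)" "$cls"
}

# Constructed samples: a file context, a process context, and one AVC line.
FILE_CTX='system_u:object_r:etc_t:s0'
PROC_CTX='system_u:system_r:httpd_t:s0'
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=7126 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

printf 'file type:      %s\n' "$(ctx_field "$FILE_CTX" type)"
printf 'process domain: %s\n' "$(ctx_field "$PROC_CTX" type)"
printf 'denial summary: %s\n' "$(avc_summary "$SAMPLE_AVC")"
```

On a real host the same functions can be fed lines from /var/log/audit/audit.log (for example via grep AVC) to see which domain was denied which action on which type.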