
SELinux

Security-Enhanced Linux (SELinux) is a security feature included in UMN's RHEL 9 build. See also HEAT's SELinux Documentation.

What is it and why is it useful?

SELinux is a Mandatory Access Control (MAC) system developed by the NSA for Linux. It works in tandem with Linux's Discretionary Access Control (DAC).

DAC defines ownership and access permissions at the user and group level (chmod +rwx, etc.). MAC is a set of fine-grained policies that stay in place even when DAC permissions are changed.

How does it work?

SELinux enforces policies based on SEContext labels. Everything is labeled: files and directories store their labels in extended attributes, while processes, ports, etc. have labels managed by the kernel in memory.

There are two types of policies: booleans and modules. Booleans are on/off switches; modules are custom policies.

How do I use it?

Helpful Introduction Videos / Section References

The following videos are very useful in learning the basics of SELinux:

Things to remember:

Bash
setenforce 0 # permissive
setenforce 1 # enforcing

getenforce # check which mode is on
sestatus   # like getenforce but with more information

semanage   # manage contexts and policies
chcon      # change context
restorecon -vR directory/to/fix/ # reset everything under a directory to its configured context and print everything that was fixed

sealert -a /var/log/audit/audit.log # see all sealerts

getsebool -a # list all boolean switches (there are many)

/etc/selinux/config # your current policy configuration (/etc/sysconfig/selinux is a symlink to it)
You may need to restart processes such as httpd after changing SELinux enforcement.

The -Z flag shows SEContext labels, for example: ls -lZ or netstat -tnlpZ.

Labels look like this: system_u:object_r:httpd_config_t:s0, which has the format SELinux_user:SELinux_role:SELinux_type:level (the level is optional). So the SEContext label system_u:object_r:httpd_config_t:s0 has the user system_u, the role object_r, the type httpd_config_t and the level s0.

Logs are found in /var/log/audit/audit.log. You can also use journalctl to tail logs.
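As an added example (not part of UMN's or HEAT's documentation), a small Python parser that reads AVC records from audit.log lines, splits the user:role:type:level label described above (keeping an MCS level such as s0:c123,c456 intact, since the level itself may contain colons), and counts the enforced denials by source type, target type, class and permission. The sample log lines are constructed, not captured from a real host.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SEContext:
    user: str
    role: str
    type: str
    level: Optional[str]  # "s0", or an MCS/MLS range such as "s0:c123,c456"

def parse_context(label: str) -> SEContext:
    # The level may itself contain ':' (s0-s0:c0.c1023): split on at most three colons.
    parts = label.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context label: {label!r}")
    return SEContext(*parts[:3], parts[3] if len(parts) == 4 else None)

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line: str) -> Optional[dict]:
    """Parse one audit.log line; returns None for non-AVC records (SYSCALL etc.)."""
    if (m := AVC_RE.search(line)) is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        "result": m.group(1),
        "perms": tuple(m.group(2).split()),
        "scontext": parse_context(kv["scontext"]),
        "tcontext": parse_context(kv["tcontext"]),
        "tclass": kv["tclass"],
        "permissive": kv.get("permissive") == "1",  # logged, but not blocked
    }

def summarize_denials(lines) -> Counter:
    """Count enforced denials by (source type, target type, class, permission)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        if rec["result"] == "denied" and not rec["permissive"]:
            for perm in rec["perms"]:
                counts[(rec["scontext"].type, rec["tcontext"].type, rec["tclass"], perm)] += 1
    return counts
# Constructed sample lines in audit.log format (not captured from a real host).
SAMPLE_LOG = [
    'type=AVC msg=audit(1700000000.101:201): avc:  denied  { read open } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)',
    'type=AVC msg=audit(1700000000.200:203): avc:  denied  { write } for  pid=1330 comm="nginx" name="app.log" dev="dm-0" ino=5150 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1',
]
```

Running `summarize_denials(open("/var/log/audit/audit.log"))` gives the same grouping sealert reports on, which is a quick way to see which type pair a restorecon or semanage fix should target.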

Install setroubleshoot and setroubleshoot-server to assist in troubleshooting SELinux. After installing, reboot or restart auditd with service auditd restart.

When changing a context, first set what the context should be with semanage, then apply the change with restorecon -vR /foo.

You can use another file or directory that already has the correct context as a reference when setting the context of a new one: chcon --reference good/reference/path path/to/change.

A file moved from one location to another keeps its original context until restorecon or chcon is run.