Saturday, September 10, 2011

RHEL6 SELinux cheat sheet

SkyHi @ Saturday, September 10, 2011
A lot of admins turn SELinux off because it looks complicated. Here is a cheat sheet to make your life easier.
Two important pieces of documentation about SELinux can be found here:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/index.html
—————————————————————————–
If you work on CentOS or Red Hat, install the following packages on your system:
setroubleshoot.noarch : Helps troubleshoot SELinux problems
setroubleshoot-plugins.noarch : Analysis plugins for use with setroubleshoot
setroubleshoot-server.noarch : SELinux troubleshoot server


[root@client1 ~]# yum install setroubleshoot
Start the setroubleshootd daemon:


[root@client1 ~]# setroubleshootd
—————————————————————————–
Get the status of SELinux:
[root@client1 ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
Check for permissive or enforcing mode: 


[root@client1 ~]# getenforce
If you get back a 1, SELinux is turned on; if you get back a 0, it is turned off.
Switch SELinux between permissive and enforcing mode:


[root@client1 ~]# setenforce 1 (will set enforcing mode)


[root@client1 ~]# setenforce 0 (will set permissive mode)
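A check that belongs next to setenforce, added here as an example that is not part of the original post: after troubleshooting it is easy to leave a box in permissive mode, and nothing in the boot configuration will complain. The script below parses the sestatus output shown above and reports when the running mode differs from the mode in the config file. The two sestatus samples are constructed in that layout; on a live host you would pass the real output instead.

```shell
#!/bin/sh
# Added example (not from the original post): warn when the running SELinux
# mode no longer matches /etc/selinux/config, e.g. after a forgotten
# "setenforce 0". Parses sestatus output; samples below are constructed.

# Print the value of one "Key: value" line of sestatus output read on stdin.
# Args: $1 = key, for example "Current mode".
sestatus_field() {
    sed -n "s/^$1:[[:space:]]*//p" | head -n 1
}

# Normalise the mode names printed by getenforce/sestatus to lower case.
mode_name() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]'
}

# Compare running and configured mode. Args: $1 = sestatus output.
# Returns 0 when they match, 1 when they differ, 2 when the output carries no
# mode lines (sestatus prints only the status line when SELinux is disabled).
check_mode_drift() {
    current=$(printf '%s\n' "$1" | sestatus_field "Current mode")
    configured=$(printf '%s\n' "$1" | sestatus_field "Mode from config file")
    if [ -z "$current" ] || [ -z "$configured" ]; then
        echo "cannot determine SELinux mode from sestatus output"
        return 2
    fi
    current=$(mode_name "$current")
    configured=$(mode_name "$configured")
    if [ "$current" = "$configured" ]; then
        echo "ok: running mode '$current' matches the config file"
        return 0
    fi
    echo "WARNING: running mode is '$current' but the config file says '$configured'"
    return 1
}

# Constructed sestatus output: a consistent host, and one where somebody ran
# "setenforce 0" and never switched back.
SAMPLE_OK='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing'

SAMPLE_DRIFT='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing'

check_mode_drift "$SAMPLE_OK"
if ! check_mode_drift "$SAMPLE_DRIFT"; then
    echo "(drift in the constructed sample detected, as expected)"
fi
```

On a real host call check_mode_drift "$(sestatus)" from cron or a monitoring agent and alert on a non-zero exit status. Note that getenforce itself prints the mode name (Enforcing, Permissive or Disabled), and setenforce accepts either 1/0 or those names.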
—————————————————————————–
SELinux AVC log files:
All SELinux logs can be found in /var/log/audit/audit.log.
SELinux log files look very cryptic without the tool sealert. Here is an extract of the log without and with the sealert command:


[root@client1 ~]# less /var/log/audit/audit.log
type=DAEMON_START msg=audit(1304542876.396:4843): auditd start, ver=1.7.18 format=raw kernel=2.6.18-238.el5 auid=4294967295 pid=2553 subj=system_u:system_r:auditd_t:s0 res=success
type=CONFIG_CHANGE msg=audit(1304542876.570:4): audit_enabled=1 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0 res=1


[root@client1 ~]# sealert -a /var/log/audit/audit.log | less
found 1 alerts in /var/log/audit/audit.log
——————————————————————————–
Summary:
SELinux is preventing nagios (nagios_t) "getattr" to /var/nagios/objects.cache
(var_t).
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]
SELinux denied access requested by nagios. It is not expected that this access
is required by nagios and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /var/nagios/objects.cache,
restorecon -v '/var/nagios/objects.cache'
If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
—————————————————————————–
SELinux boolean variables:
Each service has its own ruleset. The SELinux booleans can be listed with the command getsebool.
Here is an example for the httpd service:


[root@client1 ~]# getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> on
If you start the Apache server now you will not be able to connect to it, because httpd_can_network_connect is turned off.


Set the boolean to on:
[root@client1 ~]# setsebool -P httpd_can_network_connect=on
Now you are able to start the apache server and connect to it.
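Booleans are the first thing that drifts between hosts, so a practitioner usually keeps a per-service baseline and compares the output of getsebool -a against it. The script below is an added example and not part of the original post: it parses the "name --> state" lines shown above, prints a setsebool -P command for every boolean that differs from the baseline (the -P flag is what makes a change survive a reboot), and returns the number of mismatches as its exit status. The baseline and the getsebool output are both constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit httpd booleans against a
# baseline and emit the setsebool -P commands that would bring the host back
# in line. Input layout is the "name --> state" output of getsebool -a.

# Hypothetical baseline for this host: one "name=state" per line.
HTTPD_BASELINE='httpd_can_network_connect=on
httpd_can_network_connect_db=on
httpd_can_sendmail=off
allow_httpd_anon_write=off'

# Constructed getsebool -a output for the httpd booleans.
SAMPLE_GETSEBOOL='allow_httpd_anon_write --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> on
httpd_can_network_relay --> off
httpd_can_sendmail --> on'

# Look up one boolean in getsebool output. Args: $1 = output, $2 = name.
# Prints "on" or "off"; prints nothing if the policy has no such boolean.
bool_state() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n && $2 == "-->" { print $3; exit }'
}

# Compare the baseline with the actual state. Args: $1 = getsebool output,
# $2 = baseline. Prints one "setsebool -P name=state" line per mismatch and
# returns the number of mismatches (0 means the host matches the baseline).
audit_booleans() {
    drift=0
    for entry in $2; do
        name=${entry%%=*}
        want=${entry#*=}
        have=$(bool_state "$1" "$name")
        if [ -z "$have" ]; then
            echo "# $name: not present in the loaded policy" >&2
            drift=$((drift + 1))
        elif [ "$have" != "$want" ]; then
            echo "setsebool -P $name=$want"
            drift=$((drift + 1))
        fi
    done
    return $drift
}

# Demonstrate with the constructed sample; on a live host pass "$(getsebool -a)".
audit_booleans "$SAMPLE_GETSEBOOL" "$HTTPD_BASELINE" || echo "$? boolean(s) drifted"
```

The printed commands are meant to be reviewed, not piped straight into a shell: a boolean that is "wrong" on one host may be the only thing keeping an application working there, and each one should be matched to a need in man httpd_selinux.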


SELinux man page:

[root@client1 ~]# man httpd_selinux
—————————————————————————–
Restore default security context of files or directories (File labeling):
Check the file context:
[root@client1 ~]# ls -Z
drwxr-xr-x root root root:object_r:httpd_sys_content_t nagvis
drwxr-xr-x root root root:object_r:httpd_sys_content_t nconf


[root@client1 ~]# restorecon -v /var/www/html/index.html 


[root@client1 ~]# restorecon -Rv /var/www/html
 
To check if a restore is needed:
[root@client1 ~]# restorecon -Rv -n /var/www/html


Set a new security context (not persistent, lost on the next relabel):
[root@client1 ~]# chcon -Rv --type=httpd_sys_content_t /html


Set a new security context (persistent):
[root@client1 ~]# semanage fcontext -a -t httpd_sys_content_t "/html(/.*)?"
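The dry run restorecon -Rv -n shown above is the natural basis for a label check, and this added example (not part of the original post) turns it into one. restorecon -v prints one line per file it would change, in the form "restorecon reset PATH context OLD->NEW"; the script reduces each line to the old and new type and counts them, so a cron job can alert when a docroot has picked up mislabeled files. Remember that semanage fcontext only records the mapping; the labels on disk change only when restorecon is run afterwards. The restorecon output below is constructed in that format.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the output of
# "restorecon -Rvn <dir>" and count how many files would be relabeled.
# Sample lines are constructed in the layout restorecon -v prints.

SAMPLE_RESTORECON='restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/app/config.php context system_u:object_r:var_t:s0->system_u:object_r:httpd_sys_content_t:s0'

# Print "PATH: OLDTYPE -> NEWTYPE" for every file restorecon would change.
# Args: $1 = restorecon -v output. A context is user:role:type:level, so the
# type is the third colon-separated field. Paths containing spaces are not
# handled by this field-based parser.
relabel_report() {
    printf '%s\n' "$1" | awk '
        $1 == "restorecon" && $2 == "reset" {
            split($5, ctx, "->")      # $5 is OLD->NEW
            split(ctx[1], old, ":")
            split(ctx[2], new, ":")
            printf "%s: %s -> %s\n", $3, old[3], new[3]
        }'
}

# Number of files that would be relabeled. Args: $1 = restorecon -v output.
mislabeled_count() {
    printf '%s\n' "$1" | grep -c '^restorecon reset ' || true
}

# Live check for one directory: prints the report and returns the number of
# files that need a relabel, so a non-zero status means "run restorecon -Rv".
check_labels() {
    out=$(restorecon -Rvn "$1" 2>/dev/null)
    relabel_report "$out"
    return "$(mislabeled_count "$out")"
}

# Demonstrate with the constructed sample; on a live host use check_labels /var/www/html.
relabel_report "$SAMPLE_RESTORECON"
echo "$(mislabeled_count "$SAMPLE_RESTORECON") file(s) would be relabeled"
```

A file that keeps coming back as mislabeled after restorecon usually means the application writes it with a context inherited from somewhere else (a file copied from a home directory, for example), which is exactly the case a persistent semanage fcontext rule is meant for.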
—————————————————————————–
Open a non-standard port for the httpd service:
[root@client1 ~]# semanage port -a -t http_port_t -p tcp 81


List all ports permitted by SELinux, grouped by port type:
[root@client1 ~]# semanage port -l
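Before adding a port with semanage port -a it is worth checking what semanage port -l already says about it: a port that is already assigned to a different type cannot simply be added to http_port_t (semanage port -m modifies an existing mapping instead), and a port inside a range such as the ephemeral range is owned too. This added example, not part of the original post, parses the semanage port -l layout (type, protocol, then a comma-separated list of ports and ranges) and answers "which type owns tcp/81?". The semanage output below is constructed in that layout.

```shell
#!/bin/sh
# Added example (not from the original post): find the SELinux port type that
# owns a given protocol/port from "semanage port -l" output, honouring ranges
# such as 10001-10010. Sample output below is constructed.

SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
http_cache_port_t              tcp      3128, 8080, 8118, 10001-10010
postgresql_port_t              tcp      5432
ephemeral_port_t               tcp      32768-61000'

# Does PORT fall inside one "N" or "N-M" entry? Args: $1 = entry, $2 = port.
port_in_entry() {
    case $1 in
        *-*) lo=${1%-*}; hi=${1#*-} ;;
        *)   lo=$1; hi=$1 ;;
    esac
    [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ]
}

# Print the type(s) that own PROTO/PORT, one per line (nothing if unassigned).
# Args: $1 = semanage port -l output, $2 = proto (tcp/udp), $3 = port number.
port_owner() {
    # keep rows for the protocol, drop the commas, then test every entry
    printf '%s\n' "$1" |
    awk -v proto="$2" '$2 == proto { t = $1; $1 = ""; $2 = ""; gsub(/,/, " "); print t, $0 }' |
    while read -r type rest; do
        for entry in $rest; do
            if port_in_entry "$entry" "$3"; then
                echo "$type"
                break
            fi
        done
    done
}

# Is PROTO/PORT already allowed for TYPE? Args: $1 = output, $2 = type,
# $3 = proto, $4 = port. Exit status 0 means yes.
port_allowed() {
    port_owner "$1" "$3" "$4" | grep -qx "$2"
}

# Demonstrate with the constructed sample; on a live host pass "$(semanage port -l)".
for p in 80 81 8080 10005 40000; do
    owner=$(port_owner "$SAMPLE_PORTS" tcp "$p")
    echo "tcp/$p: ${owner:-not assigned to any type, semanage port -a would be needed}"
done
```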
—————————————————————————–
Create an SELinux rule:
[root@client1 ~]# grep security_context_t /var/log/audit/audit.log | audit2allow -m nagios1 > nagios.te


Now review the rules in the .te file.
Create an SELinux module:
[root@client1 ~]# grep security_context_t /var/log/audit/audit.log | audit2allow -M nagios1


Install the module:
[root@client1 ~]# semodule -i nagios1.pp
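The step that matters most in the module workflow above is "review the rules in the .te file": whatever audit2allow turns into a module becomes a permanent allow rule, so the denials going in should be understood first. This added example, not part of the original post, does the review that the sealert summary in the AVC section does by hand: it reads audit.log lines, keeps only AVC denials and reduces each one to source type, target type, object class and permission, with a count. The audit.log lines are constructed in the AVC format; the nagios_t/var_t getattr case mirrors the sealert output above, and a second, unrelated httpd_t denial is included to show why a blanket grep over the whole log can pull foreign denials into a module.

```shell
#!/bin/sh
# Added example (not from the original post): summarise AVC denials from
# audit.log as "count source_type target_type class { perm }" so the content
# of an audit2allow module can be reviewed before it is built. Sample lines
# are constructed in the audit.log AVC layout.

SAMPLE_AUDIT='type=DAEMON_START msg=audit(1304542876.396:4843): auditd start, ver=1.7.18 format=raw kernel=2.6.18-238.el5 auid=4294967295 pid=2553 subj=system_u:system_r:auditd_t:s0 res=success
type=AVC msg=audit(1304542901.101:4850): avc:  denied  { getattr } for  pid=2601 comm="nagios" path="/var/nagios/objects.cache" dev=dm-0 ino=131075 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1304542902.223:4851): avc:  denied  { read } for  pid=2601 comm="nagios" name="objects.cache" dev=dm-0 ino=131075 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1304542903.334:4852): avc:  denied  { getattr } for  pid=2601 comm="nagios" path="/var/nagios/objects.cache" dev=dm-0 ino=131075 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1304542910.001:4860): avc:  denied  { name_connect } for  pid=2710 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# Summarise AVC denials. Args: $1 = audit.log text.
# Output: "COUNT source_type target_type tclass { perm }", highest count first.
avc_summary() {
    printf '%s\n' "$1" | awk '
        /^type=AVC / && / denied / {
            perm = ""; src = ""; tgt = ""; cls = ""
            # the permission list sits between braces: { getattr }
            if (match($0, /\{[^}]*\}/)) perm = substr($0, RSTART, RLENGTH)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                # contexts are user:role:type:level; the type is field 3
                if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
                if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
                if (kv[1] == "tclass")   cls = kv[2]
            }
            count[src " " tgt " " cls " " perm]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# Number of distinct (source, target, class, permission) tuples in the log.
avc_tuple_count() {
    avc_summary "$1" | grep -c . || true
}

# Demonstrate with the constructed sample; on a live host pass
# "$(cat /var/log/audit/audit.log)" or pipe a filtered grep into it.
avc_summary "$SAMPLE_AUDIT"
```

Each output line corresponds to one allow rule that audit2allow would write. If a tuple does not belong to the service you are fixing (the httpd_t to mysqld_port_t entry in the sample), narrow the grep that feeds audit2allow so that it is excluded, and if a tuple is covered by an existing boolean (httpd_can_network_connect_db in that case) prefer setsebool -P over a custom module.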




REFERENCES
http://www.salsaunited.net/blog/?p=89