The 10 commandments to avoid disabling SELinux

Well, they are 10 ideas or commands actually ūüėČ
Due to my new role at Alfresco as Senior DevOps Security Architect, I’m doing some new cool stuff (that I will be publishing here soon) and also learning a lot and helping a little bit with my knowledge on security to the DevOps team.
One of the goals I promised myself was to ‚Äúnever disable SELinux‚ÄĚ, even if that means to learn more about it and spend time on it. I may say that it‚Äôs being a worth it investment of my time and here you go some results of it.

This article is not about what is or what is not SELinux, you have the Wikipedia for that. But a brief description could be: a MAC (Mandatory Access Control) implementation in Linux that prevents a process to access to other processes or files that is supposed to not to have access (open, read, write files, etc.)

If you are here is because you want to finally start using SELinux and you are really interested on make it work, to tame this wild horse. Let me just say something, if you are really worry about security and have dozens of Linux servers in production, keep SELinux enabled, keep it ‚ÄúEnforcing‚ÄĚ, no question.
Once said that, here is my list. It is not an exhaustive list, I’m looking forward to see your insights in the comments:
  1. Enable SELinux in Enforcing mode:
    • In configuration files (need restart)
      • /etc/sysconfig/selinux (RedHat/CentOS 6.7 and older)
      • /etc/selinux/config (RedHat/CentOS 7.0 and newer)
    • Through commands (no restart required)
      • setenforce¬†Enforcing
    • To check the status use
      • sestatus # or command getenforce
  2. Use the right tools. To do cool things you need cool tools, we will need some of them:
    • yum¬†install¬†-y¬†setools-console¬†policycoreutils-python¬†setroubleshoot-server
    • policycoreutils-python¬†comes¬†with¬†the¬†great¬†semanage¬†command,¬†the¬†lord¬†of¬†the¬†SELinux¬†commands
    • setools-console¬†comes¬†with¬†seinfo,¬†sesearch¬†and¬†sechecker¬†among¬†others
    • from setroubleshoot-server package we will use sealert to easily identify issues
  3. Get to know what is going on: Dealing with SELinux happens mostly during installation, configuration and tests of Linux services. Therefore, in case something in your system is not working properly or in the same manner as with SELinux disabled. When you are configuring and installing a service or application on a server and something is not working as expected, not starting as it should to, you always think ‚ÄúDamn SELinux, let‚Äôs disable it‚ÄĚ. Forget about that, you have to check the proper place to see what is going on with it: the Audit logs. Check /var/log/audit/audit.log and look for lines with ‚Äúdenied‚ÄĚ.
    • tail¬†-f¬†/var/log/audit/audit.log¬†|¬†perl¬†-pe¬†‘s/(\d+)/localtime($1)/e’
    • the perl command is to convert the Epoch time (or UNIX or POSIX time) inside the audit.log file to human readable time.
  4. See the extended attributes in the file system that SELinux use:
    • ls -ltraZ # most important here is the Z
    • ls¬†-ltraZ¬†/etc/nginx/nginx.conf will show:
      • -rw-r–r–.¬†root¬†root¬†system_u:object_r:httpd_config_t:s0¬†/etc/nginx/nginx.conf
      • where¬†system_u: is the user (not always a user of the system), object_r: role and ¬†httpd_config_t: is the object type, other objects can be a directory, a port or socket and types of an object can be a config file, log file, etc.; finally s0 means the level or category of that object.
  5. See the SELinux attributes that applies to a running process:
    • ps¬†auxZ
      • You need to know this command in case of issues.
  6. Who am I for SELinux:
    • id -Z
      • You need to know this command in case of issues.
  7. Check, enable or disable defined modes (enforcing or permissive) per deamon:
    • getsebool¬†-a # list all current status
    • setsebool¬†-P¬†docker_connect_any¬†1 # allow Docker to connect to all TCP ports
    • semanage¬†boolean¬†-l # is another alternative command
    • semanage¬†fcontext¬†-l # to see al contexts where SELinux applies
  8. Add a non default directory or file to be used by a given daemon:
    • For a folder used by a service, i.e.: change Mysql data directory:
      • Change your default data directory in /etc/my.cnf
      • semanage¬†fcontext¬†-a¬†-t¬†mysqld_db_t¬†“/var/lib/mysql-default/(/.*)?”
      • restorecon¬†-Rv¬†/var/lib/mysql-default
      • ls¬†-lZ¬†/var/lib/mysql-default
    • For a new file used by a service, i.e.: a new index.html file for Apache:
      • semanage¬†fcontext¬†-a¬†-t¬†httpd_sys_content_t ‘/myweb/web1/html/index.html’
      • restorecon¬†-v¬†‘/myweb/web1/html/index.html’
  9. Add a non default port to be used by a given service:
    • i.e.: If you want nginx to listen in other additional port:
      • semanage¬†port¬†-a¬†-t¬†http_port_t¬†-p¬†tcp¬†2100
      • semanage¬†port¬†-l | grep ¬†http_port # check if the change is effective
  10. Spread the word!
    • SELinux¬†is¬†not¬†easy¬†but¬†writing¬†easy¬†tips¬†make¬†people¬†using¬†it¬†and¬†making¬†the¬†Internet¬†a¬†safer¬†place!

4 thoughts to “The 10 commandments to avoid disabling SELinux”

  1. Great post Toni. Most commercial products recommend to disable SELinux at least while installing. I agree is easier to just disable it altogether, but NOT THE SAFEST thing to do. A good admin should know how to administer the software specially while leaving it on… thanks!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.