- security enhanced linux
- most used on RHEL, whereas debian uses apparmor
- LKM for mandatory access control (MAC) and security, developed by the NSA
- `sestatus` shows selinux info
- three different modes: enforcing, disabled, permissive
- `getenforce` shows current mode
- enforcing = stops commands that violate policy and logs occurrence
- permissive = does not stop commands that violate policy and logs occurrence
- disabled = no policy enforcement, no logging
- `sudo setenforce permissive` or `sudo setenforce enforcing` (or `0` / `1`) switches modes without persistence
- must change `/etc/selinux/config` config file and reboot for persistence
- `SELINUXTYPE=X`
- X = targeted, minimum, MLS
- targeted = all processes are targeted
- minimum = only selected processes are targeted
- MLS = multi-level security protection
- fine-grained protections based on context
- `ls -lZ` Z flag shows SELinux labels/contexts for files
- user field : role field : type field : sensitivity field
- for example, `unconfined_u:object_r:admin_home_t:s0`
- system users are mapped to SELinux users as shown in user field
- role field is what a user or daemon can do with a file/device
- type field is commonly modified
- sensitivity field only applies to MLS
- modifying context fields
- `chcon -t new_type_t file_name` to manually set the type field (not persistent: a relabel or `restorecon` reverts it to what the policy says)
- `restorecon file_name` restores context for file based on policy
- `restorecon -R *` restores context of all files in current directory based on policy
- create an empty file named `.autorelabel` in the root directory (`touch /.autorelabel`) to `restorecon` the entire system on the next reboot; the file deletes itself afterwards
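Added example (not from these notes): a small POSIX sh script that splits `user:role:type:level` contexts as printed by `ls -Z` and reports files whose type field is not the expected one, which is the drift you would fix with `restorecon`. The sample `ls -Z` output and paths are constructed; the level field may itself contain colons (e.g. `s0:c0.c1023`), so it is taken as "everything from the fourth field on".

```shell
#!/bin/sh
# Extract one field from a user:role:type:level context string.
# usage: ctx_field CONTEXT N   (1=user 2=role 3=type 4=level)
# The level may contain ':' (categories), so field 4 keeps the remainder.
ctx_field() {
    case $2 in
        4) printf '%s\n' "$1" | cut -d: -f4- ;;
        *) printf '%s\n' "$1" | cut -d: -f"$2" ;;
    esac
}

# Read "context path" lines (the `ls -Z` layout) from stdin and print
# each path whose type field differs from EXPECTED. Returns 0 when every
# file matches, 1 when at least one is mislabeled.
find_mislabeled() {
    expected="$1"
    rc=0
    while read -r ctx path; do
        [ -n "$ctx" ] || continue          # skip blank lines
        ftype=$(ctx_field "$ctx" 3)
        if [ "$ftype" != "$expected" ]; then
            printf '%s is %s, expected %s\n' "$path" "$ftype" "$expected"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of `ls -Z` output for a web root (not real output).
SAMPLE='system_u:object_r:httpd_sys_content_t:s0 /srv/www/index.html
unconfined_u:object_r:admin_home_t:s0 /srv/www/upload.php
system_u:object_r:httpd_sys_content_t:s0:c0.c1023 /srv/www/notes with space.txt'

printf '%s\n' "$SAMPLE" | find_mislabeled httpd_sys_content_t \
    || echo "mismatch found: fix the fcontext rule, then run restorecon -R"
```

On a real host you would feed it `ls -Z /srv/www | find_mislabeled httpd_sys_content_t` instead of the constructed sample.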
- creating new policies
- `semanage fcontext -a -t httpd_sys_content_t "$(pwd)(/.*)?"` adds a persistent file-context rule (an absolute path regex, here the current directory and everything under it) so that files in this directory get the `httpd_sys_content_t` type field; run `restorecon -R .` afterwards to apply the new rule to files that already exist
- SELinux booleans
- `semanage boolean --list` shows available settings including current and default states
- `semanage boolean --modify --on setting_name` enables the noted setting with persistence
- `setsebool setting_name 1` enables noted setting without persistence
- `setsebool -P setting_name on` enables noted setting with persistence