RHEL6 SELinux cheat sheet

Many admins turn SELinux off because it looks complicated. Here is a cheat sheet to make your life easier.

Two important documents about SELinux can be found here:

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/index.html

—————————————————————————–

If you work on Centos or Redhat, install the following packages on your system:

setroubleshoot.noarch : Helps troubleshoot SELinux problems

setroubleshoot-plugins.noarch : Analysis plugins for use with setroubleshoot

setroubleshoot-server.noarch : SELinux troubleshoot server

[root@client1 ~]# yum install setroubleshoot

Start the setroubleshootd daemon:

[root@client1 ~]#setroubleshootd

—————————————————————————–

Get the status of selinux:

[root@client1 ~]#sestatus

SELinux status: enabled

SELinuxfs mount: /selinux

Current mode: enforcing

Mode from config file: enforcing

Policy version: 21

Policy from config file: targeted

Check for permissive or enforcing mode:

[root@client1 ~]#getenforce

If you get back a 1, SELinux is turned on; if you get back a 0, it's turned off.

Switch selinux modes from permissive to enforcing and back:

[root@client1 ~]#setenforce 1 (will set enforcing mode)

[root@client1 ~]#setenforce 0 (will set permissive mode)
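A check that builds on the sestatus fields above, added here as an example (not part of the original cheat sheet): it parses sestatus output and reports when the running mode differs from the mode in the config file, which is what you see after someone ran setenforce 0 and forgot about it. The sestatus output embedded below is a constructed sample; on a real host pass "$(sestatus)" instead.

```shell
#!/bin/sh
# Added example: detect drift between the live SELinux mode and the configured one.
# Input is the text printed by `sestatus`; the sample below is constructed.

# Extract one "Key: value" field from sestatus output read on stdin.
sestatus_field() {
    # $1 = field name exactly as sestatus prints it, e.g. "Current mode"
    sed -n "s/^$1:[[:space:]]*//p" | head -n 1
}

# Print "ok <mode>" when runtime and configured mode agree, otherwise
# "drift <current> <configured>". Returns 1 on drift so it can gate a cron job.
check_selinux_drift() {
    out="$1"
    current=$(printf '%s\n' "$out" | sestatus_field "Current mode")
    configured=$(printf '%s\n' "$out" | sestatus_field "Mode from config file")
    if [ "$current" = "$configured" ]; then
        echo "ok $current"
        return 0
    fi
    echo "drift $current $configured"
    return 1
}

# Constructed sample: a box configured as enforcing that was switched to
# permissive at runtime (setenforce 0).
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted'

# On a real host: check_selinux_drift "$(sestatus)"
check_selinux_drift "$SAMPLE_SESTATUS" \
    || echo "runtime mode does not match /etc/selinux/config; setenforce 1 or fix the config"
```

Run it from cron and alert on a non-zero exit: a host that silently sits in permissive mode still logs AVC denials, but no longer blocks anything.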

—————————————————————————–

Selinux AVC Log files:

All selinux logs can be found in /var/log/audit/audit.log

SELinux log files look very cryptic without the tool sealert. Here is an extract of the log without and with the command sealert:

[root@client1 ~]#less /var/log/audit/audit.log

type=DAEMON_START msg=audit(1304542876.396:4843): auditd start, ver=1.7.18 format=raw kernel=2.6.18-238.el5 auid=4294967295 pid=2553 subj=system_u:system_r:auditd_t:s0 res=success

type=CONFIG_CHANGE msg=audit(1304542876.570:4): audit_enabled=1 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0 res=1

[root@client1 ~]# sealert -a /var/log/audit/audit.log | less

found 1 alerts in /var/log/audit/audit.log

--------------------------------------------------------------------------------

Summary:

SELinux is preventing nagios (nagios_t) "getattr" to /var/nagios/objects.cache
(var_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by nagios. It is not expected that this access
is required by nagios and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /var/nagios/objects.cache,

restorecon -v '/var/nagios/objects.cache'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.

Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
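When sealert is not installed (or you are reading audit.log copied off a host), the raw AVC records can still be reduced to something readable. The script below is an added example, not part of the cheat sheet: it pulls the source type, target type, object class and denied permission out of each type=AVC line and counts the repeats, which is the same information the sealert summary above shows for nagios_t and var_t. The audit lines embedded in it are constructed samples modelled on that nagios denial.

```shell
#!/bin/sh
# Added example: summarise raw AVC denials from audit.log without sealert.
# Reads audit.log lines on stdin; the sample below is constructed.

# Turn each "avc: denied" record into "stype ttype tclass perm(s) comm".
# Multiple permissions in one record ({ read write }) are joined with commas.
summarize_avc() {
    awk '
    /^type=AVC / && /avc: +denied/ {
        perm = ""; comm = ""; s = ""; t = ""; cls = ""
        # the denied permission set is the text between "{ " and " }"
        if (match($0, /[{] [^}]* [}]/)) {
            perm = substr($0, RSTART + 2, RLENGTH - 4)
            gsub(/ /, ",", perm)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
            if (kv[1] == "scontext") { split(kv[2], p, ":"); s = p[3] }  # user:role:TYPE:level
            if (kv[1] == "tcontext") { split(kv[2], p, ":"); t = p[3] }
            if (kv[1] == "tclass")   { cls = kv[2] }
        }
        print s, t, cls, perm, comm
    }'
}

# Count identical (source type, target type, class, permission) tuples,
# most frequent first: the top line is usually the labeling or boolean problem.
avc_top() {
    summarize_avc | awk '{ print $1, $2, $3, $4 }' | sort | uniq -c | sort -rn
}

# Constructed sample audit.log extract (RHEL6 record format). The SYSCALL
# record is there to show that non-AVC lines are ignored.
SAMPLE_AUDIT='type=AVC msg=audit(1304542900.123:4850): avc:  denied  { getattr } for  pid=2601 comm="nagios" path="/var/nagios/objects.cache" dev=dm-0 ino=12345 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1304542900.123:4850): arch=c000003e syscall=4 success=no exit=-13 comm="nagios" exe="/usr/bin/nagios" subj=system_u:system_r:nagios_t:s0 key=(null)
type=AVC msg=audit(1304542901.456:4851): avc:  denied  { name_connect } for  pid=2700 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1304542902.789:4852): avc:  denied  { getattr } for  pid=2601 comm="nagios" path="/var/nagios/status.dat" dev=dm-0 ino=12346 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file'

# On a real host: avc_top < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT" | avc_top
```

Reading the summary: a file target of type var_t under /var/nagios is the classic sign of a mislabeled file (compare the restorecon advice sealert gives above), while httpd_t denied name_connect on mysqld_port_t points at the httpd_can_network_connect_db boolean rather than at a label.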

—————————————————————————–

SELinux bool variables:

Each service has its own ruleset. The SELinux booleans can be listed with the command getsebool.

Here is an example for the httpd service:

[root@client1 ~]# getsebool -a | grep httpd

allow_httpd_anon_write --> off

allow_httpd_sys_script_anon_write --> off

httpd_builtin_scripting --> on

httpd_can_network_connect --> off

httpd_can_network_connect_db --> off

httpd_can_network_relay --> off

httpd_can_sendmail --> on

If you started the Apache server now, you would not be able to connect to it, because httpd_can_network_connect is turned off.

Set sebool to on:

[root@client1 ~]# setsebool -P httpd_can_network_connect=on

Now you are able to start the apache server and connect to it.

SELinux man page for the service:

[root@client1 ~]#man httpd_selinux
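Booleans are easy to flip with setsebool -P and hard to keep track of afterwards. The script below is an added example, not part of the cheat sheet: it parses getsebool -a output, compares it with a baseline of the values a host is supposed to have, and prints the exact setsebool -P name=value command that would restore each deviation (it does not run them). The getsebool output is the httpd list shown above; the baseline is a constructed one for a web server that is allowed to reach its database but not to send mail.

```shell
#!/bin/sh
# Added example: compare SELinux booleans against a baseline and report drift.
# Both inputs are plain text; the samples below are constructed.

# Normalise `getsebool -a` lines ("name --> value") into "name value".
parse_getsebool() {
    awk '$2 == "-->" { print $1, $3 }'
}

# $1 = normalised actual booleans, $2 = baseline ("name value" per line).
# Prints one line per missing or deviating boolean, with the remediation
# command, and returns 1 if there was anything to report.
check_sebool_baseline() {
    actual="$1"
    baseline="$2"
    report=$(printf '%s\n' "$baseline" | while read -r name want; do
        [ -z "$name" ] && continue
        have=$(printf '%s\n' "$actual" | awk -v n="$name" '$1 == n { print $2 }')
        if [ -z "$have" ]; then
            echo "missing $name (not present in getsebool output)"
        elif [ "$have" != "$want" ]; then
            echo "deviation $name is $have, expected $want -> setsebool -P $name=$want"
        fi
    done)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed sample: the httpd booleans as printed by `getsebool -a | grep httpd`.
SAMPLE_GETSEBOOL='allow_httpd_anon_write --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> on'

# Constructed baseline for a web server that may talk to its database only.
# Anonymous-write booleans are kept off; they turn the web root world-writable
# from the policy's point of view.
HTTPD_BASELINE='allow_httpd_anon_write off
allow_httpd_sys_script_anon_write off
httpd_can_network_connect off
httpd_can_network_connect_db on
httpd_can_sendmail off'

# On a real host: ACTUAL=$(getsebool -a | parse_getsebool)
ACTUAL=$(printf '%s\n' "$SAMPLE_GETSEBOOL" | parse_getsebool)
check_sebool_baseline "$ACTUAL" "$HTTPD_BASELINE" || echo "boolean baseline deviations found"
```

Note the form the remediation line uses, setsebool -P name=value with no space around the equals sign; -P is what writes the value to the policy store so it survives a reboot.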

—————————————————————————–

Restore default security context of files or directories (File labeling):

Check filecontext:

[root@client1 ~]# ls -Z

drwxr-xr-x root root root:object_r:httpd_sys_content_t nagvis

drwxr-xr-x root root root:object_r:httpd_sys_content_t nconf

[root@client1 ~]# restorecon -v /var/www/html/index.html

[root@client1 ~]# restorecon -Rv /var/www/html/index.html

To check if a restore is needed:

[root@client1 ~]# restorecon -Rv -n /var/www/html

Set a new security context (not persistent; it is lost on the next relabel):

[root@client1 ~]# chcon -Rv --type=httpd_sys_content_t /html

Set a new security context (persistent; stored in the policy and applied by restorecon):

[root@client1 ~]# semanage fcontext -a -t httpd_sys_content_t "/html(/.*)?"

—————————————————————————–

Open a non-standard port for the httpd service:

[root@client1 ~]# semanage port -a -t http_port_t -p tcp 81

List all the ports managed by SELinux:

[root@client1 ~]# semanage port -l
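Before running semanage port -a it helps to know which type, if any, already owns the port: -a fails when the port is already defined, and a port owned by another service's type (a database port, say) should not simply be handed to httpd. The function below is an added example, not part of the cheat sheet: it reads semanage port -l output and resolves a proto/port pair to its type, handling both single ports and ranges. The port list embedded in it is a constructed sample in the RHEL6 output format.

```shell
#!/bin/sh
# Added example: look up which SELinux port type owns a given port.
# Input is the text printed by `semanage port -l`; the sample is constructed.

# Constructed sample of `semanage port -l` output (type, proto, port list).
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      3128, 8080, 8118, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
mysqld_port_t                  tcp      1186, 3306, 63132-63164'

# $1 = proto (tcp/udp), $2 = port number, stdin = semanage port -l output.
# Prints the owning type, or "unlabeled" when no type claims the port.
port_type() {
    awk -v proto="$1" -v port="$2" '
    $2 == proto {
        # fields 3..NF are the ports, each possibly followed by a comma
        for (i = 3; i <= NF; i++) {
            v = $i
            sub(/,$/, "", v)
            if (index(v, "-")) {
                # a range such as 63132-63164
                split(v, r, "-")
                if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) { print $1; found = 1; exit }
            } else if (v + 0 == port + 0) {
                print $1; found = 1; exit
            }
        }
    }
    END { if (!found) print "unlabeled" }'
}

# On a real host: semanage port -l | port_type tcp 81
for p in 81 443 3306 10005; do
    printf 'tcp/%s -> %s\n' "$p" "$(printf '%s\n' "$SAMPLE_PORTS" | port_type tcp "$p")"
done
```

If the answer is "unlabeled", semanage port -a -t http_port_t -p tcp PORT is the right call; if the answer is another type such as mysqld_port_t, reconsider before relabeling, since the port's current owner loses it.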

—————————————————————————–

Create selinux rule:

[root@client1 ~]# grep security_context_t /var/log/audit/audit.log | audit2allow -m nagios1 > nagios.te

Now review the rules in the .te file before building a module from them.

Create selinux module:

[root@client1 ~]# grep security_context_t /var/log/audit/audit.log | audit2allow -M nagios1

Install the module:

[root@client1 ~]# semodule -i nagios1.pp