Security Enhanced Linux (SELinux), an open source project sponsored by the National Security Agency to help implement mandatory access controls (MAC), was first introduced in Red Hat's distribution with Red Hat Enterprise Linux 4 (RHEL4). In our review of RHEL4 and SELinux in 2005, we were excited about the possibilities and the GUI interface that came with it, but we were cautious about the software package's ability to capture the market. Despite the user-friendly GUI, SELinux was difficult to configure and hard to understand. The documentation wasn't much help either. Most administrators were just turning off SELinux.
Red Hat clearly understood that some changes were necessary. They were either intimidated by its complexity or feared the possible damage that a poorly configured system could do to their applications. On RHEL 4, there was no easy way to determine why, if an application stopped working, whether or not the problem was due to SELinux.
Red Hat hopes to change this with several new features and enhancements in RHEL 5. New
monitoring tools, multi-level security integration, policy modules and utilities will provide RHEL5
users the added security of SELinux with less difficulty.
SELinux Troubleshooter
One of these enhancements is the new SELinux Troubleshooter. Written in Python, setroubleshoot is a
tool that watches the audit log files for access vector cache (AVC) messages and sends reports when
things
Requires Free Membership to View
go bump in the night. The daemon continuously watches audit logs for errors and then
translates them into laymen's terms for you. SELinux denials were one of the most common problems
that administrators reported, which is why most decided to deactivate SELinux. Another daemon,
setroubleshootd, receives connections which examine the data and alerts listeners. This tool
maintains its own log file, under /var/log/setroubleshoot, and includes the use of the sealert
command. This is a GUI desktop notification function, which contacts setroubleshootd, the local
server daemon, and essentially registers itself as an alert listener.
To begin, start the browser:
# sealtert –b
This system is made up of three components, including the alert feature, setroublesoot and the
audit subsystem. The audit subsystem reports the actual AVC messages. When the kernel sends a
message that SELinux denies authorization for something, it creates this AVC message. Each message
is tagged into a denial event, which setroubleshoot can assemble into complete events. The tool
merges all these independent messages into single denial events.
New domains, policy modules
The extent that SELinux monitors the operations of services in RHEL5 has significantly increased
since the last version. In RHEL4, only fifteen services had domains defined, while in RHEL5 over
200 target services are governed by the SELinux system. It is recommended that every program
shipped by Red Hat and started on boot should have a domain defined. The benefit here is that it is
much less likely for processes governed under SELinux running on RHEL5 to be compromised,
increasing the comfort of security administrators. Another benefit is the introduction of policy
modules, which make the process of modifying SELinux policies much easier. In RHEL4, one had to go
through many steps (downloading source, editing code, using make) to rebuild the policy tools. With
policy modules, these setups are not necessary. The audit2allow utility gives you the ability now
to generate policy modules (allow rules) directly from audit.log messages. One can also configure
these polices using the system-config-selinux utility. This much improved GUI lets you modify the
policy you need changed from a set of pre-defined parameters. Also, it is very easy to change
system policies. You no longer need to edit configuration files, you only need to check or uncheck
boxes. This is available out of the box and is fully integrated with RHEL5.
You can also use the semanage utility to configure elements of these polices without any
recompilation of policy sources. The semodule command is another useful one. For example, this
command lists out the policies:
[root@172_29_137_21 selinux]# semodule -l amavis 1.1.0 ccs 1.0.0 clamav 1.1.0 dcc 1.1.0
evolution 1.1.0 iscsid 1.0.0 mozilla 1.1.0 mplayer 1.1.0 nagios 1.1.0 oddjob 1.0.1 pcscd 1.0.0
pyzor 1.1.0 razor 1.1.0 ricci 1.0.0 smartmon 1.1.0
Multi-level security integration
Another important enhancement is the multi-level security (MLS) integration into RHEL5. This model
allows RHEL5 to get EAL4+ LSLPP certifications, which means that RHEL5 is now considered a trusted
OS and can be sold to Government agencies which require the tightest security polices. MLS allows
users to label files with categories. To turn the system into a trusted system in RHEL 5, install
the policy (using the selinux-policy-mls utility) and make changes to the selinux config files to
reference MLS. Prior to MLS, there was Type enforcement (TE), which is the primary mechanism and
role based access control (RBAC). I'm still not thrilled about the fact that Red Hat still does not
have a special SELinux guide for RHEL5. If Red Hat is really going to make SELinux an important
part of its distribution, it needs to provide strong documentation so users do not have to fumble
through the web looking for pieces of information. While there have been major improvements and
tighter integration between RHEL5 and SELinux, Red Hat still has a way to go before it is user
friendly enough for most IT departments. Better documentation will help in their efforts. The small
chapter in the RHEL deployment guide (Chapter 43, Security and SELinux) isn't enough.
Deploying SELinux
Let's look at the Z parameter. Many utilities such as ps, lsof and netstat are optimized for
SELinux, using the Z parameter.
[root@172_29_137_21 selinux]# ps -aeZ | more LABEL PID TTY TIME CMD system_u:system_r:init_t 1
? 00:00:01 init system_u:system_r:kernel_t 2 ? 00:00:00 migration/0 system_u:system_r:kernel_t 3 ?
00:00:00 ksoftirqd/0 system_u:system_r:kernel_t 4 ? 00:00:00 watchdog/0 system_u:system_r:kernel_t
5 ? 00:00:00 migration/1 system_u:system_r:kernel_t 6 ? 00:00:00 ksoftirqd/1
Where SELinux is not installed, this is what you will see:
[root@172_29_137_21 selinux]# netstat -Z SELinux is not enabled on this machine.
We can also run the sestatus and genforce commands for further information on the status of
SELinux on our system.
[root@1 [root@172_29_137_21 selinux]# sestatus SELinux status: disabled [root@172_29_137_21
selinux]#72_29_137_21 selinux]# [root@172_29_137_21 selinux]# getenforce Disabled
[root@172_29_137_21 selinux]#
How can we turn on SELinux when it is disabled? The simplest way is to edit the selinux config
file and change the SELINUX parameter, which can take three values: enforcing, permissive and
disabled. In our case, we made it permissive. This is the option where alerts will be sent, though
polices will not yet be strictly enforced. I recommend this as a good first step towards SELinux
deployment.
# This file controls the state of SELinux on the system. # SELINUX= can take one of these
three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints
warnings instead of enforcing. # disabled - SELinux is fully disabled. SELINUX=permissive #
SELINUXTYPE= type of policy in use. Possible values are: # targeted - Only targeted network daemons
are protected. # strict - Full SELinux protection. SELINUXTYPE=targeted
After editing this file you must reboot your system in order for the change to take effect.
Let's look at the status now, after the reboot.
[root@172_29_137_21 ~]# sestatus SELinux status: enabled SELinuxfs mount: /selinux Current
mode: permissive Mode from config file: permissive Policy version: 21 Policy from config file:
targeted
Perhaps the best new utility available is the system-config-selinux utility. Almost everything
can be displayed or configured from here. If you are using X, make sure that you turn on x11
forwarding on your ssh client.
************************************************************* [root@172_29_137_21 ~]#
system-config-selinux /usr/share/system-config-selinux/system-config-selinux.py:68: Warning:
IA__g_object_get_valist: object class `GnomeProgram' has no property named `default-icon' xml =
gtk.glade.XML ("/usr/share/system-config-selinux/system-config-selinux.glade",
domain=PROGNAME)
SELinux and RHEL5 are a better marriage than SELinux and RHEL4 ever were. The utilities are more
focused, more user-friendly and more powerful. Setting up policies and administering the systems
are easy and MLS, allowing this Linux distribution to be certified as a trusted system, is icing on
the cake. Red Hat should publish more detailed documentation on SELinux and RHEL5: until that
happens, I fear that administrators will continue to shun SELinux.
About the author: Ken Milberg is a systems consultant with two decades of experience working
with Unix and Linux systems. He is a SearchEnterpriseLinux.com
Ask the Experts advisor and columnist. .
This was first published in October 2007
Join the conversationComment
Share
Comments
Results
Contribute to the conversation