SELinux tutorial: Commands and management

When considering using SELinux on your servers, it helps to know some basic commands and management tools. Here, in part three of this SELinux tutorial, commands are provided to help you secure your Linux servers.


Command        Function

chcon          Labels a file or files with a specified security context.

checkpolicy    Compiles policy sources into a binary policy file. Generally it is not called directly, but invoked by the policy's Makefile.

newrole        Switches roles. Typically the command would be issued as newrole -r sysadm_r to transition to the sysadm_r role for system administration tasks.

sestatus       Displays the current status of SELinux, including the mode (permissive or enforcing), the policy version, and the settings of all policy booleans.

getsebool      Displays SELinux boolean conditions.

setsebool      Sets SELinux boolean conditions.

fixfiles       Relabels the entire filesystem based on the current policy, or relabels a packaged application's files based on the information included in that application's rpm package.

Besides these SELinux-specific commands, some built-in Linux commands such as cp, mv, ls and ps are modified when SELinux is enabled to accept a -Z flag for working with security contexts. The id command is also modified to display the user's security context along with the user's default security attributes.

SELinux configuration tricks
Besides security-context management for files and individual processes on a Linux server, SELinux has more security features. It is nearly impossible to cover every capability of SELinux and the underlying Flask security model in this article, but I've highlighted the key ones here.

Port management: You can manage access to your system's ports through SELinux. By default, SELinux allows applications access to their default ports (for example, port 22 for ssh), but once SELinux is enabled you can also reconfigure any application to listen on a non-default port.

To get the full list of SELinux-managed ports, use the following command:

#/home/root> semanage port -l

To allow ssh to listen on port 24 instead of 22:

#/home/root> semanage port -a -t ssh_port_t -p tcp 24

Then restart the ssh-related services.
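Before adding a port with semanage port -a, a practitioner wants to know whether that port is already assigned to another type, because semanage then refuses the add and the existing mapping has to be changed with semanage port -m instead. The following shell script is an added example and not from the article: it parses constructed semanage port -l output and reports which action applies; the port_owner and port_action function names and the sample listing are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): decide whether a port needs
# `semanage port -a` (add) or `semanage port -m` (modify) before binding
# a daemon to a non-default port. Works on constructed sample output in the
# format `semanage port -l` prints; no semanage call is made.

# Constructed sample of `semanage port -l` output (not from a real system).
SAMPLE_PORTS='SELinux Port Type               Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
rsync_port_t                   tcp      873
vnc_port_t                     tcp      5900-5999'

# port_owner PORTLIST PROTO PORT -> prints the type that owns PORT/PROTO, if any.
# Handles both comma-separated single ports and low-high port ranges.
port_owner() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        NR > 1 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)          # strip trailing comma
                if (p ~ /-/) {                    # range such as 5900-5999
                    split(p, r, "-")
                    if (port >= r[1]+0 && port <= r[2]+0) { print $1; exit }
                } else if (p+0 == port) { print $1; exit }
            }
        }'
}

# port_action PORTLIST TYPE PROTO PORT -> "add", "keep" or "modify"
port_action() {
    owner=$(port_owner "$1" "$3" "$4")
    if [ -z "$owner" ]; then
        echo add       # unlabeled: semanage port -a -t TYPE -p PROTO PORT
    elif [ "$owner" = "$2" ]; then
        echo keep      # already labeled with the wanted type; nothing to do
    else
        echo modify    # owned by another type: semanage port -m -t TYPE -p PROTO PORT
    fi
}

# Moving sshd to port 24, as in the article: port 24 is unassigned here.
port_action "$SAMPLE_PORTS" ssh_port_t tcp 24    # -> add
```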

User management: You can make your server "really hard to break" with the help of the strict user management features of SELinux. They can play an important role in any SELinux policy. However, in the targeted policy (the default SELinux policy), every domain runs in a single role and type enforcement (TE) is used to separate the confined processes from other processes.

So, in the targeted SELinux policy, processes and objects always appear as system_u, and all default Linux users appear as user_u.

But in a strict policy, some system accounts may run under a generic, unprivileged user_u identity, while other accounts may have direct identities in the policy database.

Customized Policy Modules: Sometimes we may face situations where the built-in SELinux policies and boolean conditions are not sufficient. In this kind of situation, we can make use of the audit2allow command to define our own customized SELinux policy. For example, if denial errors are logged in the audit log for any ftp-related services, we can use the following syntax to generate our own customized SELinux policy module:

#/home/root> grep ftpd_t /var/log/audit/audit.log | audit2allow -M ftplocal

Later on, this customized ftp-related policy module (audit2allow -M writes it as ftplocal.pp) can be loaded into the current SELinux targeted policy as follows:

#/home/root> semodule -i ftplocal.pp
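Before handing a grep of the audit log to audit2allow, it is worth seeing exactly which denials would be turned into allow rules, since everything in the grep output becomes permitted. The script below is an added example and not from the article: it summarises constructed AVC lines by source domain, target type, object class and permissions; the avc_summary function and the sample log lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): summarise AVC denials so the
# administrator can review them before feeding them to audit2allow.

# Constructed sample audit.log lines (not real log data). The SYSCALL
# record is included to show that non-AVC records are ignored.
SAMPLE_AUDIT='type=AVC msg=audit(1296511234.567:1001): avc:  denied  { read } for  pid=2345 comm="vsftpd" name="pub" dev=sda1 ino=12345 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1296511235.001:1002): avc:  denied  { read } for  pid=2345 comm="vsftpd" name="pub" dev=sda1 ino=12345 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1296511240.123:1003): avc:  denied  { write } for  pid=2345 comm="vsftpd" name="upload" dev=sda1 ino=22222 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1296511250.456:1004): avc:  denied  { name_bind } for  pid=2300 comm="sshd" src=24 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1296511250.456:1004): arch=c000003e syscall=49 success=no exit=-13'

# avc_summary LOG [DOMAIN] -> one line per distinct denial, most frequent first:
# "COUNT source_type target_type tclass {perms}", optionally limited to DOMAIN.
avc_summary() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^type=AVC / && / denied / {
            perms = $0                                   # isolate "{ perm ... }"
            sub(/.*denied  [{] /, "", perms); sub(/ [}].*/, "", perms)
            src = ""; tgt = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }  # source type
                else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }  # target type
                else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }            # object class
            }
            if (want == "" || src == want)
                count[src " " tgt " " cls " {" perms "}"]++
        }
        END { for (k in count) print count[k], k }' | sort -k1,1nr -k2
}

# Review only what the article'"'"'s grep for ftpd_t would pass to audit2allow.
avc_summary "$SAMPLE_AUDIT" ftpd_t
```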

SELinux has been ignored by many administrators due to a lack of documentation and skills. But the permissive mode of SELinux with the default targeted policy is a safe starting point for any Linux administrator. If you are ready to test it out, I advise running it for a few days, observing the logs for any recurring errors or warnings, and, if there are no errors, switching to enforcing mode.

It is also worth noting that if you are running specific databases or applications (such as MySQL or Oracle), you should look into the version-specific documentation for SELinux-related instructions before enforcing SELinux policies on your server.

ABOUT THE AUTHOR: Khurram Shiraz is Technical Consultant at GBM Kuwait. He has worked with high availability technologies and monitoring products such as HACMP, RHEL Clusters and ITM, and implemented IBM and EMC SAN/NAS storage. He also designs and implements high availability, parallel computing and DR solutions based on IBM pSeries, Linux and Windows infrastructure.

This was first published in February 2011
