This tip covers SELinux configuration on RHEL 5. RHEL provides both a graphical user interface (GUI) and command-line options for configuring SELinux. To show how simple SELinux is to get started with, this tip uses the RHEL GUI to enable it.
To enable SELinux from the RHEL GUI, select System > Administration > Security Level and Firewall. Go to the SELinux tab and set SELinux to "permissive mode." Then restart your server.
Starting with SELinux in permissive mode on your server is a good practice. In this mode SELinux logs what it would have blocked but does not enforce anything, so you can observe how it interacts with your server and your applications and databases without affecting them. During the testing period you have to watch the audit log messages carefully and check for any warnings or denial errors generated by your applications and databases during every kind of operation.
After restarting my RHEL server with SELinux in permissive mode, I found nothing different. I logged in as root and checked the status of the SELinux environment using the sestatus command.
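The review of the audit log that the permissive-mode test period calls for can be scripted. The following is an added example, not code from the original article: it reads audit records on standard input, keeps only the AVC "denied" records, and counts each distinct combination of process, source type, target type, object class and permission, so you can see at a glance what would have been blocked once enforcing mode is turned on. In practice the input comes from the audit log (for example `ausearch -m AVC -ts today | summarize_avc`); the audit records embedded in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): summarise the AVC denials that
# SELinux records while the server runs in permissive mode, so the test period
# can be reviewed for the warnings and denials the text tells you to watch for.
# Real input would come from the audit log, e.g.:
#   ausearch -m AVC -ts today | summarize_avc
# The audit records used by the demo below are constructed.

summarize_avc() {
    # Read audit records on stdin, keep the AVC "denied" ones, and count each
    # distinct (process, source type, target type, object class, permission).
    awk '
    /^type=AVC/ && /avc: +denied/ {
        perm = ""; comm = ""; sctx = ""; tctx = ""; tclass = ""
        # the permission set is printed between braces, e.g. { execute }
        if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")     comm = kv[2]
            if (kv[1] == "scontext") sctx = kv[2]
            if (kv[1] == "tcontext") tctx = kv[2]
            if (kv[1] == "tclass")   tclass = kv[2]
        }
        gsub("\"", "", comm)
        # contexts look like user:role:type[:level]; the type is what matters
        split(sctx, s, ":"); split(tctx, t, ":")
        count[comm " " s[3] " " t[3] " " tclass " " perm]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample: two executions of a mislabelled CGI script, one read of a
# file still carrying the user_home_t type, and an unrelated SYSCALL record.
SAMPLE_AUDIT='type=AVC msg=audit(1294000000.101:40): avc:  denied  { execute } for  pid=2345 comm="httpd" name="hello.pl" dev=dm-0 ino=12345 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1294000000.101:40): arch=c000003e syscall=59 success=yes exit=0 pid=2345 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1294000000.102:41): avc:  denied  { execute } for  pid=2346 comm="httpd" name="hello.pl" dev=dm-0 ino=12345 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1294000000.200:42): avc:  denied  { read } for  pid=2400 comm="httpd" name="index.html" dev=dm-0 ino=22222 scontext=root:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file'

# Number of distinct denial patterns in the sample (2: execute and read).
denial_patterns() {
    printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc | wc -l | tr -d ' '
}

# The most frequent denial in the sample, with its count first.
top_denial() {
    printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc | head -n 1
}

top_denial
```

Each output line reads "count process source_type target_type class permission", so a line such as "2 httpd httpd_t httpd_sys_content_t file execute" tells you that httpd tried to execute a file labelled httpd_sys_content_t, which is exactly the mislabelled CGI script case dealt with later in this tip. Every pattern listed here is something that would be refused in enforcing mode, so the list should be empty, or fully understood, before you switch.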
Now that SELinux is enabled and operating in permissive mode, it is time to move on to managing SELinux. Fortunately, RHEL provides a GUI for SELinux policy management, which root can start with the system-config-selinux command. This command brings up the main interface, which can be used on RHEL or Fedora Linux, as shown below:
On the left pane of the above screen you will find the main selections for SELinux management. The second option, "Boolean", contains the Boolean conditions that control SELinux policy for most of the default services and processes. The same conditions can be listed with the getsebool command. If, for example, you want to see only the Boolean conditions that concern the ftpd daemon, you can pipe the output of the same command through grep for ftpd.
To change a Boolean condition such as allow_ftpd_use_cifs=off, which means that the FTP daemon cannot use the CIFS protocol for public file transfers, click the condition in the Boolean tab of the system-config-selinux interface, as shown below. This simply allows FTP services to use the CIFS protocol for public file transfers. You can verify the change by running getsebool and grepping for ftpd only.
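Because a Boolean can be flipped with one click, it is worth checking the live Boolean values against an approved baseline from time to time. The following is an added example, not code from the original article: it reads getsebool output on standard input, compares it with a baseline file of "name value" lines, and reports every Boolean that differs. In practice it would be run as `getsebool -a | check_boolean_drift /etc/selinux-baseline.txt` (that baseline path is an assumption); the baseline and the getsebool output used by the demo are constructed, using RHEL 5 ftpd and httpd Boolean names.

```shell
#!/bin/sh
# Added example (not from the original article): compare the Booleans reported by
# getsebool against an approved baseline and report any that have drifted, so a
# toggle such as allow_ftpd_use_cifs being switched on does not go unnoticed.
# Real use:  getsebool -a | check_boolean_drift /etc/selinux-baseline.txt
# (the baseline path is an assumption). The baseline and getsebool output used
# by the demo below are constructed.

check_boolean_drift() {
    baseline=$1   # file of "name value" lines, one per Boolean
    # getsebool -a prints lines of the form:  allow_ftpd_use_cifs --> off
    awk -v base="$baseline" '
    BEGIN {
        while ((getline line < base) > 0) {
            split(line, f, " ")
            expected[f[1]] = f[2]
        }
        close(base)
    }
    $2 == "-->" && ($1 in expected) && $3 != expected[$1] {
        print $1 ": expected " expected[$1] ", found " $3
        drift++
    }
    # a non-zero exit lets a cron job or monitoring check alert on drift
    END { exit (drift > 0) }
    '
}

# Demo with constructed data: the baseline says CIFS is off for ftpd, while the
# "live" output shows it switched on, the change made in the GUI above.
drift_demo() {
    tmp=$(mktemp)
    printf '%s\n' \
        'allow_ftpd_anon_write off' \
        'allow_ftpd_full_access off' \
        'allow_ftpd_use_cifs off' \
        'allow_ftpd_use_nfs off' \
        'ftp_home_dir off' > "$tmp"
    printf '%s\n' \
        'allow_ftpd_anon_write --> off' \
        'allow_ftpd_full_access --> off' \
        'allow_ftpd_use_cifs --> on' \
        'allow_ftpd_use_nfs --> off' \
        'ftp_home_dir --> off' \
        'httpd_enable_cgi --> on' | check_boolean_drift "$tmp" || true
    rm -f "$tmp"
}

drift_demo
```

Booleans that are not in the baseline (httpd_enable_cgi in the demo) are ignored, so the baseline only needs to list the Booleans you care about. Remember that a Boolean changed with setsebool or the GUI without the persistent option reverts at the next boot, so a drift report can also reveal a change that was meant to be permanent and was not.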
Securing Web servers using SELinux security contexts
Suppose that we want to run a production Apache Web server on our Linux server. Because this server will host some of our critical applications and be exposed to the internet, we want to make sure that the Web server is secured as much as it can be.
If you start the Web service and configure your Web server to execute a CGI script such as hello.pl without customizing any SELinux settings, errors will be logged in the Linux system logs and in the SELinux audit logs. To see these errors in the SELinux audit logs, execute sealert -b. This will open the SELinux audit logs as shown below:
Now the question is, why has this happened? The answer is simple: hello.pl is a CGI executable, so it should be labelled with the httpd_sys_script_exec_t type rather than with httpd_sys_content_t.
We can use the chcon command to resolve this issue:
[root@test3 cgi-bin]# ls -lZ *.pl
-rwxr-xr-x apache apache root:object_r:httpd_sys_content_t hello.pl
[root@test3 cgi-bin]# chcon -v --type=httpd_sys_script_exec_t hello.pl
context of hello.pl changed to root:object_r:httpd_sys_script_exec_t
[root@test3 cgi-bin]# ls -lZ *.pl
-rwxr-xr-x apache apache root:object_r:httpd_sys_script_exec_t hello.pl
Now we should see our Web server executing hello.pl without any alert or error being logged by SELinux.
By configuring SELinux in this manner, it becomes very difficult for an intruder to use an unauthorized CGI or Perl script to gain control over the system. Similarly, any attempt to change the document root to a subdirectory of an existing user's home directory will also fail unless that subdirectory and the index file inside it are given a context that the httpd domain is allowed to access.
So, let's assume that user John on our Linux server creates a subdirectory named html. After this directory and an index.html file are created, you will find that both carry the default context of user_home_t, as shown below.
Until this default context is changed to the proper httpd context, either with the chcon command (shown below) or with the semanage command, any attempt by the Web server to serve this index.html file will be denied by SELinux and errors will be logged in the audit trail.
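Both labelling problems described in this section, the CGI script in cgi-bin that needs httpd_sys_script_exec_t and the html directory under a user's home that is created with user_home_t, can be caught with the same check. The following is an added example, not code from the original article: it reads `ls -Z` lines on standard input, compares each file's type with the type the httpd policy expects for that location, and prints both a report and the commands that fix each finding. It assumes a layout the page does not state: static content under /var/www/html, CGI scripts under /var/www/cgi-bin, per-user pages under /home/<user>/html, and the targeted policy's httpd_user_content_t type for per-user pages. The `ls -Z` lines in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): audit the SELinux type on the
# files Apache must execute or serve and print relabel commands for anything
# that is mislabelled.
# Real use:  ls -Z /var/www/cgi-bin/* /home/john/html/* | check_httpd_labels
# Assumptions (not stated on the page): content lives in /var/www/html, CGI in
# /var/www/cgi-bin, per-user pages in /home/<user>/html, and per-user pages get
# the targeted policy's httpd_user_content_t type. The ls -Z lines used by the
# demo below are constructed.

# Which type the httpd policy expects for a path; empty if it is not web content.
expected_type() {
    case "$1" in
        /var/www/cgi-bin/*) echo httpd_sys_script_exec_t ;;
        /var/www/html/*)    echo httpd_sys_content_t ;;
        /home/*/html/*)     echo httpd_user_content_t ;;
        *)                  echo "" ;;
    esac
}

# Read "ls -Z" lines (perms user group context path) on stdin and print
# "path current_type expected_type" for every file whose type is wrong.
find_mislabelled() {
    while read -r perms user group context path; do
        [ -n "$path" ] || continue
        want=$(expected_type "$path")
        [ -n "$want" ] || continue
        # a context is user:role:type[:level]; the type is the third field
        have=$(printf '%s' "$context" | cut -d: -f3)
        [ "$have" = "$want" ] || echo "$path $have $want"
    done
}

# Human-readable report of the findings.
check_httpd_labels() {
    find_mislabelled | while read -r path have want; do
        echo "$path: $have (expected $want)"
    done
}

# Commands to fix each finding: chcon relabels the file now, as in the text;
# semanage fcontext records the label so restorecon (and a full relabel) keeps it.
relabel_commands() {
    find_mislabelled | while read -r path have want; do
        echo "chcon -v --type=$want $path"
        echo "semanage fcontext -a -t $want $path"
        echo "restorecon -v $path"
    done
}

# Constructed stand-in for ls -Z output on the three files discussed above.
SAMPLE_LS='-rwxr-xr-x apache apache root:object_r:httpd_sys_content_t /var/www/cgi-bin/hello.pl
-rw-r--r-- apache apache root:object_r:httpd_sys_content_t /var/www/html/index.html
-rw-r--r-- john   john   user_u:object_r:user_home_t /home/john/html/index.html'

label_report() { printf '%s\n' "$SAMPLE_LS" | check_httpd_labels; }
label_fixes()  { printf '%s\n' "$SAMPLE_LS" | relabel_commands; }

label_report
label_fixes
```

The report flags hello.pl (httpd_sys_content_t instead of httpd_sys_script_exec_t) and John's index.html (user_home_t), and leaves the correctly labelled /var/www/html/index.html alone. The reason the fix prints three commands rather than just chcon is the caveat behind the text's mention of semanage: chcon changes only the label on disk, and a relabel with restorecon or a full filesystem relabel puts the policy default back, while semanage fcontext changes the default itself. Serving pages from home directories on the RHEL targeted policy also depends on the httpd_enable_homedirs Boolean being on, so labelling John's directory is necessary but not sufficient.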
Editor's note: The last SELinux tutorial in this series will cover some important SELinux commands.
ABOUT THE AUTHOR: Khurram Shiraz is a Technical Consultant at GBM Kuwait. He has worked with high availability technologies and monitoring products such as HACMP, RHEL Clusters and ITM, and has implemented IBM and EMC SAN/NAS storage. He also designs and implements high availability, parallel computing and DR solutions based on IBM pSeries, Linux and Windows infrastructure.
This was first published in January 2011