Protect CentOS Linux system with SELinux

In many cases users simply turn off SELinux because they do not understand this security feature, which ships with every Red Hat Enterprise Linux, CentOS and Fedora system and with some other Linux distributions. A popular alternative, available on Novell's SuSE Linux and Canonical's Ubuntu, is AppArmor. In this article we take a closer look at SELinux, its basic management and its functionality.

SELinux

Security-Enhanced Linux (SELinux) was developed by the U.S. National Security Agency to provide mandatory access control (MAC). It goes beyond the discretionary access control implemented by file permissions and ACLs, in which the owner of a file decides who may use it. In essence, SELinux limits the damage when a security breach does happen. For example, if the system account associated with an FTP service is compromised, policy still confines the FTP daemon to the files and ports its type is allowed to use, so that account is much harder to use as a stepping stone to other services.

Basic Features of SELinux

SELinux attaches a security context (a label) to every process and every file, and the loaded policy decides which actions a subject may perform on an object. In the SELinux world, a subject is a process, such as a command being executed or the Apache web server in operation. An object is a resource, most often a file. An action is what the subject does to the object. For example, the Apache web server process reads objects such as web page files and serves them to clients. Because the rules are written per process type, they are fine-grained: if an attacker breaks in and takes over your web server, the web server's type still cannot read or modify files that the policy never granted it, which limits how far that breach can be used to reach other services. To see the context of a particular file, run the ls -Z command.

How to configure and use SELinux

First you need to know how to set the SELinux mode. There are three modes: enforcing, permissive and disabled. Enforcing and disabled are self-explanatory. In permissive mode, every action that violates policy is logged (to /var/log/audit/audit.log when auditd is running) but nothing is blocked, which makes it the mode to use while troubleshooting denials. To change the mode persistently, change the SELINUX directive in /etc/selinux/config (/etc/sysconfig/selinux is a symlink to it); the change is applied the next time you reboot.

Independently of the mode, the SELINUXTYPE directive selects the policy type: targeted or mls. The default, targeted, confines specific network-facing daemons (httpd, vsftpd, named and others) while leaving ordinary user sessions unconfined, so most of what is protected can be tuned with a handful of booleans and file labels. MLS (multi-level security) goes a step further and implements the Bell-La Padula model developed for the Department of Defense: every subject and object additionally carries a sensitivity level (s0 through s15 in the shipped policy) and a set of categories (c0 through c1023), and the /etc/selinux/targeted/setrans.conf file shows how such numeric labels are translated into human-readable names such as SystemLow and SystemHigh. Few environments need this degree of compartmentalization. If you want to explore MLS, install the selinux-policy-mls RPM.
There are some essential commands that can be used to review and configure basic SELinux settings. To see the current status of SELinux, run the getenforce command; it returns one of three self-explanatory options: enforcing, permissive, or disabled. The sestatus command provides more information, with output similar to the following.

[root@b booleans]# getenforce
Enforcing
[root@b booleans]# sestatus

SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted

[root@b booleans]#

To switch between enforcing and permissive at run time, without a reboot, use setenforce:

# setenforce enforcing
# setenforce permissive

This changes the /selinux/enforce boolean, so you can substitute 1 and 0 for enforcing and permissive. The change lasts only until the next reboot; to make it permanent, set the SELINUX variable in /etc/sysconfig/selinux (on CentOS a symlink to /etc/selinux/config). setenforce only moves between enforcing and permissive. It cannot switch to or from disabled, because with SELinux disabled no policy is loaded and no file labels are maintained, and it cannot change the policy type. To enable SELinux on a system where it was disabled you have to set

SELINUX=enforcing

(or permissive) in the

/etc/sysconfig/selinux

file and reboot. Files created while SELinux was disabled carry no labels, so this requires a "relabel," where SELinux labels are applied to each file on the local system: request one before rebooting with touch /.autorelabel, and expect that boot to take several minutes on a large filesystem. Do not go from disabled straight to enforcing on a production host, since a single mislabelled file can keep a service from starting. Boot into permissive first, review the denials in the audit log, then switch to enforcing.

SELinux Boolean Settings

Many SELinux policy tweaks are exposed as booleans: switches that are turned on and off by setting them to 1 or 0 (on or off). At run time they appear under the /selinux/booleans directory. Read them with getsebool (getsebool -a lists every boolean with its value) and change them with setsebool. A plain setsebool lasts only until reboot; add -P to write the new value into the policy store so it persists.
For example, to allow users to FTP into their home directories, the boolean written for exactly that purpose is ftp_home_dir. The procedure below instead turns on allow_ftpd_full_access, which lets the FTP daemon read and write every file on the system regardless of its label. It works, but it also means a compromised FTP service is no longer confined to FTP data, so prefer the narrower boolean unless you really need full access.

  1. Check the current value; the output should be allow_ftpd_full_access --> off
    # getsebool allow_ftpd_full_access
  2. Turn it on, with -P so the setting survives a reboot
    # setsebool -P allow_ftpd_full_access on
  3. Check again; the output should now be allow_ftpd_full_access --> on
    # getsebool allow_ftpd_full_access
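The mode and boolean checks above lend themselves to a small audit script. The following is an added example, not code from the original article: it parses the output of sestatus and getsebool -a and the SELINUX= directive from the config file, flags a running mode that differs from the configured one (the classic setenforce 0 that was never reverted) and lists broad-grant booleans that are on. The sample sestatus and getsebool output and the temporary config file are constructed for the demo, and the BROAD_BOOLEANS watch list is an illustrative assumption rather than a complete inventory.

```shell
#!/bin/sh
# Added example (not from the original article): audit the SELinux posture
# of a host from the output of `sestatus`, the SELINUX= directive in the
# config file and `getsebool -a`. The parsers read text so they can be
# exercised on the constructed samples below as well as on live output.

# Print the running mode from `sestatus` output read on stdin.
# When SELinux is disabled, sestatus prints only "SELinux status: disabled"
# and no "Current mode" line, so that case is handled explicitly.
running_mode() {
    awk -F': *' '
        $1 == "SELinux status" && $2 != "enabled" { print "disabled"; exit }
        $1 == "Current mode" { print $2; exit }'
}

# Print the SELINUX= value from a selinux config file ($1), ignoring
# comment lines and SELINUXTYPE=. The last assignment wins, as in the shell.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Compare running mode ($1) with configured mode ($2). Returns 0 only when
# the host is enforcing now and will still be enforcing after a reboot.
assess_mode() {
    case "$1/$2" in
        enforcing/enforcing)
            echo "OK: enforcing now and after reboot"; return 0 ;;
        enforcing/*)
            echo "DRIFT: enforcing now, but config says '$2' (reverts on reboot)"; return 1 ;;
        */enforcing)
            echo "DRIFT: running '$1' but config says enforcing (setenforce 0 left behind?)"; return 1 ;;
        *)
            echo "WEAK: running '$1', configured '$2'"; return 1 ;;
    esac
}

# Booleans that hand a daemon far more access than the narrow alternative
# (allow_ftpd_full_access versus ftp_home_dir, for example). The list is an
# illustrative assumption for this example, not a complete inventory.
BROAD_BOOLEANS="allow_ftpd_full_access allow_ftpd_anon_write allow_execstack allow_execmem httpd_unified"

# Read `getsebool -a` output ("name --> on") on stdin and print every
# watched boolean that is currently on, one per line.
broad_booleans_on() {
    awk -v watch="$BROAD_BOOLEANS" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        $2 == "-->" && $3 == "on" && ($1 in want) { print $1 }'
}

# Full report. $1 = sestatus output, $2 = config file path, $3 = getsebool -a
# output. Returns 0 when nothing was flagged.
posture_report() {
    rc=0
    run=$(printf '%s\n' "$1" | running_mode)
    cfg=$(config_mode "$2")
    assess_mode "${run:-disabled}" "${cfg:-unknown}" || rc=1
    for b in $(printf '%s\n' "$3" | broad_booleans_on); do
        echo "BROAD: $b is on; confirm the daemon really needs it"
        rc=1
    done
    return $rc
}

# Constructed samples, modelled on the transcript above: someone ran
# setenforce 0 and a broad FTP boolean was switched on.
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted'
SAMPLE_GETSEBOOL='allow_ftpd_full_access --> on
allow_execmem --> off
ftp_home_dir --> on
httpd_unified --> off'

case "${1:-demo}" in
    live)   # audit this host; exit status is non-zero when something is flagged
        posture_report "$(sestatus)" /etc/selinux/config "$(getsebool -a)" ;;
    demo)   # run against the constructed samples
        tmp=$(mktemp)
        printf '# SELINUX= can be enforcing, permissive or disabled\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$tmp"
        posture_report "$SAMPLE_SESTATUS" "$tmp" "$SAMPLE_GETSEBOOL"
        echo "demo finished with status $?"
        rm -f "$tmp" ;;
esac
```

Run it with no arguments for the demo on the constructed samples, or with live (as root) to audit the host; in live mode the exit status is non-zero whenever mode drift or a broad boolean is found, so it can run from cron or a configuration-check pipeline.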

List and Identify SELinux File Contexts

If you've enabled SELinux, the ls -Z command lists current SELinux file contexts. For example, to serve an FTP server from a nonstandard directory, that directory's context must match the one on the default FTP directory, /var/ftp. Consider the following command:

# ls -Z /var/ftp
drwxr-xr-x root root system_u:object_r:public_content_t pub

The context has three fields: the SELinux user (system_u), the role (object_r, the role carried by all files) and the type (public_content_t, content that confined daemons such as the FTP server may read). On newer releases a fourth field, the MLS level (for example :s0), follows the type. Policy rules key mainly on the type, so any other directory you create for FTP service must carry the same type. For example, if you create an /ftp directory as the root user and run ls -Zd /ftp, you will see that it simply inherited the type of its parent directory, /, and the SELinux user of the shell that created it:

drwxr-xr-x. root root unconfined_u:object_r:root_t ftp

To change the context, use the chcon command; if there are subdirectories, add the -R switch so the change is made recursively. To change the user and type contexts to match /var/ftp, run the following command:

# chcon -R -u system_u -t public_content_t /ftp

chcon only rewrites the label stored on the inode; the policy's file-context database still says /ftp should be root_t, so the next restorecon or full relabel silently reverts the change and the FTP server loses access. To make the label permanent, record it with semanage fcontext (from the policycoreutils-python package) and then apply it with restorecon. If the FTP server must also write to the directory, label it public_content_rw_t and turn on allow_ftpd_anon_write rather than reaching for allow_ftpd_full_access.
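The label check and the persistence step can be scripted. The following is an added example, not code from the original article: it extracts the type from ls -Zd output (with or without the MLS level field), compares it with the type a daemon expects, builds the regex that semanage fcontext takes and applies the rule with restorecon. The two ls -Zd lines are constructed samples modelled on the /ftp output above, and the script name label.sh in the comments is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): verify that a directory
# carries the SELinux type a confined daemon expects, and make the label
# persistent with semanage fcontext + restorecon instead of chcon alone.
# The parsing functions take a line of `ls -Zd` output as text so they can
# be tested on the constructed samples below.

# Print the context column from one line of `ls -Zd` output. The context is
# the first field with at least two colons, which copes with both the old
# form (user:role:type) and the newer one with an MLS level (...:s0).
ls_z_context() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) if (split($i, a, ":") >= 3) { print $i; exit }
    }'
}

# Print the type field of a context "user:role:type[:level]". The level may
# itself contain colons (s0-s0:c0.c1023), so always take the third field.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 when the ls -Zd line $1 shows type $2; otherwise print the
# mismatch and return 1.
line_has_type() {
    have=$(context_type "$(ls_z_context "$1")")
    if [ "$have" = "$2" ]; then
        return 0
    fi
    echo "mismatch: have '$have', want '$2' in: $1"
    return 1
}

# Live check of a path ($1) against an expected type ($2).
path_has_type() {
    line_has_type "$(ls -Zd "$1")" "$2"
}

# Build the file-context regex semanage expects for a directory tree.
fcontext_regex() {
    printf '%s(/.*)?\n' "${1%/}"
}

# Record the label in the local policy store, then apply it. Unlike chcon,
# this survives restorecon and a full relabel. semanage is in the
# policycoreutils-python package on CentOS 6. Use `semanage fcontext -m`
# instead of -a if a rule for this path already exists.
persist_type() {   # $1 = directory, $2 = type
    semanage fcontext -a -t "$2" "$(fcontext_regex "$1")" &&
    restorecon -Rv "$1"
}

# Constructed samples mirroring the article: /ftp created as root inherits
# root_t from /, and what it should look like once labelled.
SAMPLE_BEFORE='drwxr-xr-x. root root unconfined_u:object_r:root_t ftp'
SAMPLE_AFTER='drwxr-xr-x. root root system_u:object_r:public_content_t:s0 ftp'

case "${1:-demo}" in
    check)    # sh label.sh check /ftp public_content_t
        path_has_type "$2" "$3" ;;
    persist)  # sh label.sh persist /ftp public_content_t   (as root)
        persist_type "$2" "$3" ;;
    demo)     # exercise the parsers on the constructed samples
        line_has_type "$SAMPLE_BEFORE" public_content_t || true
        line_has_type "$SAMPLE_AFTER" public_content_t && echo "ok: $(ls_z_context "$SAMPLE_AFTER")"
        echo "fcontext rule for /ftp/: $(fcontext_regex /ftp/)" ;;
esac
```

The check mode is what you want in a post-deployment test: it fails when a directory has drifted back to root_t or default_t after a relabel, which is exactly the failure a chcon-only fix produces.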