SELinux (Security-Enhanced Linux)

sonu kushwaha
4 min read · Oct 24, 2022

Getting hands-on with a real-world use case for SELinux. It's easy; earlier I was afraid of it because I did not know what it was, but SELinux can't get easier than this.

Access control → LSM → SELinux (order of implementation)

Note: there is no need to pay attention to access control and LSM (they are not of concern in this article); the rest refers to SELinux.

Access control

Access control comes in various types:

  • Role Based Access Control (RBAC)
  • Multi-Level Security (MLS)
  • Multi-Category Security (MCS)
  • Type Enforcement (TE)

LSM

LSM, i.e. Linux Security Module, is used to manage access control policies for security, and it is further divided into two parts:

  • DAC (Discretionary Access Control) → based on modes, i.e. read, write and execute
  • MAC (Mandatory Access Control) → based on context/label

SELinux

SELinux = DAC + MAC

cmd: sestatus (to check the status of SELinux)

To see extra information about SELinux, you can install an extra package, i.e.

yum install -y setools

cmd: seinfo

In this article I am going to cover only the type-based part of SELinux.

The following is how to see the type enforcement labels of various files and folders:

Use “-Z” with the ls and ps a commands.

Now, SELinux has three modes, namely permissive, enforcing and disabled. As you can see in the following image, I have also used the commands setenforce and getenforce to set it to enforcing and permissive. Remember, there is no command to disable SELinux; doing so requires changes to the SELinux config file at /etc/selinux/config, and for those changes to take effect we need to reboot the system. Then SELinux will finally be disabled.

Let's learn the SELinux commands by referring to a small use case or scenario: suppose a sysadmin is setting up an Apache web server with the following commands

Once the web server is set up, the admin creates an HTML file in his own root directory, or in some directory other than the Apache DocumentRoot (i.e. /var/www/html). What happens is that the HTML file gets the default type of its own parent folder.

In the following image, our WIP directory is /root/websonu, and there I have created an index.html file. I have also shown the SELinux type of the HTML file, i.e. “admin_home_t”; then I checked which type it should have for the httpd_t context, and that type was “httpd_sys_content_t”.

Hence we need to change the context to the required context with the command “chcon --reference /var/www/html index.html”; an alternative command is “restorecon -vR /var/www/html”.

Then check the context type of the index.html file again: it has been successfully changed to the required context.

Oops, let me show what happens if the above context is not changed to the required one. Let me set it back to the earlier context, and then I will curl our web server, which will show the error.

Let's check what the error is now with the command “journalctl -xe”. The following image shows the error and also suggests the required changes to get rid of it; the log also clearly mentions that SELinux is preventing the access because of the type label.
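The denial that the journal reports can also be read mechanically from the underlying AVC record. The following is an added example, not part of the original article: it parses constructed AVC lines and flags the case from this walkthrough, where httpd_t is denied access to a file whose type is admin_home_t instead of httpd_sys_content_t. The function names, the sample records and the single expected type are assumptions made for illustration.

```python
import re

# Constructed sample records in audit AVC format (not taken from the article).
SAMPLE_LOG = """\
type=AVC msg=audit(1666600000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1666600050.001:460): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1666600000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    fields = context.split(":")
    if len(fields) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return fields[2]


def find_label_denials(log, domain="httpd_t", wanted="httpd_sys_content_t"):
    """List denials where `domain` hit a file or dir whose type is not `wanted`."""
    findings = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m is None:  # SYSCALL, PATH and other non-AVC records
            continue
        source, target = context_type(m["scontext"]), context_type(m["tcontext"])
        if source != domain or m["tclass"] not in ("file", "dir") or target == wanted:
            continue
        findings.append({
            "perms": m["perms"].split(),
            "source_type": source,
            "target_type": target,
            # permissive=1 means the access was logged but still allowed
            "blocked": m["permissive"] != "1",
        })
    return findings


if __name__ == "__main__":
    for f in find_label_denials(SAMPLE_LOG):
        state = "blocked" if f["blocked"] else "logged only (permissive)"
        print(f"{f['source_type']} -> {f['target_type']} {f['perms']}: {state}")
```

On a real host the records come from /var/log/audit/audit.log or from `ausearch -m avc`.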

Once the changes are made, we are able to access the web page hosted on our web server; refer to the following image.

One more thing: various rules are set by default, so sometimes we need to set them according to our use case. As the sysadmin of a web server, we need to turn off cgi-bin, because scripts can be run using the cgi-bin of the Apache web server. So let me show you the various booleans set by default on our system, and then we will turn off the CGI boolean of httpd to be safe from intruders running scripts via cgi-bin.
