Why disable SELinux (III/III)

We have covered quite some ground in the previous posts as part1 and part2. Lets conclude this here with the part 3.

Targeted Policy

The Red Hat Targeted Policy targets certain services for special protection through SELinux.
Web services: httpd, squid
Name and network services: bind, ncsd,dhcpd
Authentication services: ypbind, winbindd
Database services: postgresql, mysqld
Administrative services: portmap, syslogd, ntpd, snmpd
To view these services run the system-config-selinux command. Under the Booleans section are a list of services that can be protected by SELinux. There are more than 100 such protected services in latest version of RED HAT.

Policy Booleans

Security policy is the rule permitting what a subject (process) can do to an object (file). The security policy for the protected services are already set by RED HAT in the form of Booleans. The Policy Booleans allow runtime modifications of the security policy without having to load a new policy. The protected policy defines a default value for each Boolean, typically false. Use ‘getsebool’ and ‘setsebool’ tools to manage the Booleans. Setsebool -P will recompile the policy with the change.
NB: In case if there is no policy Boolean for your requirement, you can create a new policy and set it as a policy boolean.
Let me explain it with an example.
Type command getsebool |grep httpd and you will get a list like the one given below.
httpd_enable_cgi=1 #Allow httpd to execute CGI scripts
httpd_enable_homedirs=1 #allow httpd to read home directories
httpd_ssi_exec=1 #allow httpd to execute SSI scripts.
Suppose you do not want httpd to execute CGI scripts, all you have to do is to set the httpd_enable_cgi boolean to 0. For that you can use the following command
setsebool httpd_enable_cgi 0 or
echo 0 > /selinux/Booleans/httpd_enable_cgi
Then setsebool –P command to recompile the policy.

Apache: Protected service

I shall explain a protected service Apache to get an idea about this. Apache web server is one of the most important services protected by target policy. Web servers are open to the world and hence very much vulnerable for external attacks. Web server provide various methods of manipulating data. We can read data or we can run commands on the client (CGI) or run commands on the server (SSI and hence the web server is a protected service of SELinux. There are targeted policies for this service already set by RED HAT. So regardless of the configuration set in web server configuration files, we can turn on or off the abilities of a web server using SELinux policy.
Configuration files, log files, binary files and content have their own SELinux security context.
/usr/sbin/httpd system_u:object_r:httpd_exec_t
/etc/httpd/conf /* system_u:object_r:httpd_conf_t
/var/log/httpd/* system_u:object_r:httpd_log_t
/var/www/html/* system_u:object_r:httpd_sys_content_t
/var/www/cgi-bin/* system_u:object_r:httpd_sys_script_exec_t
/etc/init.d/httpd system_u:object_r:initrc_exec_t
NB: Note the naming of type for each files. It is related to the nature of file. For example, the log files have type httpd_log_t and executing files are having type httpd_exec_t

Special configuration Booleans for Apache

Web server deliver different forms of content but the ability to server certain types of content should be set in SELinux. Some of the Booleans to be noted are given below.
httpd_enable_cgi — we can turn this Boolean on if we want cgi scripts to be executed
httpd_ssi_exec —- we can turn this Boolean on if we want to execute a command on the server.
httpd_enable_homedirs — This permits the use of ~username feature of web sever allowing all users to create their own content in a subdirectory of their home directory.
Turn off any Booleans for features that you are not using.
So unless there is a Boolean or a special policy rule, one protected service cannot interact with another protected service. Similarly an unprotected program under unconfined type also cannot interact with a protected service. Suppose if you write your own script, it will be in unconfined type and is unprotected. If the script is to manipulate some data from web server file which is protected, it will not work.

Troubleshooting: ‘avc: denied’, setroubleshoot

If an application does not work as expected look at the ‘avc: denied’ message to figure out what is wrong. Check the audit log at /var/log/audit/audit.log if auditd is running. Otherwise the audit messages will be found in /var/log/messages.
eg:- The following is an example of an error that occurred attempting to access a web page.
audit(1105758604.519:420): avc : denied { getattr } fir oud=5954 exe=/usr/sbin/httpd path=/var/www/html/ dev=hdb2 ino=921135 scontext=root:system_r:httpd_t tcontext=usr_u:object_r:user_home_t tclass=dir
The above log messages says that an executable file /usr/sbin/httpd with source context root:system_r:httpd_t is denied access to directory /var/www/html with target context user_u:object_r:user_home_t.
setroubleshootd daemon is a part of setroubleshoot RPM. It watches for AVC errors and sends an alert to /var/log/messages. In the alert messages it says us to run sealert command. When we run sealert command as mentioned by the setroubleshoot daemon, we will get an overview of the error and its solution in a human readable format.

Policy Utilities

Several tools are available for manipulating and analyzing policies.
apol is used to analyze the policy.
seaudit is used to audit the policy file or the log files.
seaudit_report is pulls the AVC denied messages from /var/log/messages
checkpolicy will check the syntax of the policy.
sesearch will search the policy file for allow,type or audit lines.
sestatus show the current SELinux status.
audit2allow translates avc denied messages in /var/log/audit/audit.log to allow messages for use in the policy file.
seinfo shows information about the policy such as how many conditional expressions, Booleans and users occur in the policy.
SELinux is not a final word in securing linux. It can be used along with our traditional security mechanisms and developments are still going on in this field to include more services under its targeted policies. SELinux is definitely a big relief to the system administrator to secure his server from external attacks. I hope you will think twice before disabling SELinux to fix an issue.


About the Author :

Jimmy Works as Senior Software Engineer in Bobcares. He joined Bobcares back in Jan 2007. During his free time, he watches movies, and enjoys reading.

Co-Authored by Sankar.H



Security specialists will audit, update, patch, harden and monitor your server 24/7.

Starting at $69.99/month