
Why disable SELinux (II/III)

We covered the basics of SELinux and security contexts in the last blog. Now we move on to a more detailed look at policies, at viewing security context information, at archiving SELinux attributes, and at controlling the SELinux mode.

Targeted, strict and MLS Policies

Redhat supports three policies: targeted, strict and MLS. The targeted policy is the default; under it every subject and object runs in the unconfined_t domain, except for the specifically targeted daemons. Anything on the system that is in the unconfined_t domain has no SELinux restrictions. The daemons that are part of the targeted policy run in their own domains and are restricted in every operation they perform on the system. Daemons that are commonly attacked, such as network services, can be protected by confining them to a specific domain.

There are over 100 targeted daemons. A few of them are:
dhcpd, httpd, mysqld, named, nscd, ntpd, portmap, postgres, snmpd, squid, syslogd, bind, ypbind.

In the strict policy, every subject is in a confined domain. This is a much more complex environment: even the root user has restricted privileges. The MLS policy is used in military applications.

Where is the Policy

The default path for the policy is /etc/selinux/
/etc/selinux/targeted - root folder for the targeted policy
/etc/selinux/targeted/contexts - location of the security context information and configuration files that various applications use at runtime.

Security Context Information

To view the security context information associated with files, use the ls command with the -Z option.
ls -Z
eg:
-rw-r--r-- root root system_u:object_r:boot_t config-2.6.18-el5
drwxr-xr-x root root system_u:object_r:boot_t grub
To view the security context information associated with a user, use id -Z.
id -Z
eg: root:system_r:unconfined_t:SystemLow-SystemHigh
To view the security context information associated with processes, use ps with the -Z option.
ps -Z
eg:
root:system_r:httpd_t 17995 ? 00:00:01 httpd
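As an added example (not part of the original post), the following script parses the user:role:type[:level] context strings shown above and audits ps -eZ output for targeted daemons that are not running in their own <name>_t domain. The sample ps output is constructed; the daemon list is the one given earlier in this post.

```python
"""Audit `ps -eZ` output for targeted daemons running unconfined."""
from typing import List, NamedTuple, Optional, Tuple


class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: Optional[str]  # None on a non-MLS system


def parse_context(ctx: str) -> Context:
    """Split user:role:type[:level]; the MLS level may itself contain ':'
    (e.g. s0:c0.c1023), so only the first three ':' are separators."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a SELinux context: %r" % ctx)
    user, role, type_ = parts[:3]
    level = parts[3] if len(parts) == 4 else None
    return Context(user, role, type_, level)


# Daemons the post lists as targeted; each is expected in the <name>_t domain.
TARGETED = {"dhcpd", "httpd", "mysqld", "named", "nscd", "ntpd", "portmap",
            "postgres", "snmpd", "squid", "syslogd", "ypbind"}

# Constructed sample in `ps -eZ` layout: LABEL PID TTY TIME CMD
SAMPLE_PS = """\
LABEL                                            PID TTY      TIME CMD
root:system_r:unconfined_t:SystemLow-SystemHigh    1 ?    00:00:03 init
root:system_r:httpd_t                          17995 ?    00:00:01 httpd
root:system_r:unconfined_t                      2201 ?    00:00:00 mysqld
system_u:system_r:named_t                       1337 ?    00:00:00 named
"""


def parse_ps_z(output: str):
    """Yield (context, pid, cmd) per line; CMD may contain spaces, hence maxsplit=4."""
    for line in output.splitlines():
        fields = line.split(None, 4)
        if len(fields) < 5 or fields[0] == "LABEL":
            continue  # header or malformed line
        ctx, pid, _tty, _time, cmd = fields
        yield parse_context(ctx), int(pid), cmd


def find_unconfined_daemons(output: str) -> List[Tuple[str, int, str]]:
    """Return (name, pid, actual type) for targeted daemons outside <name>_t."""
    findings = []
    for ctx, pid, cmd in parse_ps_z(output):
        name = cmd.split()[0].rsplit("/", 1)[-1]
        if name in TARGETED and ctx.type != name + "_t":
            findings.append((name, pid, ctx.type))
    return findings
```

Run it against real output with find_unconfined_daemons(subprocess.check_output(["ps", "-eZ"], text=True)); a targeted daemon reported in unconfined_t means its policy module is not confining it.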

Archiving

In a traditional security system, every file carries a fixed set of attributes. SELinux stores its labels in 'extended attributes'. So if you want to archive files and keep their security contexts, you must include all extended attributes associated with the files, which hold both the SELinux labels and the ACLs.

Archiving using star

We can use the tool 'star' to archive extended attributes. star is very similar to the tar command. To archive the SELinux attributes, use the -xattr -H=exustar options with star.

Simple archive:
eg:
star -xattr -H=exustar -c -f etc.star /etc

Archive using gzip:
eg:
star -xattr -H=exustar -c -z -f etc.star.gz /etc

Extracting a star archive that has been compressed using gzip:
eg:
[root@stationX]# cd /tmp/
[root@stationX]# star -x -z -f /etc.star.gz

Archiving using rsync:
rsync can also preserve extended attributes. It is the right choice when we want to copy a particular directory to a remote machine.
eg:
[root@stationX]# rsync -e ssh -avAHPX /etc root@stationY:/tmp/
Note: getfattr can be used to view the extended attributes of files and directories.
eg:
getfattr -d -m security.selinux -R /etc

Controlling SELinux : setenforce, getenforce, sestatus

When SELinux is enabled, there are two modes: permissive and enforcing.

Permissive mode is a 'warn-only' mode. Access is still governed by standard discretionary access control, so all processes reach the file system as usual, but every access that the policy would have denied is logged.
Enforcing mode lets SELinux control access to the system using Mandatory Access Control, and thus enforces the SELinux policy.
SELinux policy may be adjusted or disabled through a number of utilities.
These modes can be switched at run time using the setenforce command. The mode can be set permanently in the file /etc/selinux/config (also reachable as /etc/sysconfig/selinux).
setenforce 0|1 (0 is permissive and 1 is enforcing)
getenforce returns the current SELinux mode: enforcing, permissive or disabled.
You can also control SELinux using the graphical system-config-selinux tool.
The kernel option enforcing=0 can be passed through GRUB at boot time to start SELinux in warn-only (permissive) mode; enforcing=1 selects enforcing mode.
sestatus shows the actual SELinux settings.

More on SELinux to come very soon. Keep visiting the Blog!

Jimmy


About the Author :

Jimmy Works as Senior Software Engineer in Bobcares. He joined Bobcares back in Jan 2007. During his free time, he watches movies, and enjoys reading.


Co-Authored by Sankar.H

