Stop disabling SELinux!

Powered by SC Magazine
 

Don't let one problem policy ruin everything.

The push to cloud transforms the way we apply information security principles to systems and applications.

Perimeters of the past, secured heavily with traditional network devices in the outermost ring, lose effectiveness day by day. Shifting the focus to defense in depth brings the perimeter down to the individual cloud instances running your application.

Security-Enhanced Linux, or SELinux, forms an effective part of that perimeter.

SELinux operates in the realm of mandatory access control (MAC).  The design of MAC involves placing constraints on what a user (a subject) can do to a particular object (a target) on the system.

In contrast, discretionary access control (DAC) allows a user with certain access to use discretion to limit or allow access to certain files, directories, or devices.  You can set any file system permissions that you want, but SELinux can override them with ease at the operating system level.

Consider a typical server running a web application.  An attacker compromises the web application and executes malicious code via the web server daemon itself.  SELinux has default policies that prevent the daemon from initiating communication on the network.  That limits the attacker’s options to attack other services or servers.

In addition, SELinux sets policies on which files and directories the web server can access, regardless of any file system permissions.  This protection limits the attacker’s access to other sensitive parts of the file system even if the administrator set the files to be readable to the world.

This is where SELinux shines.  Oddly enough, this is the point where many system administrators actually disable SELinux on their systems.

Denials

Troubleshooting the events in which SELinux blocks an action, called AVC denials, without some helpful tools is challenging and frustrating.  Each denial flows into your audit log as a cryptic message.

Most administrators will check the usual suspects, like firewall rules and file system permissions.  As frustration builds, they disable SELinux and notice that their application begins working as expected.

SELinux remains disabled and hundreds of helpful policies lie dormant solely because one policy caused a problem.

Disabling SELinux without investigation frustrated me to the point where I started a site at stopdisablingselinux.com.  The site is a snarky response to Linux administrators who reach for the disable switch as soon as SELinux gets in their way.

All jokes aside, here are some helpful tips to use SELinux effectively:

  • Use the setroubleshoot helpers to understand denials

Working through denials is easy with the setroubleshoot-server package. When a denial occurs, you still receive a cryptic log message in your audit logs. However, you also receive a message via syslog that is very easy to read. Your server can email you these messages as well. The message contains guidance about adjusting SELinux booleans, setting contexts, or generating new SELinux policies to work around a really unusual problem. When I say guidance, I mean that the tools give you commands to copy and paste to adjust your policies, booleans and contexts.

  • Review SELinux booleans for quick adjustments

Although the myriad of SELinux user-space tools isn’t within the scope of this article, getsebool and togglesebool deserve a mention.  Frequently adjusted policies are controlled by booleans that are toggled on and off with togglesebool.  Start with `getsebool -a` for a full list of booleans and then use togglesebool to enable or disable the policy.

  • Quickly restore file or directory contexts

Shuffling files or directories around a server can cause SELinux denials due to contexts not matching their original values.  This happens to me frequently if I move a configuration file from one system to another.  Correcting the context problem involves one of two simple commands.  The restorecon command applies the default contexts specific to the file or directory.  If you have a file in the directory with the correct context, use chcon to fix the context on the wrong file by giving it the path to the file with the correct context.
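The following is an added example written for this page; it is not code from the article or from Major Hayden, and it assumes nothing about the host beyond a POSIX shell and awk. It ties the three tips above together: it takes AVC lines of the shape that land in /var/log/audit/audit.log (the sample lines are constructed, with made-up pids, inodes and timestamps), turns each into the readable summary that setroubleshoot would otherwise produce for you, and then applies a few hand-written rules to sort each denial into the article's two quick fixes, a boolean or a context repair, falling back to "read the sealert message" for anything else. The rules name real SELinux objects (the httpd_can_network_connect boolean, the httpd_sys_rw_content_t label, setsebool -P and semanage fcontext) but go beyond the commands the article itself lists, and they are illustrative, not a substitute for setroubleshoot's own advice.

```shell
#!/bin/sh
# Added example: decode raw AVC denials and sort each into "boolean", "context" or "unknown".
# SAMPLE_AVC is constructed for this example; pids, inodes and timestamps are made up.
SAMPLE_AVC='type=AVC msg=audit(1398801234.567:890): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1398801240.101:891): avc:  denied  { read } for  pid=1235 comm="httpd" name="config.php" dev="vda1" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1398801250.222:892): avc:  denied  { write } for  pid=1236 comm="httpd" name="cache" dev="vda1" ino=4712 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir'

# avc_summary: one pipe-separated line per denial read from stdin:
#   <source type>|<permission>|<class>|<target type>|<comm>
avc_summary() {
    awk '
    /avc: *denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""; comm = ""
        # the denied permission set sits between the braces, e.g. "{ name_connect }"
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            # a context reads user:role:type:level; the type (third field) is what policy decides on
            if (kv[1] == "scontext")      { split(kv[2], c, ":"); src = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            else if (kv[1] == "tclass")   cls = kv[2]
            else if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
        }
        printf "%s|%s|%s|%s|%s\n", src, perm, cls, tgt, comm
    }'
}

# avc_triage: given one summary line, say which of the article's fixes to reach for first.
# The rules are deliberately small; they illustrate the boolean-vs-context decision, nothing more.
avc_triage() {
    summary=$1
    src=${summary%%|*};  rest=${summary#*|}
    perm=${rest%%|*};    rest=${rest#*|}
    cls=${rest%%|*};     rest=${rest#*|}
    tgt=${rest%%|*}
    case "$src:$cls:$perm:$tgt" in
        httpd_t:tcp_socket:name_connect:*)
            # the web server initiating network connections is governed by a boolean
            echo "boolean: check getsebool httpd_can_network_connect; enable persistently with setsebool -P" ;;
        *:file:*:user_home_t|*:dir:*:user_home_t|*:file:*:admin_home_t)
            # web content still labelled as home-directory data: a context mismatch after a move/copy
            echo "context: run restorecon -v on the path, or chcon --reference=<correctly labelled file>" ;;
        httpd_t:dir:write:httpd_sys_content_t|httpd_t:file:write:httpd_sys_content_t)
            # read-only content label on a path the application must write to
            echo "context: label the writable path httpd_sys_rw_content_t (semanage fcontext, then restorecon)" ;;
        *)
            echo "unknown: read the setroubleshoot/sealert message before changing anything" ;;
    esac
}

# On a real host you would feed it live denials: ausearch -m avc -ts recent | avc_summary
# Here it runs over the constructed sample:
printf '%s\n' "$SAMPLE_AVC" | avc_summary | while IFS= read -r line; do
    echo "$line -> $(avc_triage "$line")"
done
```

The summary step is the part worth keeping even if you ignore the triage rules: the type field of scontext and tcontext, the tclass and the braced permission are the four things a denial is actually about, and once they are on one line the question "is this a boolean or a label?" usually answers itself.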

Here are some additional links with helpful SELinux documentation:

Major Hayden is Chief Security Architect and Linux Engineer at Rackspace.

    Copyright © SC Magazine, Australia
