iTnews

Stop disabling SELinux!

By Major Hayden, Rackspace, Chief Security Architect and Linux Engineer on Apr 19, 2013 2:44PM

Don't let one problem policy ruin everything.

The push to cloud transforms the way we apply information security principles to systems and applications.

Perimeters of the past, secured heavily with traditional network devices in the outermost ring, lose effectiveness day by day. Shifting the focus to defense in depth brings the perimeter down to the individual cloud instances running your application.

Security-Enhanced Linux, or SELinux, forms an effective part of that perimeter.

SELinux operates in the realm of mandatory access control (MAC). Under MAC the kernel enforces an administrator-defined policy that constrains what a subject (a process running in a labelled domain) may do to an object (a labelled file, directory, port, socket or other resource). The owner of the process or the file cannot loosen those rules.

In contrast, discretionary access control (DAC) lets the owner of a file, directory or device decide who else may read, write or execute it. SELinux does not replace those permissions; the kernel checks DAC first and then consults the SELinux policy. A world-readable file can therefore still be denied to a confined process, while SELinux never grants access that DAC refuses. Running chmod 777 on a file does not get you past a policy denial.

Consider a typical server running a web application. An attacker compromises the application and executes malicious code as the web server daemon itself. Under the default targeted policy the daemon runs in the confined httpd_t domain, and unless the httpd_can_network_connect boolean has been turned on it is denied outbound network connections. That limits the attacker's ability to pivot from the compromised process to other services or servers.

In addition, the policy restricts which files and directories the web server can access, regardless of the DAC permissions on them. This limits the attacker's reach into other sensitive parts of the file system even if an administrator made those files readable to the world.

This is where SELinux shines.  Oddly enough, this is the point where many system administrators actually disable SELinux on their systems.

Denials

Troubleshooting these events, called AVC denials, without some helpful tools is challenging and frustrating. Each denial is written to the audit log (/var/log/audit/audit.log) as a dense one-line record of key=value pairs: the denied permission, the process, the source and target security contexts and the object class. Nothing in it says "check this boolean" or "this file has the wrong label".

Most administrators will check the usual suspects, like firewall rules and file system permissions.  As frustration builds, they disable SELinux and notice that their application begins working as expected.

SELinux remains disabled and hundreds of helpful policies lie dormant solely because one policy caused a problem. If you must get the application working before you have time to investigate, setenforce 0 (permissive mode) keeps logging the denials without blocking anything, which is a far better starting point than switching SELinux off entirely.

Disabling SELinux without investigation frustrated me to the point where I started a site at stopdisablingselinux.com.  The site is a snarky response to Linux administrators who reach for the disable switch as soon as SELinux gets in their way.

All jokes aside, here are some helpful tips to use SELinux effectively:

  • Use the setroubleshoot helpers to understand denials

Working through denials is easy with the setroubleshoot-server package. When a denial occurs, you still receive a cryptic record in your audit logs. However, you also receive a message via syslog that is very easy to read. Your server can email you these messages as well. The message contains guidance about adjusting SELinux booleans, setting contexts, or generating a local policy module (via audit2allow) to work around a really unusual problem. When I say guidance, I mean that the tools give you commands to copy and paste to adjust your policies, booleans and contexts. The same analysis is available on demand with sealert -a /var/log/audit/audit.log.

  • Review SELinux booleans for quick adjustments

Although the myriad of SELinux user-space tools is outside the scope of this article, getsebool, setsebool and togglesebool deserve a mention. Frequently needed policy adjustments are exposed as booleans. Start with getsebool -a for the full list (or getsebool httpd_can_network_connect for a single one), then enable or disable the behaviour with setsebool. Use the -P flag (setsebool -P httpd_can_network_connect on) so the change is written to the policy and survives a reboot; togglesebool flips a boolean at runtime only, and the change is lost on the next boot.

  • Quickly restore file or directory contexts

Shuffling files or directories around a server can cause SELinux denials because the files keep the context of where they came from rather than the one the policy expects at their new location. This happens to me frequently if I move a configuration file from one system to another. Check the current label with ls -Z and the expected one with matchpathcon; correcting the mismatch involves one of two simple commands. The restorecon command reapplies the default context the policy defines for that path (restorecon -Rv /etc/httpd for a whole tree). If you have a neighbouring file with the correct context, copy its label onto the wrong one with chcon --reference=/path/to/good-file /path/to/wrong-file. Note that chcon changes are not remembered by the policy: a later restorecon or full relabel will undo them, so a file that legitimately lives outside its default location needs a file-context rule (semanage fcontext) rather than a one-off chcon.
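The following script ties the Denials section and the three tips above together: it decodes a raw AVC record into a readable sentence and then prints the next command to run, choosing between the boolean route and the file-context route by object class. This is an added example, not code from the article or from the setroubleshoot project; the two audit lines are constructed to look like real AVC records and do not come from any real system, and the recent_denials helper is only defined, not run, so the script executes on a machine without SELinux.

```shell
#!/bin/sh
# Added example: decode an SELinux AVC denial and pick the next troubleshooting
# command. The two audit lines below are constructed to look like real AVC
# records (assumed format); they did not come from the article or a real host.

AVC_NET='type=AVC msg=audit(1366350000.123:456): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'
AVC_FILE='type=AVC msg=audit(1366350100.456:789): avc:  denied  { read } for  pid=2345 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=131082 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_field LINE KEY: value of the KEY=VALUE pair in an AVC record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# avc_summary LINE: one readable sentence built from the cryptic record.
avc_summary() {
    perms=$(printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p')
    comm=$(avc_field "$1" comm)
    stype=$(avc_field "$1" scontext | cut -d: -f3)   # source domain, e.g. httpd_t
    ttype=$(avc_field "$1" tcontext | cut -d: -f3)   # target type, e.g. user_home_t
    tclass=$(avc_field "$1" tclass)
    printf '%s (%s) denied %s on %s (%s)\n' "$comm" "$stype" "$perms" "$ttype" "$tclass"
}

# avc_next_step LINE: print the command(s) to run next, chosen by object class.
avc_next_step() {
    tclass=$(avc_field "$1" tclass)
    stype=$(avc_field "$1" scontext | cut -d: -f3)
    ttype=$(avc_field "$1" tcontext | cut -d: -f3)
    case $tclass in
        tcp_socket|udp_socket)
            # Network access by a confined daemon is normally gated by a boolean
            # named after its domain; list them, then flip the right one with -P.
            echo "getsebool -a | grep ${stype%_t}"
            if [ "$stype" = httpd_t ] && [ "$ttype" = mysqld_port_t ]; then
                echo "setsebool -P httpd_can_network_connect_db on"
            fi
            ;;
        file|dir|lnk_file)
            # A file denial is usually a wrong label, not a missing rule:
            # compare the current label with what the policy expects, then reset it.
            path=$(avc_field "$1" path)
            echo "ls -Z $path"
            echo "matchpathcon $path"
            echo "restorecon -v $path"
            # Or copy the label from a sibling that works:
            #   chcon --reference=/path/to/known-good-file $path
            ;;
        *)
            echo "sealert -a /var/log/audit/audit.log"
            ;;
    esac
}

# recent_denials: pull live AVC records (needs auditd and root). Defined only,
# not invoked, so this script also runs on a machine without SELinux.
recent_denials() {
    ausearch -m avc -ts recent 2>/dev/null || grep 'avc:  denied' /var/log/audit/audit.log
}

for line in "$AVC_NET" "$AVC_FILE"; do
    avc_summary "$line"
    avc_next_step "$line"
    echo
done
```

On a real host, feed it the output of recent_denials one line at a time; the boolean it suggests for the database case exists in the stock targeted policy, but treat every other suggestion as the place to start looking rather than a fix to apply blindly.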

Here are some additional links with helpful SELinux documentation:

  • SELinux Project Wiki

  • Red Hat Enterprise Linux 6 SELinux Guide

  • Dan Walsh's Blog 

  • Major Hayden is Chief Security Architect and Linux Engineer at Rackspace.


    Copyright © SC Magazine, Australia
