iTnews

Stop disabling SELinux!

By Major Hayden on Apr 19, 2013 2:44PM

Don't let one problem policy ruin everything.

The push to cloud transforms the way we apply information security principles to systems and applications.

Perimeters of the past, secured heavily with traditional network devices in the outermost ring, lose effectiveness day by day. Shifting the focus to defense in depth brings the perimeter down to the individual cloud instances running your application.

Security-Enhanced Linux, or SELinux, forms an effective part of that perimeter.

SELinux operates in the realm of mandatory access control (MAC).  Under MAC the system's security policy, not the owner of a resource, decides what a subject (a process, running in a domain such as httpd_t) may do to an object (a file, directory, socket, port and so on), and the kernel enforces that decision.

In contrast, discretionary access control (DAC) lets the owner of a file, directory or device decide at their own discretion who may access it.  The two are checked in sequence: the kernel evaluates the DAC permissions first and the SELinux policy second, and SELinux can only deny an operation that DAC allowed, never grant one that DAC refused.  You can set any file system permissions that you want, but a world-readable file is still unreadable to a process whose domain has no rule permitting it.

Consider a typical server running a web application.  An attacker compromises the web application and executes malicious code via the web server daemon itself.  In the targeted policy the daemon runs in the httpd_t domain, and by default (the httpd_can_network_connect boolean is off) that domain may not initiate arbitrary outbound network connections.  That limits the attacker's options to attack other services or servers: a reverse shell or a scan of neighbouring hosts from that process is denied.

In addition, SELinux policy restricts which file types the web server may access (content labelled httpd_sys_content_t, for example, but not user_home_t or shadow_t), regardless of any file system permissions.  This protection limits the attacker's access to other sensitive parts of the file system even if the administrator set the files to be readable to the world.

This is where SELinux shines.  Oddly enough, it is also the point at which many system administrators disable it: the first time the policy denies something they needed.

Denials

When the policy blocks an action, the kernel records an AVC denial (the access vector cache is the kernel component that makes and caches the decision).  Each denial flows into your audit log, normally /var/log/audit/audit.log, as a cryptic key=value message; ausearch -m avc -ts recent pulls out the latest ones.  Troubleshooting those messages without some helpful tools is challenging and frustrating.

Most administrators will check the usual suspects, like firewall rules and file system permissions.  As frustration builds, they disable SELinux and notice that their application begins working as expected.

SELinux remains disabled and hundreds of helpful policies lie dormant solely because one policy caused a problem.
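What such a denial looks like, and how to decode it, as an added example that is not part of the original article.  The three audit lines are constructed samples in the real key=value layout (not captures from any host), the pipeline is plain sh and awk, and the mapping from denial to boolean in avc_suggest is my own shortlist for the httpd_t domain, not setroubleshoot's logic:

```shell
#!/bin/sh
# Added example, not code from the original article: decode raw AVC denials
# as they appear in /var/log/audit/audit.log (or in the output of
# `ausearch -m avc -ts recent`). The three log lines are constructed samples
# in the real key=value layout, not captures from a live host.

SAMPLE_AVC='type=AVC msg=audit(1366340000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1366340001.456:457): avc:  denied  { read } for  pid=1234 comm="httpd" name="app.conf" dev="dm-0" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1366340002.789:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0'

# avc_summary: raw audit lines on stdin; one line per denial on stdout:
#   <comm> <source type> <permission(s)> <target type> <object class>
# The type is the third colon-separated field of an SELinux context.
avc_summary() {
    awk '
    /avc: *denied/ {
        perm = ""; split("", kv)
        if (match($0, /[{][^}]*[}]/)) {         # "{ name_connect }"
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm); gsub(/ +/, ",", perm)
        }
        for (i = 1; i <= NF; i++) {             # key=value, quotes stripped
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            gsub(/"/, "", val); kv[key] = val
        }
        split(kv["scontext"], s, ":"); split(kv["tcontext"], t, ":")
        print kv["comm"], s[3], perm, t[3], kv["tclass"]
    }'
}

# avc_suggest COMM STYPE PERM TTYPE TCLASS: the usual next step for a denial.
# This mapping is my own shortlist for httpd_t, not an exhaustive table;
# sealert from setroubleshoot-server does the complete job.
avc_suggest() {
    case "$2:$5:$3:$4" in
        httpd_t:tcp_socket:name_connect:mysqld_port_t|httpd_t:tcp_socket:name_connect:postgresql_port_t)
            echo "setsebool -P httpd_can_network_connect_db on" ;;
        httpd_t:tcp_socket:name_connect:http_port_t|httpd_t:tcp_socket:name_connect:http_cache_port_t)
            echo "setsebool -P httpd_can_network_relay on" ;;
        httpd_t:tcp_socket:name_connect:*)
            echo "setsebool -P httpd_can_network_connect on (broad: any outbound TCP, look for a narrower boolean first)" ;;
        httpd_t:file:*:user_home_t)
            echo "file is labelled as home directory content: relabel it (semanage fcontext, restorecon) or review httpd_enable_homedirs" ;;
        *)
            echo "no boolean known: compare ls -Z with matchpathcon, then consider audit2allow -a" ;;
    esac
}

# Driver: summarise every constructed denial and print the suggested fix.
printf '%s\n' "$SAMPLE_AVC" | avc_summary |
while read -r comm stype perm ttype tclass; do
    printf '%s [%s] denied %s on %s (%s)\n  -> %s\n' \
        "$comm" "$stype" "$perm" "$ttype" "$tclass" \
        "$(avc_suggest "$comm" "$stype" "$perm" "$ttype" "$tclass")"
done
```

The five fields the summary keeps are the ones that decide the fix: the source domain and target type tell you whether a boolean exists for that pair, and the object class (tcp_socket versus file) tells you whether you are looking at a network rule or a label problem.  Replace the sample with ausearch -m avc -ts recent | avc_summary on a real host.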

Disabling SELinux without investigation frustrated me to the point where I started a site at stopdisablingselinux.com.  The site is a snarky response to Linux administrators who reach for the disable switch as soon as SELinux gets in their way.

All jokes aside, here are some helpful tips to use SELinux effectively:

  • Use the setroubleshoot helpers to understand denials

Working through denials is far easier with the setroubleshoot-server package installed. When a denial occurs, you still receive the cryptic record in your audit log, but you also receive a plainly worded message via syslog that ends with the sealert command to run for the full analysis (sealert -l followed by the alert id; sealert -a /var/log/audit/audit.log analyses the whole log instead). Your server can email you these messages as well. The message contains guidance about adjusting SELinux booleans, setting file contexts, or generating a local policy module to work around a genuinely unusual problem. When I say guidance, I mean that the tools give you commands to copy and paste to adjust your policies, booleans and contexts. Read a suggested command before pasting it, though: audit2allow will happily build a module that permits exactly the behaviour the policy was written to stop, so a boolean or a relabel is nearly always the better fix.

  • Review SELinux booleans for quick adjustments

Although the myriad of SELinux user-space tools isn't within the scope of this article, getsebool and setsebool deserve a mention.  Frequently adjusted rules are controlled by booleans.  Start with getsebool -a for the full list (semanage boolean -l adds a one-line description of each), then switch one with setsebool -P boolean_name on or off; the -P flag writes the change to the policy store so it survives a reboot, whereas togglesebool and setsebool without -P change only the running value.  Before turning a boolean on, check what it allows: httpd_can_network_connect, for example, gives the web server exactly the unrestricted outbound access that the compromise example above relied on SELinux to deny, and a narrower boolean such as httpd_can_network_connect_db usually covers the real need.

  • Quickly restore file or directory contexts

Shuffling files or directories around a server can cause SELinux denials due to contexts not matching their expected values: mv preserves a file's original label, while cp gives the copy the label the destination directory implies.  This happens to me frequently if I move a configuration file from one system to another.  Correcting the context problem involves one of two simple commands.  The restorecon command (restorecon -Rv for a directory tree) reapplies the default context that the policy's file_contexts database specifies for that path; restorecon -nv previews the changes without making them.  If you have a neighbouring file with the correct context, chcon --reference=/path/to/good/file /path/to/bad/file copies its context onto the wrong file.  Note that chcon is only a temporary fix, since the next restorecon or full relabel reverts it; for content kept in a non-default location, record the rule with semanage fcontext -a -t TYPE '/path(/.*)?' and then run restorecon on the path.
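A check to go with the second tip, added here and not part of the original article: rather than only flipping booleans until the denials stop, list the ones already switched on that matter most for a web server.  The shortlist of booleans and the reasons are mine, and the getsebool -a snapshot is a constructed sample used when the real tool is absent:

```shell
#!/bin/sh
# Added example, not code from the original article: review the booleans
# that are switched on against a shortlist that hands a compromised web
# server back the freedom SELinux took from it. The list and the reasons
# are mine; extend it for the daemons you run.

# boolean|why it matters when it is on (no ';' in the text: it is the row separator below)
RISKY_BOOLEANS='httpd_can_network_connect|httpd may open any outbound TCP connection, prefer httpd_can_network_connect_db or httpd_can_network_relay
httpd_execmem|httpd may map writable and executable memory, removing a barrier against injected code
httpd_unified|httpd may read, write and execute every httpd_*_content_t file rather than only its own content type
httpd_can_sendmail|httpd may open SMTP connections, a gift to anyone using a compromised site for spam'

# review_booleans: "name --> on|off" lines (the getsebool -a format) on stdin;
# prints "name: reason" for every risky boolean that is on.
review_booleans() {
    awk -v list="$(printf '%s' "$RISKY_BOOLEANS" | tr '\n' ';')" '
    BEGIN {
        n = split(list, rows, ";")
        for (i = 1; i <= n; i++) { split(rows[i], f, "|"); why[f[1]] = f[2] }
    }
    $2 == "-->" && $3 == "on" && ($1 in why) { print $1 ": " why[$1] }
    '
}

# Constructed sample of getsebool -a output, used when the real tool is absent.
SAMPLE_GETSEBOOL='httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_can_sendmail --> off
httpd_enable_homedirs --> off
httpd_execmem --> on
httpd_unified --> off
samba_enable_home_dirs --> off'

if command -v getsebool >/dev/null 2>&1; then
    getsebool -a | review_booleans
else
    printf '%s\n' "$SAMPLE_GETSEBOOL" | review_booleans
fi
```

A finding is reverted persistently with setsebool -P httpd_can_network_connect off; togglesebool, or setsebool without -P, lasts only until the next reboot.  Where the application genuinely needs outbound access, the narrower booleans named in the reasons usually cover it.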

Here are some additional links with helpful SELinux documentation:

  • SELinux Project Wiki

  • Red Hat Enterprise Linux 6 SELinux Guide

  • Dan Walsh's Blog 

Major Hayden is Chief Security Architect and Linux Engineer at Rackspace.

    Copyright © SC Magazine, Australia
