Saturday, September 14, 2013

SELINUX -- Concepts

Security-Enhanced Linux (SELinux) is an implementation of mandatory access control (MAC) in the Linux kernel. Its checks run after the traditional discretionary access control (DAC) checks, so an operation must pass both DAC and the SELinux policy to be allowed.

Processes and files are labeled with an SELinux context, which consists of an SELinux user, a role, a type, and a level. Within SELinux, all of this information is used to make access control decisions. For performance reasons, SELinux decisions are cached; the cache is called the Access Vector Cache (AVC). In Fedora, SELinux provides a combination of Role-Based Access Control (RBAC), Type Enforcement (TE), and Multi-Level Security (MLS).


The command sestatus reports the status of a system running SELinux. Here is example output of sestatus:

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

The output shows that SELinux is enabled and currently running in enforcing mode, which matches the mode set in the configuration file. It also tells us that the configuration root directory is /etc/selinux and that the targeted policy is loaded. SELinux can be enabled in enforcing or permissive mode, or disabled altogether; in permissive mode, SELinux logs what it would have denied instead of denying it. The command setenforce switches the running mode between enforcing and permissive, but that change lasts only until reboot; to make it persistent, edit the configuration file /etc/selinux/config.
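To turn the sestatus output above into a check, here is an added shell example (not from the original post): it parses sestatus-style output passed to it as text and flags a mismatch between the running mode and the mode from the config file, which is exactly what is left behind when someone switches the mode with setenforce and never updates /etc/selinux/config. The sample output is constructed (it mirrors the post's example but with the running mode changed to permissive so the drift shows); the function names sestatus_field and selinux_mode_drift are my own.

```shell
#!/bin/sh
# Added example, not from the original post.
# Constructed sestatus output: same fields as the post's sample, but the
# running mode has been set to permissive so that the drift check fires.
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28'

# sestatus_field "<label>": print the value of one "Label:   value" line
# read from stdin, with the padding after the colon stripped.
sestatus_field() {
    awk -F':' -v want="$1" '
        $1 == want { sub(/^[ \t]+/, "", $2); print $2; exit }'
}

# selinux_mode_drift "<sestatus output>":
#   returns 0 and prints "ok: ..." when running mode == configured mode,
#   returns 1 and prints "DRIFT: ..." when they differ,
#   returns 2 when SELinux is not enabled at all.
selinux_mode_drift() {
    input="$1"
    status=$(printf '%s\n' "$input" | sestatus_field "SELinux status")
    if [ "$status" != "enabled" ]; then
        echo "SELinux is $status"
        return 2
    fi
    current=$(printf '%s\n' "$input" | sestatus_field "Current mode")
    configured=$(printf '%s\n' "$input" | sestatus_field "Mode from config file")
    if [ "$current" = "$configured" ]; then
        echo "ok: running $current, config $configured"
        return 0
    fi
    echo "DRIFT: running $current but config file says $configured"
    return 1
}

# Demo on the constructed sample; on a real host use:
#   selinux_mode_drift "$(sestatus)"
selinux_mode_drift "$SAMPLE_SESTATUS" || echo "(exit status $?)"
```

The non-zero exit status makes the function usable from a cron job or a configuration-management check, and a permissive mode that nobody configured is worth an alert on its own, since it means the policy is no longer enforced.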


All processes and files are labeled with a type (part of the SELinux context). The option -Z of ls and ps shows the security context of a file or process. For example:

$ ls -Z /etc/shadow
----------. root root system_u:object_r:shadow_t:s0    /etc/shadow

It shows that the security context (user, role, type, level) of the file /etc/shadow is system_u:object_r:shadow_t:s0.

$ ps -eZ | grep passwd
unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 2630 pts/0 00:00:00 passwd

It shows that the security context of the passwd process run by a regular user is unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023.

The type of a process defines its domain. Processes are separated from each other by running in their own domains. The SELinux policy defines rules that determine how processes interact with files and how processes interact with each other. Only what is specifically allowed by the rules is permitted: by default every operation is denied, and the denial is audited. The audit records are written to /var/log/audit/audit.log if the audit daemon (auditd) is running, and to /var/log/messages otherwise.
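As an added example (not part of the original post), the following shell script covers both of the points above: how to split a context string into its four fields without breaking on the MLS range, whose level part itself contains a colon (s0-s0:c0.c1023 in the passwd example, so a naive split on ":" gives five fields), and how to summarize the AVC denial records that land in audit.log into one readable line each. The audit records are constructed in the AVC record format to mirror the passwd/shadow example, not taken from a real system; ctx_user, ctx_role, ctx_type, ctx_level and avc_summary are my own helper names.

```shell
#!/bin/sh
# Added example, not from the original post.
# Constructed audit records in audit.log AVC format (not from a real host):
# two denials and one SYSCALL record that the summary must skip.
SAMPLE_AUDIT='type=AVC msg=audit(1379142361.512:101): avc:  denied  { write } for  pid=2630 comm="passwd" name="shadow" dev="dm-0" ino=131412 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1379142361.512:101): arch=c000003e syscall=2 success=no exit=-13 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023
type=AVC msg=audit(1379142400.001:102): avc:  denied  { read } for  pid=3110 comm="httpd" name="index.html" dev="dm-0" ino=262401 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Context fields: user:role:type:level. Only the first three colons are
# separators; everything after the third colon is the level, which for an
# MLS range such as s0-s0:c0.c1023 contains a colon of its own.
ctx_user()  { printf '%s\n' "${1%%:*}"; }
ctx_role()  { r="${1#*:}"; printf '%s\n' "${r%%:*}"; }
ctx_type()  { r="${1#*:}"; r="${r#*:}"; printf '%s\n' "${r%%:*}"; }
ctx_level() { r="${1#*:}"; r="${r#*:}"; printf '%s\n' "${r#*:}"; }

# avc_summary: read audit records on stdin and print one line per AVC
# denial in the form
#   <permission> <comm> <source type> -> <target type> (<class>)
# Records of other types (SYSCALL, PATH, ...) are ignored.
avc_summary() {
    awk '
    /avc: +denied/ {
        o = index($0, "{"); c = index($0, "}")
        perms = substr($0, o + 1, c - o - 1)
        gsub(/^ +| +$/, "", perms)
        comm = "?"; stype = "?"; ttype = "?"; tclass = "?"
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            if (key == "comm") { gsub(/"/, "", val); comm = val }
            else if (key == "scontext") { split(val, f, ":"); stype = f[3] }
            else if (key == "tcontext") { split(val, f, ":"); ttype = f[3] }
            else if (key == "tclass") tclass = val
        }
        printf "%s %s %s -> %s (%s)\n", perms, comm, stype, ttype, tclass
    }'
}

CTX='unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023'
echo "user=$(ctx_user "$CTX") role=$(ctx_role "$CTX") type=$(ctx_type "$CTX") level=$(ctx_level "$CTX")"
# On a real host: avc_summary < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
```

The type (third field) is what the rules in the targeted policy key on, which is why the summary reduces each context to its type; the full contexts stay in the raw record if you need the user, role or level later.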

The command sesearch allows us to search the rules in an SELinux policy. Rules are displayed in the following format:

allow <src_domain> <dst_type> : <class> { permission [ permission [ ... ] ] } ;

To verify that the passwd process (domain passwd_t) is allowed to write to the shadow password file /etc/shadow (type shadow_t), we can issue:

$ sesearch -s passwd_t -t shadow_t -c file -p write -A

and its output will look similar to:

allow passwd_t shadow_t : file { ioctl read write create ... } ;
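Added example (not from the original post): a shell helper that reads allow rules in the sesearch format shown above and answers whether a given source domain, target type, object class and permission tuple is granted, plus one that lists the permissions a rule grants. The rule lines are constructed in that format for the example and are a hand-written subset, not a dump of the real targeted policy; rule_allows and rule_perms are assumed names.

```shell
#!/bin/sh
# Added example, not from the original post.
# Constructed allow rules in sesearch output format (a made-up subset,
# not the real policy). Note the same domain/type pair with two classes.
SAMPLE_SESEARCH='allow passwd_t shadow_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow passwd_t shadow_t : dir { ioctl read getattr lock search open } ;
allow passwd_t etc_t : file { ioctl read getattr lock open } ;'

# rule_allows <src_domain> <dst_type> <class> <permission>
# Reads rules on stdin; exit 0 if some allow rule for that
# (source, target, class) lists the permission, 1 otherwise.
# Fields: allow(1) src(2) dst(3) :(4) class(5) {(6) perm... }(NF-1) ;(NF)
rule_allows() {
    awk -v s="$1" -v t="$2" -v c="$3" -v p="$4" '
        $1 == "allow" && $2 == s && $3 == t && $5 == c {
            for (i = 7; i <= NF && $i != "}"; i++)
                if ($i == p) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# rule_perms <src_domain> <dst_type> <class>
# Prints the space-separated permission list of each matching rule.
rule_perms() {
    awk -v s="$1" -v t="$2" -v c="$3" '
        $1 == "allow" && $2 == s && $3 == t && $5 == c {
            out = ""
            for (i = 7; i <= NF && $i != "}"; i++)
                out = out (out == "" ? "" : " ") $i
            print out
        }'
}

# Demo on the constructed rules. On a real host, pipe sesearch in instead:
#   sesearch -s passwd_t -t shadow_t -c file -A | rule_allows passwd_t shadow_t file write
if printf '%s\n' "$SAMPLE_SESEARCH" | rule_allows passwd_t shadow_t file write; then
    echo "passwd_t may write shadow_t files"
else
    echo "passwd_t may NOT write shadow_t files"
fi
echo "passwd_t on etc_t files: $(printf '%s\n' "$SAMPLE_SESEARCH" | rule_perms passwd_t etc_t file)"
```

Matching on the class as well as the source and target matters: the dir rule for the same passwd_t/shadow_t pair grants search but not write, and a check that ignored the class would report the wrong answer.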


