SELinux Crash Course

     

Let’s start by stating I’m by no means an SELinux expert, but after the CentOS 7.4 upgrade hurdle I sure am more informed than I was with 7.3. So SELinux is a security mechanism that has a bunch of policies to allow stuff to happen. Anything not included in those policies will be blocked from happening.

The first thing you wanna do is:

yum install policycoreutils-python setools-console

The single most important log file you need to check is /var/log/audit/audit.log. You can also check these events with the aureport tool if you wish. If you want to find any recent denied events, you might do so with a grep:

grep denied /var/log/audit/audit.log

Or if you wanna see it live:

tail -f /var/log/audit/audit.log | grep denied

To see if SELinux is enabled at all (it is, unless you or someone else explicitly turned it off):

sestatus

From what I understand, processes run under a certain source context and what they want to access is in a certain target context.

To query the list of available types which contexts can have:

seinfo -t | sort

To check the context of processes:

ps auxZ

Similarly, to see the context of the contents of a directory:

ls -alZ

For the list of installed SELinux modules:

semodule -l

You can change the context of a directory:

semanage fcontext -a -t var_lib_t /web
restorecon -v /web

First semanage sets up the context, then you need restorecon to perform the actual relabeling. Note that this only changes the context of the directory itself, but nothing inside it. To do the same recursively:

semanage fcontext -a -t var_lib_t "/web(/.*)?"
restorecon -rv /web

To remove a context entry and apply the change:

semanage fcontext -d "/web"
restorecon -v /web

Let’s see an example denied event from the audit log:

type=AVC msg=audit(1505388256.060:145109): avc:  denied  { name_connect } for  pid=5674 comm="java" dest=43 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:whois_port_t:s0 tclass=tcp_socket

If you want to allow this specific action, put this in foobar.log (where foobar is the desired name of the policy module), then you can:

audit2allow -i foobar.log -M foobar
semodule -i foobar.pp

In case you’re crazy enough to write your own policy modules (.te files), you can deploy them with a script like this, let’s call it sedeploy.sh:

#!/bin/sh

set -e

MODULE=${1}

# this will create a .mod file
checkmodule -M -m -o ${MODULE}.mod ${MODULE}.te

# this will create a compiled semodule
semodule_package -m ${MODULE}.mod -o ${MODULE}.pp

# this will install the module
semodule -i ${MODULE}.pp

Where the module name will be the first parameter of the script.

Welp, that’s it for now. Stayed tuned, because next time I’ll provide some specifics regarding SELinux + Tomcat on EL 7.4.

Credits: thanks a lot for the folks of #centos for their help!