7. Workload Considerations: SELinux


SELinux is a set of rules defining which processes can access which files, directories, ports, etc.

SELinux meets the Common Criteria and FIPS standards. It has granular settings based on user, role, category, sensitivity level, etc. SELinux is available on the Debian, Red Hat and SUSE Linux distributions.

SELinux has three conceptual quantities:

(1) Contexts: labels on files, processes and ports, made up of user, role, type and level. Use the -Z option to see a context and the chcon command to change it. Commands with -Z support: ps, ls, cp, mv, mkdir.

By default a file's context does not change when the file is moved.

Use the restorecon command to restore a file's context to the default for its parent directory.

Use the 'semanage fcontext' command to set the default context for future objects in a directory; to apply it to existing objects, run restorecon.

semanage fcontext is provided by the policycoreutils-python package.
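The two-step labeling procedure above (record the default with semanage fcontext, then apply it to existing files with restorecon), as an added shell example that is not part of the original notes. The path /srv/web.v2 and the type httpd_sys_content_t are constructed sample values, and the function names are my own. The script prints the commands for review; label_apply runs them only where the SELinux tools are installed.

```shell
#!/bin/sh
# Added example (not from the original notes): make a directory's SELinux label
# persistent. The notes' two steps are:
#   1. semanage fcontext -a -t TYPE 'PATH(/.*)?'   -> default label for future objects
#   2. restorecon -Rv PATH                        -> apply that default to existing objects
# A label set with chcon alone is lost the next time restorecon runs, because
# restorecon resets files to the semanage fcontext default.

# semanage fcontext takes a regular expression, so regex metacharacters in the
# path (the dot in "web.v2", for example) must be escaped or the rule will not
# match the intended directory.
escape_re() {
    printf '%s' "$1" | sed 's/[].*^$+?(){}|[]/\\&/g'
}

# label_plan DIR TYPE -- print the commands for review without running them.
label_plan() {
    dir=$1
    type=$2
    case $type in
        *_t) ;;
        *) echo "error: '$type' is not an SELinux type (types end in _t)" >&2; return 1 ;;
    esac
    esc=$(escape_re "$dir")
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$type" "$esc"
    printf "restorecon -Rv '%s'\n" "$dir"
    printf "ls -dZ '%s'\n" "$dir"   # verify the label that was applied
}

# label_apply DIR TYPE -- run the plan when the tools are present, else print it.
label_apply() {
    if ! command -v semanage >/dev/null 2>&1 || ! command -v restorecon >/dev/null 2>&1; then
        echo "semanage/restorecon not found (policycoreutils-python); plan only:" >&2
        label_plan "$1" "$2"
        return 2
    fi
    label_plan "$1" "$2" >/dev/null || return 1     # validates the type name
    semanage fcontext -a -t "$2" "$(escape_re "$1")(/.*)?" \
        && restorecon -Rv "$1" \
        && ls -dZ "$1"
}

# Constructed sample values; printed as a plan only.
label_plan /srv/web.v2 httpd_sys_content_t
```

Run it as is to see the plan; on a host with SELinux, call label_apply with a real directory and type instead. The escaping step is the part most often forgotten when the path contains a dot.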

(2) Rules: access control.

(3) Policies: a set of rules.

The default policy is to deny all access; rules are added to allow access. Access decisions are cached in the "Access Vector Cache" (AVC).

SELinux enforcement modes

Refer to the file /etc/selinux/config OR /etc/sysconfig/selinux

1. Enforcing

- SELinux is operative
- access is denied by default
- all violations are logged, except those covered by dontaudit rules

sudo setenforce Enforcing

2. Permissive

- SELinux is operative
- access is allowed, but a warning is logged for each access that would have been denied
- dontaudit events remain silent

sudo setenforce Permissive

3. Disabled

- SELinux is completely disabled
- a reboot is required to enter or exit this mode
- after SELinux is enabled again, the first boot takes longer

Set SELINUX=disabled in the config file
OR
add the kernel parameter selinux=0

getenforce shows and setenforce sets the current mode. The sestatus utility displays the current mode and policy. The seinfo command shows more details, given the policy file.
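The mode-switching rules above (setenforce for enforcing and permissive, a reboot to enter or leave disabled, and a reboot plus relabel when the policy type changes), as an added shell example that is not part of the original notes. The config text is a constructed sample in the layout of /etc/selinux/config, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): read an /etc/selinux/config
# style file and work out how a requested mode change has to be made.
#   enforcing <-> permissive : live, with setenforce (edit config to persist)
#   to or from disabled      : edit config (or kernel parameter selinux=0), reboot
#   different SELINUXTYPE    : edit config, reboot, full file relabel

# Constructed sample in the layout of /etc/selinux/config.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values: enforcing, permissive, disabled
SELINUX=enforcing
# SELINUXTYPE= can take one of these values: targeted, minimum, mls
SELINUXTYPE=targeted'

# config_value KEY TEXT -- value of KEY in the config TEXT, ignoring comments,
# blank lines and surrounding whitespace. "SELINUX" must not match "SELINUXTYPE",
# so the key is anchored to the "=" that follows it; the last definition wins.
config_value() {
    printf '%s\n' "$2" \
      | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" \
      | tail -n 1
}

# mode_change_plan CUR_MODE CUR_TYPE NEW_MODE [NEW_TYPE] -- one line saying
# what has to happen; returns 1 for an unknown mode name.
mode_change_plan() {
    cur_mode=$1; cur_type=$2; new_mode=$3; new_type=${4:-$2}
    case $new_mode in
        enforcing|permissive|disabled) ;;
        *) echo "unknown mode '$new_mode' (expected enforcing, permissive or disabled)" >&2; return 1 ;;
    esac
    if [ "$new_type" != "$cur_type" ]; then
        echo "reboot+relabel: set SELINUXTYPE=$new_type and SELINUX=$new_mode in /etc/selinux/config; files are relabeled on the next boot"
    elif [ "$cur_mode" = "$new_mode" ]; then
        echo "nothing: already $new_mode"
    elif [ "$cur_mode" = disabled ]; then
        echo "reboot: set SELINUX=$new_mode in /etc/selinux/config; the first boot relabels and takes longer"
    elif [ "$new_mode" = disabled ]; then
        echo "reboot: set SELINUX=disabled in /etc/selinux/config or add kernel parameter selinux=0"
    else
        echo "live: setenforce $new_mode now; set SELINUX=$new_mode in /etc/selinux/config to persist"
    fi
}

# plan_from_config NEW_MODE TEXT [NEW_TYPE] -- combine the two helpers.
plan_from_config() {
    mode_change_plan "$(config_value SELINUX "$2")" "$(config_value SELINUXTYPE "$2")" "$1" "$3"
}

# Use the real config when it is readable, otherwise the constructed sample.
if [ -r /etc/selinux/config ]; then
    plan_from_config permissive "$(cat /etc/selinux/config)"
else
    plan_from_config permissive "$SAMPLE_CONFIG"
fi
```

The point of the helper is the distinction the notes draw: setenforce only moves between enforcing and permissive, so editing SELINUX= in the config without a reboot does nothing for disabled, and a policy-type change is never a live operation.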

Default SELinux Policies 

Sensitivity levels and categories are not used in the default policy.

1. Targeted
- not applied to the init process
- not applied to user processes
- applied to network service processes
- memory restrictions for all processes, to mitigate buffer overflows

2. Minimum
- same as targeted, but applied only to selected processes

3. Multi-Level Security (MLS)
- fine-grained security domains, each with its own policy

Changing the policy requires a reboot and a time-consuming file relabeling.

SELinux Booleans

Possible values: on or off
Commands:
  • setsebool
  • getsebool
  • semanage boolean -l

Monitoring SELinux Access

Install the setroubleshoot-server package and restart the auditd daemon.
Raw errors are tagged as AVC errors and appended to audit.log.
These tools collect issues at runtime, log them and suggest a solution.
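The AVC records mentioned above, turned into a short per-domain report, as an added shell example that is not part of the original notes. The audit lines are constructed samples in the kernel's AVC record format (pids, inode numbers and timestamps are made up); the function names are my own, and the script reads /var/log/audit/audit.log only when it is readable, falling back to the sample otherwise. The permissive=1 record shows what the Permissive mode described earlier logs: the denial is recorded although the access went through.

```shell
#!/bin/sh
# Added example (not from the original notes): summarise AVC denial records from
# an audit.log so the raw "avc: denied" lines become a short per-domain report,
# the kind of view setroubleshoot builds before suggesting a fix.

# Constructed sample records in the kernel's AVC audit format. The SYSCALL
# record is there to show that non-AVC records are filtered out.
SAMPLE_AUDIT='type=AVC msg=audit(1697040000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=1234567 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1697040000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1697040001.456:460): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1697040002.789:470): avc:  denied  { read } for  pid=1235 comm="httpd" name="about.html" dev="dm-0" ino=1234568 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1697040003.012:480): avc:  denied  { getattr } for  pid=1235 comm="httpd" path="/home/alice/www/logo.png" dev="dm-0" ino=1234569 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1'

# avc_summary -- read audit records on stdin, print one line per distinct
# (source type, target type, class, permission set, permissive flag), most
# frequent first:  COUNT SRC_TYPE TGT_TYPE CLASS { PERMS } permissive=N
avc_summary() {
    awk '
    /^type=AVC / && / denied / {
        perm = ""; s = "?"; t = "?"; c = "?"; p = "?"
        # the denied permissions sit between { and }
        if (match($0, /[{][^}]*[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            # a context is user:role:type:level; the type is the third field
            if ($i ~ /^scontext=/)        { split(substr($i, 10), a, ":"); s = a[3] }
            else if ($i ~ /^tcontext=/)   { split(substr($i, 10), a, ":"); t = a[3] }
            else if ($i ~ /^tclass=/)     c = substr($i, 8)
            else if ($i ~ /^permissive=/) p = substr($i, 12)
        }
        count[s " " t " " c " { " perm " } permissive=" p]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# sample_summary -- run the summary over the constructed sample.
sample_summary() {
    printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
}

# On a real host read the audit log (root is needed for that); otherwise fall
# back to the sample so the script runs anywhere.
if [ -r /var/log/audit/audit.log ]; then
    avc_summary < /var/log/audit/audit.log
else
    sample_summary
fi
```

Grouping by source type, target type and class rather than by file name is what makes the report useful: two denials on different files under user_home_t are one labeling problem, and the tcp_socket name_bind line is a separate port-labeling problem.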

