optics.csufresno.edu

F14 Security SELinux

Department of Electrical and Computer Engineering
Assistant Professor Gregory R. Kriehn
F14 SELinux

SELinux, or Security-Enhanced Linux, was developed by the National Security Agency (NSA) to harden Linux systems from potential attacks. Back around Fedora Core 2'ish, SELinux started to be incorporated into the distribution, leading to many headaches and much frustration for all involved. SELinux, in my opinion, is a bear to work with, but the potential benefits outweigh the frustration it can lead to at times. And the default security policy implemented by Fedora certainly has gotten better over the past couple of years: it used to be a bit too tight, leading to newly installed applications sometimes refusing to launch, httpd refusing to serve web pages, samba refusing to allow incoming connections (and the like :p), but the developers seem to have loosened it up a bit. This in turn has made using it much more manageable.

I personally have not had time to sit down and wade through the books of documentation that have been written on the subject, so the only thing that I am going to do here is provide a couple of the more useful commands when making changes to (or setting up) a system. To start, launch the security configuration tool:
~> system-config-selinux
You will be prompted for the root password, since we are going to use the Fedora GUI for a change (do not use sudo to launch it). Click on Boolean to browse through the various options. There are several items that need to be enabled (this is critical) when setting up various applications and installing new programs. I've included here a summary of the settings that need to be checked. However, this list is not exhaustive, as the default policy has other boxes checked as well. DO NOT uncheck them. Just make sure that the following options ARE checked. In my opinion, it is best to set all of the necessary options now, so that you do not forget to do it later and then have to spend hours trying to figure out what the problem is (which I've done before).

Apache
      httpd_tty_comm
      httpd_builtin_scripting
      httpd_read_user_content
      httpd_unified
      httpd_enable_homedirs
      httpd_enable_cgi

If you plan on running a web server, these will do. The Allow HTTPD to read home directories option is extremely important if you plan on placing personal web stuff in a /home/[user]/www directory, which, as the astute of you should have already noticed, I have done for this web server.

Global (General)
      read_default_t
      allow_execstack
      allow_execmem

Ensuring these options are checked will allow the successful installation of applications like the nvidia kernel module, java, etc. Stanton Finley's installation notes regarding the nvidia kernel module do the same thing by telling you to type commands such as:
~> sudo setsebool -P allow_execstack=1
~> sudo setsebool -P allow_execmod=1
which enable the second and fourth global options. 

Global (NFS)
      nfs_export_all_ro
      nfs_export_all_rw
      use_nfs_home_dirs

The last option for me is critical. This server allows my local home directory to be mounted (only!) by my laptop to ensure file synchronization (when used in conjunction with some rsync scripts). It also allows me to back up that same file system on a remote NFS partition for hourly, daily, weekly, and monthly backups via a Linux RAID 5 server. NFS is a beautiful thing when used correctly. More on that later.


Samba
      samba_run_unconfined
      samba_enable_home_dirs

There are many times while I am teaching in class that I wish to pull up information from my Linux server via the campus wireless network while I am in Windows (example programs, saved circuit simulation schematics, etc.). Since all of my relevant data is stored in my home directory, it only makes sense to allow Samba access to it.

Once done, click File -> Quit to exit.
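If you would rather verify a host from the command line than click through the Boolean tab, here is an added shell check (mine, not part of the original page) that reads `getsebool -a` output, reports which of the booleans listed above are off, and prints the same `setsebool -P` commands used above for them. The sample state is constructed; any boolean name the running policy does not know is reported as unknown rather than guessed at.

```shell
# Added example, not from the page: audit a host against the booleans the
# page lists. Input is `getsebool -a` text ("name --> on|off", one per line);
# output is each required boolean that is off, plus the fix command.

# Boolean names exactly as listed on the page. Whether a given Fedora policy
# still ships every one of them is not assumed: absent names print "unknown".
REQUIRED_BOOLEANS="httpd_tty_comm httpd_builtin_scripting httpd_read_user_content
httpd_unified httpd_enable_homedirs httpd_enable_cgi
read_default_t allow_execstack allow_execmem
nfs_export_all_ro nfs_export_all_rw use_nfs_home_dirs
samba_run_unconfined samba_enable_home_dirs"

# missing_booleans STATE: prints "<name> off" or "<name> unknown" for each
# required boolean that is not on in STATE.
missing_booleans() {
    state="$1"
    for b in $REQUIRED_BOOLEANS; do
        # exact field match so httpd_unified cannot match a longer name
        value=$(printf '%s\n' "$state" | awk -v n="$b" '$1 == n { print $3 }')
        case "$value" in
            on)  ;;
            off) printf '%s off\n' "$b" ;;
            *)   printf '%s unknown\n' "$b" ;;
        esac
    done
}

# fix_commands STATE: the page's persistent fix (-P survives reboots) for
# every boolean reported off; unknown names are skipped, not invented.
fix_commands() {
    missing_booleans "$1" | awk '$2 == "off" { print "sudo setsebool -P " $1 "=1" }'
}

# Constructed sample state: two booleans off, one name absent from the policy.
SAMPLE_STATE="httpd_builtin_scripting --> on
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_read_user_content --> on
httpd_tty_comm --> on
httpd_unified --> on
read_default_t --> on
allow_execstack --> on
allow_execmem --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> on
use_nfs_home_dirs --> on
samba_run_unconfined --> on"

# On a real host: fix_commands "$(getsebool -a)"
fix_commands "$SAMPLE_STATE"
```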

There are many people out there who simply tell you to turn off SELinux completely, or to fully disable SELinux protection for specific daemons that you might want to use (such as httpd). This simply opens up a security hole in your system and invites further problems down the road. Learn how to use a tool correctly, and it won't bite you in the butt later on.

The Fedora documents on SELinux have a couple of interesting points that will help alleviate potential difficulties as well:


Q:  My application isn't working as expected and I am seeing avc: denied messages. How do I fix this?

A:  This message means that the current SELinux policy is not allowing the application to do something. There are a number of reasons this could happen.

First, one of the files the application is trying to access could be mislabeled. If the AVC message refers to a specific file, inspect its current label with ls -alZ /path/to/file. If it seems wrong, use the command restorecon -v /path/to/file to restore the file's default context. If you have a large number of denials related to files, you may want to use fixfiles relabel, or run restorecon -R /path to recursively relabel a directory path.

Denials are sometimes due to a configuration change in the program that triggered the denial message. For example, if you change Apache to also listen on port 8800, you must also change the security policy, apache.te. Refer to External Link List for more information about writing policy.

If you are having trouble getting a specific application like Apache to work, refer to How to use system-config-securitylevel for information on disabling enforcement just for that application.

Q:  I installed Fedora Core on a system with an existing /home partition, and now I can't log in.

A:  Your /home partition is not labeled correctly. You can easily fix this two different ways. If you just want to relabel /home recursively:
~> sudo /sbin/restorecon -v -R /home
If you want to be sure there are no other files incorrectly labeled, you can relabel the entire file system:
~> sudo /sbin/fixfiles relabel
You must have the policycoreutils package installed to use fixfiles.

Oftentimes, if you are having a problem, either setting file security contexts for specific directories using restorecon, or fixing the security contexts by relabeling them using fixfiles relabel, will help alleviate the problem. After you either make a major change to your system or install a new program, it would be wise to do one of those two things. As an example, if I choose to modify the index.html file for my web server (which is located in /var/www/html/index.html) using Nvu in Windows (which has happened before at home), and then scp it over to the server, SELinux will not allow httpd to serve the page, and justifiably so. The file has no security context, and it just changed from what it had been previously. This is a major indication from SELinux's point of view that there is a problem (hacker? break-in?). But it's a simple fix:
~> sudo restorecon -v /var/www/html/index.html
or
~> sudo fixfiles relabel /var/www/html/index.html
That's it. Serving the root document web page works again. Therefore, again, I suggest that after a major change to the operating system, such as what we are doing here by changing the system-wide configuration and installing new programs, the
~> sudo /sbin/fixfiles relabel
command be run to relabel the entire file system.
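The two kinds of fix above (relabel a file, or write policy for a new port) can be told apart straight from the audit log. The following added script (mine, not the page's or Fedora's) classifies constructed `avc: denied` lines in the format found in /var/log/audit/audit.log: file-class denials with a path get the `restorecon -v` fix the page recommends, while socket and port denials are listed separately because no relabeling will fix them.

```shell
# Added example, not from the page or Fedora: triage `avc: denied` lines
# (the format written to /var/log/audit/audit.log). File-class denials with
# a path get the page's fix, restorecon on that path; socket and port
# denials are reported separately, since relabeling a file cannot fix them.

# avc_triage LOGTEXT: one line per denial,
#   "FILE <comm> <perms> <path> <target type>"  or  "OTHER <comm> <perms> <tclass>"
avc_triage() {
    printf '%s\n' "$1" | awk '
    /avc: +denied/ {
        perm = ""; comm = ""; path = ""; ttype = ""; tclass = ""
        # permissions sit between braces: "{ read open }" -> "read,open"
        if (match($0, /[{] [^}]* [}]/)) {
            perm = substr($0, RSTART + 2, RLENGTH - 4); gsub(/ /, ",", perm)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; gsub(/^comm="|"$/, "", comm) }
            if ($i ~ /^path=/)     { path = $i; gsub(/^path="|"$/, "", path) }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            # tcontext=user:role:type:level -> keep the type (third field)
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
        }
        if (path != "" && (tclass == "file" || tclass == "dir" || tclass == "lnk_file"))
            print "FILE", comm, perm, path, ttype
        else
            print "OTHER", comm, perm, tclass
    }'
}

# relabel_commands LOGTEXT: one restorecon per distinct denied file path.
relabel_commands() {
    avc_triage "$1" | awk '$1 == "FILE" && !seen[$4]++ { print "sudo restorecon -v " $4 }'
}

# Constructed sample: index.html copied in with a home-directory label
# (user_home_t) plus a listen on port 8800, which needs policy, not a relabel.
SAMPLE_AUDIT='type=AVC msg=audit(1412000000.001:101): avc:  denied  { getattr } for  pid=2001 comm="httpd" path="/var/www/html/index.html" dev=sda3 ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1412000000.002:102): avc:  denied  { read open } for  pid=2001 comm="httpd" path="/var/www/html/index.html" dev=sda3 ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1412000000.003:103): avc:  denied  { name_bind } for  pid=2001 comm="httpd" src=8800 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# On a real host: avc_triage "$(sudo grep 'avc: *denied' /var/log/audit/audit.log)"
avc_triage "$SAMPLE_AUDIT"
relabel_commands "$SAMPLE_AUDIT"
```

The OTHER lines are the ones to take to setroubleshoot or to a policy change rather than to restorecon.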

Lastly, SELinux now comes with a troubleshooting browser, called setroubleshoot. You can use it to examine the errors that have occurred and to fix potential problems.

Remember: the purpose of SELinux is protection. It would be wise to learn at least the basics, as I have done, as opposed to just throwing it out the window.