SELinux Configuration

Overview

Discretionary access control (DAC) determines whether a resource can be accessed based on users, groups, and other permissions. It does not allow the system administrator to create comprehensive and fine-grained security policies. SELinux (Security-Enhanced Linux) is a module of the Linux kernel and a security subsystem of Linux. SELinux implements mandatory access control (MAC). Each process and system resource has a special security label. In addition to the principles specified by the DAC, the SELinux needs to determine whether each type of process has the permission to access a type of resource.

By default, openEuler uses SELinux to improve system security. SELinux has three modes:

  • permissive: The SELinux outputs alarms but does not forcibly execute the security policies.
  • enforcing: The SELinux security policies are forcibly executed.
  • disabled: The SELinux security policies are not loaded.

Configuration Description

  • Obtain the SELinux running status:

    # getenforce
    Enforcing
    
  • Set the enforcing mode when SELinux is enabled:

    # setenforce 1
    # getenforce
    Enforcing
    
  • Set the permissive mode when SELinux is enabled:

    # setenforce 0
    # getenforce
    Permissive
    
  • Disable SELinux when SELinux is enabled. (A reboot is required.)

    1. Modify the SELinux configuration file /etc/selinux/config and set SELINUX=disabled.
    # cat /etc/selinux/config | grep "SELINUX="
    SELINUX=disabled
    2. Reboot the system.
    

    reboot

    3. The status is changed successfully.
    

    getenforce

    Disabled

  • Set the permissive mode when SELinux is disabled:

    1. Modify the SELinux configuration file /etc/selinux/config and set SELINUX=permissive.
    # cat /etc/selinux/config | grep "SELINUX="
    SELINUX=permissive
    2. Create the **.autorelabel** file in the root directory.
    

    touch /.autorelabel

    3. Reboot the system. The system will restart twice.
    

    reboot

    4. The status is changed successfully.
    

    getenforce

    Permissive

  • Set the enforcing mode when SELinux is disabled:

    1. Set SELinux to the permissive mode.
    2. Modify the SELinux configuration file /etc/selinux/config and set SELINUX=enforcing.
    # cat /etc/selinux/config | grep "SELINUX="
    SELINUX=enforcing
    
    1. Reboot the system.
    # reboot
    
    1. The status is changed successfully.
    # getenforce
    Enforcing
    

SELinux Commands

  • Query the SELinux status. SELinux status indicates the SELinux status. enabled indicates that SELinux is enabled, and disabled indicates that SELinux is disabled. Current mode indicates the current mode of the SELinux.

    # sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Memory protection checking:     actual (secure)
    Max kernel policy version:      31
    

Adding Policies

  • Obtain and add missing policies based on the audit logs. (The audit service must be enabled and SELinux access denial logs must exist in audit logs.)

    1. Check whether the audit logs contain SELinux access denial logs. Use the actual audit log path.
    # grep avc /var/log/audit/audit.log*
    
    1. Query missing rules.
    # audit2allow -a /var/log/audit/audit.log*
    
    1. Generate a policy module based on the missing rule and name it demo.
    # audit2allow -a /var/log/audit/audit.log* -M demo
    ******************** IMPORTANT ***********************
    To make this policy package active, execute:
    semodule -i demo.pp
    
    1. Load the demo policy module.
    # semodule -i demo.pp
    
  • Compose and add the SELinux policy module.

    1. Compose the FC file (if the security context of file creation is involved).
    # cat demo.fc 
    /usr/bin/example	--	system_u:object_r:example_exec_t:s0
    /resource	--	system_u:object_r:resource_file_t:s0
    
    1. Compose the TE file (example).
    # cat demo.te 
    module demo 1.0;
    require
    {
    	role unconfined_r;
    	role system_r;
    	type user_devpts_t;
    	type root_t;
    	attribute file_type;
    	attribute domain;
    	class dir { getattr search add_name create open remove_name rmdir setattr write };
    	class file { entrypoint execute getattr open read map setattr write create };
    	class process { sigchld rlimitinh siginh transition setcap getcap };
    	class unix_stream_socket { accept bind connect listen recvfrom sendto listen create lock read write getattr setattr getopt setopt append shutdown ioctl connectto };
    	class capability { chown dac_override dac_read_search };
    	class chr_file { append getattr ioctl read write };
    };
    role unconfined_r types example_t;
    role system_r types example_t;
    type example_exec_t, file_type;
    type resource_file_t, file_type;
    type example_t, domain;
    allow example_t user_devpts_t : chr_file { append getattr ioctl read write };
    allow example_t file_type : dir { getattr search };
    allow example_t example_exec_t : file { entrypoint execute getattr map open read };
    allow domain example_exec_t : file { execute getattr map open read };
    allow example_t example_exec_t : process { sigchld };
    allow domain example_t : process { rlimitinh siginh transition };
    allow example_t resource_file_t : file { create getattr open read setattr write };
    allow example_t root_t : dir { add_name create getattr open remove_name rmdir search setattr write };
    allow example_t example_t : unix_stream_socket { accept append bind connect create getattr getopt ioctl listen listen lock read recvfrom sendto setattr setopt shutdown write };
    allow example_t domain : unix_stream_socket { connectto };
    allow example_t example_t : capability { chown dac_override dac_read_search };
    allow example_t example_t : process { getcap setcap };
    type_transition domain example_exec_t : process example_t;
    type_transition example_t root_t : file resource_file_t "resource";
    
    1. Compile demo.te as demo.mod.
    # checkmodule -Mmo demo.mod demo.te
    
    1. Package demo.mod and demo.fc as a policy module file.
    semodule_package -m demo.mod -f demo.fc -o demo.pp
    
    1. Load the policy module.
    # semodule -i demo.pp
    
    1. Delete the loaded policy module file.
    # semodule -r demo
    libsemanage.semanage_direct_remove_key: Removing last demo module (no other demo module exists at another priority).
    

Function Verification

  • SELinux adopts an whitelist mechanism. Modules that are not configured with proper policies may fail to run properly due to lack of permissions. It is necessary to verify the functions of the modules and configure reasonable rules.
    1. Check whether the audit service is enabled:
    # systemctl status auditd
    
    1. Set the SELinux mode to permissive. (Alarms are printed, but SELinux polices are not enforced. For details, see Configuration Description.)
    # getenforce
    Permissive
    
    1. Execute all function cases of the test module and check the SELinux access denial logs in the audit logs.
    # grep avc /var/log/audit/audit.log*
    
    1. Analyze access denial logs and filter out missing rules.
    type=AVC msg=audit(1596161643.271:1304): avc: denied { read } for pid=1782603 comm="smbd" name=".viminfo" dev="dm-0" ino=2488208 scontext=system_u:system_r:smbd_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file permissive=1
    Indicates that the smbd process (security context: system_u:system_r:smbd_t:s0) is denied the permission to read the .viminfo file (security context: staff_u:object_r:user_home_t:s0).
    permissive=1 indicates that the permissive mode is running. This log records only the operations that are not forbidden.
    
    1. Supplement the missing rules by referring to Adding Policies.

Precautions

  • Before enabling SELinux, you are advised to upgrade selinux-policy to the latest version using DNF. Otherwise, applications may fail to run properly. For example:

    dnf update selinux-policy -y
    
  • If the system cannot be started due to improper SELinux configuration (for example, a policy is deleted by mistake or no proper rule or security context is configured), you can add selinux=0 to the startup parameters to disable SELinux.

  • After SELinux is enabled, permission check is performed on access behaviors, which affects the operating system performance to some extent (related to the frequency of access operations in the running environment).

有奖捉虫

“有虫”文档片段

存在的问题

提交类型 issue
有点复杂...
找人问问吧。
PR
小问题,全程线上修改...
一键搞定!
问题类型
规范和低错类

● 错别字或拼写错误;标点符号使用错误;

● 链接错误、空单元格、格式错误;

● 英文中包含中文字符;

● 界面和描述不一致,但不影响操作;

● 表述不通顺,但不影响理解;

● 版本号不匹配:如软件包名称、界面版本号;

易用性

● 关键步骤错误或缺失,无法指导用户完成任务;

● 缺少必要的前提条件、注意事项等;

● 图形、表格、文字等晦涩难懂;

● 逻辑不清晰,该分类、分项、分步骤的没有给出;

正确性

● 技术原理、功能、规格等描述和软件不一致,存在错误;

● 原理图、架构图等存在错误;

● 命令、命令参数等错误;

● 代码片段错误;

● 命令无法完成对应功能;

● 界面错误,无法指导操作;

风险提示

● 对重要数据或系统存在风险的操作,缺少安全提示;

内容合规

● 违反法律法规,涉及政治、领土主权等敏感词;

● 内容侵权;

您对文档的总体满意度

非常不满意
非常满意
创Issue赢奖品
根据您的反馈,会自动生成issue模板。您只需点击按钮,创建issue即可。