
Installing and configuring important SELinux tools in CentOS

The most basic security feature of any Linux system is access control, usually Discretionary Access Control (DAC), which allows the owner of an object (such as a file) to set its security attributes (for example, deciding who can read or write a file using the chown and chmod commands). While this old and simple model was sufficient in the early days of UNIX, it does not meet modern security requirements, where servers and services are permanently connected to the Internet.

Security breaches are often initiated by attackers exploiting buggy or misconfigured applications and the permissions granted to them. This is why SELinux was developed. Its main purpose is to strengthen the DAC system in Linux by adding a further security layer on top of it, called Mandatory Access Control (MAC), which can provide fine-grained access control over every single component of your system. SELinux is already enabled on CentOS 7 and is strongly recommended for any server connected directly to the Internet. In this process, we will install additional tools and configure them to manage your SELinux system more easily and to help with troubleshooting and monitoring.

To Start With: What Do You Need?

To complete this process, you will need a working installation of the CentOS 7 operating system with root privileges and an Internet connection in order to download additional packages. For the best learning experience, it is also preferable to work through this chapter process by process, in the order in which they appear, because they build on each other.

The Process

Throughout this book, we have already used programs such as semanage from the policycoreutils-python RPM package to manage our SELinux environment. If you have not installed it yet, we will begin this process by doing so (skip step 1 if you have already done this):

  1. Log in as root and install the basic toolkit for working with SELinux:
    yum install policycoreutils-python
  2. Now, install some additional tools that will also be needed later in the course:
    yum install setools setools-console setroubleshoot*
  3. Next, install and configure the SELinux manual pages. They are not available by default on CentOS 7, but they are important for getting detailed information about specific policies, security contexts, and SELinux Booleans later. First, install another package:
    yum install policycoreutils-devel
  4. Then generate the man pages for all SELinux security context policies currently available on the system, and update the manual page database afterwards:
    sepolicy manpage -a -p /usr/share/man/man8; mandb

How Does It Work?

By following this process, we installed all the tools needed for our daily work with SELinux. Also, we generated all available SELinux manual pages, which will be our primary source of information when working with SELinux, and also for troubleshooting SELinux services later.

SELinux has two fundamental terms that we need to understand before diving into the remaining processes: labels (or, more technically, security contexts) and policies. From SELinux's perspective, a Linux system is divided into a number of objects: all files, processes, users, sockets, and pipes in the system, for example. Every such object gets a special label. SELinux policies are the rules that control access to these objects based on the labels defined on them: on every access attempt to an object (for example, a file read), the loaded SELinux policy is searched for a rule matching the labels involved, and that rule decides whether the access is allowed or denied.

So, what did we learn from this experience?

A lot of system administrators seem to avoid SELinux like the plague, and many instruction manuals and tutorials lean towards disabling it altogether right after the installation of CentOS 7, because people fear it and don't want to deal with it, or are frustrated when some network service does not work correctly out of the box. They often blame SELinux for any connection problem, so it looks easier to disable it altogether than to find the true cause by delving into the inner workings of SELinux. If you disable it, you are missing out on one of the most critical security features of CentOS 7, one that can prevent a lot of harm to your system in the event of an attack! In the last few years, the SELinux project has evolved considerably and is easier to use than ever. A lot of convenient tools for working with it have emerged, and we now have a more complete set of policies covering all the major applications and services. By installing these tools, we are ready to use SELinux and work with it in the most convenient way possible.

There's more…

SELinux has three different modes. While Enforcing is the only mode that really protects us and enhances our server's security, there are two other modes: Disabled and Permissive. Disabled means SELinux is turned off, which will never be an option for us in this book and is not discussed any further, as it makes no sense to get rid of this fantastic CentOS feature. When disabled, our system is not protected by SELinux and the good old DAC system is the only protection we have at hand. Permissive mode means SELinux is turned on, the policy rules are loaded, and all objects are labeled with a security context, but the system does not enforce these policies. This is like the dry-run option that many Linux-based command-line tools have: it simulates the system under SELinux protection, and the system logs every SELinux policy violation just as it would when running for real. This is a great way to debug the system, or to analyze the consequences that a normal, enforcing run would have had on the system.

Permissive mode is often used when you are unsure about the impact SELinux will have. As this mode does not provide any additional security, we will eventually need to switch to Enforcing mode if we want enhanced security! Again, this is the only mode that protects us: SELinux is fully running with all the policies loaded and is enforcing these rules on the system. You should always aim for Enforcing mode on any system! To view the current mode, use the command sestatus; the current SELinux mode is shown in the Current mode line of the output. On CentOS 7, SELinux is in Enforcing mode by default, which again tells us that the system is fully protected by it. To change this mode to permissive mode, use the command setenforce permissive. Now, validate your setting using sestatus again. To revert your changes back to Enforcing mode, use setenforce enforcing. Setting the SELinux mode using setenforce only sets it temporarily, and it will not survive a reboot (take a look at the Mode from config file line in the sestatus output). To change the mode permanently, open the /etc/selinux/config file and change the SELINUX= configuration parameter.
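As an added example (not part of the original article), here is a small POSIX shell check that parses sestatus output and /etc/selinux/config the way a monitoring job would, so that a host left in permissive mode by a temporary setenforce is noticed and the persistent SELINUX= setting can be corrected. The sestatus and config contents embedded below are constructed samples; on a real host, feed it the output of sestatus and the actual config file.

```shell
#!/bin/sh
# Added example: detect drift between the running SELinux mode and the mode
# persisted in /etc/selinux/config, and set the persistent mode safely.

# Constructed sample of `sestatus` output (on a real host: sestatus)
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31'

# Constructed sample of /etc/selinux/config (comment lines must be ignored)
SAMPLE_CONFIG='# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
SELINUX=permissive
SELINUXTYPE=targeted'

# Value of one "Label:   value" line of sestatus output ($1 = output, $2 = label)
sestatus_field() {
    printf '%s\n' "$1" | awk -F': *' -v key="$2" '$1 == key { print $2; exit }'
}

# Effective SELINUX= value in a config file body ($1); comments are skipped,
# and if the key appears more than once the last occurrence wins
config_mode() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' | tail -n 1
}

# "ok" when the running mode matches the persisted one, else "drift:<running>/<config>"
mode_drift() {
    cur=$(sestatus_field "$1" "Current mode")
    cfg=$(sestatus_field "$1" "Mode from config file")
    if [ "$cur" = "$cfg" ]; then echo ok; else echo "drift:$cur/$cfg"; fi
}

# Rewrite SELINUX= in config file $1 to mode $2; only the three valid values are accepted
set_persistent_mode() {
    case "$2" in enforcing|permissive|disabled) ;; *) echo "bad mode: $2" >&2; return 1 ;; esac
    sed -i "s/^[[:space:]]*SELINUX=.*/SELINUX=$2/" "$1"
}

# Demo on the constructed samples: prints drift:permissive/enforcing, then permissive
mode_drift "$SAMPLE_SESTATUS"
config_mode "$SAMPLE_CONFIG"
```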
