Monday, November 16, 2009

SELinux Troubleshooting - Part One

Overview:

SELinux is “Security-Enhanced Linux” and is a set of mechanisms within the kernel that provides layers of security using Mandatory Access Controls.

Mandatory Access Control (MAC) defines a framework in which every process (which SELinux refers to as a “subject”) interacts with other parts of the system, including files, devices, sockets, ports and other processes (which SELinux refers to as “objects”). SELinux allows you to define a set of rules that state, at a very granular level, what permissions a subject has on an object.

By default in an SELinux environment everything is blocked and must be explicitly granted permission before anything works. This is a security philosophy referred to as “least permission” (least privilege) or “allow by exception”.

Vendor implementations vary widely. In most cases the operating system installation will automatically grant the necessary permissions to the services and processes that are installed by default; however, you should review the policy set after installation to ensure it does not grant privileges that exceed (or fall short of) what your individual needs are.

“Type Enforcement” assigns a “type” to every subject (process) on the system. The SELinux policy defines these types, and the corresponding “security labels” are stored on files using “xattrs” (extended attributes).

Directories and Files:

/etc/selinux//policy/ — the policy and runtime configuration files.
/etc/selinux//src/policy/ — policy sources.
/etc/selinux/config - The SELinux configuration file. (Note that this file defines which policy is currently in use, i.e. you may have a “test” policy and a “production” policy with very different rules.)
/etc/syslog.conf – may be used to redirect messages from the /var/log/messages to some other destination.
/etc/selinux/booleans
/etc/selinux/contexts
/etc/selinux/targeted/policy/policy.## (the ## represents a two-digit policy version number.)

Logging:

Messages from SELinux are logged to /var/log/messages, which you can access using dmesg or using grep to filter on “selinux_messages”.

There are two primary places to get messages from SELinux: the “WebTool” and the console.
To get messages from the console you need to be connected as root and then change roles to become the sysadm_r role.

You can also use the tool “audit2allow”, which reads the “selinux_messages” lines from your /var/log/messages file and interprets them into an allow list that you can use to determine what is being blocked. Keep in mind, of course, that just because something is being blocked doesn't mean you should allow it through.

If the Linux Auditing System (the auditd daemon) is running, SELinux denials are logged into the audit log file. The default audit log file is /var/log/audit/audit.log. In a situation where the auditd daemon is not running, AVC denials are logged in /var/log/messages.
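As an added example (not code from the original post), the following script groups AVC denials from an audit.log into the (source type, target type, class) triples that audit2allow would turn into allow rules, but keeps the counts and concrete targets so each candidate rule can be reviewed rather than applied blindly. The log lines are constructed for illustration; field names follow the standard AVC record format.

```python
import re
from collections import defaultdict

# Constructed sample records in /var/log/audit/audit.log format (values are made up).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1258387200.101:201): avc:  denied  { read } for  pid=2210 comm="httpd" name="index.html" dev=sda1 ino=131073 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1258387200.102:202): avc:  denied  { getattr } for  pid=2210 comm="httpd" path="/home/alice/public_html/index.html" dev=sda1 ino=131073 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1258387205.500:203): avc:  denied  { name_connect } for  pid=2210 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1258387205.500:203): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1258387210.000:204): avc:  denied  { read } for  pid=2210 comm="httpd" name="index.html" dev=sda1 ino=131073 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def type_of(context):
    """Extract the type component (user:role:type:level) of a security context."""
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else context

def parse_avc_line(line):
    """Return a dict for an AVC denial record, or None for any other audit record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm', '?'),
        'stype': type_of(fields.get('scontext', '?')),
        'ttype': type_of(fields.get('tcontext', '?')),
        'tclass': fields.get('tclass', '?'),
        # Files show path or name; network denials show a destination port.
        'target': fields.get('path') or fields.get('name') or fields.get('dest') or '?',
    }

def summarize_denials(log_text):
    """Group denials by (source type, target type, object class), keeping evidence for review."""
    summary = defaultdict(lambda: {'count': 0, 'perms': set(), 'targets': set(), 'comm': set()})
    for line in log_text.splitlines():
        rec = parse_avc_line(line)
        if rec is None:
            continue
        entry = summary[(rec['stype'], rec['ttype'], rec['tclass'])]
        entry['count'] += 1
        entry['perms'].update(rec['perms'])
        entry['targets'].add(rec['target'])
        entry['comm'].add(rec['comm'])
    return dict(summary)

def candidate_rule(key, perms):
    """Render the allow rule audit2allow would propose for one group; treat it as a review item."""
    stype, ttype, tclass = key
    return 'allow %s %s:%s { %s };' % (stype, ttype, tclass, ' '.join(sorted(perms)))

if __name__ == '__main__':
    for key, entry in summarize_denials(SAMPLE_AUDIT_LOG).items():
        print('%d denial(s), targets=%s' % (entry['count'], sorted(entry['targets'])))
        print('   ' + candidate_rule(key, entry['perms']))
```

Seeing that httpd_t was denied read access to user_home_t files is a prompt to relabel the content or toggle the relevant boolean, not necessarily to add the proposed allow rule.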
