SELinux security

Anyone (including me) playing around with something more than default servers (cPanel, webmin/virtualmin/cloudmin, plesk, ispconfig…etc) knows that selinux = off. That’s the Law.  But what about a minimum policy ? Targeted and mls can’t and shouldn’t work on environments like a web server with home users. But if you need at least the essential protection of selinux continue reading…


Quick ‘n dirty guide. Just the basics. No time to explain everything.

First of all we need the minimum policy. Get it.

yum install selinux-policy-minimum

Now we need to enable selinux and change policy from targeted to minimum.
Edit /etc/selinux/config to something like this:


Reboot to your newly SELINUXed OS. setenforce won’t work if it’s completely off. Also check grub.conf for a selinux=off parameter. Remove it and reboot if exists.

You can check with “sestatus” if selinux is armed and ready to go:

[root@devbox audit]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        minimum
[root@devbox audit]#

A few things will blow, check /var/log/audit/audit.log with grep “avc” to see what’s crying. I was testing on a box with webmin and virtualmin so a few things didn’t ran as expected. Let’s fix them. Webmin couldn’t write in /tmp, let’s check and fix it.

[root@devbox audit]# grep "avc" audit.log
type=AVC msg=audit(1392580143.021:7): avc:  denied  { write } for  pid=1477 comm="ifconfig" path="/tmp/.webmin/" dev=vda1 ino=526924 scontext                                                                      tclass=file
type=AVC msg=audit(1392580450.842:74): avc:  denied  { write } for  pid=1677 comm="ifconfig" path="/tmp/.webmin/" dev=vda1 ino=526924 scontex                                                                     0 tclass=file
type=AVC msg=audit(1392580749.787:141): avc:  denied  { write } for  pid=1859 comm="ifconfig" path="/tmp/.webmin/" dev=vda1 ino=526924 sconte                                                                     s0 tclass=file
type=AVC msg=audit(1392581049.850:220): avc:  denied  { write } for  pid=2091 comm="ifconfig" path="/tmp/.webmin/" dev=vda1 ino=526922 sconte                                                                     s0 tclass=file

We will create a new policy for these.
First we isolate the selinux denies:

[root@devbox audit]# cat audit.log | audit2allow -M allowPolicy

It will create 2 files. allowPolicy.pp and allowPolicy.te. You can see the policy we have just created in .te file:

[root@devbox audit]# cat allowPolicy.te

module allowPolicy 1.0;

require {
        type ifconfig_t;
        type file_t;
        type sshd_t;
        type unlabeled_t;
        class file { write getattr };

#============= ifconfig_t ==============
allow ifconfig_t file_t:file write;

#============= sshd_t ==============
allow sshd_t unlabeled_t:file getattr;
[root@devbox audit]#

Let’s enable it:

To make this policy package active, execute:

semodule -i allowPolicy.pp

[root@devbox audit]# semodule -i allowPolicy.pp

Tested with virtualmin and 3 users in it. Until now everything works well. Will do a thorough test again with mail and spamassassin. Didn’t check those out yet.
If you clear the logs and reboot, you can see audit.log will be clean. It won’t deny access to webmin about ifconfig.

Let’s play now with selinux attributes.

SELinux booleans

Check what you can do with minimum selinux policy using

[root@devbox audit]# getsebool -a

You will get a list like this:

[root@devbox audit]# getsebool -a
allow_console_login --> off
allow_daemons_dump_core --> on
allow_daemons_use_tcp_wrapper --> off
allow_daemons_use_tty --> off
allow_domain_fd_use --> on
allow_execheap --> off
allow_execmem --> off
allow_execmod --> off
allow_execstack --> off
allow_gssd_read_tmp --> on
allow_mount_anyfile --> on
allow_polyinstantiation --> off
allow_ptrace --> off
allow_ssh_keysign --> off
allow_sysadm_exec_content --> on
allow_unconfined_nsplugin_transition --> on
allow_user_mysql_connect --> off
allow_user_postgresql_connect --> off
allow_write_xshm --> off
allow_xserver_execmem --> off
allow_ypbind --> off
authlogin_radius --> off
cron_can_relabel --> off
daemons_enable_cluster_mode --> on
dhcpc_exec_iptables --> off
domain_kernel_load_modules --> off
fcron_crond --> off
fips_mode --> on
global_ssp --> off
init_upstart --> on
logging_syslog_can_read_tmp --> off
logging_syslogd_can_sendmail --> off
mmap_low_allowed --> off
nscd_use_shm --> off
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
ssh_chroot_full_access --> off
ssh_chroot_manage_apache_content --> off
ssh_chroot_rw_homedirs --> off
ssh_sysadm_login --> off
unconfined_login --> on
unconfined_mmap_zero_ignore --> off
unconfined_mozilla_plugin_transition --> off
use_fusefs_home_dirs --> off
use_nfs_home_dirs --> on
use_samba_home_dirs --> off
user_direct_dri --> off
user_direct_mouse --> off
user_ping --> off
user_rw_noexattrfile --> on
user_setrlimit --> off
user_tcp_server --> off
user_ttyfile_stat --> off
vbetool_mmap_zero_ignore --> off
xdm_exec_bootloader --> off
xdm_sysadm_login --> off
xserver_object_manager --> off

Most useful here that I set to off was:

allow_execheap --> off
allow_execmem --> off
allow_execmod --> off
allow_execstack --> off

Turn booleans on and off using setsebool -P boolean 1 like that:

setsebool -P allow_execmem off

There is also this in minimum policy:

allow_polyinstantiation --> off

It turns to be quite handy, check post about polyinstantiation

That’s a basic guide to selinux minimum policy and sebooleans. How to shut them off and on. You will get a running virtualmin/webmin system.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.