SELinux security

Anyone (including me) playing around with something more than default servers (cPanel, Webmin/Virtualmin/Cloudmin, Plesk, ISPConfig, etc.) knows that selinux = off. That’s the Law. But what about a minimum policy? Targeted and mls can’t and shouldn’t work on environments like a web server with home users. But if you need at least the essential protection of SELinux, continue reading…

 

Quick ‘n dirty guide. Just the basics. No time to explain everything.

First of all we need the minimum policy. Get it.

Now we need to enable selinux and change policy from targeted to minimum.
Edit /etc/selinux/config to something like this:

Reboot to your newly SELINUXed OS. setenforce won’t work if SELinux is completely off. Also check grub.conf for a selinux=off parameter. If it exists, remove it and reboot.

You can check with “sestatus” if selinux is armed and ready to go:

A few things will blow up; check /var/log/audit/audit.log with grep “avc” to see what’s crying. I was testing on a box with webmin and virtualmin so a few things didn’t run as expected. Let’s fix them. Webmin couldn’t write in /tmp, let’s check and fix it.

We will create a new policy for these.
First we isolate the selinux denies:

It will create 2 files: allowPolicy.pp and allowPolicy.te. You can see the policy we have just created in the .te file:

Let’s enable it:

To make this policy package active, execute:

semodule -i allowPolicy.pp

Tested with virtualmin and 3 users in it. Until now everything works well. Will do a thorough test again with mail and spamassassin. Didn’t check those out yet.
If you clear the logs and reboot, you can see audit.log will be clean. It won’t deny access to webmin about ifconfig.
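
Before loading a module generated from the denials, it helps to see exactly which denials will become allow rules, since everything in the grep output ends up permitted. The script below is an added example, not code from the original post: it groups AVC denials by source type, target type, class, permissions and command. The helper names summarize_avc and sample_log are hypothetical, and the log records and types in the sample are constructed.

```shell
#!/bin/sh
# Added example: summarise AVC denials before feeding them to audit2allow.
# summarize_avc and sample_log are hypothetical helper names.

# Reads audit.log lines on stdin; prints "count source_t target_t:class { perms } comm=..."
summarize_avc() {
    awk '
    /avc:/ && /denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""; comm = "?"; inperm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm)    { perms = perms (perms == "" ? "" : " ") $i; continue }
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        # Skip truncated records rather than guessing a type or class.
        if (src == "" || tgt == "" || cls == "" || perms == "") next
        seen[src " " tgt ":" cls " { " perms " } comm=" comm]++
    }
    END { for (k in seen) printf "%d %s\n", seen[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample records (not taken from the post's system).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1300000000.101:41): avc:  denied  { write } for  pid=2101 comm="miniserv.pl" name="tmp" dev=sda1 ino=11 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1300000000.101:41): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1300000000.207:58): avc:  denied  { write } for  pid=2140 comm="miniserv.pl" name="tmp" dev=sda1 ino=11 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1300000000.315:63): avc:  denied  { read open } for  pid=2188 comm="ifconfig" name="dev" dev=proc ino=4026531957 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1300000000.400:70): avc:  denied  { getattr } for  pid=2190 comm="cut-off"
EOF
}

# Demo on the sample; on a real host: summarize_avc < /var/log/audit/audit.log
sample_log | summarize_avc
```

Any line in the summary that you do not recognise as Webmin or Virtualmin activity is a reason to filter the grep output before building the module.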

Let’s play now with selinux attributes.

SELinux booleans

Check what you can do with minimum selinux policy using

You will get a list like this:

Most useful here that I set to off was:

Turn booleans on and off using setsebool -P boolean 1, like this:

There is also this in minimum policy:

It turns out to be quite handy; check the post about polyinstantiation.

That’s a basic guide to selinux minimum policy and sebooleans. How to shut them off and on. You will get a running virtualmin/webmin system.