333.2 Mandatory Access Control
Weight: 5
Description: Candidates should be familiar with mandatory access control (MAC) systems for Linux. Specifically, candidates should have a thorough knowledge of SELinux. Also, candidates should be aware of other mandatory access control systems for Linux. This includes major features of these systems but not configuration and use.
Key Knowledge Areas:
Understand the concepts of type enforcement, role based access control, mandatory access control and discretionary access control
Configure, manage and use SELinux
Awareness of AppArmor and Smack
Partial list of the used files, terms and utilities:
getenforce
setenforce
selinuxenabled
getsebool
setsebool
togglesebool
fixfiles
restorecon
setfiles
newrole
setcon
runcon
chcon
semanage
sestatus
seinfo
apol
seaudit
audit2why
audit2allow
/etc/selinux/*
Understanding Mandatory Access Control
DAC vs. MAC
The security model used by most mainstream operating systems is based on Discretionary Access Control (DAC), which enforces security by ownership. If a user owns a file, he is allowed to set the read, write, and execute permissions for that file. In this model, users control the data at their discretion. The owner of the system does not have total control over the system; the users do.
However, the biggest concern with the Linux model is the danger presented by the root account. This super-user has the power to control all files and processes. If the root account, or a process that runs with its privileges, is compromised, an attacker can take control of the system and its data.
A more secure approach would limit or even eliminate the need for a root account, and shift the power from the user accounts to the owner of the system. This is MAC’s approach.
MAC makes the enforcement of security policies mandatory instead of discretionary, as you might imagine from the name Mandatory Access Control. Security policies can be set by the system owner and implemented by a system or security administrator. Once these policies are in place, users cannot override them, even if they have root privileges. With MAC, file and process protection is independent of owners.
Mandatory Access Control (MAC):
MAC is the security style provided through systems such as SELinux and AppArmor.
Access is controlled through context rather than by the owner.
Each system resource has a type associated with it, and the kernel only lets subjects that the policy allows access to that type reach the resource. This is known as Type Enforcement (TE).
MAC is further enforced through role assignment, also known as Role-Based Access Control (RBAC).
Discretionary Access Control (DAC):
The owner controls permission.
Traditional POSIX permissions are an example of DAC.
Well-known MAC systems:
• SELinux
• AppArmor
• Smack
SELinux
Overview
Security-Enhanced Linux (SELinux) is a security architecture for Linux® systems that allows administrators to have more control over who can access the system. It was originally developed by the United States National Security Agency (NSA) as a series of patches to the Linux kernel using Linux Security Modules (LSM).
SELinux was released to the open source community in 2000, and was integrated into the upstream Linux kernel in 2003.
SELinux is an implementation of Mandatory Access Control (MAC). Depending on the security policy type, SELinux implements either Type Enforcement (TE), Role-Based Access Control (RBAC) or Bell-LaPadula Multi-Level Security (MLS).
How does SELinux work?
SELinux defines access controls for the applications, processes, and files on a system. It uses security policies, which are a set of rules that tell SELinux what can or can’t be accessed, to enforce the access allowed by a policy.
When an application or process, known as a subject, makes a request to access an object, like a file, SELinux checks with an access vector cache (AVC), where permissions are cached for subjects and objects.
If SELinux is unable to make a decision about access based on the cached permissions, it sends the request to the security server. The security server checks for the security context of the app or process and the file. Security context is applied from the SELinux policy database. Permission is then granted or denied.
If permission is denied, an "avc: denied" message is written to /var/log/messages.
How to configure SELinux
There are a number of ways that you can configure SELinux to protect your system. The most common are targeted policy or multi-level security (MLS).
Targeted policy is the default option and covers a range of processes, tasks, and services. MLS can be very complicated and is typically only used by government organizations.
You can tell which mode your system is configured to run in by looking at the /etc/sysconfig/selinux file. The file has a section that shows whether SELinux is in permissive mode, enforcing mode, or disabled, and which policy is supposed to be loaded.
where
Enforcing: Access violations are denied.
Permissive: Access violations are allowed but logged.
Whenever you change this file, you need to reboot the system for the change to take effect.
Enabling SELinux
If SELinux has been disabled in your environment, you can enable SELinux by editing /etc/selinux/config and setting SELINUX=permissive. Because SELinux was not previously enabled, you don't want to set it to enforcing right away: the system will likely have mislabeled files that can keep it from booting.
You can force the system to automatically relabel the filesystem by creating an empty file named .autorelabel in the root directory and then rebooting. If the system produces too many errors, reboot while in permissive mode so that the boot succeeds. After everything has been relabeled, set SELinux to enforcing in /etc/selinux/config and reboot, or run setenforce 1.
If a sysadmin is less familiar with the command line, there are graphic tools available that can be used to manage SELinux.
SELinux provides an additional layer of security for your system that is built into Linux distributions. It should remain on so that it can protect your system if it is ever compromised.
Checking SELinux Mode of Operation
sestatus
SELinux is enabled by default and runs in “Enforcing” mode, which is its default mode. You can determine this by opening the SELinux configuration file or by running the “sestatus” command.
seinfo
seinfo provides a way to query parts of a provided SELinux policy. You might need to install the setools package if it is not available in your Linux distribution.
apol
apol is a GUI SELinux policy analysis tool that has similar functionality to seinfo, except in GUI form. You might need to install the setools-ui package for that.
The current mode can also be verified by running the getenforce command.
Enabling and disabling SELinux:
getenforce
setenforce
The second command to know is the one that sets the SELinux status: setenforce. With this command, you can change the SELinux status, which is one of the following:
disabled: SELinux is disabled
permissive: SELinux prints warnings instead of enforcing policies
enforcing: SELinux enforces security policies
Keep in mind that a change made with setenforce only lasts for the running session: if you reboot the system, it reads the values from the /etc/sysconfig/selinux config file and re-enables SELinux on reboot.
To turn it back on:
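The following is an added example, not code from the original page or from any of the sources it lists. It ties the config file and the runtime mode together: it parses an /etc/selinux/config-style text for SELINUX= and SELINUXTYPE=, compares the configured mode with what getenforce reports when that command exists, and wraps the first step of the enabling procedure described above. The SAMPLE_CONFIG text and all function names are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not code from the original page. Function names and
# SAMPLE_CONFIG are constructed for this illustration.

# Constructed stand-in for /etc/selinux/config (comments included on
# purpose: the parser must skip them).
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these values: targeted, minimum, mls
SELINUXTYPE=targeted'

# selinux_config_value KEY CONFIG_TEXT
# Prints the value of KEY (SELINUX or SELINUXTYPE) from the config text,
# ignoring commented-out lines. Prints nothing if the key is not set.
selinux_config_value() {
    printf '%s\n' "$2" \
        | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" \
        | tail -n 1
}

# selinux_mode_matches CONFIGURED LIVE
# True when the live mode (as printed by getenforce, e.g. "Enforcing")
# equals the configured one (lower case in the file).
selinux_mode_matches() {
    [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# enable_selinux_permissive [CONFIG_PATH]
# First step of the enabling procedure above, for a host where SELinux was
# disabled: switch the config to permissive (not enforcing, so mislabeled
# files cannot block the boot) and ask for a full relabel on next boot.
# Must run as root; the reboot itself is left to the administrator.
enable_selinux_permissive() {
    cfg=${1:-/etc/selinux/config}
    sed -i 's/^SELINUX=.*/SELINUX=permissive/' "$cfg"
    : > /.autorelabel     # empty marker file: relabel the filesystem at boot
    echo "Reboot now; set SELINUX=enforcing (or run setenforce 1) only after a clean permissive boot."
}

# Offline demonstration on the constructed sample.
echo "configured mode: $(selinux_config_value SELINUX "$SAMPLE_CONFIG")"
echo "configured policy: $(selinux_config_value SELINUXTYPE "$SAMPLE_CONFIG")"

# On an SELinux host, report whether someone changed the mode at runtime
# with setenforce (which only switches enforcing/permissive and does not
# survive a reboot; disabling is done in the config file).
if command -v getenforce >/dev/null 2>&1 && [ -r /etc/selinux/config ]; then
    configured=$(selinux_config_value SELINUX "$(cat /etc/selinux/config)")
    live=$(getenforce)
    if selinux_mode_matches "$configured" "$live"; then
        echo "live mode $live matches /etc/selinux/config"
    else
        echo "live mode $live differs from configured $configured (temporary setenforce change?)"
    fi
fi
```

The comparison at the end is the useful part on a real host: a mismatch between the file and getenforce means someone ran setenforce, and the change will vanish at the next boot.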
Booleans
There are a number of SELinux security settings control through booleans. Booleans allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. This allows changes, such as allowing services access to NFS volumes, without reloading or recompiling SELinux policy.
semanage
For a list of Booleans, an explanation of what each one is, and whether they are on or off, run the semanage boolean -l command as the Linux root user.
You might need to install the policycoreutils-python-utils-2.9-19.el8.noarch package for that.
The following example does not list all Booleans:
The SELinux boolean column lists Boolean names. The Description column lists whether the Booleans are on or off, and what they do.
getsebool
The getsebool -a command lists Booleans, whether they are on or off, but does not give a description of each one. The following example does not list all Booleans:
Run the getsebool boolean-name command to only list the status of the boolean-name Boolean:
Use a space-separated list to list multiple Booleans.
setsebool
Run the setsebool utility in the setsebool boolean_name on/off form to enable or disable Booleans. The following example demonstrates configuring the httpd_can_network_connect_db Boolean:
1. By default, the httpd_can_network_connect_db Boolean is off, preventing Apache HTTP Server scripts and modules from connecting to database servers:
2. To temporarily enable Apache HTTP Server scripts and modules to connect to database servers, run the setsebool httpd_can_network_connect_db on command as the Linux root user.
3. Use the getsebool httpd_can_network_connect_db command to verify the Boolean is enabled:
This allows Apache HTTP Server scripts and modules to connect to database servers.
4. This change is not persistent across reboots. To make changes persistent across reboots, run the setsebool -P boolean-name on command as the Linux root user:
To temporarily revert to the default behavior, as the Linux root user, run the setsebool httpd_can_network_connect_db off command. For changes that persist across reboots, run the setsebool -P httpd_can_network_connect_db off command.
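The following is an added example, not code from the original page or its sources. It parses the getsebool -a output format the steps above rely on and wraps setsebool so that every change is re-read with getsebool before it is reported as done. SAMPLE_GETSEBOOL and the function names are constructed; the Boolean name and the -P usage come from the steps above.

```shell
#!/bin/sh
# Added example, not code from the original page. SAMPLE_GETSEBOOL and the
# function names are constructed; httpd_can_network_connect_db and the
# setsebool/getsebool usage come from the steps above.

# Constructed excerpt of "getsebool -a" output.
SAMPLE_GETSEBOOL='httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_enable_homedirs --> off
samba_enable_home_dirs --> on'

# boolean_state NAME OUTPUT : prints "on" or "off" for NAME, nothing if
# NAME does not appear in OUTPUT.
boolean_state() {
    printf '%s\n' "$2" | awk -v name="$1" '$1 == name && $2 == "-->" { print $3 }'
}

# enabled_booleans OUTPUT : the names of every Boolean that is on, sorted,
# one per line. Saved once, this is a baseline to diff against later.
enabled_booleans() {
    printf '%s\n' "$1" | awk '$2 == "-->" && $3 == "on" { print $1 }' | sort
}

# set_boolean NAME on|off [-P] (real host, root): change the Boolean and
# confirm the new value by re-reading it with getsebool. -P persists the
# change across reboots; without it the change lasts until the next boot.
set_boolean() {
    name=$1; want=$2; persist=${3:-}
    setsebool $persist "$name" "$want" || return 1
    now=$(boolean_state "$name" "$(getsebool -a)")
    if [ "$now" != "$want" ]; then
        echo "verification failed: $name reads '$now'" >&2
        return 1
    fi
    echo "$name is now $want${persist:+ (persistent)}"
}

# Offline demonstration on the constructed sample.
echo "httpd_can_network_connect_db: $(boolean_state httpd_can_network_connect_db "$SAMPLE_GETSEBOOL")"
echo "enabled in sample: $(enabled_booleans "$SAMPLE_GETSEBOOL" | tr '\n' ' ')"

# Real usage, as root on an SELinux host (steps 2 and 4 above):
#   set_boolean httpd_can_network_connect_db on        # until reboot
#   set_boolean httpd_can_network_connect_db on -P     # persistent
```

Keeping a saved copy of enabled_booleans output from a freshly built host gives a quick way to see which Booleans were switched on later.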
SELinux Contexts – Labeling Files
On systems running SELinux, all processes and files are labeled in a way that represents security-relevant information. This information is called the SELinux context. For files, this is viewed using the ls -Z command:
In this example, SELinux provides a user (unconfined_u), a role (object_r), a type (user_home_t), and a level (s0). This information is used to make access control decisions. On DAC systems, access is controlled based on Linux user and group IDs. SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first.
Note: By default, newly-created files and directories inherit the SELinux type of their parent directories.
SELinux provides multiple commands for managing the file system labeling, such as chcon, semanage fcontext, restorecon, and matchpathcon.
chcon
The chcon command changes the SELinux context for files. However, changes made with the chcon command are not persistent across file-system relabels, or the execution of the restorecon command. SELinux policy controls whether users are able to modify the SELinux context for any given file. When using chcon, users provide all or part of the SELinux context to change. An incorrect file type is a common cause of SELinux denying access.
Quick Reference
Run the chcon -t type file-name command to change the file type, where type is an SELinux type, such as httpd_sys_content_t, and file-name is a file or directory name.
Run the chcon -R -t type directory-name command to change the type of the directory and its contents, where type is an SELinux type, such as httpd_sys_content_t, and directory-name is a directory name.
The following example demonstrates changing the type, and no other attributes of the SELinux context. The example in this section works the same for directories, for example, if file1 was a directory.
1. Change into your home directory.
2. Create a new file and view its SELinux context:
In this example, the SELinux context for file1 includes the SELinux unconfined_u user, object_r role, user_home_t type, and the s0 level.
3. Enter the following command to change the type to samba_share_t. The -t option only changes the type. Then view the change:
Tools for managing SELinux contexts on files
restorecon
4. Use the following command to restore the SELinux context for the file1 file. Use the -v option to view what changes:
In this example, the previous type, samba_share_t, is restored to the correct user_home_t type. When using targeted policy (the default SELinux policy in Red Hat Enterprise Linux), the restorecon command reads the files in the /etc/selinux/targeted/contexts/files/ directory to see which SELinux context files should have.
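The following is an added example, not code from the original page or its sources, covering both the context layout explained under "SELinux Contexts" and the chcon/restorecon walkthrough above. It splits a context into user, role, type and level (keeping an MLS level range whole), compares a file's type with the one the policy assigns to its path via matchpathcon, and wraps steps 3 and 4 for a real host. The sample ls -Z lines and the function names are constructed; file1, samba_share_t and user_home_t come from the walkthrough.

```shell
#!/bin/sh
# Added example, not code from the original page. Sample lines and
# function names are constructed; file1, samba_share_t and user_home_t
# come from the walkthrough above.

# Constructed "ls -Z file1" output (context, then name) and one context
# with an MLS range, which contains extra colons in the level field.
SAMPLE_LS_Z='unconfined_u:object_r:user_home_t:s0 file1'
SAMPLE_MLS_CTX='system_u:object_r:var_log_t:s0-s0:c0.c1023'

# context_field N CONTEXT : field N of an SELinux context,
# 1=user 2=role 3=type 4=level. The level is "field 4 to the end" so that
# an MLS range such as s0-s0:c0.c1023 is returned whole.
context_field() {
    case $1 in
        1|2|3) printf '%s\n' "$2" | cut -d: -f"$1" ;;
        4)     printf '%s\n' "$2" | cut -d: -f4- ;;
        *)     echo "context_field: N must be 1..4" >&2; return 1 ;;
    esac
}

# ls_z_context LINE : the context is the first field of an "ls -Z" line.
ls_z_context() { printf '%s\n' "${1%% *}"; }

# ls_z_type LINE : just the type, the part that chcon -t changes.
ls_z_type() { context_field 3 "$(ls_z_context "$1")"; }

# context_type_matches LINE EXPECTED_TYPE : true when the type matches.
context_type_matches() { [ "$(ls_z_type "$1")" = "$2" ]; }

# expected_type_check FILE (real host): compare the type the file carries
# with the type the policy's file-context rules assign to its path.
# A mismatch is the "incorrect file type" case; restorecon fixes it.
expected_type_check() {
    actual=$(ls_z_type "$(ls -Z "$1")")
    expected=$(context_field 3 "$(matchpathcon -n "$1")")
    if [ "$actual" = "$expected" ]; then
        echo "$1: type $actual matches policy"
    else
        echo "$1: type $actual, policy expects $expected -> run: restorecon -v $1"
    fi
}

# relabel_walkthrough FILE (real host): the chcon/restorecon sequence of
# steps 3 and 4 above. chcon -t changes only the type and is not
# persistent; restorecon -v reports what it put back.
relabel_walkthrough() {
    chcon -t samba_share_t "$1" && ls -Z "$1"
    restorecon -v "$1"
    ls -Z "$1"
}

# Offline demonstration on the constructed sample.
ctx=$(ls_z_context "$SAMPLE_LS_Z")
echo "user=$(context_field 1 "$ctx") role=$(context_field 2 "$ctx") type=$(context_field 3 "$ctx") level=$(context_field 4 "$ctx")"
echo "MLS level kept whole: $(context_field 4 "$SAMPLE_MLS_CTX")"
```

Splitting on every colon and taking a fixed fourth field would truncate an MLS level such as s0-s0:c0.c1023, which is why the level is treated as "everything after the third colon".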
fixfiles
fixfiles fixes file SELinux security contexts. It does the same job as the restorecon command; for more information read man 8 fixfiles.
setfiles
setfiles may be used to set SELinux file security contexts.
Tools for testing SELinux contexts and roles:
Part of SELinux is the Role-Based Access Control (RBAC) security model. The role is an attribute of RBAC. SELinux users are authorized for roles, and roles are authorized for domains. The role serves as an intermediary between domains and SELinux users. The roles that can be entered determine which domains can be entered; ultimately, this controls which object types can be accessed. This helps reduce vulnerability to privilege escalation attacks.
newrole
Run a new shell in a new context. Read man newrole for more information.
This command is used rarely; most admins prefer using existing roles.
runcon
runcon — Run a command in a given SELinux Context.
General purpose SELinux management commands
semanage
semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. This includes the mapping from Linux usernames to SELinux user identities as well as security context mappings for various kinds of objects, such as network ports, interfaces, and nodes (hosts) as well as the file context mapping.
arguments:
import Import local customizations
export Output local customizations
login Manage login mappings between linux users and SELinux confined users
user Manage SELinux confined users (Roles and levels for an SELinux user)
port Manage network port type definitions
interface Manage network interface type definitions
module Manage SELinux policy modules
node Manage network node type definitions
fcontext Manage file context mapping definitions
boolean Manage booleans to selectively enable functionality
permissive Manage process type enforcement mode
dontaudit Disable/Enable dontaudit rules in policy
ibpkey Manage infiniband pkey type definitions
ibendport Manage infiniband end port type definitions
There are man pages for each of these subcommands:
All of the semanage commands that add or modify the targeted policy configuration store information in *local files under the /etc/selinux/targeted directory tree. These files all have warnings that they should not be edited directly but are used to preserve customization. When the SELinux and policy packages are updated, these local customization files are left in place and applied to the updated policy.
Let's take a look at three of them:
semanage boolean
With semanage boolean, you can enable and disable sets of allow rules, which makes it possible to allow different rule sets for different use cases. For example, say you have a web server that must allow the reading of user content, such as data from their home directories. Out of the box, SELinux isn’t going to allow for that. With the semanage boolean command, you can enable that feature.
We can use the semanage boolean command to list out all available HTTP-related policies with the command semanage boolean -l | grep httpd
You will see several entries like:
httpd_read_user_content (off , off) Allow httpd to read user content
Each listing includes the name of the boolean, the boolean's current and persistent state and a description of the boolean. As you can see above, the httpd_read_user_content boolean is set to off. Let's enable it; simple:
semanage boolean -m --on httpd_read_user_content
With the -m option we're instructing SELinux that we're modifying a record (in this case httpd_read_user_content) with the option that follows (--on).
That's it; from now on SELinux will allow the reading of user content by the web server.
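The following is an added example, not code from the original page or its sources. It reads the (current , persistent) column pair of semanage boolean -l described above and lists the Booleans whose runtime value differs from the stored one, which is how you find changes that were made with setsebool but never persisted. The sample output and the function names are constructed.

```shell
#!/bin/sh
# Added example, not code from the original page. The sample output and
# the function names are constructed; the (current , persistent) column
# layout is the one described above.

# Constructed excerpt of "semanage boolean -l | grep httpd". The second
# entry was switched on with setsebool but never made persistent.
SAMPLE_SEMANAGE_BOOL='httpd_read_user_content        (off  ,  off)  Allow httpd to read user content
httpd_can_network_connect_db   (on   ,  off)  Allow HTTPD scripts and modules to connect to databases over the network.
httpd_enable_homedirs          (off  ,  off)  Allow httpd to read home directories'

# boolean_states OUTPUT : "name current persistent" per Boolean.
boolean_states() {
    printf '%s\n' "$1" | sed -n \
        's/^\([A-Za-z0-9_]*\)[[:space:]]*([[:space:]]*\([a-z]*\)[[:space:]]*,[[:space:]]*\([a-z]*\)[[:space:]]*).*/\1 \2 \3/p'
}

# boolean_drift OUTPUT : names whose runtime value differs from the
# persistent one, i.e. changes that will silently revert at the next boot
# (or that someone made without going through the policy store).
boolean_drift() {
    boolean_states "$1" | awk '$2 != $3 { print $1 }'
}

# persist_boolean NAME on|off (real host, root): the semanage boolean -m
# form shown above, which records the value in the policy store, then
# shows the resulting line so current and persistent can be compared.
persist_boolean() {
    semanage boolean -m "--$2" "$1" && semanage boolean -l | grep "^$1[[:space:]]"
}

echo "booleans with runtime/persistent mismatch in sample:"
boolean_drift "$SAMPLE_SEMANAGE_BOOL"

# On a real host the same check runs against live output:
#   boolean_drift "$(semanage boolean -l)"
```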
semanage fcontext
The semanage fcontext command is used to manage file context definitions, which contain additional information (such as SELinux user, role, type and level) used to make access control decisions. File context is one of the biggest issues admins face with SELinux. You might have created a new directory to house SSH host keys, but without the correct file context, SELinux won't allow SSH access to that directory. What should you do? You change the file context of the new directory with semanage fcontext.
As with boolean, fcontext has policies it can work with. To see a full listing of the available policies, the command semanage fcontext -l can help us.
To list all SSH daemon-related policies, use the command semanage fcontext -l | grep sshd. In that listing you'll see the following entries:
/etc/ssh/primes regular file system_u:object_r:sshd_key_t:s0
/etc/ssh/ssh_host.*_key regular file system_u:object_r:sshd_key_t:s0
/etc/ssh/ssh_host.*_key.pub regular file system_u:object_r:sshd_key_t:s0
Let’s say you want to house your SSH host keys in /data/keys. You create the directory, move all the keys into the new home and change the sshd_config file to match the new mapping. When you attempt to use SSH, it fails. Why? Because /data/keys doesn’t have the proper fcontext. You can fix that with the following two commands:
sudo semanage fcontext -a -t sshd_key_t '/data/keys/*.*'
sudo restorecon -r /data/keys
We have to use the restorecon command to set the security context on the new files after we've created the new policy with semanage fcontext. The regular expression *.* catches all files within the directory.
semanage port
semanage port allows you to run a service on a custom port. If you attempt to run a service on a custom port, the service will fail. Let’s say you want to run the SSH daemon on a non-standard port. If you simply configure sshd_config for this, you’ll find SELinux will block you from gaining access as SELinux isn’t aware that you’ve made this change.
For example, if you want to change the SSH port to 2112:
semanage port -a -t ssh_port_t -p tcp 2112
You would then have to add the port to the firewall with the commands:
sudo firewall-cmd --add-port=2112/tcp --permanent
sudo firewall-cmd --reload
At this point you could finally SSH into the SELinux-enabled server, using the non-standard port.
To list all of the available port policies, try the command:
semanage port -l
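The following is an added example, not code from the original page or its sources, covering both the semanage fcontext and the semanage port procedures above. It parses the -l listings of both subcommands so a rule is checked before it is added, and wraps the two procedures for a real host. It goes slightly beyond the text in two places: it uses the conventional "(/.*)?" path pattern, which covers the directory and everything below it, and it uses semanage port -m instead of -a when the port already carries a different type (semanage refuses to add a port that is already defined). The sample listings and the function names are constructed; /data/keys, sshd_key_t, ssh_port_t and port 2112 come from the text.

```shell
#!/bin/sh
# Added example, not code from the original page. Sample outputs and the
# function names are constructed; /data/keys and port 2112 come from the
# text above.

# Constructed excerpt of "semanage fcontext -l" (rule, file type, context).
SAMPLE_FCONTEXT='/etc/ssh/primes                regular file  system_u:object_r:sshd_key_t:s0
/etc/ssh/ssh_host.*_key        regular file  system_u:object_r:sshd_key_t:s0
/etc/ssh/ssh_host.*_key.pub    regular file  system_u:object_r:sshd_key_t:s0
/var/www(/.*)?                 all files     system_u:object_r:httpd_sys_content_t:s0'

# Constructed excerpt of "semanage port -l" (type, protocol, port list).
SAMPLE_PORTS='http_port_t    tcp  80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t     tcp  22
vnc_port_t     tcp  5900-5999'

# fcontext_type_for PATTERN OUTPUT : the type assigned by the rule whose
# path pattern is exactly PATTERN, or nothing if no such rule exists.
# The context is always the last field, so "regular file" vs "all files"
# in the middle column does not matter.
fcontext_type_for() {
    printf '%s\n' "$2" | awk -v pat="$1" '
        $1 == pat { split($NF, c, ":"); print c[3]; exit }'
}

# port_types_for PROTO PORT OUTPUT : every port type whose PROTO list
# contains PORT, honouring comma-separated lists and low-high ranges.
port_types_for() {
    printf '%s\n' "$3" | awk -v proto="$1" -v port="$2" '
        $2 != proto { next }
        {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (p ~ /^[0-9]+-[0-9]+$/) {
                    split(p, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) { print $1; next }
                } else if (p == port) { print $1; next }
            }
        }'
}

# label_key_dir DIR (real host, root): persistent fcontext rule for a
# relocated key directory, then a relabel. "(/.*)?" covers the directory
# itself and everything below it.
label_key_dir() {
    dir=$1
    if [ -n "$(fcontext_type_for "$dir(/.*)?" "$(semanage fcontext -l)")" ]; then
        echo "rule for $dir already present"
    else
        semanage fcontext -a -t sshd_key_t "$dir(/.*)?"
    fi
    restorecon -Rv "$dir"
}

# allow_ssh_port PORT (real host, root): label a non-standard sshd port.
# A port that already carries another type must be modified (-m), not
# added (-a); a port that is already ssh_port_t needs nothing.
allow_ssh_port() {
    port=$1
    current=$(port_types_for tcp "$port" "$(semanage port -l)")
    case $current in
        "")          semanage port -a -t ssh_port_t -p tcp "$port" ;;
        ssh_port_t)  echo "tcp/$port is already ssh_port_t" ;;
        *)           semanage port -m -t ssh_port_t -p tcp "$port" ;;
    esac
    firewall-cmd --add-port="$port/tcp" --permanent && firewall-cmd --reload
}

# Offline demonstration on the constructed samples.
echo "/etc/ssh/ssh_host.*_key -> $(fcontext_type_for '/etc/ssh/ssh_host.*_key' "$SAMPLE_FCONTEXT")"
echo "tcp/22   -> $(port_types_for tcp 22 "$SAMPLE_PORTS")"
echo "tcp/5950 -> $(port_types_for tcp 5950 "$SAMPLE_PORTS")"
echo "tcp/2112 -> $(port_types_for tcp 2112 "$SAMPLE_PORTS")"   # empty: not yet labeled
```

On a real host, label_key_dir /data/keys and allow_ssh_port 2112 reproduce the two procedures above, with the check-before-add step that avoids the "already defined" error from semanage.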
Troubleshooting SELinux AVC Messages on the Command Line
When SELinux denies an action, an Access Vector Cache (AVC) message is logged to the /var/log/audit/audit.log and /var/log/messages files, or the journald daemon logs it. If you suspect that SELinux denied an action that you attempted to do, follow these basic troubleshooting steps:
ausearch
1. Use the ausearch utility to find any recent AVC messages and confirm that SELinux denies the action:
The -m option specifies what kind of information ausearch returns. The -ts option specifies the time stamp. For example, -ts recent returns AVC messages from the last 10 minutes and -ts today returns messages from the whole day.
2. Use the journalctl utility to view more information about the AVC message:
Replace [time] with the time from the AVC message found in the first step. In this example, SELinux prevented the httpd process from accessing the /var/log/httpd/error_log file:
sealert
3. Use the sealert utility to further inspect the AVC message:
Replace [message_ID] with the number of the AVC message. Some examples:
Example 1: SELinux prevented the httpd process from accessing the /var/log/httpd/error_log file because it was incorrectly labeled with the var_log_t SELinux type:
Example 2: In this example, SELinux denied the passwd process access to the /home/user/output.txt file because there is no rule in the SELinux policy that allows passwd to write to files labeled with the user_home_t SELinux type:
You can use sealert -a (--analyze) file to scan a log file and analyze its AVCs.
4. Perform actions according to suggestions provided by sealert. For example, use the restorecon utility to fix incorrectly labeled files or enable particular Booleans.
5. Repeat the action you attempted to do before SELinux denied it.
seaudit
A graphical tool for viewing logs and filtering based on certain SELinux Policies.
audit2allow
From the audit2allow(1) manual page: "audit2allow – generate SELinux policy allow rules from logs of denied operations". After analyzing denials via “sealert Messages”, and if no label changes or Booleans allowed access, use audit2allow to create a local policy module. After access is denied by SELinux, running the audit2allow command presents Type Enforcement rules that allow the previously denied access.
Do not use the example in this section in production. It is used only to demonstrate the use of the audit2allow utility.
The following example demonstrates using audit2allow to create a policy module:
1. A denial and the associated system call are logged to /var/log/audit/audit.log:
In this example, certwatch (comm="certwatch") was denied write access ({ write }) to a directory labeled with the var_t type (tcontext=system_u:object_r:var_t:s0). Analyze the denial as per “sealert Messages”. If no label changes or Booleans allowed access, use audit2allow to create a local policy module.
2. With a denial logged, such as the certwatch denial in step 1, run the audit2allow -w -a command to produce a human-readable description of why access was denied. The -a option causes all audit logs to be read. The -w option produces the human-readable description. The audit2allow utility accesses /var/log/audit/audit.log, and as such, must be run as the Linux root user:
As shown, access was denied due to a missing Type Enforcement rule.
3. Run the audit2allow -a command to view the Type Enforcement rule that allows the denied access:
Important
Missing Type Enforcement rules are usually caused by bugs in SELinux policy, and should be reported in Red Hat Bugzilla. For Red Hat Enterprise Linux, create bugs against the Red Hat Enterprise Linux product, and select the selinux-policy component. Include the output of the audit2allow -w -a and audit2allow -a commands in such bug reports.
4. To use the rule displayed by audit2allow -a, run the audit2allow -a -M mycertwatch command as the Linux root user to create a custom module. The -M option creates a Type Enforcement file (.te) with the name specified with -M, in your current working directory:
Also, audit2allow compiles the Type Enforcement rule into a policy package (.pp). To install the module, run the semodule -i mycertwatch.pp command as the Linux root user.
Important
Modules created with audit2allow may allow more access than required. It is recommended that policy created with audit2allow be posted to an SELinux list, such as fedora-selinux-list, for review. If you believe there is a bug in policy, create a bug in Red Hat Bugzilla.
If you have multiple denials from multiple processes, but only want to create a custom policy for a single process, use the grep command to narrow down the input for audit2allow. The following example demonstrates using grep to only send denials related to certwatch through audit2allow:
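The following is an added example, not code from the original page or its sources, serving both the AVC troubleshooting steps and the audit2allow walkthrough above. It reduces raw audit.log AVC records to "process permission source-type target-type class" summaries (the fields sealert reasons about), filters the log to a single process the way the grep narrowing above does, and wraps the audit2allow -w / -M pipeline for a real host, stopping before semodule -i so the generated rules can be reviewed. The audit.log lines are constructed to mirror the httpd and certwatch cases in the text; function names are constructed too.

```shell
#!/bin/sh
# Added example, not code from the original page. The audit.log lines are
# constructed to mirror the httpd and certwatch cases discussed above;
# function names are constructed too.

SAMPLE_AUDIT_LOG='type=AVC msg=audit(1632910024.178:123): avc:  denied  { write } for  pid=1234 comm="httpd" name="error_log" dev="dm-0" ino=131086 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1632910024.178:123): arch=c000003e syscall=2 success=no exit=-13 pid=1234 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1632910030.501:124): avc:  denied  { write } for  pid=5678 comm="certwatch" name="var" dev="dm-0" ino=131 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0'

# avc_summaries LOG : one line per AVC denial:
#   comm permission source_type target_type class
avc_summaries() {
    printf '%s\n' "$1" | awk '
        /^type=AVC/ && /avc: +denied/ {
            match($0, /comm="[^"]*"/); comm = substr($0, RSTART + 6, RLENGTH - 7)
            match($0, /[{] [^}]* [}]/); perm = substr($0, RSTART + 2, RLENGTH - 4)
            st = tt = cls = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); st = a[3] }
                if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tt = b[3] }
                if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            print comm, perm, st, tt, cls
        }'
}

# avc_denials_for COMM LOG : all audit records for one process name, AVC
# and the matching SYSCALL records alike. This is the grep narrowing
# described above; prints nothing (without failing) if there are none.
avc_denials_for() {
    printf '%s\n' "$2" | grep "comm=\"$1\"" || true
}

# build_module_for COMM MODULE (real host, root): explain the denials for
# one process and write MODULE.te/.pp from them, stopping short of
# "semodule -i" so the generated rules can be reviewed first.
build_module_for() {
    log=$(cat /var/log/audit/audit.log)
    avc_denials_for "$1" "$log" | audit2allow -w          # why it was denied
    avc_denials_for "$1" "$log" | audit2allow -M "$2"     # writes $2.te and $2.pp
    echo "review $2.te, then install with: semodule -i $2.pp"
}

echo "denials in sample log:"
avc_summaries "$SAMPLE_AUDIT_LOG"
# The first summary names var_log_t as the target type, which is example 1
# above: a mislabeled file, fixed with restorecon rather than a new allow
# rule. The second is the certwatch case of the audit2allow walkthrough.
```

Reading the target type off the summary first is what keeps you from writing an allow rule for a problem that restorecon or a Boolean would have solved.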
audit2why
While audit2allow generates SELinux policy allow/dontaudit rules from logs of denied operations, audit2why translates SELinux audit messages into a description of why the access was denied (the same as audit2allow -w).
For example, try:
MAC Alternatives
AppArmor
• Popular in Ubuntu.
• Known for being less complex to manage than SELinux.
• Works by assigning types to file paths rather than inodes.
• Two modes: Enforcement or Complain.
• The commands aa-genprof and aa-logprof are used to craft policies.
Smack
• Must be compiled into the kernel.
• Uses extended file attributes for label assignment (as SELinux does).
• Uses the -Z flag like SELinux.
• The chsmack command may be used to query and set label information.
That's all.
Resources:
https://www.linux.com/news/securing-linux-mandatory-access-controls/
https://www.redhat.com/en/topics/linux/what-is-selinux
https://linuxhint.com/basic-selinux-commands/
https://www.techtarget.com/searchdatacenter/tip/SELinux-tutorial-Commands-and-management
https://www.systutorials.com/docs/linux/man/8-fixfiles/
https://www.redhat.com/sysadmin/semanage-keep-selinux-enforcing
https://www.tutorialspoint.com/unix_commands/semanage.htm
https://linoxide.com/use-semanage-command-selinux-policy/
https://www.techrepublic.com/article/how-to-use-semanage-and-avoid-disabling-selinux/
https://access.redhat.com/articles/2191331
https://danwalsh.livejournal.com/24750.html