Friday, January 15, 2010

2. SELinux Basics

Mandatory Access Control (MAC) and SELinux
Benefits of using the MAC model
  • MAC requires more system administration effort and expertise.
  • Some object-oriented thinking is required to configure it. The entities in the system are divided into two kinds:
  1. Subjects - users and processes
  2. Objects  - files on the system (text/binary files, sockets, named pipes, etc.)
  • Offers more granular, fine-grained control of security. This means the ability to restrict access to objects at a very low level (e.g. read, write, entering a directory, locking a file, accessing a different context area within memory, etc.).
  • SELinux is compiled into the kernel and supported via LSM (Loadable Security Module).

Determining whether the kernel supports SELinux
Step 1
# cd /boot/
# grep -i selinux config-`uname -r`

    This lists the SELinux configuration options of the currently running kernel (the config file is named after the kernel release, so `uname -r` is used).
Step 2
# sestatus -v
    This reports the current status of SELinux. "policycoreutils" is the package that installs the
sestatus binary. This RPM also installs the most commonly used SELinux binaries.
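The two checks above can be scripted so that the kernel build and the running state are compared in one go. The script below is an added example, not something from the original post; the kernel config excerpts and the sestatus output it parses are constructed samples, and the function names (selinux_in_kernel, sestatus_field, sestatus_mode_mismatch) are my own. It also flags the case where "Current mode" and "Mode from config file" differ, which means a reboot would silently change the mode.

```sh
#!/bin/sh
# Added example: script the "kernel built with SELinux?" and "sestatus" checks.
# Sample inputs below are constructed for the example; on a real host use
#   selinux_in_kernel "/boot/config-$(uname -r)"   and   sestatus -v | sestatus_field 'Current mode'

# Constructed excerpt of a /boot/config-<kernel> file built with SELinux.
SAMPLE_KCONFIG_YES='CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1'

# Constructed excerpt of a kernel config built without SELinux.
SAMPLE_KCONFIG_NO='CONFIG_SECURITY=y
# CONFIG_SECURITY_SELINUX is not set'

# Constructed `sestatus` output: booted permissive while the config file says
# enforcing, so the next reboot would change the mode.
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 18
Policy from config file:        targeted'

# Returns 0 if the given kernel config file has SELinux compiled in,
# 1 if it does not, 2 if the file cannot be read.
selinux_in_kernel() {
    [ -r "$1" ] || return 2
    grep -q '^CONFIG_SECURITY_SELINUX=y$' "$1"
}

# Prints the value of one `sestatus` field read from stdin, e.g. "Current mode".
sestatus_field() {
    sed -n "s/^$1:[[:space:]]*//p"
}

# Returns 0 when the running mode differs from the mode in /etc/selinux/config.
sestatus_mode_mismatch() {
    out=$(cat)
    cur=$(printf '%s\n' "$out" | sestatus_field 'Current mode')
    cfg=$(printf '%s\n' "$out" | sestatus_field 'Mode from config file')
    [ "$cur" != "$cfg" ]
}

# Demo on the constructed samples.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_KCONFIG_YES" > "$tmp"
if selinux_in_kernel "$tmp"; then echo "kernel: SELinux compiled in"; else echo "kernel: no SELinux"; fi
rm -f "$tmp"
printf 'policy version: %s\n' "$(printf '%s\n' "$SAMPLE_SESTATUS" | sestatus_field 'Policy version')"
if printf '%s\n' "$SAMPLE_SESTATUS" | sestatus_mode_mismatch; then
    echo "warning: running mode differs from /etc/selinux/config"
fi
```

The config-file grep looks for an exact `CONFIG_SECURITY_SELINUX=y` line, so a kernel whose config says `# CONFIG_SECURITY_SELINUX is not set` is correctly reported as lacking support.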
  • SELinux (a MAC-based system) requires labelling of objects and subjects. In order to determine access using SELinux, both the subjects and the objects must be labelled. Here we set the given role and permissions on the subject, and they must match the object's roles and permissions. /usr/sbin/setfiles is the binary that sets the labels on subjects and objects.
  • MAC-based systems are ideal for internet-facing systems running httpd, named, mysqld, etc. The targeted policy in SELinux ships with policies that support these daemons.
  • The MAC checks performed by SELinux occur after the DAC-based checks.
  • SELinux denies interaction between subjects and objects by default.
  • SELinux supports Type Enforcement (TE). TE is the way for us to label and group various subjects and objects, i.e. it ties processes (subjects) to files (objects).
  • TE also allows the creation of domains. A domain means assigning various subjects into a group, e.g. grouping httpd, htpasswd and htdigest into a group called httpd_r, which equals a domain. We can then set permissions on this domain for accessing various objects.
    SELinux functions in 3 modes
1. Enforcing
    In this mode SELinux applies the defined policies. In Red Hat Linux the default policy is called "targeted", and it is applied in enforcing mode. Any violation of this policy results in denial of access to the object and also raises an alarm.

2. Permissive
    The (targeted) policy is applied, but instead of denying, SELinux simply logs the violation and permits the subject to access the object. So this mode can be used to log violations and test whether an application is compatible with the targeted policy.

3. Disabled
    The (targeted) policy and SELinux are disabled.

Switching the SELinux mode:

To enable SELinux in permissive mode, change the configuration in the following file. This method requires the system

# cd /etc/selinux
# vim config

Another method of enabling SELinux, which needs a system reboot for SELinux to be enabled:
# system-config-securitylevel
    Check the "Enabled" option only; this makes SELinux enabled in Permissive mode. If it needs to
run in Enforcing mode, the Enforcing option has to be selected as well.

3rd method of enabling SELinux:
# vim /etc/grub.conf
# add the following to the kernel line
# selinux=0 will run SELinux in Permissive mode

    This applies to all kernels that support SELinux (2.4 or 2.6).

Once the system has been rebooted and is running in Permissive mode, the following command switches SELinux into Enforcing mode without a reboot:
# echo 1 > /selinux/enforce
    The /selinux directory is like /proc, a pseudo directory whose files are kept in memory. All the SELinux labels are presented in this directory.

SELinux Permissive mode:
    After enabling SELinux and rebooting the machine, use the following to check the SELinux status.
# sestatus
    This shows the status, the SELinuxfs mount point, the mode (permissive or enforcing), the policy version, etc.
  • Permissive mode allows the applications to run, and all violations of the security policy are logged in /var/log/messages.
  • The policy version that ships with RHEL 4 is version 18. The policy is written in source format based on the M4 macro language and compiled into binary format.
  • /etc/selinux/targeted houses the source and binary files of the targeted policy. The source policy need not be installed, but the binary policy must be installed for SELinux to operate.
  • /etc/selinux/targeted/policy contains the policy binary. selinux-policy-targeted is the package that installs the policy binary.
  • /etc/selinux/targeted/booleans is the file that defines the daemons the targeted policy covers.
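Because permissive mode only logs, the useful output of a test run is the set of AVC denials in /var/log/messages. The script below is an added example, not part of the original post: it condenses the log into one line per distinct subject/permission/object combination so each can be reviewed once (is the daemon mislabelled, is the file mislabelled, or does the policy genuinely need a change) instead of line by line. The log lines are constructed for the example, and the function names avc_summary and avc_count_domain are my own.

```sh
#!/bin/sh
# Added example: summarise AVC denials logged while running in permissive mode.
# The syslog lines below are constructed; on a real host feed /var/log/messages
# to the functions instead, e.g.  avc_summary < /var/log/messages

SAMPLE_LOG='Jan 15 10:23:45 web1 kernel: audit(1263548625.123:45): avc:  denied  { read } for  pid=2311 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
Jan 15 10:23:46 web1 kernel: audit(1263548626.456:46): avc:  denied  { read } for  pid=2311 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
Jan 15 10:24:01 web1 kernel: audit(1263548641.789:47): avc:  denied  { write } for  pid=1907 comm="named" name="named.conf" dev=sda1 ino=5678 scontext=root:system_r:named_t tcontext=root:object_r:named_conf_t tclass=file
Jan 15 10:24:05 web1 sshd[2400]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2'

# Reads syslog lines on stdin and prints one line per distinct denial:
#   <count> comm=<program> <permissions> tclass=<class> scontext=<subject label> tcontext=<object label>
# most frequent first. Lines that are not AVC denials are ignored.
avc_summary() {
    grep 'avc: *denied' | awk '
    {
        perm = ""; comm = ""; sc = ""; tc = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # permissions are listed between braces: { read write ... }
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = (perm == "" ? $j : perm "+" $j)
            } else if ($i ~ /^comm=/) {
                comm = $i
            } else if ($i ~ /^scontext=/) {
                sc = $i
            } else if ($i ~ /^tcontext=/) {
                tc = $i
            } else if ($i ~ /^tclass=/) {
                cls = $i
            }
        }
        n[comm " " perm " " cls " " sc " " tc]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Counts denials whose subject runs in the given domain (e.g. httpd_t), which
# tells you whether a daemon covered by the targeted policy is hitting it at all.
avc_count_domain() {
    grep 'avc: *denied' | grep -c "scontext=[^ ]*:$1"
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | avc_summary
printf 'httpd_t denials: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | avc_count_domain httpd_t)"
```

The grouping key deliberately leaves out pid, inode and timestamp, since those vary from run to run while the label pair and permission are what a policy decision is made on.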

Boot process of SELinux (how init handles SELinux startup):
    After the BIOS starts, it hands control to GRUB. GRUB loads the kernel. The kernel then initializes all the hardware and hands over to init, the very first process on a Linux machine. In an SELinux environment init has to decide whether SELinux can be supported or not.
  1. /proc/filesystems contains the details of the filesystems supported by the kernel. init searches for "selinuxfs" in /proc/filesystems. If it is not present, SELinux support will not be enabled.
  2. If enforcing=1 or enforcing=0 is passed on the kernel command line at boot time via GRUB, init attempts to start in Enforcing (enforcing=1) or Permissive (enforcing=0) mode respectively.
  3. If no keyword is given on the GRUB command line, init checks /etc/selinux/config and starts SELinux according to the config file. The GRUB command line overrides all the settings in the config file.
  4. init loads the SELinux environment, which includes mounting /selinux.
  5. init reloads itself into the 'unconfined_t' domain. All processes that are not targeted are associated with the 'unconfined_t' domain.
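The precedence in steps 1 to 3 (no selinuxfs means no SELinux; the enforcing= keyword on the kernel command line beats /etc/selinux/config) is also what decides the outcome of the mode-switching methods in the earlier section. The script below is an added example and a model of that decision order, not init's real code: it takes a copy of /proc/filesystems, a kernel command line and a config file path, and reports the mode init would end up in. The sample files are constructed, the function names are my own, and reporting "unknown" when neither source sets a mode is an assumption made here rather than something the post states.

```sh
#!/bin/sh
# Added example: a shell model of init's SELinux start-up decision (steps 1-3 above).
# Not init's real code; sample inputs are constructed for the example.

# Constructed /proc/filesystems contents, with and without selinuxfs.
SAMPLE_FS_WITH='nodev   sysfs
nodev   proc
        ext3
nodev   selinuxfs'
SAMPLE_FS_WITHOUT='nodev   sysfs
nodev   proc
        ext3'

# Constructed /etc/selinux/config.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'

# Step 1: does the kernel list selinuxfs in /proc/filesystems (read from stdin)?
selinuxfs_supported() {
    grep -q 'selinuxfs$'
}

# Step 2: enforcing=1 / enforcing=0 on the kernel command line; the last one wins.
# Prints enforcing, permissive, or nothing when the keyword is absent.
mode_from_cmdline() {
    m=''
    for arg in $1; do
        case $arg in
            enforcing=1) m=enforcing ;;
            enforcing=0) m=permissive ;;
        esac
    done
    printf '%s' "$m"
}

# Step 3: the SELINUX= value from the config file. The pattern requires "=" right
# after SELINUX so that the SELINUXTYPE= line is not picked up by mistake.
mode_from_config() {
    [ -r "$1" ] || return 0
    sed -n 's/^SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Combine the steps in init's order.
#   $1 = file holding /proc/filesystems contents, $2 = kernel command line,
#   $3 = path to /etc/selinux/config
init_selinux_mode() {
    if ! selinuxfs_supported < "$1"; then
        echo disabled                # no kernel support: nothing to enable
        return 0
    fi
    m=$(mode_from_cmdline "$2")      # GRUB keyword overrides the config file
    [ -n "$m" ] || m=$(mode_from_config "$3")
    [ -n "$m" ] || m=unknown         # assumption: neither source set a mode, so report it rather than guess
    echo "$m"
}

# Demo with the constructed samples.
fs=$(mktemp); cfg=$(mktemp)
printf '%s\n' "$SAMPLE_FS_WITH" > "$fs"
printf '%s\n' "$SAMPLE_CONFIG" > "$cfg"
echo "config only:        $(init_selinux_mode "$fs" 'ro root=/dev/sda1' "$cfg")"
echo "grub enforcing=0:   $(init_selinux_mode "$fs" 'ro root=/dev/sda1 enforcing=0' "$cfg")"
printf '%s\n' "$SAMPLE_FS_WITHOUT" > "$fs"
echo "no selinuxfs:       $(init_selinux_mode "$fs" 'ro root=/dev/sda1 enforcing=1' "$cfg")"
rm -f "$fs" "$cfg"
```

Running it shows the practical consequence of step 3: a config file that says SELINUX=enforcing does nothing for a boot where enforcing=0 was typed at the GRUB prompt, so the kernel command line of a live host is worth checking alongside the config file.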
