📘 SELinux

Overview


Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access control (MAC).
It is a set of kernel modifications and user-space tools shipped with various Linux distributions, designed to enforce strict access controls based on security policies.
The MAC model it implements sits above the traditional discretionary access control (DAC) of standard Linux permissions: a DAC check must pass first, and then the SELinux policy decides.
This means that access decisions are enforced according to predefined security policies rather than the discretion of the file's owner.

SELinux operates by assigning a security context (a three-part label consisting of a user, role, and domain (or type)) to every process, file, network port, and other system resource.
These contexts are used by the SELinux policy to determine whether a process can access a specific resource. By default, SELinux blocks all access attempts, allowing only those explicitly permitted by the security policy.
This approach confines user programs and system services, limiting their privileges to the minimum required to function, thereby reducing the potential damage from malicious or flawed applications.

Basic concepts

A SELinux context consists of three required fields and one optional field: user:role:type:range.
Every process and object in the system has a context.

ᐅ ls -Z /etc/shadow
system_u:object_r:shadow_t:s0 /etc/shadow

ᐅ ps -Z -L -C NetworkManager
LABEL                               PID     LWP TTY          TIME CMD
system_u:system_r:NetworkManager_t:s0 1328 1328 ?        00:00:00 NetworkManager
system_u:system_r:NetworkManager_t:s0 1328 1331 ?        00:00:00 gmain
system_u:system_r:NetworkManager_t:s0 1328 1332 ?        00:00:00 gdbus
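The label format above is simple enough to parse with standard tools, which is handy when auditing a system for objects that never received a proper label. The following script is an added example, not part of the original notes: it splits a context into its fields (the optional range may itself contain a colon, as in `s0-s0:c0.c1023`, so it is taken as everything from the fourth field on), validates that the three required fields are present, and reports the paths in `ls -Z`-style output whose type matches a given one. The `ls -Z` lines are constructed sample data modelled on the ones shown on this page.

```shell
#!/bin/sh
# Added example (not from the original page): parse SELinux context labels
# and list objects carrying a given type, e.g. the unlabeled_t shown later
# in these notes for a freshly mounted directory.

# Print one field of a context "user:role:type[:range]".
# $1 = context, $2 = field name: user | role | type | range
context_field() {
    ctx=$1
    case $2 in
        user)  printf '%s\n' "$ctx" | cut -d: -f1 ;;
        role)  printf '%s\n' "$ctx" | cut -d: -f2 ;;
        type)  printf '%s\n' "$ctx" | cut -d: -f3 ;;
        # the MLS/MCS range can contain ':' itself (s0-s0:c0.c1023), so keep
        # everything from the fourth field onwards
        range) printf '%s\n' "$ctx" | cut -d: -f4- ;;
        *)     return 1 ;;
    esac
}

# Return 0 if the label has the three required fields (range optional).
valid_context() {
    printf '%s\n' "$1" | grep -Eq '^[^:]+:[^:]+:[^:]+(:.+)?$'
}

# Read "ls -Z"-style lines ("context path") on stdin and print the paths
# whose type field equals $1.
paths_with_type() {
    want=$1
    while read -r ctx path; do
        [ -n "$ctx" ] || continue                      # skip blank lines
        [ "$(context_field "$ctx" type)" = "$want" ] && printf '%s\n' "$path"
    done
    return 0
}

# Constructed sample output (modelled on the page's ls -Z lines).
SAMPLE_LS_Z='system_u:object_r:shadow_t:s0 /etc/shadow
system_u:object_r:unlabeled_t:s0 /media/guillaume
system_u:object_r:samba_share_t:s0 /srv/samba/public
unconfined_u:object_r:user_home_t:s0-s0:c0.c1023 /home/guillaume/notes.txt'

# Which objects in the sample still carry unlabeled_t?
printf '%s\n' "$SAMPLE_LS_Z" | paths_with_type unlabeled_t
```

On a real host, feed the functions with `ls -Z` or `find ... -exec ls -Zd {} +` output instead of the constructed sample; objects reported as `unlabeled_t` are the ones `restorecon` or a `semanage fcontext` rule should fix.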

Status

# current mode (Enforcing, Permissive or Disabled)
ᐅ getenforce

# detailed status
ᐅ sestatus

# change the mode at runtime (0 = permissive, i.e. enforcement disabled; 1 = enforcing)
ᐅ sudo setenforce 0

# list booleans
ᐅ getsebool -a
ᐅ sestatus -b

# list file context rules
ᐅ semanage fcontext -l

/etc/selinux/config

SELINUX=enforcing
SELINUXTYPE=targeted

Samba shares

Booleans

# checking booleans
ᐅ getsebool -a | grep samba
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_load_libgfapi --> off
samba_portmapper --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
tmpreaper_use_samba --> off
use_samba_home_dirs --> off
virt_use_samba --> off

ᐅ getsebool samba_enable_home_dirs
samba_enable_home_dirs --> off

# enable/disable a boolean (-P makes the change persistent across reboots)
ᐅ sudo setsebool -P samba_enable_home_dirs on

Context

Getting current context:

แ… ls -Zd /media/guillaume

Note

From now on, every command is followed by his resulting context:

> system_u:object_r:unlabeled_t:s0 /media/guillaume

Changing the current context (temporary, lost on relabel):

ᐅ chcon -R -t samba_share_t /media/guillaume
> system_u:object_r:samba_share_t:s0 /media/guillaume

Resetting the manual change:

ᐅ sudo restorecon -v /media/guillaume
> system_u:object_r:unlabeled_t:s0 /media/guillaume

Changing the directory policy (persistent: add a file context rule, then apply it):

ᐅ sudo semanage fcontext -a -t samba_share_t "/media/guillaume(/.*)?"
ᐅ sudo semanage fcontext --list [| grep samba]
ᐅ sudo restorecon -v /media/guillaume

NetworkManager VPN

ᐅ sudo setsebool -P openvpn_run_unconfined on
ᐅ sudo semanage fcontext -a -t home_cert_t "/home/guillaume/VPN(/.*)?"
ᐅ sudo restorecon -R -v /home/guillaume/VPN

NFS share

ᐅ sudo setsebool -P nfs_export_all_rw 1
# no slash before the group: "/mnt/(/.*)?" would not match /mnt/<anything>
ᐅ sudo semanage fcontext -a -t public_content_t "/mnt(/.*)?"
ᐅ sudo restorecon -F -R -v /mnt/