SELinux in Ubuntu
SELinux is a Mandatory Access Control (MAC) system, implemented as a kernel Linux Security Module (LSM), that confines programs to a limited set of resources. SELinux can be enabled in Ubuntu by installing the “selinux” meta-package, which makes the needed changes to the system and installs the Tresys policies for Ubuntu:
sudo apt-get install selinux
After installation, you will be prompted to reboot the system to label and activate SELinux.
When using SELinux, files, including directories and devices, are referred to as objects. Processes, such as a user running a command or the Mozilla® Firefox® application, are referred to as subjects.
The following is an example of the labels containing security-relevant information that are used on processes, Linux users, and files, on Linux operating systems that run SELinux. This information is called the SELinux context, and is viewed using the ls -Z command:
$ ls -Z file1
-rw-rw-r--. user1 group1 unconfined_u:object_r:user_home_t:s0 file1
In this example, SELinux provides a user (unconfined_u), a role (object_r), a type (user_home_t), and a level (s0). This information is used to make access control decisions. With DAC, access is controlled based only on Linux user and group IDs. It is important to remember that SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first.
Labels containing security-relevant information for SELinux.
Security-Enhanced Linux (SELinux) adds Mandatory Access Control (MAC) to the Linux kernel, and is enabled by default in Red Hat Enterprise Linux. A general-purpose MAC architecture needs the ability to enforce an administratively set security policy over all processes and files in the system.
On Linux operating systems that run SELinux, there are Linux users as well as SELinux users. SELinux users are part of SELinux policy. Linux users are mapped to SELinux users.
How to check SELinux Status
Use the command below to check the current status.
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 21
Policy from config file: targeted
We can also switch the current mode (the "Current mode" line above) using the setenforce command:
setenforce 0 - disable enforcement (permissive mode: denials are logged but not blocked)
setenforce 1 - enable enforcement (enforcing mode)
# setenforce --help
usage: setenforce [ Enforcing | Permissive | 1 | 0 ]
SELinux Policy for Your Parallels Plesk Panel Server
To configure SELinux you need to know the rules that should be added into the system policy.
SELinux reports every denial as an AVC message in the /var/log/audit/audit.log file, and these messages can be converted into policy rules using the /usr/bin/audit2allow utility. Review the generated rules before loading them: audit2allow allows exactly the access that was denied, whether or not that access was legitimate.
cat /var/log/messages | /usr/bin/audit2allow
Also, /var/log/messages.* files can be examined for the SELinux deny messages.
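As an added example (not code from the Ubuntu, Red Hat or Plesk documentation quoted above), the following Python parses the AVC denial records that audit2allow consumes, splits each context into the user, role, type and level fields described earlier, and aggregates the denials into the kind of allow rules audit2allow would propose, so each one can be reviewed before anything is loaded. The audit records are constructed, not captured from a real host.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records; the SYSCALL line shows that only AVC records are used.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev="sda1" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.321:457): avc:  denied  { read open } for  pid=2345 comm="httpd" name="index.html" dev="sda1" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000001.321:457): arch=c000003e syscall=257 success=no exit=-13
type=AVC msg=audit(1700000002.000:458): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

def parse_context(ctx):
    """Split user:role:type:level; maxsplit keeps an MLS/MCS level such as s0:c0.c1023 whole."""
    user, role, typ, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "level": level}

def parse_avc(text):
    """Yield one dict per AVC denial record in the log text; other record types are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield {
            "perms": set(m.group("perms").split()),
            "source": parse_context(m.group("scontext")),
            "target": parse_context(m.group("tcontext")),
            "tclass": m.group("tclass"),
            # permissive=1 means the access was logged but not blocked
            "permissive": m.group("permissive") == "1",
        }

def summarize(text):
    """Group denials by (source type, target type, object class), merging permissions."""
    rules = defaultdict(set)
    for d in parse_avc(text):
        rules[(d["source"]["type"], d["target"]["type"], d["tclass"])] |= d["perms"]
    return dict(rules)

def as_allow_rules(text):
    """Render the summary as TE allow statements in the shape audit2allow prints, for review."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(summarize(text).items())]
```

Feeding a real log through the same functions (for example the output of the cat command above) shows which domain is hitting which type before any rule is generated; a denial against user_home_t from httpd_t is usually a mislabelled file, not a missing rule.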
SELinux Access Control
SELinux has 3 forms of access control:
Type Enforcement (TE): Type Enforcement is the primary mechanism of access control used in the targeted policy.
Role-Based Access Control (RBAC): Based around SELinux users (not necessarily the same as the Linux user), but not used in the default targeted policy.
Multi-Level Security (MLS): Not used and often hidden in the default targeted policy.