Security-Enhanced Linux (SELinux) is an implementation of mandatory access control for the Linux kernel: it provides a mechanism for defining and enforcing security policies that control access to system resources. On Red Hat Enterprise Linux 7 (RHEL 7), CentOS 7 and Oracle Linux 7 (OL7), SELinux is installed and enabled by default. The following tutorial shows the basic steps to permanently disable SELinux on OL7; the same steps should also work on RHEL 7 and CentOS 7.
You can check the SELinux status with the following command:
[root@orclprod ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
To disable SELinux you have to change "SELINUX=enforcing" to "SELINUX=disabled" in the /etc/sysconfig/selinux configuration file:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
Then reboot the server for the change to take effect, and check the SELinux status once again just to make sure:

[root@orclprod ~]# sestatus
SELinux status:                 disabled
Use SELinux on Oracle Linux
SELinux is a set of kernel modifications and user-space tools that provide another layer of system security: fine-grained access control, system-wide administrator-defined policies, and better mitigation of privilege escalation attacks.
This tutorial guides you through using these user-space tools to help keep your system running in enforcing mode.
Objectives
In this lab, you’ll learn to:
- Check SELinux mode and status
- Understand SELinux security labels
- Work with SELinux network services
- Use SELinux users
- Change SELinux booleans
- Evaluate SELinux file contexts
Prerequisites
- A system with Oracle Linux 8 installed with the following configuration:
- a non-root user with sudo permissions
Setup Lab Environment
Note: When using the free lab environment, see Oracle Linux Lab Basics for connection and other usage instructions.
Create a User
An additional user allows testing the assignment of an SELinux user later in this lab.
- If not already connected, open a terminal and connect via ssh to the ol8-server system.
sudo useradd -u 8000 ralph
echo "ralph:oracle" | sudo chpasswd

sudo mkdir /home/ralph/.ssh
sudo cp /home/oracle/.ssh/authorized_keys /home/ralph/.ssh/authorized_keys
sudo chown -R ralph:ralph /home/ralph/.ssh
sudo chmod 700 /home/ralph/.ssh
sudo chmod 600 /home/ralph/.ssh/authorized_keys
SELinux Mode and Status
Oracle Linux installs SELinux by default and runs in Enforcing mode.
- Confirm by checking the SELinux mode with sestatus. It should be set to Enforcing.

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
SELinux Security Labels
Every process and system resource under SELinux has a security label called an SELinux context. The SELinux context, also called an SELinux label, captures the security properties of the object and gives the policy a consistent way to refer to it.
- Show the SELinux security label for a file.
-rw-r--r--. 1 root root system_u:object_r:passwd_file_t:s0 1892 Apr 13 14:39 /etc/passwd
The most important of these is the SELinux type, because most rules in the targeted policy use types to define the allowed interactions between one object (for example, a process) and another (for example, a file).

The full output shows that SELinux types exist for many commands and services, such as ssh and sshd.

system_u:system_r:sshd_t:s0-s0:c0.c1023 root 2535 1 0 14:37 ? 00:00:00 /usr/sbin/sshd -D
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 18514 2535 0 15:21 ? 00:00:00 sshd: oracle [priv]
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 oracle 18528 18514 0 15:21 ? 00:00:00 sshd: oracle@pts/0
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 oracle 23611 18529 0 15:41 pts/0 00:00:00 grep --color=auto sshd

total 600
-rw-r--r--. 1 root root     system_u:object_r:etc_t:s0      577388 Oct  9  2021 moduli
-rw-r--r--. 1 root root     system_u:object_r:etc_t:s0        1770 Oct  9  2021 ssh_config
drwxr-xr-x. 2 root root     system_u:object_r:etc_t:s0          28 Feb 18 08:51 ssh_config.d
-rw-------. 1 root root     system_u:object_r:etc_t:s0        4268 Apr 13 14:37 sshd_config
-rw-r-----. 1 root ssh_keys system_u:object_r:sshd_key_t:s0    537 Apr 13 14:37 ssh_host_ecdsa_key
-rw-r--r--. 1 root root     system_u:object_r:sshd_key_t:s0    197 Apr 13 14:37 ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys system_u:object_r:sshd_key_t:s0    432 Apr 13 14:37 ssh_host_ed25519_key
-rw-r--r--. 1 root root     system_u:object_r:sshd_key_t:s0    117 Apr 13 14:37 ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys system_u:object_r:sshd_key_t:s0   2635 Apr 13 14:37 ssh_host_rsa_key
-rw-r--r--. 1 root root     system_u:object_r:sshd_key_t:s0    589 Apr 13 14:37 ssh_host_rsa_key.pub
Similarly, examining the ssh client shows the matching pair of types on its side: ssh_exec_t for the binary and ssh_home_t for the user's key files.
-rwxr-xr-x. 1 root root system_u:object_r:ssh_exec_t:s0 775720 Oct 9 2021 /usr/bin/ssh
total 4
-rw-------. 1 oracle oracle unconfined_u:object_r:ssh_home_t:s0 404 Apr 13 14:39 authorized_keys

[oracle@ol-selinux ~]$ whoami
oracle
[oracle@ol-selinux ~]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
SELinux and Network Services
SELinux tracks the configurations for the most commonly used network-based software packages within its internal database. This tracking allows SELinux to protect the system from externally-facing services prone to attacks.
Therefore, SELinux may prevent a service from working if you configure the software to use a non-standard directory or port.
To show what SELinux knows about a system's standard ports, we need the SELinux utility semanage. Oracle Linux doesn't install the utility by default, so install it.
- Determine which package provides the utility.
sudo dnf whatprovides semanage
sudo dnf install -y policycoreutils-python-utils
sudo semanage port -l | grep ssh
sudo semanage port -a -t ssh_port_t -p tcp 2222
sudo semanage port -l | grep ssh
sudo semanage port -a -t ssh_port_t -p tcp 443
ValueError: Port tcp/443 already defined
The error occurred because we are trying to switch port 443 from the http_port_t type to the ssh_port_t type. For this to work, use the -m option, which modifies the port object record.
sudo semanage port -m -t ssh_port_t -p tcp 443
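The add-versus-modify decision above can be scripted. This is an added example, not part of the Oracle lab: it reads the text of `semanage port -l` (a constructed, abridged sample is embedded so it runs offline) and decides whether a port needs `-a`, `-m`, or nothing; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original lab: decide whether a port needs
# `semanage port -a` (no record yet), `-m` (already labelled with another
# type, as tcp/443 is with http_port_t), or nothing, from the text of
# `semanage port -l`, so the decision can be tested offline.

# Constructed, abridged sample of `semanage port -l` output.
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number

ephemeral_port_t               tcp      32768-60999
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22'

# Print the type that currently covers PROTO/PORT in LISTING, if any.
# Handles comma lists ("80, 81, 443") and ranges ("32768-60999").
port_type_in_listing() { # $1=listing $2=proto $3=port
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        NR > 1 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (p == port) { print $1; exit }
                if (split(p, r, "-") == 2 && port+0 >= r[1]+0 && port+0 <= r[2]+0) {
                    print $1; exit
                }
            }
        }'
}

# Prints "ok" (already WANT_TYPE), "add" (unlabelled) or "modify:<type>".
port_label_action() { # $1=listing $2=want_type $3=proto $4=port
    cur=$(port_type_in_listing "$1" "$3" "$4")
    if [ -z "$cur" ]; then echo add
    elif [ "$cur" = "$2" ]; then echo ok
    else echo "modify:$cur"
    fi
}

# The semanage command for an action; "modify" takes the port away from
# its old type, so httpd would lose tcp/443 in that case.
semanage_cmd() { # $1=want_type $2=proto $3=port $4=action
    case "$4" in
        add)      echo "sudo semanage port -a -t $1 -p $2 $3" ;;
        modify:*) echo "sudo semanage port -m -t $1 -p $2 $3" ;;
        *)        echo "# $2/$3 is already labelled $1" ;;
    esac
}

# Stand-alone run: the three cases from the lab.
for port in 22 2222 443; do
    act=$(port_label_action "$SAMPLE_LISTING" ssh_port_t tcp "$port")
    semanage_cmd ssh_port_t tcp "$port" "$act"
done
```

On a real host, replace the sample with `$(sudo semanage port -l)` and run the printed command only after confirming no other service still needs the port.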
SELinux Users
Each Linux user is mapped to an SELinux user using an SELinux policy. This approach allows Linux users to inherit restrictions based on their SELinux user mapping. The default mapping in Oracle Linux is the __default__ login, which maps to the SELinux unconfined_u user.
- Get a listing of all the current Linux user mappings.
sudo semanage login -a -s guest_u ralph
uid=8000(ralph) gid=8000(ralph) groups=8000(ralph) context=guest_u:guest_r:guest_t:s0
guest_u:guest_r:guest_t:s0
Disable SELinux on Oracle Linux 7
Sometimes when I want to test something or write a prototype of some sort SELinux (Security-Enhanced Linux) kicks in and hinders me, given that it is enabled by default on OL 7 UEK 4. STOP! Before I let you continue to read take a mental note of my disclaimer: I am an advocate of having security turned on by default. It helps us provide better and obviously more secure systems which, in turn, helps the world save time and money. Security should never, ever be turned off for production systems!
With this being said, here are a couple of quick steps for how to get around it.
Current SELinux status
Linux provides a simple command, sestatus (the SELinux status tool), that tells you, as the name suggests, the status of SELinux:

[root@localhost oracle]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      29
In my case it is, as per default, enabled. There are three modes for SELinux: enabled, disabled and permissive. I think that enabled and disabled are self-explanatory; permissive is slightly different. Permissive is the setting to print warnings instead of enforcing SELinux. This is useful, for example, if you want to test something and see whether SELinux would or wouldn't allow it. In my case, as this is a test machine, I shouldn't really care much about whether I set it to disabled or permissive. However, given that security is a good thing and a must for production environments, I can't see why I would ever set SELinux to disabled if I can have warnings instead and build my software to work with SELinux correctly. So I'm opting for the permissive status instead. Linux has another command that allows you to switch between enabled and permissive in the current running environment. That command is setenforce (modify the mode SELinux is running in). It takes just one parameter and only four values:

[root@localhost oracle]# setenforce Permissive
[root@localhost oracle]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      29
That does the trick to set my current environment to permissive (Current mode: permissive). However, that is not a permanent setting. Note the line Mode from config file: enforcing in the output above: that is the setting the machine will pick up upon reboot, so there is one more task to perform.
Make SELinux status permanent
In order to make the SELinux mode permanent I have to do one more thing: change the config file. This change is also easy; all you have to do is open the config file /etc/sysconfig/selinux, set SELINUX=permissive, and you are all set:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

[root@localhost oracle]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      29
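The running mode and the configured mode can diverge, as the post shows after setenforce Permissive. The following is an added example, not from the original post: it classifies a host from the text of sestatus (constructed excerpts are embedded so it runs offline) and flags exactly that drift; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: classify a host's SELinux
# state from the text of `sestatus`, flagging the case shown above where
# `setenforce Permissive` changed the running mode while the config file
# still says enforcing (or the reverse after editing the file).

# Constructed sestatus excerpts for three situations.
DRIFT='SELinux status:                 enabled
Current mode:                   permissive
Mode from config file:          enforcing'
WEAK='SELinux status:                 enabled
Current mode:                   permissive
Mode from config file:          permissive'
OFF='SELinux status:                 disabled'

# Value of one "Key: value" line of sestatus text, lowercased.
sestatus_field() { # $1=text $2=key
    printf '%s\n' "$1" | awk -F': *' -v k="$2" '$1 == k { print tolower($2); exit }'
}

# Verdict: "enforcing", "drift:<running>/<config>", "weak:<mode>" or "disabled".
selinux_mode_check() { # $1=sestatus text
    [ "$(sestatus_field "$1" "SELinux status")" = enabled ] || { echo disabled; return; }
    run=$(sestatus_field "$1" "Current mode")
    cfg=$(sestatus_field "$1" "Mode from config file")
    if [ "$run" = enforcing ] && [ "$cfg" = enforcing ]; then echo enforcing
    elif [ "$run" != "$cfg" ]; then echo "drift:$run/$cfg"
    else echo "weak:$run"
    fi
}

# Stand-alone: check the live host when sestatus is available.
if command -v sestatus >/dev/null 2>&1; then
    selinux_mode_check "$(sestatus)"
fi
```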