There are several ways of addressing SELinux policy violations. You can change the security context of a file, you can restore the context to the default for that location, you can change a Boolean to allow the functionality in question to run, and lastly, once you know what the issue is, you can modify the SELinux security policy itself.
- [Speaker] Before we do this exercise, you might want to go into the Virtual Machine Manager window and create a snapshot of your VM. Click on the snapshot button in the toolbar, then click on plus, give your snapshot a name, and then click on Finish. Go back to your console and then go into full-screen mode. Now if we mess up the VM, we can just roll back to the snapshot and not have to reinstall. SELinux logs alerts when it's running in either enforcing or permissive mode. If the auditd service is running, SELinux logs to /var/log/audit/audit.log. If the auditd service is not running, it logs to /var/log/messages.
Because our virtual machines are very new, there may not be any messages to look at, so we're going to generate an SELinux denial message. Let's change the context of the /etc/shadow file. In a terminal, type in sudo chcon -t etc_t (this is the type we're going to use) /etc/shadow and hit Enter. Type in your password and hit Enter again. We can verify this by typing in sudo ls -lZ /etc/shadow and hitting Enter, and we can see the type is now etc_t. This is not the correct context for this file, which is what we want in order to generate an error message.
The reason we created a VM snapshot is there's a chance we may lock ourselves out doing this. Now open another terminal and attempt to change your password. Type in passwd and hit Enter. Now change your password. Be sure to remember your new password. Linux will let you change your password but you'll also get an SELinux alert message in the system tray. Click on the message at the bottom of the window, and click on Show. This is the SELinux Alert Browser.
Click on the Troubleshoot button and it will explain the problem and give you several solutions. Usually the best, least intrusive solution is at the top. Naturally we aren't going to follow any of these because we know what the problem is, since we created it. Each one of these solutions will tell you exactly what to do to solve the problem. Let's click on the bottom solution. This one actually creates a new SELinux policy module with rules. The ausearch command searches the audit logs for the word password and then sends the results to the audit2allow command, which builds a policy module allowing the action to happen.
We then insert this policy module into the security policy. Normally we consider creating a new policy module the last resort, because messing with the SELinux security policy can be complex. There are three ways of handling most SELinux errors. Number one, flip a Boolean to allow an action to happen. Booleans are easy to look through, and if you use semanage boolean -l to view them you get a short description as well. Often service configuration files will have comments in them explaining which Booleans to change.
Always check these first. The second thing is to change a file's type using chcon or semanage. File context can be incorrect when files are not copied correctly. Use restorecon to restore the context first. This may solve the problem. If you have a custom configuration, then changing the type and the policy may be the best choice. For instance, if you wanted to put your MySQL database in a non-standard location, you'll need to update the security context of the MySQL directory and its files in the policy. The last resort is to create a new security policy module.
This isn't a bad option, just the most intrusive. When creating a policy module, we're actually modifying the security policy to allow something that was being denied. It's often better to find out why it was being denied first and then fix it before changing the security policy itself. Let's close the SELinux Alert Browser and go back to our first terminal. Type in clear and then type in sudo ausearch -m avc and hit Enter.
Ausearch will show all AVC error messages. AVC stands for access vector cache and is a RAM-based cache of SELinux errors. This is the error message in my audit.log file. It's a fairly cryptic message, but if we zip down about halfway, we'll find what we're looking for. This is the denial. The subject wanted to create a new file, which was denied, the subject being the passwd command. The file it wanted to create was the nshadow file. The subject type was passwd_t, and the object's type was etc_t.
You might notice that those error messages make little sense. This is normal for SELinux. The reason for this is that oftentimes the commands are denied and the commands are unaware of why, so the commands behave somewhat erratically. If SELinux denies a subject from reading a file, that program may return an error message saying the file doesn't exist, when clearly you can see it in the file system. Before we end this video, let's put the context of our /etc/shadow file back the way it was. Type in clear. And then type in sudo restorecon /etc/shadow and hit Enter.
Troubleshooting SELinux. If you get application or service failures and the error messages make no sense, then put SELinux in permissive mode and try again. If the operation is then successful, start digging through the audit logs for clues. Check for SELinux notifications on the desktop. You can spawn the SELinux Alert Browser by typing sealert into a terminal as well, and follow the instructions in the SELinux Alert Browser window.
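An added triage helper for the kind of AVC record the instructor walks through (example code, not from the course): it parses a denial into subject type, permission, object class and target type, flags records logged in permissive mode, and prints the three remedies in the order the instructor recommends. The sample record and the local_passwd module name are constructed assumptions.

```shell
# Constructed AVC record modelled on the transcript's scenario (/etc/shadow
# relabelled etc_t, then passwd denied creating nshadow). Not a real log line.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { create } for  pid=1234 comm="passwd" name="nshadow" scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

# avc_field RECORD KEY: value of KEY=value in the record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | grep -o " $2=[^ ]*" | head -n 1 | cut -d= -f2- | tr -d '"'
}

# avc_perms RECORD: the permission set inside "{ ... }", e.g. "create".
avc_perms() {
    printf '%s\n' "$1" | grep -o '{ [^}]* }' | head -n 1 | sed 's/^{ *//; s/ *}$//'
}

# avc_type CONTEXT: the type field (third colon-separated field) of a context.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD: "SOURCE_TYPE PERMS TCLASS TARGET_TYPE NAME MODE", where
# MODE is "denied" or "permissive" (logged, but the access was allowed).
avc_summary() {
    local rec="$1" mode=denied
    if [ "$(avc_field "$rec" permissive)" = 1 ]; then
        mode=permissive
    fi
    printf '%s %s %s %s %s %s\n' \
        "$(avc_type "$(avc_field "$rec" scontext)")" "$(avc_perms "$rec")" \
        "$(avc_field "$rec" tclass)" "$(avc_type "$(avc_field "$rec" tcontext)")" \
        "$(avc_field "$rec" name)" "$mode"
}

# avc_suggest RECORD: the transcript's three remedies, least intrusive first.
avc_suggest() {
    local rec="$1" comm
    comm=$(avc_field "$rec" comm)
    printf '1. locate %s "%s", check ls -Z, run restorecon -v on it (labelled %s)\n' \
        "$(avc_field "$rec" tclass)" "$(avc_field "$rec" name)" \
        "$(avc_type "$(avc_field "$rec" tcontext)")"
    printf '2. semanage boolean -l | grep %s (is there a Boolean covering this?)\n' "$comm"
    printf '3. ausearch -m avc -c %s | audit2allow -M local_%s (last resort)\n' "$comm" "$comm"
}

avc_summary "$SAMPLE_AVC"
avc_suggest "$SAMPLE_AVC"
```

On a live system, feed each line of sudo ausearch -m avc to avc_summary instead of the constructed record.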
Instructor Grant McWilliams covers network and internet services administration, kernel management, and intrusion prevention. He shows how to make your systems more efficient with virtualization, manage users and groups, and lock everything down with SELinux mandatory access control. Plus, get access to 25 PDF "cheat sheets" and 100 practice questions so you can solidify and test your knowledge.
- Installing Linux on a physical machine
- Managing systemd services
- Managing recurring jobs with cron
- Limiting system access
- Configuring networking
- Creating, editing, and moving files and directories
- Analyzing text with grep and regular expressions
- Installing software and packages
- Managing the kernel
- Managing users, accounts, and groups
- Setting permissions
- Using access control lists
- Securing Linux with SELinux
- Accessing Linux remotely
- Configuring local storage