Administering SELinux in Oracle Linux

Describes SELinux and provides guidance on administering SELinux in Oracle Linux.

Traditional Linux security is based on a Discretionary Access Control (DAC) policy. In the DAC model of system security, access to resources such as files and processes is based solely on user identity and ownership. If malware or broken software is present on the system, it can do anything with files and resources that the user that started the process has permission to do. If the user is root or the application is running with elevated privileges (setuid or setgid to root), the process has root-access control over the entire file system.

To address this problem, the National Security Agency created Security Enhanced Linux (SELinux) to provide a greater level of control over files, processes, users, and applications in the Linux OS. The SELinux enhancement to the Linux kernel implements the Mandatory Access Control (MAC) policy, which lets you define a security policy that configures granular permissions for all users, programs, processes, files, and devices. The kernel's access control decisions are based on how sensitive the resources are from a security perspective, and not solely on the authenticated user identity.

When security-relevant access occurs, such as when a process opens a file, SELinux intercepts the operation in the kernel. If a MAC policy rule allows the operation, it continues. Otherwise, SELinux blocks the operation and returns an error to the process. The kernel checks and enforces DAC policy rules before MAC rules, so it doesn't check SELinux policy rules if DAC rules have already denied access to a resource.

SELinux Package Descriptions

SELinux contains several packages, each of which contain specific utilities that you can use to administer SELinux on Oracle Linux systems. Some packages are installed by default, while other packages are optional.

The following table lists the SELinux packages installed by default with Oracle Linux.


Package	Description
`policycoreutils`	Provides utilities such as `load_policy`, `restorecon`, `secon`, `setfiles`, `semodule`, `sestatus`, and `setsebool` for operating and managing SELinux.
`libselinux`	Provides the API that SELinux applications use to get and set process and file security contexts, and to obtain security policy decisions.
`python3-libselinux`	Contains Python bindings for developing SELinux applications.
`selinux-policy`	Provides the SELinux Reference Policy, which is used as the basis for other policies, such as the SELinux targeted policy.
`selinux-policy-targeted`	Provides the SELinux targeted policy, where objects outside the targeted domains run under DAC.
`libselinux-utils`	Provides the `avcstat`, `getenforce`, `getsebool`, `matchpathcon`, `selinuxconlist`, `selinuxdefcon`, `selinuxenabled`, and `setenforce` utilities.

The following table lists useful SELinux packages that aren't installed by default. Install any required packages using the dnf command.


Package	Description
`mcstrans`	Translates SELinux levels, such as `s0-s0:c0.c1023`, to an easier-to-read form, such as `SystemLow-SystemHigh`.
`policycoreutils-python-utils`	Provides Python utilities for operating SELinux, such as `audit2allow`, `audit2why`, `chcat`, and `semanage`.
`policycoreutils-sandbox`	Provides the sandbox utility for creating SELinux sandboxes to run commands in a tightly confined SELinux domain.
`selinux-policy-mls`	Provides a strict Multi-Level Security (MLS) policy as an alternative to the SELinux targeted policy.
`selinux-policy-doc`	Provides manual pages for many SELinux policy elements.
`setroubleshoot`	Lets you view `setroubleshoot-server` messages by using the `sealert` command.
`setroubleshoot-server`	Translates access-denial messages from SELinux into detailed descriptions that you can view on the command line using the `sealert` command.
`setools-console`	Provides the Tresys Technology SETools distribution of tools and libraries, which you can use to analyze and query policies, monitor and report audit logs, and manage file context.

For more information, see the SELinux Project Wiki for community documentation and the selinux(8) and other SELinux command manual pages.

SELinux Utilities

The following table describes the main utilities that you can use to administer SELinux and the packages that contain them.


Utility	Package	Description
`audit2allow`	`policycoreutils-python-utils`	Generates SELinux policy `allow` rules (and optional `dontaudit` entries) from audit logs of denied operations.
`audit2why`	`policycoreutils-python-utils`	Analyzes denial logs to explain why access was blocked and recommends relevant SELinux adjustments.
`avcstat`	`libselinux-utils`	Displays statistics for the SELinux Access Vector Cache (AVC).
`chcat`	`policycoreutils-python-utils`	Changes or removes the security category for a file or user.
`chcon`	`coreutils`	Changes the SELinux context of files and directories.
`fixfiles`	`policycoreutils`	Fixes the security context for file systems.
`getenforce`	`libselinux-utils`	Reports the current SELinux mode.
`getsebool`	`libselinux-utils`	Reports SELinux Boolean values.
`load_policy`	`policycoreutils`	Loads a new SELinux policy into the kernel.
`matchpathcon`	`libselinux-utils`	Queries the system policy and displays the default security context that's associated with the file path.
`restorecon`	`policycoreutils`	Resets the security context on one or more files.
`restorecond`	`policycoreutils`	Daemon that watches for file creation and sets the default file context.
`runcon`	`coreutils`	Runs a command within the specified context.
`sandbox`	`policycoreutils-sandbox`	Runs a command within an SELinux sandbox.
`sealert`	`setroubleshoot-server`, `setroubleshoot`	Acts as the user interface to the `setroubleshoot` system for diagnosing and explaining SELinux AVC denials and providing recommendations on how to prevent such denials.
`sechecker`	`setools-console`	Checks SELinux policies.
`secon`	`policycoreutils`	Displays the SELinux context from a file, program, or user input.
`sediff`	`setools-console`	Compares SELinux polices.
`seinfo`	`setools-console`	Queries SELinux policies.
`selinuxconlist`	`libselinux-utils`	Displays all SELinux contexts that are reachable by a user.
`selinuxdefcon`	`libselinux-utils`	Displays the default SELinux context for a user.
`selinuxenabled`	`libselinux-utils`	Indicates whether SELinux is enabled.
`semanage`	`policycoreutils-python-utils`	Manages SELinux policies.
`semodule`	`policycoreutils`	Manages SELinux policy modules.
`semodule_deps`	`policycoreutils`	Displays the dependencies between SELinux policy packages.
`semodule_expand`	`policycoreutils`	Expands a SELinux policy module package.
`semodule_link`	`policycoreutils`	Links SELinux policy module packages together.
`semodule_package`	`policycoreutils`	Creates a SELinux policy module package.
`sesearch`	`setools-console`	Queries SELinux policies.
`sestatus`	`policycoreutils`	Displays the SELinux mode and the SELinux policy that are in use.
`setenforce`	`libselinux-utils`	Changes the SELinux mode.
`setsebool`	`policycoreutils`	Sets SELinux Boolean values.
`setfiles`	`policycoreutils`	Sets the security context for one or more files.

Setting SELinux Modes

SELinux runs in either enforcing or permissive mode:

enforcing: The kernel denies access to users and programs if they aren't granted permissions by SELinux security policy rules. All denial messages are logged as AVC (Access Vector Cache) denials. This is the default mode.
permissive: The kernel doesn't enforce security policy rules but SELinux sends denial messages to a log file. This lets you see what actions would be denied if SELinux is running in enforcing mode. Use this mode to help you implement SELinux in a system effectively.

To display the current SELinux mode, run the following command:

getenforce

To set the current mode to enforcing, run the following command:

sudo setenforce enforcing

To set the current mode to permissive, run the following command:

sudo setenforce permissive

Note

The value that you set for a mode using setenforce doesn't persist across reboots. To configure the default SELinux mode, edit the configuration file for SELinux, /etc/selinux/config, and set the value of the SELINUX directive to enforcing, or permissive.

Disabling SELinux

You can fully disable SELinux by setting the selinux kernel parameter to zero.

Important

Oracle doesn't recommend disabling SELinux in production systems. Use permissive mode instead.

Set the required kernel parameter.
Use the grubby utility to set the selinux parameter to zero:
```
sudo grubby --update-kernel ALL --args selinux=0
```
Restart the system.
Check that SELinux is disabled.
Run the getenforce command and verify that the output is Disabled:
```
getenforce
Disabled
```
(Optional) Reenable SELinux
To reenable SELinux, enter the following command and restart the system:
```
sudo grubby --update-kernel ALL --remove-args selinux
```

Installing Policy Documentation

SELinux is complex, with many options for configuring access, using policies. You can obtain detailed information about the available policies from the manual pages that the selinux-policy-doc package provides. This task shows you how to access this information.

The policy documentation also contains information about users and roles. For example, you can read more about the SELinux unprivileged user_u user and the user_r role in the user_selinux(8) manual page. The policy documentation outlines the restrictions that apply for different security contexts and what Boolean options are available to customize the policy for an environment.

Install the package:
```
sudo dnf install -y selinux-policy-doc
```
Update the manual page database:
```
sudo mandb
```
Browse the SELinux policy manual pages. To get a complete listing of all the SELinux manual documentation, run:
```
man -k _selinux
```