Administering SELinux Policies

Explains the available SELinux policy types on Oracle Linux and how to configure, switch, and customize them.

An SELinux policy describes the access permissions for all users, programs, processes, and files, and for the devices they act upon. You can configure SELinux to implement either the Targeted Policy or the Multi-Level Security (MLS) Policy. This chapter describes these SELinux policies and how to administer them.

Targeted Policy

A targeted policy applies access controls to a limited number of processes that are believed to be high-risk targets in an attack on a system. Targeted processes run in their own SELinux domain, known as a confined domain, which restricts access to files that an attacker could exploit. If SELinux detects that a targeted process is trying to access resources outside the confined domain, it denies access to those resources and logs the denial.

Only specific services run in confined domains. Examples are services that listen on a network for client requests, such as httpd, named, and sshd, and processes that run as root to perform tasks on behalf of users, such as passwd. Other processes, including most user processes, run in an unconfined domain where only DAC rules apply. If an attack compromises an unconfined process, SELinux doesn't prevent access to system resources and data.

The following table shows examples of SELinux domains.

    Domain          Description
    init_t          systemd
    httpd_t         HTTP daemon threads
    kernel_t        Kernel threads
    syslogd_t       journald and rsyslogd logging daemons
    unconfined_t    Processes that are started by Oracle Linux users run in the unconfined domain

Multi-Level Security Policy

A Multi-Level Security (MLS) policy applies access controls to different process levels. Each level has specific rules for user access, so users can't access information unless they have the required authorization for that process level.

In SELinux, MLS implements the Bell-LaPadula (BLP) model for system security, which applies labels to files, processes, and other system objects to control the flow of information between security levels. In a typical implementation, the labels for security levels might range from the most secure, top secret, through secret, and classified, to the least secure, unclassified.

For example, under MLS, you might configure a program labeled secret that can write to a file that's labeled top secret, but can't read from it. Similarly, you would configure the same program to read from and write to a file labeled secret, but only to read classified or unclassified files. So, information that passes through the program can flow upwards through the hierarchy of security levels, but not downwards.
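The flow rule described above can be written as two comparisons on the level rank. The following sketch is an added example, not part of the original documentation and not how SELinux stores sensitivity levels; the level identifiers and function names are assumptions chosen to match the labels in the text.

```shell
#!/bin/sh
# Levels in ascending order, as named in the text
# (top_secret stands for "top secret").
LEVELS="unclassified classified secret top_secret"

# rank LEVEL -> prints 0..3, fails on an unknown label
rank() {
    i=0
    for l in $LEVELS; do
        [ "$l" = "$1" ] && { echo "$i"; return 0; }
        i=$((i + 1))
    done
    echo "unknown level: $1" >&2
    return 1
}

# blp_access SUBJECT OBJECT -> prints the permitted access: r, w, rw
blp_access() {
    s=$(rank "$1") || return 1
    o=$(rank "$2") || return 1
    acc=""
    [ "$s" -ge "$o" ] && acc="r"          # no read up
    [ "$s" -le "$o" ] && acc="${acc}w"    # no write down
    echo "$acc"
}

# access_row SUBJECT -> one "object:access" pair per level
access_row() {
    for obj in $LEVELS; do
        printf '%s:%s ' "$obj" "$(blp_access "$1" "$obj")"
    done
    echo
}

# The program labeled secret from the example in the text.
access_row secret
```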

The MLS policy is provided by the selinux-policy-mls package.

CAUTION

Oracle doesn't recommend using the MLS policy on a system that's running the X Window System. The X Window System is a complex system that lets many clients connect to a single X server, and it doesn't have the necessary security features to enforce MLS policy correctly.

Note

Switching to the MLS policy might restrict access for certain confined domains, and the system is likely to generate more SELinux denial messages. These denials can be frequent and difficult to resolve. SELinux denials are often more common when using the MLS policy for the following main reasons:

  • MLS disables the unconfined policy module.

  • MLS uses sensitivity levels.

Setting or Switching SELinux Policies

You can configure the default policy type by editing the /etc/selinux/config file and setting the value of the SELINUXTYPE directive to targeted or mls.

Note

You can't change the policy type of a running system.

Before switching from one policy to another, change the SELinux mode to permissive. On first boot after changing the policy type, SELinux might relabel all files, which can take some time. Relabeling while in enforcing mode might prevent confined domains from accessing files, which would stop the system from starting correctly.
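The two edits described above, setting SELINUXTYPE and dropping the mode to permissive, can be made in one step. This is an added example, not part of the original documentation; the function names and the sample file are assumptions, and the demo runs against a constructed copy rather than /etc/selinux/config.

```shell
#!/bin/sh
# set_selinux_policy FILE TYPE
# Sets SELINUXTYPE to TYPE and SELINUX to permissive in FILE, keeping FILE.bak.
set_selinux_policy() {
    cfg=$1
    type=$2
    case $type in
        targeted|mls) ;;
        *) echo "unsupported policy type: $type" >&2; return 2 ;;
    esac
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    # Refuse to guess if either directive is missing.
    if ! grep -q '^SELINUX=' "$cfg" || ! grep -q '^SELINUXTYPE=' "$cfg"; then
        echo "$cfg: SELINUX= or SELINUXTYPE= directive not found" >&2
        return 1
    fi
    cp -p "$cfg" "$cfg.bak" || return 1
    tmp=$(mktemp) || return 1
    # Write back with cat so the file keeps its inode, ownership and label.
    sed -e 's/^SELINUX=.*/SELINUX=permissive/' \
        -e "s/^SELINUXTYPE=.*/SELINUXTYPE=$type/" "$cfg" > "$tmp" &&
        cat "$tmp" > "$cfg"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample standing in for /etc/selinux/config.
make_sample_config() {
    printf '%s\n' '# constructed sample' 'SELINUX=enforcing' \
        'SELINUXTYPE=targeted' > "$1"
}

demo_cfg=$(mktemp)
make_sample_config "$demo_cfg"
set_selinux_policy "$demo_cfg" mls && grep -v '^#' "$demo_cfg"
rm -f "$demo_cfg" "$demo_cfg.bak"
```

Against the real file, the function would be run as root on /etc/selinux/config and followed by a reboot, because the policy type of a running system can't be changed.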

Customizing SELinux Policies

This task shows you how to customize an SELinux policy by turning features on or off using Boolean values. Any changes that you make are effective immediately.

  1. To display the Boolean values and their descriptions, use the following command:
    sudo semanage boolean -l
    SELinux boolean                State  Default Description
    
    abrt_anon_write                (off  ,  off)  Allow abrt to anon write
    abrt_handle_event              (on   ,   on)  Allow abrt to handle event
    abrt_upload_watch_anon_write   (on   ,   on)  Allow abrt to upload watch anon write
    auditadm_exec_content          (on   ,   on)  Allow auditadm to exec content
    ...
  2. You can use the getsebool and setsebool commands to display and set the value of a specific Boolean.
    getsebool boolean
    sudo setsebool boolean on|off
  3. The following example shows how to display and set the value of the abrt_anon_write Boolean:
    getsebool abrt_anon_write
    abrt_anon_write --> off
    sudo setsebool abrt_anon_write on
    getsebool abrt_anon_write
    abrt_anon_write --> on
  4. To persist the new Boolean value across reboots, specify the -P option to setsebool, for example:
    sudo setsebool -P abrt_anon_write on
    getsebool abrt_anon_write
    abrt_anon_write --> on
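
The listing from step 1 is long, so a filter that prints only the Booleans whose State and Default columns differ makes changes easier to review. This is an added example, not part of the original documentation; the function names are assumptions, and the sample listing is constructed from the rows shown in step 1 with two values altered.

```shell
#!/bin/sh
# Constructed sample in the layout printed by "semanage boolean -l".
sample_listing() {
cat <<'EOF'
SELinux boolean                State  Default Description

abrt_anon_write                (on   ,  off)  Allow abrt to anon write
abrt_handle_event              (on   ,   on)  Allow abrt to handle event
abrt_upload_watch_anon_write   (on   ,   on)  Allow abrt to upload watch anon write
auditadm_exec_content          (off  ,   on)  Allow auditadm to exec content
EOF
}

# Reads a listing on stdin and prints "name state default" for every
# Boolean whose State column differs from its Default column.
changed_booleans() {
    awk '
        # Data rows look like: name (state , default) description
        /^[A-Za-z0-9_]+ +\((on|off) *, *(on|off)\)/ {
            name = $1
            row = $0
            sub(/^[^(]*\(/, "", row)   # drop everything up to "("
            sub(/\).*$/, "", row)      # drop ")" and the description
            gsub(/ /, "", row)         # leaves "state,default"
            split(row, v, ",")
            if (v[1] != v[2]) print name, v[1], v[2]
        }'
}

sample_listing | changed_booleans
```

On a live system the same filter reads the real listing: sudo semanage boolean -l | changed_booleans.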