1 About Administering SELinux in Oracle Linux

This chapter describes the SELinux feature and provides tasks for administering SELinux on Oracle Linux systems.

Note:

The content in this document was tested against Oracle Linux 8 and Oracle Linux 9, but also applies to most Oracle Linux releases, and might also apply to other distributions.

Traditional Linux security is based on a Discretionary Access Control (DAC) policy, which provides minimal protection from broken software or from malware that's running as a normal user or as root. Access to files and devices is based solely on user identity and ownership (the owner, group, and mode bits). Malware or broken software can do anything with files and resources that the user who started the process can do. If the user is root, or the application is setuid or setgid to root, the process has root's unrestricted access to the entire file system.

The National Security Agency created Security Enhanced Linux (SELinux) to provide a finer-grained level of control over files, processes, users, and applications in the Linux OS. The SELinux enhancement to the Linux kernel implements a Mandatory Access Control (MAC) policy, which enables you to define a security policy that provides granular permissions for all users, programs, processes, files, and devices. The kernel's access control decisions are based on all the security-relevant information available (the security context of the process and of the object it's accessing), and not solely on the authenticated user identity.

When security-relevant access occurs, such as when a process opens a file, SELinux intercepts the operation in the kernel. If a MAC policy rule allows the operation, it continues. Otherwise, SELinux blocks the operation and returns an error (typically EACCES) to the process. The kernel checks and enforces DAC rules before MAC rules, so it doesn't consult the SELinux policy if DAC has already denied access to a resource. The converse doesn't hold: a DAC grant, even to root, is still subject to the SELinux decision, which is what limits a compromised root-owned service to the resources that its domain is allowed to use.

SELinux Package Descriptions

SELinux is delivered as several packages, each of which contains specific utilities that you can use to administer SELinux on Oracle Linux systems. Some packages are installed by default, while other packages are optional.

The following table describes the SELinux packages that are installed by default with Oracle Linux.

Package                  Description

policycoreutils          Provides utilities such as load_policy, restorecon, secon, setfiles, semodule, sestatus, and setsebool for operating and managing SELinux.
libselinux               Provides the API that SELinux applications use to get and set process and file security contexts, and to obtain security policy decisions.
python3-libselinux       Contains Python bindings for developing SELinux applications.
selinux-policy           Provides the SELinux Reference Policy, which is used as the basis for other policies, such as the SELinux targeted policy.
selinux-policy-targeted  Provides the SELinux targeted policy, in which only the targeted (confined) domains are restricted by SELinux rules; all other processes run unconfined (for example, in unconfined_t) and are protected only by DAC.
libselinux-utils         Provides the avcstat, getenforce, getsebool, matchpathcon, selinuxconlist, selinuxdefcon, selinuxenabled, setenforce, and togglesebool utilities.

The following table describes useful SELinux packages that aren't installed by default.

Package                       Description

mcstrans                      Translates SELinux levels, such as s0-s0:c0.c1023, to an easier-to-read form, such as SystemLow-SystemHigh.
policycoreutils-python-utils  Provides Python utilities for operating SELinux, such as audit2allow, audit2why, chcat, and semanage.
selinux-policy-mls            Provides a strict Multi-Level Security (MLS) policy as an alternative to the SELinux targeted policy.
selinux-policy-doc            Provides manual pages for many SELinux policy elements.
setroubleshoot                Enables you to view setroubleshoot-server messages by using the sealert command.
setroubleshoot-server         Translates access-denial messages from SELinux into detailed descriptions that you can view on the command line using the sealert command.
setools-console               Provides the Tresys Technology SETools distribution of tools and libraries, which you can use to analyze and query policies, monitor and report audit logs, and to manage file context.

Use the dnf command or another suitable package manager to install SELinux packages that you require for the system.

For more information, see the SELinux Project Wiki, the selinux(8) manual page, and other manual pages for the SELinux commands.

Using SELinux Utilities

The following table describes the utilities that you can use to administer SELinux and information about the packages that contain each utility.

Utility           Package                        Description

audit2allow       policycoreutils-python-utils   Generates SELinux policy allow or dontaudit rules from logs of denied operations.
audit2why         policycoreutils-python-utils   Translates SELinux audit messages into a description of why the access was denied, including whether a Boolean would permit it (equivalent to audit2allow -w).
avcstat           libselinux-utils               Displays statistics for the SELinux Access Vector Cache (AVC).
chcat             policycoreutils-python-utils   Changes or removes the security category for a file or user.
findcon           setools-console                Searches for file context.
fixfiles          policycoreutils                Fixes (relabels) the security context for entire file systems.
getenforce        libselinux-utils               Reports the current SELinux mode.
getsebool         libselinux-utils               Reports SELinux Boolean values.
indexcon          setools-console                Indexes file context.
load_policy       policycoreutils                Loads a new SELinux policy into the kernel.
matchpathcon      libselinux-utils               Queries the system policy and displays the default security context that's associated with the file path.
replcon           setools-console                Replaces file context.
restorecon        policycoreutils                Resets the security context on one or more files to the default that the policy defines for their paths.
restorecond       policycoreutils                Daemon that watches for file creation and sets the default file context.
sandbox           policycoreutils-python-utils   Runs a command in an SELinux sandbox.
sealert           setroubleshoot-server, setroubleshoot   Acts as the user interface to the setroubleshoot system for diagnosing and explaining SELinux AVC denials and providing recommendations on how to prevent such denials.
sechecker         setools-console                Checks SELinux policies.
secon             policycoreutils                Displays the SELinux context from a file, program, or user input.
sediff            setools-console                Compares SELinux policies.
seinfo            setools-console                Queries SELinux policy components such as types, attributes, roles, users, and Booleans.
selinuxconlist    libselinux-utils               Displays all SELinux contexts that are reachable by a user.
selinuxdefcon     libselinux-utils               Displays the default SELinux context for a user.
selinuxenabled    libselinux-utils               Indicates whether SELinux is enabled; exits with status 0 if it is and 1 otherwise, which makes it convenient in scripts.
semanage          policycoreutils-python-utils   Manages persistent policy settings such as file contexts, ports, Booleans, login mappings, and permissive domains without rebuilding the policy.
semodule          policycoreutils                Manages SELinux policy modules.
semodule_deps     policycoreutils                Displays the dependencies between SELinux policy packages.
semodule_expand   policycoreutils                Expands a SELinux policy module package.
semodule_link     policycoreutils                Links SELinux policy module packages together.
semodule_package  policycoreutils                Creates a SELinux policy module package.
sesearch          setools-console                Searches SELinux policy rules, such as allow, dontaudit, and type_transition rules.
sestatus          policycoreutils                Displays the SELinux mode and the SELinux policy that are in use.
setenforce        libselinux-utils               Changes the SELinux mode of the running kernel between Enforcing and Permissive; it can't enable SELinux if it was disabled at boot.
setsebool         policycoreutils                Sets SELinux Boolean values.
setfiles          policycoreutils                Sets the security context for one or more files.
togglesebool      libselinux-utils               Flips the current value of an SELinux Boolean.

Setting SELinux Modes

SELinux runs in one of three modes:

Disabled

The kernel uses only DAC rules for access control. SELinux doesn't enforce any security policy because no policy is loaded into the kernel, and files that are created while SELinux is disabled aren't labeled.

Enforcing

The kernel denies access to users and programs unless SELinux security policy rules grant it. Every denial is logged as an AVC (Access Vector Cache) denial record, normally in /var/log/audit/audit.log when the audit daemon is running. This is the default mode and the only one that enforces SELinux security policy.

Permissive

The kernel doesn't enforce security policy rules, but SELinux still logs the denials that would have occurred (the AVC records carry permissive=1). In this manner, you can see what actions would have been denied if SELinux were running in enforcing mode. Permissive mode is intended for diagnosing SELinux behavior and isn't a safe steady state, because every process can then do whatever DAC allows. To troubleshoot a single service without relaxing the whole system, make only its domain permissive, for example with sudo semanage permissive -a httpd_t, and remove the exception afterwards with sudo semanage permissive -d httpd_t.
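The denial records that enforcing and permissive mode write to the audit log can be triaged before reaching for audit2allow. The following is an added shell example, not code from the Oracle documentation: the AVC records are constructed for the demo, and the function names sample_avc_records and avc_summary are choices made here. It groups the records by source type, target type, and object class into audit2allow-style allow lines, and reports separately how many of the denials were only logged because the domain was permissive.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): group AVC denial records
# into audit2allow-style "allow" lines for triage, and flag which of them were
# logged in permissive mode (permissive=1) rather than actually enforced.
# The records below are constructed for the demo; on a real system read them
# from /var/log/audit/audit.log (for example: sudo ausearch -m AVC -ts recent).

# Constructed sample records in the format auditd writes. Two are enforcing-mode
# denials of httpd reading a file in a user's home directory; the third was
# recorded while the httpd_t domain was permissive. The SYSCALL record is
# included to show that non-AVC lines are ignored.
sample_avc_records() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { open } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
EOF
}

# Read AVC records on stdin; print one sorted line per (source type, target
# type, object class) with the union of denied permissions and the counts.
avc_summary() {
    awk '
    # The third colon-separated field of user:role:type:level is the type.
    function ctx_type(ctx,    parts) { split(ctx, parts, ":"); return parts[3] }
    $1 == "type=AVC" && /avc: +denied/ {
        match($0, /\{ [^}]* \}/);     perms  = substr($0, RSTART + 2, RLENGTH - 4)
        match($0, /scontext=[^ ]+/);  stype  = ctx_type(substr($0, RSTART + 9, RLENGTH - 9))
        match($0, /tcontext=[^ ]+/);  ttype  = ctx_type(substr($0, RSTART + 9, RLENGTH - 9))
        match($0, /tclass=[^ ]+/);    tclass = substr($0, RSTART + 7, RLENGTH - 7)
        key = stype SUBSEP ttype SUBSEP tclass
        n = split(perms, plist, " ")
        for (i = 1; i <= n; i++) {           # union of permissions per key
            if (index(" " seen[key] " ", " " plist[i] " ") == 0) seen[key] = seen[key] " " plist[i]
        }
        total[key]++
        if ($0 ~ /permissive=1/) permissive[key]++
    }
    END {
        for (key in seen) {
            split(key, k, SUBSEP)
            n = split(seen[key], plist, " ")
            for (i = 2; i <= n; i++) {       # insertion sort for stable output
                v = plist[i]
                for (j = i - 1; j >= 1 && plist[j] > v; j--) plist[j + 1] = plist[j]
                plist[j + 1] = v
            }
            out = plist[1]
            for (i = 2; i <= n; i++) out = out " " plist[i]
            printf "allow %s %s:%s { %s };  # %d denial(s), %d logged in permissive mode\n", k[1], k[2], k[3], out, total[key], permissive[key] + 0
        }
    }' | sort
}

sample_avc_records | avc_summary
```

Read the output as a list of questions, not as rules to install. Here the httpd_t denials on user_home_t are normally fixed by labeling the content as httpd_sys_content_t (semanage fcontext -a followed by restorecon) or by the httpd_read_user_content Boolean, and the name_connect to mysqld_port_t by setsebool -P httpd_can_network_connect_db on; audit2why reports when a Boolean would resolve a denial. Only when the policy makes no provision for the access is a custom module from audit2allow -M the right answer, and a line counted under permissive mode is a denial that takes effect as soon as the domain is enforcing again.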

To display the current SELinux mode:

    getenforce

To set the current mode to Enforcing:

    sudo setenforce enforcing

To set the current mode to Permissive:

    sudo setenforce permissive

The mode that you set with setenforce applies only to the running kernel and doesn't persist across reboots; setenforce also can't enable SELinux if it was disabled at boot. To configure the default SELinux mode, edit the configuration file for SELinux, /etc/selinux/config, set the value of the SELINUX directive to enforcing, permissive, or disabled, and reboot. Two caveats apply. First, files that were created while SELinux was disabled have no labels, so before you reboot a system from disabled into enforcing or permissive mode, create the empty file /.autorelabel (sudo touch /.autorelabel) so that the whole file system is relabeled during boot; going through permissive mode first is the safer route, because a mislabeled system in enforcing mode might not boot cleanly. Second, on Oracle Linux 9 the SELINUX=disabled setting is deprecated: the kernel still boots with SELinux enabled and only switches it off later in the boot process, so the supported way to disable SELinux there is the selinux=0 kernel boot parameter, for example sudo grubby --update-kernel ALL --args selinux=0.
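The persistent-mode procedure above, as an added shell example that is not part of the Oracle documentation. The functions take the configuration file path as a parameter and the demo runs on a constructed scratch copy of /etc/selinux/config; the names make_sample_config, selinux_config_mode, selinux_config_set_mode, and selinux_runtime_set_mode are choices made here. Run the config functions against the real file as root to change the boot-time mode.

```shell
#!/bin/sh
# Added example (not Oracle's code): read and change the boot-time SELinux
# mode in an /etc/selinux/config-style file with the checks an operator wants
# before touching the real file. The path is a parameter so the functions can
# be exercised on a scratch copy; run them against /etc/selinux/config as root.

# Constructed scratch copy of /etc/selinux/config used for the demo.
make_sample_config() {   # usage: make_sample_config FILE
    cat > "$1" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
EOF
}

# Print the SELINUX= value (comment lines ignored; SELINUXTYPE= is not matched).
selinux_config_mode() {  # usage: selinux_config_mode FILE
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# Rewrite SELINUX= to a validated mode. Exit status 2 for a bad mode name,
# 1 if the directive is missing. The file is written in place (not replaced
# with mv from a temporary file) so that it keeps its owner, permissions and
# SELinux label.
selinux_config_set_mode() {  # usage: selinux_config_set_mode FILE MODE
    cfg=$1 new=$2
    case $new in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode '$new': use enforcing, permissive or disabled" >&2; return 2 ;;
    esac
    old=$(selinux_config_mode "$cfg")
    [ -n "$old" ] || { echo "no SELINUX= directive found in $cfg" >&2; return 1; }
    scratch=$(mktemp) || return 1
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$new/" "$cfg" > "$scratch" && cat "$scratch" > "$cfg"
    rm -f "$scratch"
    if [ "$old" = disabled ] && [ "$new" != disabled ]; then
        echo "warning: leaving disabled mode; run 'sudo touch /.autorelabel' before rebooting" >&2
    fi
    if [ "$new" = disabled ]; then
        echo "warning: on Oracle Linux 9 use 'grubby --update-kernel ALL --args selinux=0' instead" >&2
    fi
}

# Change the mode of the running kernel only. setenforce cannot enable a
# disabled SELinux, and the change does not survive a reboot.
selinux_runtime_set_mode() {  # usage: selinux_runtime_set_mode enforcing|permissive
    case $1 in
        enforcing|permissive) ;;
        *) echo "runtime mode must be enforcing or permissive" >&2; return 2 ;;
    esac
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        setenforce "$1" && getenforce
    else
        echo "SELinux is not enabled on this kernel; set /etc/selinux/config and reboot" >&2
        return 1
    fi
}

# Stand-alone demo on a scratch copy; never edits the real file.
demo=$(mktemp)
make_sample_config "$demo"
echo "before: $(selinux_config_mode "$demo")"
selinux_config_set_mode "$demo" enforcing
echo "after:  $(selinux_config_mode "$demo")"
rm -f "$demo"
```

Writing the file in place matters more than it looks: a file moved into /etc/selinux from /tmp keeps the temporary file's label, and a wrongly labeled config is exactly the kind of problem that only shows up in enforcing mode. The runtime helper refuses disabled as a mode because setenforce has no such setting; disabling is a boot-time decision.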

Getting More Information

SELinux is complex. You can obtain information about different policies more easily by installing the selinux-policy-doc package and then navigating the associated manual pages.

  1. Install the package:
    sudo dnf install -y selinux-policy-doc
  2. Update the manual page database:
    sudo mandb
  3. Start searching through the new SELinux policy manual pages. To get a complete listing of all the SELinux manual documentation, run:
    man -k _selinux

The policy documentation contains information about users and roles. For example, you can read more about the SELinux unprivileged user_u user and the user_r role in the user_selinux(8) manual page. The policy documentation outlines the restrictions applied for different security contexts and what Boolean options are available to you to customize the policy for an environment.