SELinux stands for Security-Enhanced Linux. It is an access-control layer built into the kernel that decides which processes may touch which files, directories, ports and other objects.
You must have heard of the chmod command, which is also used for security purposes. That is discretionary access control (DAC): the owner of a file or directory decides the permissions and can change them at will, granting read, write and execute to the owner, the group and others.
Suggested Read: https://peeptheworld.com/linux-file-permissions-umask/
But SELinux is a bit different. It is mandatory access control (MAC): the rules live in a policy that the administrator loads, not in the hands of the file owner, and they are applied to every process, including ones running as root. The policy states which kind of process may access which kind of file or directory, so SELinux grants or blocks access according to these predefined rules. This check is in addition to the normal chmod permissions; a request has to pass both.
When a package is installed, its default directories and files are created, and at creation time each of them is assigned a label.
This label is the SELinux context. Please also note that when you start a service it becomes a process, and that process carries a context of its own. The policy looks at the process context and the file context together and decides whether the access is allowed. The two contexts do not have to be identical; the policy simply contains a rule permitting the one to access the other, as the httpd example below shows.
Confused ?? Don’t Worry!!
Here we are installing the httpd package for an HTTP service and opening its web page in a browser. When you run a program or start a service it becomes a process, and that process can only access the files whose label the policy allows for it. A copy of the same file carrying a different label is refused, no matter what chmod says.
Please go through the example, which will clear your concept completely.
1) Install the httpd package to display a web page in the browser.
[root@Server1 /]# rpm -i httpd-tools-2.2.15-29.el6_4.x86_64.rpm
[root@Server1 /]# rpm -i httpd-2.2.15-29.el6_4.x86_64.rpm
2) After installing the package, create a file named index.html inside the default document root (/var/www/html), since the page is served from this file. Then restart the service so that it picks up the change.
[root@Server1 /]# echo "This is SElinux Test. Index html created on Default directory ." > /var/www/html/index.html
[root@Server1 /]# service httpd restart
3) Now open the page in a browser using the loopback address (http://127.0.0.1). You can use the server's own IP as well. Please find the screenshot of the page below:-
4) Now let's check the SELinux part behind it. As mentioned, the context of the process and the context of the file must be a pair the policy allows for the request to succeed. To display the context, add the -Z option to ls and ps.
[root@Server1 /]# ls -lZ /var/www/html/index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
[root@Server1 /]# ps -efZ | grep -i httpd
unconfined_u:system_r:httpd_t:s0 root      3045     1  0 23:13 ?        00:00:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache    3048  3045  0 23:13 ?        00:00:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache    3049  3045  0 23:13 ?        00:00:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache    3050  3045  0 23:13 ?        00:00:00 /usr/sbin/httpd
In the output above, look at the third field of each context: this is the type, and it always ends in _t. The type of the file index.html is httpd_sys_content_t, and the type (domain) of the httpd process is httpd_t. The targeted policy contains a rule allowing the httpd_t domain to read files of type httpd_sys_content_t, so the access is permitted and you see the positive result when opening the page.
5) Now, what happens if the label is not one the httpd domain is allowed to read? To see this, let's create an index file in some other path (/webtest/index.html) outside the default document root (/var/www/html/index.html).
[root@Server1 /]# mkdir /webtest
[root@Server1 /]# echo "This is SElinux Test . Index html created on /webtest directory." > /webtest/index.html
[root@Server1 /]# ls -lZ /webtest/index.html
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 /webtest/index.html
6) Above you can see that the type of /webtest/index.html is default_t (the type any newly created top-level directory and its contents receive), and the policy has no rule letting httpd_t read default_t. Let's open the page and see whether it works.
7) Before opening the page, we have to add the entries below to the httpd configuration file, since /webtest is not the default document root, and then restart the httpd service.
[root@Server1 /]# vi /etc/httpd/conf/httpd.conf
(add after the existing line "Include conf.d/*.conf")
<Directory /webtest>
    AllowOverride None
</Directory>
Alias /webtest /webtest
[root@Server1 /]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
Now when we open http://127.0.0.1/webtest we get the negative result: httpd cannot stat the file and answers 403 Forbidden. You can clearly see below that access to /webtest is denied because of the label mismatch. Every such denial is also written as an AVC record to /var/log/audit/audit.log (ausearch -m avc lists them), which is the first place to look whenever a service fails like this after a file or directory has been moved.
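Turning the denial above into its reason, as an added example that is not part of the original post. With auditd running, each denial lands in /var/log/audit/audit.log as an AVC record; on the server you would pull them with ausearch -m avc -ts recent. So that the script runs offline, the two records below are constructed samples in that exact format (pid, inode, timestamp and syscall arguments are made up); only the contexts and the path come from the post. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): summarise SELinux AVC denials.
# SAMPLE_LOG is a CONSTRUCTED two-record excerpt in audit.log format; the
# contexts and the path match the post, everything else is invented.
SAMPLE_LOG='type=AVC msg=audit(1364481363.243:24): avc:  denied  { getattr } for  pid=3049 comm="httpd" path="/webtest/index.html" dev=dm-0 ino=131090 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1364481363.243:24): arch=c000003e syscall=4 success=no exit=-13 a0=7f2c3c0021f8 a1=7fff9e6a1a10 a2=7fff9e6a1a10 a3=0 items=0 ppid=3045 pid=3049 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)'

# ctx_type CONTEXT -> the type field (third colon-separated field, ends in _t).
# Policy rules are written in terms of this field, not the whole context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_field RECORD KEY -> value of "KEY=value" in one audit record, quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_permission RECORD -> the permission(s) listed between "{ ... }"
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p' | sed 's/^ *//; s/ *$//'
}

# avc_summary RECORD -> "SOURCE_DOMAIN PERMISSION TARGET_TYPE CLASS PATH"
# For the sample this is "httpd_t getattr default_t file /webtest/index.html":
# the httpd_t domain asked to stat() a default_t file and no rule allows it.
avc_summary() {
    printf '%s %s %s %s %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_permission "$1")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_field "$1" path)"
}

# avc_summaries (audit records on stdin) -> one summary line per denied AVC
# record; SYSCALL records and "granted" AVC records are skipped.
avc_summaries() {
    while IFS= read -r line; do
        case $line in
            *'type=AVC '*'avc:  denied '*) avc_summary "$line" ;;
        esac
    done
}

# Demo on the constructed sample. On a live box use instead:
#   ausearch -m avc -ts recent | avc_summaries
printf '%s\n' "$SAMPLE_LOG" | avc_summaries
```

The summary line tells you the three things needed to decide on a fix: the domain that was refused (httpd_t), what it tried to do (getattr, i.e. stat), and the type it hit (default_t). When the target type is the wrong one for the content, the answer is to relabel, as in steps 11 and 12; when it is the right one, the policy itself needs a boolean or a module, which is a different kind of change.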
8) Please note that in the above example SELinux was in enforcing mode, which means SELinux is enabled and actually blocks whatever the policy denies.
[root@Server1 /]# getenforce
Enforcing
9) Now Let’s also understand the SELinux different modes and its function.
Enforcing  --> Block access based on the predefined policy + record the denials in the logs.
Permissive --> Don't block access; only record in the logs what would have been denied. Useful for testing a policy change before enforcing it.
Disabled   --> No policy loaded at all: nothing is blocked and nothing is logged. Files created in this state get no label, so switching back later needs a full relabel (touch /.autorelabel and reboot).
10) Now even if the label doesn't match, we can still get the positive result by switching SELinux to permissive mode. setenforce 0 does this at runtime and lasts until reboot; disabled cannot be reached with setenforce and requires SELINUX=disabled in /etc/selinux/config plus a reboot. Treat this only as a way to prove that SELinux is the cause, not as a fix: it switches off protection for every service on the box.
[root@Server1 /]# setenforce 0
[root@Server1 /]# getenforce
Permissive
Now when we open http://127.0.0.1/webtest we get the positive result. The policy is still loaded and the denial is still written to the audit log, but in permissive mode it is not enforced.
11) But if we want the positive result with SELinux enforcing, we have to change the type of /webtest/index.html to httpd_sys_content_t instead of default_t, so that the httpd process is allowed to read it. This can be done with the chcon command, which changes the context (label) of a file or directory. Keep in mind that chcon only rewrites the label stored on the inode; a relabel (restorecon, or a reboot after touch /.autorelabel) puts it back to default_t. For a permanent change, record the rule with semanage fcontext and then apply it with restorecon.
[root@Server1 /]# setenforce 1
[root@Server1 /]# getenforce
Enforcing
[root@Server1 /]# ls -lZ /webtest/index.html
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 /webtest/index.html
[root@Server1 /]# chcon -R -t httpd_sys_content_t /webtest
[root@Server1 /]# ls -lZ /webtest/index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /webtest/index.html
12) Now if you open http://127.0.0.1/webtest, you can see the positive result below: the httpd service is granted access to /webtest just by changing the context of the /webtest directory.
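Making the /webtest label permanent, as an added example that is not part of the original post. chcon from step 11 only rewrites the label on the inode; the next restorecon -R /webtest, a fixfiles run or a touch /.autorelabel reboot resets the directory to the policy default, default_t, and the 403 comes back. The durable fix records a file-context rule with semanage (package policycoreutils-python on RHEL 6) and then applies it with restorecon. The directory and the type are the post's; the function names and the APPLY switch are this example's own, and nothing below touches the system unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original post): persistent SELinux labelling
# for a web directory.  Helper names are this example's own.

# fcontext_pattern DIR -> the regex semanage matches against DIR and everything under it
fcontext_pattern() {
    dir=${1%/}                                  # "/webtest/" and "/webtest" give the same rule
    printf '%s(/.*)?\n' "$dir"
}

# ctx_type CONTEXT -> type field (user:role:TYPE:level)
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# path_type PATH -> type currently on PATH (stat -c %C prints the SELinux context)
path_type() { ctx_type "$(stat -c %C "$1")"; }

# expected_type PATH -> type the loaded policy says PATH should carry
# (matchpathcon is in libselinux-utils; -n suppresses the path in its output)
expected_type() { ctx_type "$(matchpathcon -n "$1")"; }

# label_web_dir DIR [TYPE]: add (or update) the rule, relabel, and verify.
# Returns 0 only if DIR ends up with TYPE on disk and in the policy's view.
# "semanage fcontext -a" fails when a rule for the pattern already exists,
# so fall back to -m (modify) to keep the function idempotent.
label_web_dir() {
    dir=$1
    type=${2:-httpd_sys_content_t}
    [ -d "$dir" ] || { echo "label_web_dir: no such directory: $dir" >&2; return 1; }
    pattern=$(fcontext_pattern "$dir")
    semanage fcontext -a -t "$type" "$pattern" 2>/dev/null \
        || semanage fcontext -m -t "$type" "$pattern" || return 1
    restorecon -Rv "$dir" || return 1
    [ "$(path_type "$dir")" = "$type" ] && [ "$(expected_type "$dir/index.html")" = "$type" ]
}

# Usage on the server:  APPLY=1 sh label_webtest.sh /webtest
# Afterwards "semanage fcontext -l | grep webtest" lists the rule, and a
# relabel no longer undoes it.  Without APPLY=1 the functions are only defined.
if [ "${APPLY:-0}" = 1 ] && command -v semanage >/dev/null 2>&1; then
    target=${1:-/webtest}
    label_web_dir "$target" && echo "$target is now $(path_type "$target")"
fi
```

The final check compares two things on purpose: path_type reads the label actually on disk (what chcon alone would also change), while expected_type asks the policy what the path should be labelled. Only when both agree has the rule been recorded, which is what keeps the site working after the next relabel.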
Now you are good to go to work with SELinux labels on your system.
Please leave your comments and feedback in the comment box if you find it beneficial or in case of any doubts.