How To Manage SELinux in RHEL
Upgrades and Updates to Red Hat® Enterprise Linux®
SETTING UP SECURITY-ENHANCED LINUX (SELinux)
Firstly, let's just agree that there is likely going to be some disagreement here. Lots of technology topics will "top-off" people over the craziest things... this doesn't qualify as one of the bigger ones I can think of, but there does exist some strong opinion over the use, management and effectiveness of Security-Enhanced Linux (SELinux). RHEL has shipped with SELinux "Enforced" by default since 2.6 of the Linux kernel, but what if we needed to temporarily disable SELinux for some programs to function properly? Looking into this while installing ESET NOD32 Business Desktop Antivirus, I fell into these questions to ask and answer, some of which remain open-ended, but found my path not entirely dissimilar from that of others who have either looked into, or had to address, issues with managing SELinux. To test this out, our hardware is an Alienware X51 booting 64-bit RHEL 6.5.
# yum update selinux
MANAGING SELINUX IN RHEL
Security-Enhanced Linux (SELinux) is a project (initially developed by the NSA, fwiw) to implement mandatory access control (MAC) under Linux, enforced in the kernel. A security context, or security "label", is the mechanism used by SELinux to classify resources (e.g., processes and files) on a SELinux-enabled system. This context allows SELinux to enforce rules for how and by whom a given resource may be accessed.
On occasion, we may have need (I will leave out desire) to directly manage these security contexts. Red Hat Global Support Services recommends disabling SELinux permanently only if you are certain you will never want to run SELinux in the future. Per the Red Hat KB "How Do I Turn SELinux Off In Red Hat Enterprise Linux?", "files created with SELinux disabled will not have the information necessary to function when SELinux is enabled; changing this requires a "relabel" of the filesystems, which can be a very time consuming operation."
That's good enough reasoning for me; if you start with SELinux enabled (as is the default in RHEL6), do not toggle it on and off again unnecessarily! Our raison d'être here, however, is that there may be occasions where SELinux issues need to be looked into, and potentially addressed. This is a rather broad and fairly elusive topic, so this attempt is mainly in providing you with some SELinux Management Tools to get you started.
NOTE: It is highly advisable that you conduct your own study in this area as much as possible prior to making any changes in SELinux. Please reference the provided industry articles at the end of this post for a more complete reference of SELinux!
What if we attempt to install or execute a program and receive a SELinux Unsupported error that looks like this? If you want this addressed, you will need to manage SELinux!
Let's take a look at how to Modify and Manage SELinux in a Real World Example:
Ye Olde Terminal
While attempting to install Linux antivirus software, I ran into a "SELinux not supported" error that kept me from executing the installer. To complete the install, we first have to temporarily disable SELinux. How to do that, and why? Initially, I went about dealing with this via command-line by temporarily changing SELinux mode to "Permissive". I will get into why you will want to do that a little bit later; for now we just want to make the appropriate changes so that I can finish the antivirus install.
Run the following command to check the current SELinux mode (it returns Enforcing, Permissive or Disabled):
You can then effectively disable SELinux by switching it into Permissive mode:
# setenforce 0
When you have completed whatever tasks necessitated putting SELinux into "Permissive" in the first place, be certain to re-enable:
# setenforce 1
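The point worth pinning down here is that setenforce 0 changes only the running kernel's mode, so a reboot silently restores whatever is in the persistent setting (the SELINUX= line of /etc/selinux/config on RHEL 6), and it is only the persistent "disabled" setting that creates the unlabelled-files problem the Red Hat KB warns about. The script below is an added example, not from the original post: it parses a constructed copy of /etc/selinux/config, reads the runtime mode from getenforce when that command exists (falling back to a supplied value elsewhere), and classifies the combination. The function names and the state labels are my own.

```shell
#!/bin/sh
# Added example (not from the original post): tell the temporary runtime mode
# (what getenforce reports and setenforce changes) apart from the persistent
# mode in /etc/selinux/config. Nothing here modifies the system.

# Constructed sample of /etc/selinux/config as it ships on RHEL 6.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted'

# persistent_mode: print the SELINUX= value from config text read on stdin.
# Comment lines start with '#' so they never match the anchored pattern.
persistent_mode() {
    sed -n 's/^SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' | head -n 1
}

# runtime_mode: lower-cased getenforce output when the tool exists; otherwise
# the caller-supplied value, so the function can be exercised off a RHEL box.
runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr 'A-Z' 'a-z'
    else
        printf '%s\n' "${1:-unknown}"
    fi
}

# classify RUNTIME PERSISTENT: name the situation an admin is actually in.
#   relabel-risk         persistent setting is disabled; new files get no label
#   temporary-permissive setenforce 0 in effect; a reboot restores enforcing
#   consistent-<mode>    runtime and persistent settings agree
#   mismatch             anything else (e.g. setenforce 1 over a permissive config)
classify() {
    runtime=$1
    persistent=$2
    if [ "$persistent" = "disabled" ]; then
        echo "relabel-risk"
    elif [ "$runtime" = "permissive" ] && [ "$persistent" = "enforcing" ]; then
        echo "temporary-permissive"
    elif [ "$runtime" = "$persistent" ]; then
        echo "consistent-$runtime"
    else
        echo "mismatch"
    fi
}

# Usage: report the state for the sample config, assuming setenforce 0 was run.
mode=$(printf '%s\n' "$SAMPLE_CONFIG" | persistent_mode)
echo "persistent: $mode; runtime: $(runtime_mode permissive); state: $(classify permissive "$mode")"
```

On a real system, pipe the actual file into persistent_mode (cat /etc/selinux/config | persistent_mode) and leave the runtime value to getenforce; "temporary-permissive" is the state you should be in during the install described above, and "relabel-risk" is the one to avoid.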
SELinux Management Tools
From just the initial foray into understanding what SELinux actually is and how best to use and manage it, it was clear I would be spending time with SELinux and its policies often enough to need to be efficient and effective in those dealings. My personal preference with all of this is to employ some handy tools already found in our available repos: selinux-config and system-config-selinux; these are part of the policycoreutils-gui package providing GUI utilities for managing the SELinux environment. Install all of these through PackageKit:
This also gives us access to the SELinux Management and SELinux Policy Generation Tools:
Now we can use our SELinux Management GUI to change SELinux mode to Permissive via System »Administration »SELinux Management:
SELinux is now temporarily disabled, while still logging access errors. While in Permissive mode, I can complete the install of my antivirus application. We also now have available our SELinux Policy Generation Tool via Applications »System Tools »SELinux Policy Generation Tool:
In my case, I needed to make SELinux changes to install software, but it wasn't without some trepidation. Fiddling with SELinux settings requires some dedication and persistence in understanding what SELinux is and does, and how best to manage it. Unless you are already experienced and knowledgeable here, my recommendation is to make use of the security enhancements SELinux provides (by staying in the default of "Enforce"), and always utilize "Permissive" mode should you really need to disable it. Review your access/error logs as habit.
Permission to be Permissive
Instead of disabling SELinux, it is more advisable to put SELinux in "Permissive" mode. In this mode:
The SELinux policies will remain loaded,
Access attempts that violate the configured SELinux policy will still be logged, but
Access attempts that violate the configured SELinux policy will not be denied, thus disabling the protections offered by SELinux.
Here's how to review your access logs to see which policy denials were logged while in Permissive mode:
Search for auditd (the Linux Auditing System) and install if necessary - the audit RPM should be installed by default on most Red Hat Enterprise Linux systems:
Next, check for the setools-gui pkg, and install - this will provide a collection of graphical and command-line tools to efficiently address SELinux policy analysis:
Once installed, run your seaudit gui to access and review your logs (Applications »System Tools »SELinux Audit Log Analysis):
We also now have several other SELinux tools available for use - SELinux Policy Analysis (examine, search and relate policy components and rules) and SELinux Policy Difference (allows you to compare two policy files):
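What seaudit shows in its table is the AVC records auditd writes to /var/log/audit/audit.log, and the habit recommended above (review the denials logged during every Permissive window) is just as doable from a terminal. The script below is an added example, not from the original post or from the setools project: it summarises AVC denials with awk and counts the ones flagged permissive=1, meaning they were logged but not blocked. The log lines are constructed samples in auditd's format (real field names, made-up values); the permissive=N suffix on AVC records is something newer kernels emit, so on a kernel that omits it the second function simply reports zero.

```shell
#!/bin/sh
# Added example (not from the original post): summarise SELinux AVC denials
# from audit.log lines on stdin. Constructed sample records follow; the
# field names are auditd's, the pids, inodes and file names are invented.
SAMPLE_AUDIT='type=AVC msg=audit(1400000000.101:201): avc:  denied  { execute } for  pid=2101 comm="sh" name="setup.sh" dev=sda2 ino=131 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1400000000.101:201): arch=c000003e syscall=59 success=yes exit=0
type=AVC msg=audit(1400000000.102:202): avc:  denied  { write } for  pid=2102 comm="setup.sh" name="quarantine" dev=sda2 ino=132 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1400000000.103:203): avc:  denied  { write } for  pid=2102 comm="setup.sh" name="quarantine" dev=sda2 ino=132 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1400000000.104:204): avc:  denied  { read } for  pid=2103 comm="httpd" name="index.html" dev=sda2 ino=133 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_summary: one line per distinct (permission, source type, target type,
# object class) among the AVC denials on stdin, prefixed by how often it
# occurred and sorted most-frequent first. This is what seaudit tabulates.
avc_summary() {
    awk '
        /^type=AVC / && / denied / {
            perm = ""; src = ""; tgt = ""; cls = ""
            # the requested permission is the word between "{ " and " }"
            if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                # contexts are user:role:type:level; the type (3rd field) is what policy rules key on
                if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
                if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
                if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            n[perm " " src " " tgt " " cls]++
        }
        END { for (k in n) printf "%d %s\n", n[k], k }
    ' | sort -rn
}

# permissive_only_count: denials that were logged but allowed (permissive=1),
# i.e. the accesses that would have failed had the box stayed Enforcing.
permissive_only_count() {
    grep -c '^type=AVC .*permissive=1' || true
}

# Usage on the sample; on a real host replace the printf with
#   cat /var/log/audit/audit.log | avc_summary
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
echo "allowed only because of Permissive mode: $(printf '%s\n' "$SAMPLE_AUDIT" | permissive_only_count)"
```

The grouping by source type, target type and class is deliberate: that is the granularity at which an allow rule is written, so a summary line like "2 write unconfined_t var_t dir" tells you directly what the installer needed and whether a policy module or a relabel of the target is the right fix, rather than leaving the system in Permissive mode.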
Lend Me Your Thoughts & Advice... How are You Handling SELinux in RHEL?
My own approach and advice is to employ the default "Enforce" of SELinux and its policies, entering "Permissive" mode temporarily and only when entirely necessary, and habitually reviewing access logs for errors while doing so. That being said, there certainly exists strong opinion that managing SELinux takes more effort than it ultimately rewards in security terms. I have yet to encounter any issues, and consider SELinux a welcome, albeit additional, security layer against online content and application bugs - my fear in looking into SELinux is that if and when I do ever encounter any SELinux-related issues, I could have more trouble than it's worth on my hands. Let's hope I didn't just jinx myself... opinions differ on SELinux, some of them strongly:
SELinux Fails Again - excerpts from a frustrated SELinux user
RHEL FOR REAL
Having generically delved into SELinux making minor adjustments, it was clear from colleagues and my own hands-on experience that I really need to learn a lot more about it. Even for desktop services, I would recommend employing SELinux as Red Hat provides it, but haven't found any harm thus far in the occasional switch into Permissive mode. Frankly, I really wouldn't want to have to tackle SELinux policies and policy management but, should situations dictate otherwise, I feel pretty good that I now have the tools to help drill down on resolving those changes fairly quickly.
There do seem to be differences in opinion about using SELinux and/or its inherent complexity. Stay tuned; there's quite a bit more I need to understand here before being more comfortable with applying policy changes and mods within SELinux. For now, in RHEL I am managing SELinux policies with the above SELinux Management and Policy Generation Tools, while expecting SELinux to be of greater value being Enforced and only occasionally Permissive, over ever being entirely Disabled. #yumyumyellowdog
Would You Like Additional Information Related To This Topic? Then You May Also Find Helpful:
SYSCONFIG: the as-is testing environment system configuration at the time of this article =
HARDWARE: Alienware X51 [Memory: 16GB RAM; Processor: 4th Gen Intel® Core™ i7 4770 Quadcore 8MB Cache @ 4.00GHz; Graphics: NVIDIA® GeForce® GTX 760 Ti with 2GB GDDR5; SSD: Samsung 850 Pro 512GB; HDD: Western Digital Black 1TB]
SOFTWARE: Operating System [RHEL Workstation 6.5-x86_64 (Santiago)]