
SELinux

robnagler edited this page Sep 8, 2017 · 1 revision


SELinux tries to protect systems, but the policies are so complex that nobody really knows what they are doing.

For example, a common approach is something like this:

# grep nginx /var/log/audit/audit.log | grep denied | audit2allow -M mynginx
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mynginx.pp

The problem is that you have no idea what the generated module allows. When you look at the type enforcement source, you get something like:

# cat mynginx.te

module mynginx 1.0;

require {
        type httpd_t;
        type gatekeeper_port_t;
        class tcp_socket name_connect;
}

#============= httpd_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_t gatekeeper_port_t:tcp_socket name_connect;

What is gatekeeper_port_t?

# semanage port -l | grep gatekee
gatekeeper_port_t              tcp      1721, 7000
gatekeeper_port_t              udp      1718, 1719

So the one rule covers several ports at once, not just the one nginx was denied on. What is tcp_socket? It's a tclass (object class), which is a label for a set of permissions. In this case, name_connect is the permission to open a TCP connection from the source to the target.

What's the source? It's a domain, actually: the type label on the running process.

# ps -eZ|grep httpd_t
system_u:system_r:httpd_t:s0    27797 ?        00:00:00 nginx
system_u:system_r:httpd_t:s0    27799 ?        00:00:00 nginx
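To see what a rule is going to grant before running semodule -i, the denials can be read directly instead of piping them blind into audit2allow. The script below is an added example for this page, not part of the wiki or of the SELinux tools: it reads AVC records and prints, per denial, the source domain, target type, class and permissions (the four things the allow rule will name) plus the program and the port or path involved. The audit lines are constructed for the example; it assumes only a POSIX sh and awk.

```shell
#!/bin/sh
# Added example (not from the wiki): summarize AVC denials so that an
# audit2allow-generated rule can be reviewed before `semodule -i`.

# Constructed sample of what `grep denied /var/log/audit/audit.log` returns.
# The pids, timestamps, port and path are made up for this example.
SAMPLE_AVC='type=AVC msg=audit(1504900000.123:456): avc:  denied  { name_connect } for  pid=27797 comm="nginx" dest=7000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:gatekeeper_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1504900001.456:457): avc:  denied  { read open } for  pid=27799 comm="nginx" path="/srv/app/index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1504900001.456:457): arch=c000003e syscall=2 success=no'

# Reads audit records on stdin and prints one line per unique denial:
#   <source domain> <target type> <tclass> <perms> comm=<prog> [port=N|path=P]
# Only AVC "denied" records are considered; SYSCALL and other records are skipped.
avc_review() {
  awk '
  /avc: +denied/ {
    perms = ""; inperm = 0; s = ""; t = ""; c = ""; comm = "?"; extra = ""
    for (i = 1; i <= NF; i++) {
      # permissions sit between "{" and "}" and may be more than one word
      if ($i == "{") { inperm = 1; continue }
      if ($i == "}") { inperm = 0; continue }
      if (inperm) { perms = perms (perms == "" ? "" : ",") $i; continue }
      n = index($i, "=")
      if (n == 0) continue
      k = substr($i, 1, n - 1); v = substr($i, n + 1)
      if (k == "scontext") s = v
      else if (k == "tcontext") t = v
      else if (k == "tclass") c = v
      else if (k == "comm") { gsub(/"/, "", v); comm = v }
      else if (k == "dest") extra = "port=" v
      else if (k == "path") { gsub(/"/, "", v); extra = "path=" v }
    }
    # a context is user:role:type:level; the type is what the allow rule names
    split(s, sp, ":"); split(t, tp, ":")
    printf "%s %s %s %s comm=%s%s\n", sp[3], tp[3], c, perms, comm,
           (extra == "" ? "" : " " extra)
  }' | sort -u
}

# Stand-alone run over the constructed sample; on a real box replace the
# sample with: grep denied /var/log/audit/audit.log | avc_review
printf '%s\n' "$SAMPLE_AVC" | avc_review
```

Each output line is exactly what `allow <source> <target>:<tclass> { <perms> };` would open up; the port or path column is what to check against `semanage port -l` (or the file's label) to decide whether that is really the access you meant to grant, or whether the file or port should be relabelled instead.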

Never mind how the nginx program gets into the httpd_t domain. Also never mind that a normal user can connect to the socket:

$ echo hello > /dev/tcp/127.0.0.1/7000

This is the confusing part, of course: login sessions generally run unconfined, so the rule restricts nginx but not the user typing at the shell.

For HPC systems, you generally have to turn off SELinux.

SELinux also doesn't protect against external intrusions; it just limits privilege escalation.
