SELinux
=======

SELinux is a Linux Security Module that implements fine-grained Mandatory Access Control (MAC) on top of UNIX permissions. The Red Hat wiki has good documentation for SELinux; here is a summary edited by me.

SELinux state
-------------

SELinux can be enabled or disabled; when enabled, it can be in either enforcing or permissive mode. In permissive mode, the system acts as if SELinux were enforcing the loaded security policy, but does not actually deny any operations.

Use `getenforce` or `sestatus` to check whether SELinux is being enforced:

.. code-block:: bash

   sestatus

Disable / enable SELinux enforcement:

.. code-block:: bash

   sudo setenforce 0
   sudo setenforce 1

You can also set this at boot with the kernel parameter `enforcing=0` or `enforcing=1`.

On Docker volumes, you may have to add `:z` or `:Z` after each volume to make it accessible from inside the container when SELinux is enforcing.

The configuration file is located at `/etc/selinux/config`.

When enabling SELinux on a system that previously had it disabled, SELinux automatically relabels the file systems when changing to enforcing mode. To make sure this happens, run:

.. code-block:: bash

   fixfiles -F onboot

Users, roles and types
----------------------

SELinux contexts have several fields: user, role, type and security level.

Types end with `_t`. For example, the type name for the web server is `httpd_t`, the type context for files and directories normally found in `/var/www/html` is `httpd_sys_content_t`, and the type context for files and directories normally found in `/tmp` and `/var/tmp` is `tmp_t`. The type context for web server ports is `http_port_t`.

To list the available SELinux users:

.. code-block:: bash

   sudo seinfo -u

To list the available SELinux roles:

.. code-block:: bash

   sudo seinfo -r

For example:

- `guest_r`: has very limited permissions. Users assigned to this role cannot access the network, but can execute files in the `/tmp` and `/home` directories.
- `xguest_r`: has limited permissions. Users assigned to this role can log into X Window, access web pages using network browsers, and access media. They can also execute files in the `/tmp` and `/home` directories.
- `user_r`: has non-root privileged access with full user permissions.
- `staff_r`: similar to `user_r`, with additional privileges. In particular, users assigned to this role are allowed to run `sudo`.

The following are "confined administrator" roles:

- `auditadm_r`: allows managing processes related to the Audit subsystem.
- `dbadm_r`: allows managing MariaDB and PostgreSQL databases.
- `logadm_r`: allows managing logs (Rsyslog and Audit).
- `webadm_r`: allows managing the Apache HTTP server.
- `secadm_r`: security administrator, allows managing the SELinux database.
- `sysadm_r`: can do basically everything of the above and more.

Creating a new user
-------------------

To assign an SELinux user (and thereby its roles) to a new Linux user, create it like this (`<username>` is a placeholder):

.. code-block:: bash

   sudo useradd -Z staff_u <username>
   sudo passwd <username>

To see the SELinux user mapping on your system, use:

.. code-block:: bash

   $ sudo semanage login -l

   Login Name           SELinux User         MLS/MCS Range        Service
   __default__          unconfined_u         s0-s0:c0.c1023       *
   root                 unconfined_u         s0-s0:c0.c1023       *

In general, you can use the `semanage` tool to interact with the policies. Check the man pages for usage.

Policies
--------

You can change parts of the SELinux policy at runtime using booleans. To list all the boolean options, run:

.. code-block:: bash

   semanage boolean -l

To list the current state of the booleans:

.. code-block:: bash

   getsebool -a

After making changes, you need to relabel a directory (optionally recursively; `<path>` is a placeholder):

.. code-block:: bash

   restorecon -Rv <path>

Writing a policy
----------------

An SELinux security policy is a collection of SELinux rules. For example:

.. code-block:: text

   ALLOW apache_process apache_log:FILE READ;

Meaning: the Apache process can read its log file.

The Gentoo wiki has nice documentation for writing a policy. You can also see the `example-*` directories under this one, which use various types of generators to help with boilerplate.

Broadly, policies are written in `.te` files, with optional `.fc` and `.if` files. They are built with a Makefile provided by the distribution into a loadable `.pp` file, which is installed with the `semodule` utility. While developing a policy, you usually use interfaces provided by other modules.

Debug
-----

Read SELinux logs:

.. code-block:: bash

   sudo ausearch -m AVC -ts today

For more detailed information:

.. code-block:: bash

   sealert -l "*"

If auditd is running:

.. code-block:: bash

   journalctl -t setroubleshoot
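The AVC records that `ausearch -m AVC` prints are what tie the debug step back to the context fields (user:role:type:level) and the `allow source target:class { perms };` rule shape described above. The following script is an added example, not part of these notes or of any SELinux tool: it splits a context into its fields and turns a denial record into the allow rule that a tool like `audit2allow` would propose. The two AVC records are constructed samples, not captured from a real system.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): parse SELinux AVC denial
# records, split contexts into user:role:type:level and derive the allow
# rule a denial corresponds to. Sample records below are constructed.

# Return one field of a context string. The level may itself contain ':'
# (e.g. s0-s0:c0.c1023), so it is everything from the 4th field onward.
ctx_field() {
    local ctx="$1"
    case "$2" in
        user)  printf '%s\n' "$ctx" | cut -d: -f1 ;;
        role)  printf '%s\n' "$ctx" | cut -d: -f2 ;;
        type)  printf '%s\n' "$ctx" | cut -d: -f3 ;;
        level) printf '%s\n' "$ctx" | cut -d: -f4- ;;   # empty if no level
        *)     return 1 ;;
    esac
}

# Extract key=value (quoted or not) from an AVC record, e.g. scontext=..., comm="httpd".
avc_kv() {
    printf '%s\n' "$1" |
        sed -n 's/.*[[:space:]]'"$2"'="\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p'
}

# Extract the denied permission set from "avc:  denied  { read open } for ...".
avc_perms() {
    printf '%s\n' "$1" |
        sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*\)}.*/\1/p' |
        sed 's/[[:space:]]*$//'
}

# Build the allow rule that would silence this denial; fails if a field is missing.
avc_to_allow() {
    local rec="$1" s t c p
    s=$(ctx_field "$(avc_kv "$rec" scontext)" type)
    t=$(ctx_field "$(avc_kv "$rec" tcontext)" type)
    c=$(avc_kv "$rec" tclass)
    p=$(avc_perms "$rec")
    [ -n "$s" ] && [ -n "$t" ] && [ -n "$c" ] && [ -n "$p" ] || return 1
    printf 'allow %s %s:%s { %s };\n' "$s" "$t" "$c" "$p"
}

# Constructed sample denials: a web server reading a home-directory file,
# and the same server binding a port that carries no http_port_t label.
SAMPLE_AVC_1='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'
SAMPLE_AVC_2='type=AVC msg=audit(1700000001.456:457): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

for rec in "$SAMPLE_AVC_1" "$SAMPLE_AVC_2"; do
    printf '%s (%s) denied %s on %s -> %s\n' \
        "$(avc_kv "$rec" comm)" "$(ctx_field "$(avc_kv "$rec" scontext)" type)" \
        "$(avc_perms "$rec")" "$(avc_kv "$rec" tclass)" \
        "$(ctx_field "$(avc_kv "$rec" tcontext)" type)"
    avc_to_allow "$rec"
done
```

The generated rule is a starting point for triage, not a fix to ship: a denial against `user_home_t` usually means the content is mislabeled and belongs under `httpd_sys_content_t` (fixed with `restorecon` or the right file context, as in the Policies section), and a `name_bind` denial on an `unreserved_port_t` port is normally resolved by labeling the port (`semanage port`) rather than by allowing `httpd_t` to bind arbitrary ports.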