Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
documentation.suse.com / SUSE Linux Enterprise Micro Documentation / Quick Start Guides / Security Guide
SUSE Linux Enterprise Micro 5.2

Security Guide

This guide gives a brief overview of SELinux implementation on SLE Micro.

Publication Date: September 29, 2022

1 Introduction to SELinux

SELinux was developed as an additional Linux security solution that uses the security framework in the Linux kernel. The purpose was to allow for a more granular security policy that goes beyond the standard Discretionary Access Controls (DAC), the traditional file permissions of owner/group/world, and read/write/execute.

SELinux uses labels attached to objects (for example, files and network sockets) and uses them for access decisions.

The default action of SELinux is to deny any access. SELinux allows only actions that were specifically allowed in the SELinux policy. Another feature of SELinux that increases security is that SELinux allows strict confinement of processes up to the point where the processes cannot access files of other processes on the same system.

SELinux was designed to enhance existing security solutions, not to replace them. For example, discretionary access control (DAC) is still applied even if the system is using SELinux. If DAC denies access first, SELinux is then not used as the access was already blocked by another mechanism.

2 Getting SELinux

SELinux is installed by default when installing SLE Micro by YaST or is part of the pre-built images. In systems installed manually by YaST, SELinux is in the disabled mode by default, and the file system is not labeled. If you deployed your system using the pre-built images, the SELinux mode is permissive, and the file system is labeled.

To set the SELinux mode to enforcing and configure your system properly for using SELinux, run the following command:

# transactional-update setup-selinux

Reboot your system after the command completes. The command installs the SELinux policy if it is not installed, sets the enforcing SELinux mode and rebuilds initrd.

3 SELinux modes

SELinux can run in one of three modes: disabled, permissive, or enforcing.

Using the disabled mode means that no rules from the SELinux policy are applied and your system is not protected. Therefore, the disabled mode is not recommended.

In the permissive mode, SELinux is active, the security policy is loaded, the file system is labeled and access denial entries are logged. However, the policy is not enforced and thus no access is actually denied.

In the enforced mode, the security policy is applied. Each access that is not explicitly allowed by the policy is denied.

You can switch between the enforcing and permissive modes by using the setenforce command. Alternatively, you can switch between all SELinux modes by editing the /etc/selinux/config configuration file. Changes performed by the setenforce command are valid only until the next reboot. For persistent changes of the SELinux mode, edit the /etc/selinux/config configuration file.

The setenforce command has the following syntax:

# setenforce MODE_ID

where MODE_ID is 0 for the permissive mode or 1 for the enforced mode.

To verify the mode, run the following command:

# getenforce

The command should return permissive or enforced, depending on the provided MODE_ID.

To change the SELinux mode permanently, in the file /etc/selinux/config change the value of SELINUX to disabled, or permissive, or enforced as follows:

SELINUX=disabled

The changes in the file are applied after next reboot.

Note
Note: Relabeling your system after switching from the disabled mode

If you disable SELinux on your system and then enable it later, make sure that you relabel your system. When SELinux is disabled and you perform changes to your file system, the changes are not reflected in the context anymore (for example, new files do not have any context). Therefore, you need to relabel your system by using the restorecon command, using the autorelabel boot parameter, or by creating a file that will trigger relabeling on the next boot. To create the file, run the following command:

# touch /etc/selinux/.autorelabel

After reboot, the file /etc/selinux/.autorelabel is replaced with another flag file: /etc/selinux/.relabelled to prevent relabeling on subsequent reboots.

4 SELinux policy overview

The policy is the key component in SELinux. Your SELinux policy defines rules that specify which objects can access which files, directories, ports, and processes on a system. To do this, a security context is defined for all of these.

An SELinux policy contains a huge number of rules. To make it more manageable, policies are often split into modules. This allows the administrator to switch protection on or off for different parts of the system.

When compiling the policy for your system, you will have a choice to either work with a modular policy, or a monolithic policy, where one huge policy is used to protect everything on your system. It is strongly recommended to use a modular policy and not a monolithic policy. Modular policies are much easier to manage.

SLE Micro is shipped with the targeted SELinux policy.

5 SELinux security context

The security context is a set of information assigned to a file or a process. It consists of SELinux user, role, type, level and category. This information is used to make access control decisions.

SELinux context fields
SELinux user

is an identity defined in the policy that is authorized for a specific set of roles and for a specific level range. Each Linux user is mapped to an SELinux user. SELinux does not use the list of user accounts maintained by Linux in /etc/passwd, but uses its own database and mapping. By convention, the identity name is suffixed with _u, for example: user_u.

role

defines a set of permissions that a user can be granted. A role defines which types a user assigned to this role can access. By convention, the role name is suffixed with _r, for example: system_r.

type

conveys information on how particular files and processes can interact. A process consists of files with a concrete SELinux type, and it cannot access files outside of this type. By convention, the type name is suffixed with _t, for example: var_t.

level

is an optional attribute that specifies the range of levels of clearance in the multilevel security.

category

is an optional attribute that allows you to add categories to processes, files and users. A user can then access files that have the same category.

6 Tools for managing SELinux

In the default deployment of SLE Micro, regardless of the deployment method, some of the commands for managing SELinux are not installed. To install the commands described bellow, run the following command:

# transactional-update pkg install policycoreutils-python-utils

After successful installation and rebooting your system, you will be able to use the commands to manage your system.

SELinux commands
chcon

changes the security context of provided files to the context provided to the command

getenforce

displays the current SELinux mode

fixfiles

enables you to check for issues with a mismatched security context and then fix them

ls -Z PATH

shows security context of all files/directories in the specified PATH, for example:

# ls -Z /
system_u:object_r:bin_t:s0 bin
system_u:object_r:boot_t:s0 boot
system_u:object_r:device_t:s0 dev
system_u:object_r:etc_t:s0  etc
system_u:object_r:home_root_t:s0 home
system_u:object_r:lib_t:s0 lib
system_u:object_r:lib_t:s0 lib64
system_u:object_r:mnt_t:s0 mnt
system_u:object_r:usr_t:s0 opt
system_u:object_r:proc_t:s0 proc
system_u:object_r:default_t:s0 root
system_u:object_r:var_run_t:s0 run
system_u:object_r:bin_t:s0 sbin
system_u:object_r:var_t:s0 srv
system_u:object_r:sysfs_t:s0 sys
system_u:object_r:tmp_t:s0 tmp
system_u:object_r:usr_t:s0 usr
system_u:object_r:var_t:s0 var
restorecon

restores a file context to the default value (as stored in the SELinux policy)

semanage

enables you to adjust context and configure certain elements of SELinux policy. The command provides several subcommands; for details, use:

# semanage --help
setenforce

enables you to temporarily set a SELinux mode to permissive or enforcing

sestatus

displays the current status of SELinux, for example:

# sestatus

SELinux status:               enabled
SElinuxfs mount:              /sys/fs/selinux
SELinux root directory:       /etc/selinux
Loaded policy name:           targeted
Current mode:                 enforcing
Mode from config file:        enforcing
Policy MLS status:            enabled
Policy deny_unknown status:   allowed
Memory protection checking:   requested (insecure)
Max kernel policy version:    31
Note
Note: The Z option available to other commands

You can also use the Z option with other commands, for example: cp, ps, and id.