SELinux and RHEL: A technical exploration of security hardening

Security in the enterprise world is paramount, and Red Hat Enterprise Linux (RHEL) has long been a leader in integrating robust security mechanisms. Security-Enhanced Linux (SELinux) is a cornerstone technology enabling this security. In this blog, we explore SELinux's workings, its role in RHEL, and its relationship with Red Hat’s approach to vulnerability assessment, as detailed in our four-point impact scale for common vulnerabilities and exposures (CVEs).

What is SELinux?

SELinux is a Mandatory Access Control (MAC) system integrated into the Linux kernel. Unlike Discretionary Access Control (DAC), where a user or process determines permissions, SELinux enforces security policies defined by security administrators, regardless of user preferences or actions. This provides precision control over system interactions, reducing attack surfaces.

Core concepts of SELinux

SELinux consists of the following four core concepts:

1. Policy enforcement: SELinux policies define the rules for how processes (known as "subjects") interact with files, devices (known as "objects"), and other processes. These rules operate on the principle of least privilege
2. Contexts: SELinux assigns security contexts (in the form of "labels") to files, processes, network ports, and all objects on the system. These contexts dictate access permissions
3. Modes: SELinux can be in one of two states
   • Enforcing: Policies are actively enforced, and unauthorized actions are blocked
   • Permissive: Policies are logged but not enforced, which is useful for troubleshooting
4. Types of policies: Broadly speaking, there are two different kinds of policies
   • Targeted policy: Focuses on securing systemd started services by default. Other additional features can be enabled, such as confined users
   • MLS policy: Implements multi-level security, which is used in highly classified environments

SELinux in RHEL

Red Hat’s integration of SELinux in RHEL underscores its commitment to security. SELinux is enabled by default on RHEL systems, and the targeted policy is pre-configured to help secure essential services like web servers, databases and network daemons. By using SELinux, RHEL enables a proactive security posture that mitigates vulnerabilities and limits the impact of exploitation.

• Policy customization: RHEL allows admins to create or modify SELinux policies to suit specific workloads
• SELinux troubleshooter: A tool in RHEL to help identify and resolve SELinux-related issues, making policy tuning accessible
• Integration with containers/VMs: SELinux extends its capabilities to containerized and virtualization environments in RHEL, enabling isolation and security for container and virtualization workloads

Common SELinux commands with examples

Although SELinux mostly runs in the background, you can interact with it through the command-line.

1. Check SELinux status

Use sestatus to display information including the current SELinux status (enabled or disabled) and mode (enforcing or permissive). For example:

$ sestatus
SELinux status: enabled
Current mode: enforcing
[...]

2. Change SELinux mode

Use setenforce to toggle between enforcing and permissive modes without rebooting.

$ sudo setenforce 0   # Switch to permissive mode
$ sudo setenforce 1   # Switch back to enforcing mode

3. View SELinux contexts

When using the ls command, use the -Z option to list the SELinux context of files and directories. For example:

$ ls -Z /path/to/directory
unconfined_u:object_r:user_home_t:s0 example.txt

4. Change SELinux context

Standard system locations have default SELinux contexts, so you don't usually have to change them manually. You can set the SELinux context when you need to, though, by using the chcon command. For example, to change the SELinux context of a file's extended attributes to a type appropriate for serving web content:

$ sudo chcon -t httpd_sys_content_t \
  /var/www/html/index.html

To see a full list of context definitions, install the setools-console package, and then run the seinfo command:

$ sudo setools --expand --type

5. Restore default SELinux contexts

Use the restorecon command to restore the default SELinux contexts for files and directories. In this example, I use the -R option to process all subdirectories, and the -v option to show what changes are being made:

$ sudo restorecon -Rv /var/www/html

6. Troubleshoot SELinux denials

When you are denied access to a file or process by SELinux, an Access Vector Cache (AVC) denial occurs. To search through SELinux's audit logs for a recent AVC denial, use ausearch:

$ sudo ausearch -m AVC -ts recent

The sealert command can analyze the audit log, and provide suggestions on how to resolve an SELinux denial:

$ sudo sealert --analyze /var/log/audit/audit.log

7. Manage SELinux policy module

An SELinux policy module is a collection of rules that extends or modifies an existing SELinux policy without changing the basic policy. It defines access controls for applications, specifying what resources they can interact with.

The semodule command lists all loaded SELinux policy modules:

$ sudo semodule --list

You can install a custom SELinux policy module, too:

sudo semodule -i custom_policy.pp

8. Generate policy allowances

Using the auditd command, you can generate and install a policy module to allow an action that was previously denied by default:

$ auditd | audit2allow -M mymodule
$ sudo semodule -i mymodule.pp

The role of SELinux in mitigating CVEs

Red Hat’s vulnerability assessment process is outlined in a four-point impact scale: Critical, important, moderate and low. We consider mitigation measures like SELinux when assigning severity ratings to CVEs.

Critical impact and SELinux

A critical vulnerability, such as CVE-2021-44228 (Log4Shell), often allows remote unauthenticated attackers to execute arbitrary code. SELinux can mitigate the impact by confining vulnerable services within restrictive policies, limiting the attack’s reach. For instance, if the exploited process is running under a confined SELinux domain, it may not have the privileges to access sensitive files or execute further payloads.

Important impact and SELinux

For important CVEs, such as CVE-2023-4911 (Looney Tunables), SELinux plays a vital role in restricting the scope of privilege escalation. Even if an attacker successfully exploits a buffer overflow to gain elevated privileges, SELinux policies can confine their activities, protecting critical system components.

Moderate impact and SELinux

Moderate CVEs, like CVE-2023-3128 (Grafana issue), often rely on unlikely configurations or are difficult to exploit. SELinux policies act as an additional layer of defense, preventing such vulnerabilities from escalating into significant threats.

Low impact and SELinux

Low-severity issues, such as CVE-2023-48232 (vim crash), usually result in minimal consequences. While SELinux may not directly prevent such issues, its consistent policy enforcement helps contain even theoretical attacks.

A real-world example of mitigating a remote exploit

To understand SELinux’s impact on RHEL security, consider the following scenario. A web server running on RHEL is configured with SELinux in enforcing mode. The server is affected by a vulnerability that allows remote code execution (RCE). Without SELinux, the attacker could execute arbitrary commands and potentially take control of the system. However, with SELinux:

1. The web server is confined to its domain, for example, httpd_t
2. SELinux policies restrict access to sensitive files, such as /etc/shadow or /var/lib/mysql
3. Network access is limited to the server’s expected behavior, preventing lateral movement

SELinux reduces the vulnerability’s impact from a potential system compromise to a contained exploit.

Best practices for managing SELinux in RHEL

SELinux is set up by default on both RHEL and Fedora. Here are 5 things that help you get the most of SELinux on your systems:

1. Keep SELinux enabled:
   • Use permissive mode temporarily for troubleshooting
   • Disabling SELinux removes a critical layer of security
2. Understand SELinux alerts:
   • Use audit.log or tools like ausearch and sealert to analyze denied actions
   • Apply only necessary policy changes to maintain a secure configuration
3. Leverage SELinux in containers:
   • Use container runtimes like Podman, which integrate with SELinux to enforce isolation
   • Ensure SELinux labels are correctly applied to container volumes
   • Install and use the udica package, a tool for generating SELinux security policies for containers, as needed
4. Regular policy updates: Update SELinux policies as part of routine system maintenance to address new threats
5. Train teams: Educate administrators on SELinux basics, troubleshooting and policy management

Make SELinux work for you

SELinux is an indispensable tool for hardening RHEL systems. Its ability to enforce granular security policies aligns seamlessly with Red Hat’s holistic approach to vulnerability management. By incorporating SELinux’s mitigation capabilities into CVE assessments, Red Hat provides customers with realistic and actionable severity ratings. Organizations running RHEL can maximize their security posture by embracing SELinux and understanding its role in protecting against modern threats.

Whether it’s a critical flaw like Log4Shell or a low-severity issue in a text editor, SELinux helps contain vulnerabilities, minimizing the risk to enterprise systems. In a world of ever-evolving threats, SELinux remains a cornerstone of Linux security, empowering organizations to confidently protect their data and operations.