333.2 Mandatory Access Control (weight: 5)

Tech Tutorial: 333.2 Mandatory Access Control (weight: 5) #

Introduction #

Mandatory Access Control (MAC) is a security model in which access rights are regulated by a central authority based on different levels of security. This tutorial will focus on understanding and implementing MAC on Linux systems, particularly through the use of Security-Enhanced Linux (SELinux) and AppArmor, which are the most common MAC frameworks used in Linux environments.

Key Knowledge Areas: #

  • Understand the concepts of SELinux and AppArmor
  • Manage and implement SELinux and AppArmor policies
  • Troubleshoot SELinux and AppArmor issues

Utilities: #

  • SELinux: sestatus, getenforce, setenforce, semanage, restorecon, chcon, audit2allow, audit2why
  • AppArmor: aa-status, aa-enforce, aa-complain, aa-disable, aa-genprof, aa-logprof

Step-by-Step Guide #

SELinux #

1. Checking SELinux Status #

The sestatus command provides the current status of SELinux on your system.

sestatus

2. Get Current Enforcing Mode #

To check if SELinux is enforcing, permissive, or disabled, use:

getenforce

3. Set Enforcing Mode #

To toggle SELinux between enforcing and permissive mode (without reboot), use:

sudo setenforce Enforcing
sudo setenforce Permissive

4. Manage SELinux Policies #

The semanage command is a powerful tool for managing SELinux policies.

  • List SELinux user mappings:
semanage login -l
  • Add a new mapping:
sudo semanage login -a -s sysadm_u -r s0-s0:c0.c1023 new_user

5. Restore Default File Contexts #

If file contexts get corrupted or changed, they can be restored using:

restorecon -v /path/to/file

6. Change File Context #

To manually change the SELinux context of a file, use:

chcon -t httpd_sys_content_t /var/www/html/index.html

7. Analyzing AVC Messages #

Convert AVC messages from logs into SELinux policy allow rules using:

audit2allow -w -a
audit2allow -a -M mypol

8. Understanding Denials #

To understand why certain operations were denied by SELinux:

audit2why -a

AppArmor #

1. Checking AppArmor Status #

To see the status of AppArmor and profiles:

sudo aa-status

2. Switching Modes #

To toggle a profile between enforcing and complain mode:

sudo aa-enforce /path/to/profile
sudo aa-complain /path/to/profile

3. Disable a Profile #

To disable an AppArmor profile:

sudo aa-disable /path/to/profile

4. Generate and Update Profiles #

  • Generate a new profile interactively:
sudo aa-genprof /path/to/application
  • Update a profile from log data interactively:
sudo aa-logprof

Detailed Code Examples #

Each command listed above is critical for managing and troubleshooting SELinux and AppArmor on your system. These examples provide a real-world context to help you understand their usage thoroughly. For instance:

# Enforcing SELinux and then checking status
sudo setenforce 1
sestatus

This sequence sets SELinux to enforcing mode and then checks to confirm the change was applied.

Conclusion #

Understanding and implementing Mandatory Access Control with SELinux and AppArmor adds an essential layer of security to your Linux systems. By mastering these commands and concepts, you can effectively manage security policies and ensure your systems are protected against unauthorized access. Remember, regular practice and continued learning are key to mastering Linux security administration.