
Upgrading Red Hat Enterprise Linux / CentOS / Oracle Linux

RHEL/CentOS/Oracle Linux Migration:
Security-Enhanced Linux

Security-Enhanced Linux (or NSA SELinux) itself hasn't changed much in ways that the typical administrator will notice, but Red Hat is making much better use of it. SELinux has gone from "Just turn it off to avoid trouble," to "It may work if you don't do very much, try it in permissive mode as an experiment," to working much better with the release of RHEL/CentOS/Oracle Linux 7. The improvements come through much more complete (and complex) policies.

Some other security improvements have also appeared. Read on for details.


The previous page described the changes in kernel configuration and clusters.

12 — Security-Enhanced Linux

Red Hat has become more ambitious in their use of the NSA Security-Enhanced Linux mechanisms as they progress from one distribution to the next. If you install their product and use it as they direct, it works fine.

Remember that the design philosophy of SELinux is that the policy is always correct. So it is always appropriate to relabel your entire file system:

# restorecon -r -v -e /cgroup -e /dev -e /proc -e /selinux -e /srv -e /sys /

    --- or ---

# find / \( -fstype ext3 -o -fstype ext4 -o -fstype xfs \) -exec restorecon -v {} \;

On RHEL 6 the policy caused problems when you moved Apache configuration files around: you needed to relabel everything under /etc/httpd and possibly /var/www/html. That got better with RHEL 7.

Below are the results of running seinfo on some CentOS and RHEL examples.

From CentOS 5.6:

Statistics for policy file: /etc/selinux/targeted/policy/policy.21
Policy Version & Type: v.21 (binary, MLS)

   Classes:            61    Permissions:       220
   Types:            1868    Attributes:        217
   Users:               3    Roles:               6
   Booleans:          271    Cond. Expr.:       254
   Sensitivities:       1    Categories:       1024
   Allow:          130713    Neverallow:          0
   Auditallow:         42    Dontaudit:        7348
   Role allow:          5    Role trans:          0
   Type_trans:       2309    Type_change:         0
   Type_member:         0    Range_trans:       578
   Constraints:        47    Validatetrans:       0
   Fs_use:             19    Genfscon:           74
   Portcon:           337    Netifcon:            0
   Nodecon:             8    Initial SIDs:       27 

From RHEL 6:

Statistics for policy file: /etc/selinux/targeted/policy/policy.24
Policy Version & Type: v.24 (binary, mls)

   Classes:            77    Permissions:       229
   Sensitivities:       1    Categories:       1024
   Types:            3073    Attributes:        250
   Users:               9    Roles:              13
   Booleans:          168    Cond. Expr.:       203
   Allow:          269649    Neverallow:          0
   Auditallow:         44    Dontaudit:      162489
   Type_trans:      10914    Type_change:        38
   Type_member:        44    Role allow:         20
   Role_trans:        241    Range_trans:      2590
   Constraints:        64    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             22
   Genfscon:           82    Portcon:           378
   Netifcon:            0    Nodecon:             0
   Permissives:        21    Polcap:              2 

From RHEL 7:

Statistics for policy file: /sys/fs/selinux/policy
Policy Version & Type: v.28 (binary, mls)

   Classes:            83    Permissions:       255
   Sensitivities:       1    Categories:       1024
   Types:            4263    Attributes:        349
   Users:               8    Roles:              14
   Booleans:          261    Cond. Expr.:       306
   Allow:           92722    Neverallow:          0
   Auditallow:        120    Dontaudit:        7645
   Type_trans:      14717    Type_change:        74
   Type_member:        27    Role allow:         29
   Role_trans:        734    Range_trans:      5006
   Constraints:        98    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             26
   Genfscon:           91    Portcon:           528
   Netifcon:            0    Nodecon:             0
   Permissives:         0    Polcap:              2 

From RHEL 8:

Statistics for policy file: /sys/fs/selinux/policy
Policy Version:             31 (MLS enabled)
Target Policy:              selinux
Handle unknown classes:     allow
  Classes:             129    Permissions:         452
  Sensitivities:         1    Categories:         1024
  Types:              4934    Attributes:          251
  Users:                 8    Roles:                14
  Booleans:            326    Cond. Expr.:         375
  Allow:            112714    Neverallow:            0
  Auditallow:          162    Dontaudit:         10288
  Type_trans:       244546    Type_change:          74
  Type_member:          35    Range_trans:        6015
  Role allow:           39    Role_trans:          425
  Constraints:          71    Validatetrans:         0
  MLS Constrain:        72    MLS Val. Tran:         0
  Permissives:           0    Polcap:                5
  Defaults:              7    Typebounds:            0
  Allowxperm:            0    Neverallowxperm:       0
  Auditallowxperm:       0    Dontauditxperm:        0
  Initial SIDs:         27    Fs_use:               33
  Genfscon:            105    Portcon:             627
  Netifcon:              0    Nodecon:               0
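To compare policy statistics across releases the way the listings above invite, here is an added example (not from the original page) that parses seinfo output into name/count pairs, reports which counts changed between two policies, and flags permissive domains; the embedded excerpts are constructed from the RHEL 6 and RHEL 7 listings above.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpts of seinfo output, shortened from the RHEL 6 and RHEL 7
# listings above; each indented line carries two "Name: count" pairs.
SEINFO_RHEL6 = """\
Statistics for policy file: /etc/selinux/targeted/policy/policy.24
Policy Version & Type: v.24 (binary, mls)

   Classes:            77    Permissions:       229
   Auditallow:         44    Dontaudit:      162489
   Initial SIDs:       27    Fs_use:             22
   Permissives:        21    Polcap:              2
"""
SEINFO_RHEL7 = """\
Statistics for policy file: /sys/fs/selinux/policy
Policy Version & Type: v.28 (binary, mls)

   Classes:            83    Permissions:       255
   Auditallow:        120    Dontaudit:        7645
   Initial SIDs:       27    Fs_use:             26
   Permissives:         0    Polcap:              2
"""

# Statistic names may contain spaces, dots and underscores ("Cond. Expr.", "Initial SIDs").
_STAT = re.compile(r"([A-Za-z][A-Za-z_. ]*?):\s+(\d+)")


def parse_seinfo(text: str) -> Dict[str, int]:
    """Return {statistic: count} for every 'Name: N' pair in seinfo output."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        if not line.startswith(" "):  # header lines are not indented
            continue
        for name, count in _STAT.findall(line):
            stats[name.strip()] = int(count)
    return stats


def diff_policies(old: Dict[str, int], new: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Statistics whose count differs between two policies; absent names count as 0."""
    names = sorted(set(old) | set(new))
    return {n: (old.get(n, 0), new.get(n, 0))
            for n in names if old.get(n, 0) != new.get(n, 0)}


def review_notes(stats: Dict[str, int]) -> List[str]:
    """Counts worth a second look before trusting a policy on a migrated host."""
    notes = []
    if stats.get("Permissives", 0):  # permissive domains log denials but never enforce
        notes.append(f"{stats['Permissives']} permissive domain(s) in policy")
    return notes
```

On a live host, feed it the output of `seinfo` instead of the constructed excerpts.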

RHEL 8 includes the new update-crypto-policies command, which lets you switch between default, legacy, more cautious, and FIPS-140-2 compliant modes. Read the crypto-policies manual page for descriptions of the available policies.

RHEL 7 and later include OpenSCAP and other compliance tools. The tools themselves are good, but they are useless without the needed SCAP content. Red Hat did only a partial job on RHEL 7, and so far has done much less on RHEL 8 and later.

Finally, you will find that the output of ls -l began to look a little different with the version included with RHEL 6. There is now a "." after the permission mask, indicating that an SELinux security context exists for the object:

# ls -l /etc/rsyslog.conf /sbin/rsyslogd
-rw-r--r--. 1 root root   2741 May 20 2009 /etc/rsyslog.conf
-rwxr-xr-x. 1 root root 344528 Jun  8 2010 /sbin/rsyslogd 

Meanwhile, a "+" in that position indicates that getfacl would show you an ACL with more than the three required entries.