
SE Linux Support

Updated Jun 20, 2021

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including United States Department of Defense–style mandatory access controls (MAC).

All official CentOS Linux builds come preconfigured with SELinux enabled and set to enforcing mode. There are two approaches to running the agent on a system with SELinux enabled:

  1. Set SELinux to Permissive mode or disable SELinux completely

  2. Configure SELinux to allow the module and agent to communicate

Symptoms of SELinux enabled in enforcing mode

System administrators are often unaware that SELinux is installed until they hit an error similar to the following when trying to connect the module to the agent:

2016/05/11 22:16:29 [crit] 3193#3193: *10 connect() 
to unix:/var/run/sigsci.sock failed 
(13: Permission denied), client: 10.95.20.86, 
server: localhost, request: "GET /ping HTTP/1.1", 
host: "10.95.21.104"

To check the status of SELinux, run the command sestatus, which should produce output similar to the following:

[centos@ip-10-95-21-104 nginx]$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

Set SELinux to Permissive mode or disable SELinux completely

The main configuration file for SELinux is /etc/selinux/config. We can run the following command to view its contents:

cat /etc/selinux/config

The output will look something like this:

# This file controls the state of SELinux on the system. 
# SELINUX= can take one of these three values: 
# enforcing - SELinux security policy is enforced. 
# permissive - SELinux prints warnings instead of enforcing. 
# disabled - No SELinux policy is loaded. 
SELINUX=enforcing 
# SELINUXTYPE= can take one of these two values: 
# targeted - Targeted processes are protected, 
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection. 
SELINUXTYPE=targeted

For this approach, either disable SELinux or switch it to permissive (logging) mode. A conservative first step may be changing the configuration line to SELINUX=permissive if you want to preserve the logging. You will then need to reboot the system entirely for this change to be applied. Verify the new SELinux status with another sestatus command.

Configure SELinux to allow the module and agent to communicate

These steps assume that SELinux is in permissive or enforcing mode and that it writes to the /var/log/audit/audit.log file (other Unix flavors potentially write it elsewhere).

  • Log in as root to install the SigSci agent and module.

  • Restart the web server and start the agent. Also browse the web site so that the module initiates communication with the agent. In permissive mode, things should work, but the audit log will be populated with messages describing what would have been blocked. In enforcing mode, the same log messages will be appended to the audit log.

  • Now, from your home directory, run the following command to create a .te file and a .pp (policy package) file: cat /var/log/audit/audit.log | audit2allow -M sigsci

  • Now install the policy package file with semodule -i sigsci.pp

  • Verify that the policy was installed and loaded with semodule -l

At this point, restart the web server and the Signal Sciences agent; the module and agent should now communicate properly.
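
An added example, not part of the original Signal Sciences documentation: audit2allow turns every denial in its input into an allow rule, so this script filters the audit log down to AVC denials that name sigsci.sock and summarises them for review before the module is built. The log lines, the function names and the socket-name filter are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: narrow audit2allow input to denials on the agent socket.
# sample_log holds constructed audit.log lines, not output from a real host.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1463004989.123:401): avc:  denied  { write } for  pid=3193 comm="nginx" name="sigsci.sock" dev="tmpfs" ino=21345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1463004989.123:402): avc:  denied  { connectto } for  pid=3193 comm="nginx" path="/run/sigsci.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1463004989.123:402): arch=c000003e syscall=42 success=no exit=-13 comm="nginx" exe="/usr/sbin/nginx"
type=AVC msg=audit(1463005000.500:410): avc:  denied  { read } for  pid=4021 comm="httpd" name="shadow" dev="xvda1" ino=8812 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
EOF
}

# Keep only AVC denials whose name= or path= field is the agent socket.
# Reads the files given as arguments, or stdin when there are none.
sigsci_denials() {
    grep -E '^type=AVC .*denied' "$@" | grep -E '(name|path)="[^"]*sigsci\.sock"'
}

# Reduce each denial to "source_type target_type class permissions",
# which is the shape of the allow rule audit2allow would generate.
summarise_denials() {
    sed -nE 's/.*denied +\{ ([^}]*) \}.* scontext=[^:]*:[^:]*:([^:]*):.* tcontext=[^:]*:[^:]*:([^:]*):.* tclass=([^ ]*).*/\2 \3 \4 \1/p' | sort -u
}

# Review what a module built from the filtered input would allow.
# The unrelated shadow_t denial in the sample is excluded by the filter.
sample_log | sigsci_denials | summarise_denials

# On a real host, after reviewing the summary:
#   sigsci_denials /var/log/audit/audit.log | audit2allow -M sigsci
```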