Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including United States Department of Defense–style mandatory access controls (MAC).
All official CentOS Linux builds come pre-configured with SELinux enabled and set to enforcing mode. There are two approaches to running the agent on a system with SELinux enabled:

1. Set SELinux to permissive mode or disable SELinux completely
2. Configure SELinux to allow the module and agent to communicate
Symptoms of SELinux enabled in enforcing mode

Often, system administrators are not aware that SELinux is installed until they hit an error similar to the following when trying to connect the module to the agent:
2016/05/11 22:16:29 [crit] 3193#3193: *10 connect() to unix:/var/run/sigsci.sock failed (13: Permission denied), client: 192.0.2.209, server: localhost, request: "GET /ping HTTP/1.1", host: "192.0.2.209"
To check the status of SELinux, run the command sestatus, which should produce output similar to the following:

[centos@ip-10-95-21-104 nginx]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
Set SELinux to permissive mode or disable SELinux completely

The main configuration file for SELinux is /etc/selinux/config. Viewing its contents (for example with cat) shows something like this:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
You want to either disable SELinux or switch it to permissive (logging) mode. A conservative first step is changing the configuration line to SELINUX=permissive, which preserves the logging. You will then need to reboot the system for this change to be applied. Verify the new status of SELinux with another run of sestatus.
Configure SELinux to allow the module and agent to communicate

This assumes the system has SELinux in permissive or enforcing mode, and that SELinux writes its audit records to /var/log/audit/audit.log (other Unix flavors potentially write them elsewhere).
Log in as root to install the SigSci agent and module.
Restart the web server and start the agent. Also browse the web site to cause the module to invoke communications with the agent. In permissive mode, things should work, but the audit log will be populated with messages describing what would have been blocked. In enforcing mode, the same messages are appended to the audit log, but the connections are actually denied.
Now, from your home directory, run the following command to create a .te (type enforcement source) file and a .pp (policy package) file from the denials recorded in the audit log (audit2allow -M writes both sigsci.te and sigsci.pp itself, so the output must not be redirected into sigsci.te):

audit2allow -i /var/log/audit/audit.log -M sigsci
Now install the policy package file with

semodule -i sigsci.pp

Verify that the policy was installed and loaded by listing the loaded modules with semodule -l and checking that sigsci appears.
At this point you should restart the web server and the Signal Sciences agent, and the module should communicate with the agent properly.
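The two approaches above, gathered into shell helpers as an added example (not code from the original page or from Signal Sciences): reading and switching the boot-time mode in the config file, summarising the audit denials that touch the agent socket before turning them into allow rules, and building and loading the module. The audit records, socket path and SELinux types in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Audit lines below are constructed.

# Boot-time mode recorded in an SELinux config file (default /etc/selinux/config).
config_mode() {
  sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "${1:-/etc/selinux/config}"
}

# Option 1: keep logging but stop enforcement. Applies at the next reboot
# (setenforce 0 changes the running kernel immediately, until reboot).
set_permissive() {
  f=${1:-/etc/selinux/config}
  sed 's/^SELINUX=enforcing/SELINUX=permissive/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Option 2, step 1: list distinct denials mentioning the agent socket, so you can
# confirm the rules you are about to allow cover only web server -> agent traffic.
# Output per line: permission source_type target_type class
summarize_denials() {
  grep 'avc:  denied' "$1" | grep "$2" |
    sed -n 's/.*denied  { \([^}]*\) }.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\1 \2 \3 \4/p' |
    sort -u
}

# Option 2, step 2: build NAME.te and NAME.pp from the audit log and load the
# module. audit2allow -M writes both files itself, so no shell redirect is used.
# Needs root and the SELinux tools; not exercised by the demo below.
build_and_install_module() {
  name=$1; log=${2:-/var/log/audit/audit.log}
  audit2allow -i "$log" -M "$name" || return 1
  cat "$name.te"                      # review the generated rules before loading
  semodule -i "$name.pp" && semodule -l | grep "^$name"
}

# Constructed sample AVC records, shaped like /var/log/audit/audit.log entries
# when nginx (httpd_t) is refused the agent's unix socket.
SAMPLE_AUDIT='type=AVC msg=audit(1462999000.123:456): avc:  denied  { connectto } for  pid=3193 comm="nginx" path="/var/run/sigsci.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1462999000.456:457): avc:  denied  { write } for  pid=3193 comm="nginx" name="sigsci.sock" dev="tmpfs" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1462999000.456:457): arch=c000003e syscall=42 success=no exit=-13 comm="nginx"'

# Offline demo on the constructed sample (no root or SELinux needed).
demo() {
  tmp=$(mktemp); printf '%s\n' "$SAMPLE_AUDIT" > "$tmp"
  summarize_denials "$tmp" sigsci.sock
  rm -f "$tmp"
}
```

Running demo prints the two distinct denials (connectto on the socket and write on the socket file) that the generated module would allow; anything else in the list is a sign the audit log contains unrelated denials that should not be blanket-allowed.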