Security Hardening (SELinux)

Below is a draft for a WIKI article on hardening, please use with caution until it’s fully approved. This worked for me, YMMV.

Security Hardening

This guide is designed to harden the security on Rockstor. The changes suggested here may impact your system and cause services or features to become unavailable without proper testing. By following this guide and understanding what you are doing, you should be able to prevent this. This guide will show you how to apply SELinux to the Rockstor system and be alerted for anything that is blocked.

Minimum requirements

  • Rockstor 3 base system (3.8-14 was used by this author) - ideally a VM or testing installation
  • SSH or terminal access to your system
  • Familiarity with vim or your favorite editor
  • Ability to use 2 terminals at once or screen

Installation

We first want to set selinux to permissive. Before we do this, it’s best to have your disks imported and pools created. Permissive allows us to log all SELinux violations without preventing their actions. This is good because we can see what will be blocked. In addition, we will install some tools that almost tell us exactly how to unblock anything that does get blocked.

Let’s go ahead and install the tools, set permissive and reboot for it to take effect (you can do this without reboot but you’ll miss any issues that present themselves on reboot).

Install the extra tools

# yum -y install setroubleshoot-server setools mcstrans

Now let’s enable selinux in permissive mode. We need to reboot after to catch the logs. You can use vi on /etc/selinux/config or copy/paste the line below

# sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config && cat /etc/selinux/config
# systemctl reboot

Now once the system reboots, you will get some log entries from which we can find out if SELinux is blocking anything. We want to find entries that indicate something is being blocked. Let’s search the messages log.

# cat /var/log/messages | grep "SELinux is preventing"

If no errors, let’s search for just “SELinux”

# cat /var/log/messages | grep "SELinux"

We should get something back like this if everything is ok.

Aug 10 15:43:09 Rocky3 kernel: SELinux: Initializing.
Aug 10 15:43:13 Rocky3 kernel: SELinux: Disabled at runtime.
Aug 10 15:51:15 rocky3 kernel: SELinux: Initializing.
Aug 10 15:51:17 rocky3 kernel: SELinux: Disabled at runtime.
Aug 10 15:52:39 rocky3 kernel: SELinux: Initializing.
Aug 10 15:52:41 rocky3 kernel: SELinux: Permission validate_trans in class security not defined in policy.
Aug 10 15:52:41 rocky3 kernel: SELinux: Class netlink_iscsi_socket not defined in policy.
Aug 10 15:52:41 rocky3 kernel: SELinux: Class netlink_fib_lookup_socket not defined in policy.
Aug 10 15:52:41 rocky3 kernel: SELinux: Class netlink_connector_socket not defined in policy.
Aug 10 15:52:41 rocky3 kernel: SELinux: Class netlink_netfilter_socket not defined in policy.
Aug 10 15:52:41 rocky3 kernel: SELinux: Class netlink_generic_socket not defined in policy.
Aug 10 15:52:41 rocky3 kernel: SELinux: Class netlink_scsitransport_socket not defined in policy.
Aug 10 15:52:41 rocky3 kernel: SELinux: Class netlink_rdma_socket not defined in policy.
Aug 10 15:52:41 rocky3 kernel: SELinux: Class netlink_crypto_socket not defined in policy.
Aug 10 15:52:41 rocky3 kernel: SELinux: Permission audit_read in class capability2 not defined in policy.
Aug 10 15:52:41 rocky3 kernel: SELinux: Class binder not defined in policy.
Aug 10 15:52:41 rocky3 kernel: SELinux: the above unknown classes and permissions will be allowed
Aug 10 15:52:41 rocky3 systemd[1]: Successfully loaded SELinux policy in 69.596ms.

If something is being blocked we would see something like:

Aug 10 16:10:18 rocky3 setroubleshoot: SELinux is preventing /usr/sbin/nmbd from getattr access on the file /etc/samba/smb.conf

If you have any errors, please see the troubleshooting part of this document before enabling the enforcing mode. For clean installs without any additional services, you should not see any errors.

Let’s enable enforcing now that we have no errors.

# sed -i 's/^SELINUX=.*/SELINUX=enforcing/g' /etc/selinux/config && cat /etc/selinux/config
# systemctl reboot

It is a good idea to now check for errors again but you should now be using selinux. We can run the sestatus command to check selinux status.

# sestatus

Should show the following:

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 30

Troubleshooting

Resolving log messages

Some other places to look for errors include utilizing the sealert tool. This tool not only shows the error but also shows how to fix it, with confidence scores indicating how sure it thinks it is.

When we search in /var/log/messages, we may have a message similar to the one below. Note the last sentence, which says what command to run.

Aug 10 16:11:05 rocky3 setroubleshoot: SELinux is preventing /usr/sbin/nmbd from read access on the file smb.conf. For complete SELinux messages. run sealert -l 109d0656-c57b-4fdd-9ef3-09c6cee6351a

When you run that command, you’ll get an output similar to the one below. Note the confidence scores and resolutions. Look up what they do (don’t blindly trust everything please). The following output indicates that SELinux is preventing the smbd service from modifying the smb.conf file.

SELinux is preventing /usr/sbin/smbd from open access on the file /etc/samba/smb.conf.

*****  Plugin restorecon (60.0 confidence) suggests   ************************

If you want to fix the label.
/etc/samba/smb.conf default label should be samba_etc_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /etc/samba/smb.conf

*****  Plugin samba_share (30.8 confidence) suggests   ***********************

If you want to allow smbd to have open access on the smb.conf file
Then you need to change the label on '/etc/samba/smb.conf'
Do
# semanage fcontext -a -t samba_share_t '/etc/samba/smb.conf'
# restorecon  -v '/etc/samba/smb.conf'

*****  Plugin catchall_boolean (5.26 confidence) suggests   ******************

If you want to allow samba to export all ro
Then you must tell SELinux about this by enabling the 'samba_export_all_ro' boolean.

Do
setsebool -P samba_export_all_ro 1

*****  Plugin catchall_boolean (5.26 confidence) suggests   ******************

If you want to allow samba to export all rw
Then you must tell SELinux about this by enabling the 'samba_export_all_rw' boolean.

Do
setsebool -P samba_export_all_rw 1

*****  Plugin catchall (1.09 confidence) suggests   **************************

If you believe that smbd should be allowed open access on the smb.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep smbd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

To resolve this, we want smbd to have access to the smb.conf file. We are saying that the service can now access it. SELinux was protecting us from some service just using that file or modifying it, which is a good thing! In the samba section we will run the commands to enable smb.conf access and also read/write if desired.

sealert usually targets a log file with the -a option. These usually will give you the messages you need.

# sealert -a /var/log/audit/audit.log

Samba

When you enable Samba, you’ll start getting audit messages. If you try to map a share to samba in the GUI, it’ll give you an error. This is because it doesn’t allow modifying smb.conf which is what you are doing (you’re adding lines to the bottom of the file indicating what shares you want to export). To allow this we need to allow access and also allow read only or read/write.

# semanage fcontext -a -t samba_etc_t /etc/samba/smb.conf
# restorecon -Rv /etc/samba/

restorecon reset /etc/samba/smb.conf context system_u:object_r:tmp_t:s0->system_u:object_r:samba_etc_t:s0

We just set the security context on smb.conf so it is able to be used. Restorecon is necessary because it sets the contexts correctly on the files and directories.

Below is a blanket boolean to allow samba rw/ro access. It would be better to set this for the directories you share rather than all over but for now, we will just set it. Use ro for read only or rw for read/write

# setsebool -P samba_export_all_ro 1

OR

# setsebool -P samba_export_all_rw 1

NFS

I haven’t found anything blocking NFS yet.

Rockons (Docker)

These will vary by container so anytime you add a rockon you should check sealert or grep in /var/log/messages for an error. The other area to keep an eye on is sharing volumes between containers. This worked for me but I would always check after enabling.

Importing new pools or adding disks or btrfs

This is going to be the scariest area here. SELinux adds contexts to files and directories and if this gets messed up, you won’t be able to access much. BEFORE you do this, I would likely just go into /etc/selinux/config and set everything to permissive just in case. Do the import, double check the logs then set it back to enforcing.

5 Likes
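
The permissive-mode log check described in the guide above, as an added example that is not part of the original post: it lists the distinct "SELinux is preventing" entries logged since the last policy load, so denials left over from earlier boots do not skew the decision to switch to enforcing. The function names are hypothetical and the sample log is constructed from the line formats shown in the post; the first alert ID in it is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post). Summarises setroubleshoot
# denials logged since the most recent SELinux policy load (this boot).

# Print only the lines after the last "Successfully loaded SELinux policy".
# If the marker is absent (rotated log), every line is kept.
since_boot() {
    awk '/Successfully loaded SELinux policy/ { n = 0; next }
         { buf[++n] = $0 }
         END { for (i = 1; i <= n; i++) print buf[i] }' "$1"
}

# One line per distinct denial:
#   "<count> <process> from <access> access on the <target>"
denials_since_boot() {
    since_boot "$1" | awk '
        /setroubleshoot: SELinux is preventing / {
            msg = $0
            sub(/^.*SELinux is preventing /, "", msg)
            sub(/\. For complete SELinux messages.*$/, "", msg)
            sub(/\.$/, "", msg)
            count[msg]++
        }
        END { for (m in count) printf "%d %s\n", count[m], m }' | LC_ALL=C sort -k2
}

# Distinct alert IDs to pass to "sealert -l <id>".
sealert_ids() {
    since_boot "$1" | grep -o 'sealert -l [0-9a-f-]*' | awk '{ print $3 }' | sort -u
}

# Succeeds only when nothing was denied since the last policy load.
safe_to_enforce() {
    [ -z "$(denials_since_boot "$1")" ]
}

# Constructed sample in the /var/log/messages format shown in the post.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Aug 10 15:43:20 rocky3 setroubleshoot: SELinux is preventing /usr/sbin/smbd from open access on the file /etc/samba/smb.conf. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000001
Aug 10 15:52:41 rocky3 systemd[1]: Successfully loaded SELinux policy in 69.596ms.
Aug 10 16:10:18 rocky3 setroubleshoot: SELinux is preventing /usr/sbin/nmbd from getattr access on the file /etc/samba/smb.conf
Aug 10 16:11:05 rocky3 setroubleshoot: SELinux is preventing /usr/sbin/nmbd from read access on the file smb.conf. For complete SELinux messages. run sealert -l 109d0656-c57b-4fdd-9ef3-09c6cee6351a
Aug 10 16:11:09 rocky3 setroubleshoot: SELinux is preventing /usr/sbin/nmbd from read access on the file smb.conf. For complete SELinux messages. run sealert -l 109d0656-c57b-4fdd-9ef3-09c6cee6351a
EOF

denials_since_boot "$SAMPLE"
safe_to_enforce "$SAMPLE" || echo "Denials logged this boot: stay in permissive."
```

On a real system, pass /var/log/messages instead of the sample file and resolve each listed denial before setting SELINUX=enforcing.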

I think selinux should be configured by default in the image.

I agree, you can always disable if something weird happens but so far, things seem to run smooth. Have you tried enabling and running?

I have not tried it yet, but will be doing so before I decide to use Rockstor as the replacement for my current (other NAS OS) solution.

I’m about to on my prod box, been testing this so far. Any issues you can easily switch to permissive (as opposed to OFF)