DevOps / Sys Admin Q & A: Linux - SELinux
Security-Enhanced Linux (SELinux) gives administrators finer control over what may be accessed on the system.
In this post we take a small taste of it: what happens when we move the ssh service to a port other than its default.
Let's set the ssh port to 2222 in /etc/ssh/sshd_config:
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22 => Port 2222
Because the configuration has changed, we need to restart the service:
$ sudo systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2020-08-10 04:43:57 UTC; 13s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 1171 (sshd)
   CGroup: /system.slice/sshd.service
           └─1171 /usr/sbin/sshd -D

Aug 10 04:43:57 ip-172-31-5-36.ec2.internal systemd[1]: Stopped OpenSSH server daemon.
Aug 10 04:43:57 ip-172-31-5-36.ec2.internal systemd[1]: Starting OpenSSH server daemon...
Aug 10 04:43:57 ip-172-31-5-36.ec2.internal sshd[1171]: Server listening on 0.0.0.0 port 22.
Aug 10 04:43:57 ip-172-31-5-36.ec2.internal sshd[1171]: Server listening on :: port 22.
Aug 10 04:43:57 ip-172-31-5-36.ec2.internal systemd[1]: Started OpenSSH server daemon.

$ sudo systemctl restart sshd
Job for sshd.service failed because the control process exited with error code.
See "systemctl status sshd.service" and "journalctl -xe" for details.

$ sudo systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Mon 2020-08-10 04:46:42 UTC; 13s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 1190 ExecStart=/usr/sbin/sshd -D $OPTIONS (code=exited, status=255)
 Main PID: 1190 (code=exited, status=255)

Aug 10 04:46:42 ip-172-31-5-36.ec2.internal systemd[1]: sshd.service: main process exited, code=exited, status=255/n/a
Aug 10 04:46:42 ip-172-31-5-36.ec2.internal systemd[1]: Failed to start OpenSSH server daemon.
Aug 10 04:46:42 ip-172-31-5-36.ec2.internal systemd[1]: Unit sshd.service entered failed state.
Aug 10 04:46:42 ip-172-31-5-36.ec2.internal systemd[1]: sshd.service failed.

$ journalctl -xe
...
-- Unit sshd.service has begun starting up.
Aug 10 04:47:24 ip-172-31-5-36.ec2.internal sshd[1195]: error: Bind to port 2222 on 0.0.0.0 failed: Permission denied.
Aug 10 04:47:24 ip-172-31-5-36.ec2.internal sshd[1195]: error: Bind to port 2222 on :: failed: Permission denied.
Aug 10 04:47:24 ip-172-31-5-36.ec2.internal sshd[1195]: fatal: Cannot bind any address.
Aug 10 04:47:24 ip-172-31-5-36.ec2.internal systemd[1]: sshd.service: main process exited, code=exited, status=255/n/a
Aug 10 04:47:24 ip-172-31-5-36.ec2.internal systemd[1]: Failed to start OpenSSH server daemon.
-- Subject: Unit sshd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit sshd.service has failed.
--
-- The result is failed.
Aug 10 04:47:24 ip-172-31-5-36.ec2.internal systemd[1]: Unit sshd.service entered failed state.
Aug 10 04:47:24 ip-172-31-5-36.ec2.internal systemd[1]: sshd.service failed.
We can get additional info from /var/log/audit/audit.log:
...
type=AVC msg=audit(1597035394.067:258): avc: denied { name_bind } for pid=1228 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
...
An SELinux-hardened system runs with SELinux in enforcing mode, meaning that the SELinux policy is in effect and anything the policy does not allow is blocked. When debugging permission problems, however, it can make sense to temporarily relax SELinux. Rather than disabling it, we can have SELinux run in permissive mode, either for the entire system or for a specific type (or set of types).
To get information about the current state, we can use getenforce or sestatus:
$ getenforce
Enforcing

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
Let's switch from enforcing to permissive using the setenforce command:
$ sudo setenforce permissive

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
The purpose of permissive mode is to let a system run with SELinux enabled while still allowing every access the applications attempt; denials are only logged, not blocked. An SELinux-enabled system that runs in permissive mode is therefore not protected by SELinux.
Now, let's restart the sshd service and check the status:
$ sudo systemctl restart sshd

$ sudo systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2020-08-10 05:14:58 UTC; 13s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 1351 (sshd)
   CGroup: /system.slice/sshd.service
           └─1351 /usr/sbin/sshd -D

Aug 10 05:14:58 ip-172-31-5-36.ec2.internal systemd[1]: Stopped OpenSSH server daemon.
Aug 10 05:14:58 ip-172-31-5-36.ec2.internal systemd[1]: Starting OpenSSH server daemon...
Aug 10 05:14:58 ip-172-31-5-36.ec2.internal sshd[1351]: Server listening on 0.0.0.0 port 2222.
Aug 10 05:14:58 ip-172-31-5-36.ec2.internal sshd[1351]: Server listening on :: port 2222.
Aug 10 05:14:58 ip-172-31-5-36.ec2.internal systemd[1]: Started OpenSSH server daemon.

$ sudo netstat -tulpan | grep -i listen
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1026/master
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      1351/sshd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1026/master
tcp6       0      0 :::2222                 :::*                    LISTEN      1351/sshd
tcp6       0      0 :::111                  :::*                    LISTEN      1/systemd
The default value (enforcing or permissive) when the system boots is defined in the /etc/selinux/config file, through the SELINUX parameter.
Note that we haven't modified that default value, so when the machine reboots the system will again run with SELinux in enforcing mode.
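As an added example (not part of the original post), here is a POSIX shell script that turns the name_bind denial from audit.log into the port-label fix that the sshd_config comment points to, so sshd can bind 2222 with SELinux still enforcing instead of depending on a permissive mode that is lost at reboot. The AVC line it parses is a constructed copy of the one shown above; the domain-to-port-type table and the placeholder type name are assumptions of this example.

```shell
# Added example (not from the original post): derive the semanage port fix
# from an SELinux AVC name_bind denial instead of dropping to permissive mode.
# AVC_SAMPLE is a constructed copy of the audit.log line shown in the post.
AVC_SAMPLE='type=AVC msg=audit(1597035394.067:258): avc:  denied  { name_bind } for  pid=1228 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# avc_field LINE KEY: print the value of the KEY=value token (quotes stripped).
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n && substr($i, 1, n - 1) == key) {
                v = substr($i, n + 1); gsub("\"", "", v); print v; exit
            }
        }
    }'
}

# type_of CONTEXT: the type component of user:role:type[:level].
type_of() { printf '%s\n' "$1" | cut -d: -f3; }

# Source domain -> port type it may bind. Only the domain from the post plus
# httpd is listed; anything else yields a labelled placeholder (not a real
# SELinux type) that the admin resolves with: semanage port -l
port_type_for() {
    case "$1" in
        sshd_t)  echo ssh_port_t ;;
        httpd_t) echo http_port_t ;;
        *)       echo "PLACEHOLDER_PORT_TYPE_FOR_$1" ;;
    esac
}

# suggest_port_fix LINE: print the semanage command for a name_bind denial;
# return 1 for any other kind of denial.
suggest_port_fix() {
    case "$1" in *'{ name_bind }'*) ;; *) return 1 ;; esac
    port=$(avc_field "$1" src)
    proto=$(avc_field "$1" tclass | sed 's/_socket$//')
    domain=$(type_of "$(avc_field "$1" scontext)")
    current=$(type_of "$(avc_field "$1" tcontext)")
    # unreserved_port_t means the port has no specific label yet, so a mapping
    # can be added (-a); a port already owned by another type must be modified
    # (-m) instead, because semanage refuses to add a port that is defined.
    if [ "$current" = unreserved_port_t ]; then op=-a; else op=-m; fi
    printf 'semanage port %s -t %s -p %s %s\n' "$op" "$(port_type_for "$domain")" "$proto" "$port"
}

suggest_port_fix "$AVC_SAMPLE"
```

Run as root on the affected host, the printed command makes the port label persistent, after which `systemctl restart sshd` succeeds with `getenforce` still reporting Enforcing.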