====== SELinux ======

=== Procfs ===

To protect the system against memory dumps, access to /proc must be limited as far as possible. This directory contains a pseudo-filesystem which provides an interface to kernel data structures [[https://man7.org/linux/man-pages/man5/proc.5.html|[1]]]. In a basic test, SELinux labels did restrict access to processes not owned by the user: a user, even after escalating to root, could not access root's processes. How far this holds depends on the SELinux user and role the login is mapped to; a login mapped to the unconfined user is hardly constrained by the default targeted policy, so confined and unconfined logins will give different results. **Further investigations should be done during the SELinux implementation in BoxOS in order to check whether the default policy is already sufficient or has to be hardened for the desired use case.**

Another easy-to-implement protection for procfs against unprivileged users is mounting proc with the [[https://linux-audit.com/linux-system-hardening-adding-hidepid-to-proc/|**hidepid flag**]] set to 1 or 2. With hidepid=1 an unprivileged user can still list other users' /proc/<pid> directories but cannot read their contents; with hidepid=2 those directories are not visible at all, so the user can only list and inspect its own processes. The restriction does not apply to root, and a group can be exempted with the gid= mount option so that monitoring tools keep full visibility.

=== Intro to SELinux ===

SELinux can run in two modes: permissive or enforcing (disabling SELinux altogether is a third setting in /etc/selinux/config, not a runtime mode). In permissive mode the policy is not enforced: every access that enforcing mode would block is allowed but logged as an AVC denial. Permissive mode is good for debugging and for building a policy, but a SELinux system must run in enforcing mode.
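As a worked example of the hidepid protection described in the Procfs section (added here, not part of the original page or of BoxOS), the script below builds the /etc/fstab entry, reads back the hidepid value in effect from /proc/mounts, and can remount /proc at runtime when run as root. The exempt group id is passed in by the caller; the mounts lines used in the comments are constructed samples. Kernels from 5.8 on may also report the symbolic values noaccess, invisible and ptraceable instead of 1 and 2, and the parser passes those through unchanged.

```shell
#!/bin/sh
# proc_hidepid.sh - added example, not from the original page.
# Mount /proc with hidepid so unprivileged users cannot see other users'
# processes, exempting one group (gid passed by the caller) for monitoring tools.

# fstab entry for /proc. hidepid=2 hides other users' /proc/<pid> directories
# entirely, hidepid=1 leaves them listable but unreadable; gid= exempts a group.
proc_fstab_line() {
  # $1 = hidepid level (1 or 2), $2 = numeric gid exempted from hiding
  printf 'proc /proc proc defaults,hidepid=%s,gid=%s 0 0\n' "$1" "$2"
}

# Read the hidepid value out of a /proc/mounts-style line, e.g. the constructed
#   proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=1001 0 0
# Prints 0 when the option is not set; symbolic values (5.8+) are printed as-is.
hidepid_from_mounts() {
  printf '%s\n' "$1" | awk '{
    n = split($4, o, ",")
    for (i = 1; i <= n; i++)
      if (o[i] ~ /^hidepid=/) { sub("hidepid=", "", o[i]); print o[i]; exit }
    print 0
  }'
}

# Live check: the hidepid currently in effect on /proc (0 if none or not mounted).
current_hidepid() {
  hidepid_from_mounts "$(grep ' /proc proc ' /proc/mounts 2>/dev/null | head -n1)"
}

# Apply at runtime (needs root); persist it with proc_fstab_line in /etc/fstab.
apply_hidepid() {
  # $1 = level, $2 = gid
  mount -o "remount,hidepid=$1,gid=$2" /proc
}

# Usage: ./proc_hidepid.sh apply <gid>   (as root) to remount with hidepid=2;
# without arguments it only reports the current state.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" = 0 ]; then
  apply_hidepid 2 "${2:?gid required}"
fi
echo "hidepid on /proc: $(current_hidepid)"
```

On systemd hosts, services that legitimately need to see every process (systemd-logind, monitoring agents) should be members of the exempt group, for instance through a SupplementaryGroups= drop-in for the unit; otherwise they silently lose visibility once hidepid=2 is active.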
== CHEATSHEET ==

**Info discovery**
<code>
sestatus                 - Get SELinux status (mode, policy type, MLS)
setenforce 0|1           - Switch to permissive (0) or enforcing (1) until reboot
semanage login -l        - List Linux logins and the SELinux user each is mapped to
semanage user -l         - List SELinux users and their roles
id -Z                    - Print the SELinux context of the current user
semanage boolean -l      - List all SELinux booleans and their state
</code>

**Editing**
<code>
semanage login -a -s user_u confined_user   - Map the Linux user confined_user to the SELinux user user_u (use -m instead of -a to change an existing mapping)
</code>

**Permission error commands**
<code>
ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent -i   - Ask auditd for recent denials
journalctl -t setroubleshoot                                          - Only if setroubleshoot is installed
audit2why -la                                                         - Explain denials from the audit log (-a) recorded since the last policy reload (-l)
audit2allow -a                                                        - Print the allow rules that would cover the denials in the audit log
audit2allow -R                                                        - Generate the policy using the already existing interfaces (requires the selinux-policy-dev package)
</code>

**Various**
<code>
touch /.autorelabel      - Request a full filesystem relabel on next reboot
</code>

=== Useful resources ===

  * /etc/selinux/config: configuration of the SELinux mode and policy type
  * [[https://github.com/SELinuxProject/selinux-notebook/blob/main/src/reference_policy.md|SELinux Notebook]]
  * [[https://www.redhat.com/sysadmin/selinux-denial2|How to read and correct SELinux denial messages]]
  * [[https://projectatomic.io/docs/docker-and-selinux/|Docker and SELinux]] - MLS + MCS
  * [[https://access.redhat.com/documentation/it-it/red_hat_enterprise_linux/8/html/using_selinux/creating-selinux-policies-for-containers_using-selinux|Udica SELinux container policy generator]] - [[https://github.com/containers/udica|GitHub repo]]
  * [[https://cs.unibg.it/seclab-papers/2015/CNS/Docker.pdf|Docker.pdf (unibg.it)]]
  * [[https://www.usenix.org/legacy/publications/library/proceedings/sec03/tech/full_papers/jaeger/jaeger_html/node3.html#:~:text=In%20SELinux%2C%20the%20distinction%20between,are%20labeled%20with%20a%20type|Jaeger et al., USENIX Security 2003: type labelling in SELinux]]

Notes

[1] [[https://man7.org/linux/man-pages/man5/proc.5.html|proc(5) - man]]
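The permission-error commands in the cheatsheet above return raw AVC records, and the permissive/enforcing distinction from the intro shows up in them as the permissive= field. The script below is an added example (not from the original page) that reduces each record to a one-line summary and flags whether the denial was actually enforced, which is what decides whether a denial found in the log explains an observed failure. The two AVC lines are constructed samples in the audit.log format; the helper names are this example's own.

```shell
#!/bin/sh
# avc_triage.sh - added example, not from the original page.
# Summarise SELinux AVC denials and show whether each one was enforced
# (permissive=0) or merely logged in permissive mode (permissive=1).

# Two constructed AVC records in the layout ausearch -i / audit.log print them in.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=789 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.456:457): avc:  denied  { ptrace } for  pid=2345 comm="gdb" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=1'

# Extract one key=value field from an AVC line; quotes around the value are
# dropped. Prints an empty string if the key is absent.
avc_field() {
  # $1 = AVC line, $2 = key (scontext, tcontext, tclass, comm, permissive, ...)
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# The denied permission set inside { }, e.g. "read" or "read write".
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# Type component of a security context (user:role:type[:level] -> type).
ctx_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# One-line summary:
#   <comm> <source type> -> <target type> (<class>: <perms>) [ENFORCED|PERMISSIVE]
avc_summary() {
  _l=$1
  _st=$(ctx_type "$(avc_field "$_l" scontext)")
  _tt=$(ctx_type "$(avc_field "$_l" tcontext)")
  if [ "$(avc_field "$_l" permissive)" = "1" ]; then _mode=PERMISSIVE; else _mode=ENFORCED; fi
  printf '%s %s -> %s (%s: %s) [%s]\n' "$(avc_field "$_l" comm)" "$_st" "$_tt" \
    "$(avc_field "$_l" tclass)" "$(avc_perms "$_l")" "$_mode"
}

# Summarise every record in the sample (or pipe real ausearch output through the
# same loop: ausearch -m AVC -ts recent | grep '^type=AVC' | while ...).
triage_all() {
  printf '%s\n' "$SAMPLE_AVC" | while IFS= read -r _rec; do avc_summary "$_rec"; done
}

# Number of denials that were actually enforced; these are the ones a user
# would have noticed as a failure.
count_enforced() {
  triage_all | grep -c '\[ENFORCED\]'
}

triage_all
echo "enforced denials: $(count_enforced)"
```

Once a denial is understood, the cheatsheet's audit2allow -a output (or audit2allow -M mymodule, which also builds the .pp) gives the candidate rule; read the generated .te before loading it with semodule -i, since it allows exactly what was denied, including any access that should rather be fixed by relabelling or by a boolean.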