CIS Level 2 Hardening
Setting SELinux to “Enforcing” mode

Introduction

As part of the CIS Level 2 Hardening security recommendations, the Mindbreeze InSpire 24.4 release puts the SELinux security architecture into the “Enforcing” mode. For appliances with version 24.4 or later, SELinux is in enforcing mode by default. For older appliances, enforcing mode must be activated manually. The manual activation is explained in this documentation.

Attention: This only applies explicitly to Mindbreeze InSpire.

Introduction to SELinux

SELinux is a security enhancement to Linux which allows users and administrators more control over access control. Access can be constrained on such variables as which users and applications can access which resources. These resources may take the form of files. Standard Linux access controls, such as file modes (-rwxr-xr-x) are modifiable by the user and the applications which the user runs. Conversely, SELinux access controls are determined by a policy loaded on the system which may not be changed by careless users or misbehaving applications.

SELinux also adds finer granularity to access controls. Instead of only being able to specify who can read, write or execute a file, for example, SELinux lets you specify who can unlink, append only, move a file and so on. SELinux allows you to specify access to many resources other than files as well, such as network resources and interprocess communication (IPC).

For more information, please see SELinux Wiki (selinuxproject.org).

Switching SELinux into the mode “Enforcing”

New appliances delivered with 23.5 (or later) already have SELinux enabled and set to the mode “Permissive”. Before setting the SELinux mode to “Enforcing”, it is essential to complete all the following preparation steps to prevent a non-bootable system:

1. Make sure that SELinux is in the mode “Permissive” (sestatus | grep "Current mode:") and auditd is running (systemctl is-active auditd).
2. Apply or re-apply the 24.4 Update (make sure that the appliance is rebooted).
3. Run the following code:
   1. rpm-ostree cleanup -rpmb
   2. ostree checkout -H $(rpm-ostree status -v | sed -En 's|^[[:space:]]*Commit: (.*)|\1|p') /ostree/repo/tmp/selinux-fix
   3. ostree fsck --delete
   4. ostree commit --consume --link-checkout-speedup --orphan --selinux-policy=/ /ostree/repo/tmp/selinux-fix
   5. ostree admin deploy local_coreos:fedora/x86_64/coreos/stable
   6. restorecon -R -v /etc/ /var/data/scripts /var/data/log
   7. restorecon -v /var/data
   8. restorecon -R -v -e /var/data -e /var/lib/docker /var
4. Finally, reboot with the command reboot.

Now check /var/data/log/audit.log (starting with the time of the reboot: ausearch -i | grep avc | grep denied). If there are no denies you can proceed with setting SELinux to the mode “Enforcing” in /etc/selinux/config and reboot one last time.

Attention: Do not switch SELinux into the mode “Disabled” after enabling the “Enforcing” mode. If you do this, the steps mentioned above need to be repeated.

If there are issues with SELinux, it can be set to “Permissive” temporarily by running setenforce 0. This is reset upon reboot. To make the change permanent you can set the mode to “Permissive” in /etc/selinux/config.