
SELinux Security

This document describes how VoipNow integrates with SELinux.

What Is SELinux?

Background

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including United States Department of Defense-style mandatory access controls (MAC). It is built into the Linux kernel and enforces fine-grained restrictions that are much stronger than classic Unix permissions. Policies are enforced through binary SELinux policy modules, which define who can do what: for example, restricting a binary's access to specific network ports, or allowing it to access only some of the files its group permissions would otherwise permit.

VoipNow and SELinux

VoipNow comes with built-in SELinux modules. The modules are designed to be installed alongside the selinux-policy RPM package provided by your Linux distribution packagers (the included policy store previously mentioned). Having these modules enabled applies kernel-level restrictions to VoipNow components, ensuring access is granted only to the required resources.

Installing SELinux

Check SELinux Status

As SELinux might be disabled on the host, it is best to check its status first. When SELinux is disabled, the kernel module is not loaded and no restrictions apply. To check the module status, use the getenforce command:

[root@voipnownode ~]# getenforce
Disabled

SELinux can have two other states:

  • permissive - security policies are loaded, but not applied (only warnings are printed to the system log)
  • enforcing - security policies are applied and enforced

Enable VoipNow SELinux Support

To enable the VoipNow SELinux modules, the system must be in enforcing mode. Edit /etc/selinux/config and change the SELINUX configuration value to enforcing. The file should look like this:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

The system needs to be rebooted - this might take longer than usual, as the entire file system needs to be relabeled.

Once booted, reconnect and check SELinux status with getenforce - it should say:

[root@voipnownode ~]# getenforce
Enforcing

Execute the VoipNow SELinux installer:

[root@voipnownode selinux]# /usr/local/voipnow/selinux/install_selinux.sh

Example output:

Attempting to install module 'voipnow_asterisk.pp':
Ok: return value of 0.
Committing changes:
Ok: transaction number 0.
Attempting to install module 'voipnow_httpd.pp':
Ok: return value of 0.
Committing changes:
Ok: transaction number 0.
...

That's everything you must do. VoipNow SELinux modules are enabled and your system is in enforcing mode. If a critical security issue appears in a VoipNow component, the damage will be confined to the resources that specific component is allowed to access.

Auditing SELinux Logs

SELinux events are logged under /var/log/audit/audit.log. Take a look inside that file and you should see SELinux events being logged as shown below:

type=USER_ACCT msg=audit(1424868721.650:279): user pid=20337 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_ACCT msg=audit(1424868721.650:278): user pid=20336 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
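
As an added example (not part of the VoipNow documentation or product), the following Python parses records in this format and lists AVC denials, the records SELinux writes when policy blocks an access. The AVC sample line, its example_daemon_t type and all function names are constructed for illustration.

```python
import re

# Line 1 is a record shown on this page; line 2 is a constructed AVC denial.
SAMPLE = """
type=USER_ACCT msg=audit(1424868721.650:279): user pid=20337 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=AVC msg=audit(1424868800.123:301): avc:  denied  { name_bind } for  pid=20411 comm="example_daemon" src=8089 scontext=system_u:system_r:example_daemon_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): ?(.*)$")
FIELD = re.compile(r"(\w+)=(\"[^\"]*\"|\S+)")
AVC = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]*) \}")

def parse_record(line):
    """Split one audit.log line into type, epoch seconds, serial and key=value fields."""
    m = HEADER.match(line.strip())
    if not m:
        return None  # blank or malformed line
    rtype, epoch, serial, body = m.groups()
    fields = {k: v.strip("'\"") for k, v in FIELD.findall(body)}
    rec = {"type": rtype, "epoch": int(epoch), "serial": int(serial), "fields": fields}
    avc = AVC.search(body)
    if rtype == "AVC" and avc:
        rec["result"], rec["perms"] = avc.group(1), avc.group(2).split()
    return rec

def domain(context):
    """Return the type part of an SELinux context (user:role:type:level)."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def denials(log_text):
    """Return (source domain, perms, target type, class, comm) for each AVC denial."""
    out = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec.get("result") == "denied":
            f = rec["fields"]
            out.append((domain(f["scontext"]), tuple(rec["perms"]),
                        domain(f["tcontext"]), f["tclass"], f.get("comm")))
    return out

if __name__ == "__main__":
    for d in denials(SAMPLE):
        print(d)
```

The USER_ACCT records shown above are PAM accounting entries that carry an SELinux subject context in subj=; policy denials appear as type=AVC records in the same file.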

Describing the audit logs is beyond the scope of this document, but for further information we recommend the following resources:

Last updated: Dec 4, 2025