Prevent from disabling SElinux

There might be a situation when you want to make sure that SElinux is always enabled on your system.

Imagine a situation where you have SElinux policy in place and someone hacks your OS and get root straight away. What he can do then to take a full control of you system is:

setenforce 1

vi /etc/selinux/config  

With just few steps your entire effort and "security" becomes disabled even without a reboot.

How to prevent from this action?

I written a SElinux policy module which allows your system components to only read and open /etc/config/selinux and prevent from execute'ing /usr/sbin/setenforce.

When you install this module even root won't be able to do any actions to disable SElinux on your system.

The module and compilations steps are below.

[root@nfsec selinux-devel]# cat secpol.te
module secpol 1.0;

type secpol_t;

require {  
type selinux_config_t;  
type unconfined_t;  
type fs_t;  
type kernel_t;  
type kdumpctl_t;  
type lvm_t;  
type setfiles_t;  
type sshd_t;  
type systemd_hostnamed_t;  
type udev_t;  
type crond_t;  
type init_t;  
class file { ioctl read getattr lock append open relabelto setattr execute write rename unlink };  
class dir { search getattr read relabelto };  
class filesystem associate;  

#============= selinux_config_t ==============
allow selinux_config_t secpol_t:dir { read getattr search };  
allow selinux_config_t secpol_t:file { read open getattr };

#============= unconfined_t ==============
allow unconfined_t secpol_t:dir { relabelto read getattr search };  
allow unconfined_t secpol_t:file { read open getattr relabelto };

#============= secpol_t ==============
allow secpol_t fs_t:filesystem associate;

#============= init_t ==============
allow init_t secpol_t:file read;

#============= crond_t ==============
allow crond_t secpol_t:file read;

#============= kernel_t ==============
allow kernel_t secpol_t:dir getattr;  
allow kernel_t secpol_t:file { getattr read open };

#============= kdumpctl_t ==============
allow kdumpctl_t secpol_t:file { read open };

#============= lvm_t ==============
allow lvm_t secpol_t:file { read open };

#============= setfiles_t ==============
allow setfiles_t secpol_t:file { read open };

#============= sshd_t ==============
allow sshd_t secpol_t:file { read open };

#============= systemd_hostnamed_t ==============
allow systemd_hostnamed_t secpol_t:file { read open };

#============= udev_t ==============
allow udev_t secpol_t:file { read open };

cd /usr/src/selinux-devel/  
ln -s /usr/share/selinux/devel/Makefile .

checkmodule -M -m -o secpol.mod secpol.te  
semodule_package -m secpol.mod -o secpol.pp  
semodule -i secpol.pp

chcon -t secpol_t /etc/selinux/config  
chcon -t secpol_t /usr/sbin/setenforce  

That's it hope you enjoyed it.

[root@nfsec selinux-devel]# echo "">/etc/selinux/config
-bash: /etc/selinux/config: Permission denied
[root@nfsec selinux-devel]# echo "">>/etc/selinux/config
-bash: /etc/selinux/config: Permission denied
[root@nfsec selinux-devel]# setenforce
-bash: /usr/sbin/setenforce: Permission denied

However there is still last option available to change Enforcing to Permissive via:

echo 0 > /sys/fs/selinux/enforce  

To disable changing policy completely entirely and after all do the following:

[root@nfsec selinux-devel]# getsebool -a |grep secure
secure_mode --> off  
secure_mode_insmod --> off  
secure_mode_policyload --> off

[root@nfsec selinux-devel]# setsebool secure_mode_policyload 1

[root@nfsec selinux-devel]# echo 1 > /sys/fs/selinux/enforce
[root@nfsec selinux-devel]# echo 0 > /sys/fs/selinux/enforce
-bash: echo: write error: Permission denied
[root@localhost selinux-devel]# getenforce

You cannot now change SElinux mode to Permissive.
You would need to reboot OS with selinux=0 in grub.

Share this post:

by lo3k