New Features for Release 17.3.1
The following features are included in the Cisco IOS-XE release 17.3.1:
Support for Security-Enhanced Linux (SELinux)
Security-Enhanced Linux is a set of patches to the Linux kernel and some utilities to incorporate a strong, flexible mandatory access control (MAC) architecture into the major subsystems of the kernel. SELinux provides an enhanced mechanism to enforce the separation of information based on confidentiality and integrity requirements, which allows threats of tampering and bypassing of application security mechanisms to be addressed and enables the confinement of damage that can be caused by malicious or flawed applications.
SELinux enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. This reduces or eliminates the ability of these programs and daemons to cause harm when compromised (for example, via buffer overflows or mis-configurations). This confinement mechanism operates independently of the traditional Linux access control mechanisms.
The are no additional requirements or configuration steps required to enable or operate the SELinux feature. The solution is enabled/operational by default as part of the base IOS-XE software on supported platforms.
The following are enhanced show commands that have been defined for viewing SELinux related audit logs.
show platform software audit all
show platform software audit summary
show platform software audit switch <<1-8> | active | standby> <FRU identifier from a drop-down list>
Command Examples
The following is a sample output of the show software platform software audit summary command:
Device# show platform software audit summary
===================================
AUDIT LOG ON switch 1
-----------------------------------
AVC Denial count: 58
===================================
The following is a sample output of the show software platform software audit all command:
Device# show platform software audit all
===================================
AUDIT LOG ON switch 1
-----------------------------------
========== START ============
type=AVC msg=audit(1539222292.584:100): avc: denied { read } for pid=14017 comm="mcp_trace_filte" name="crashinfo" dev="rootfs" ino=13667 scontext=system_u:system_r:polaris_trace_filter_t:s0 tcontext=system_u:object_r:polaris_disk_crashinfo_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1539222292.584:100): avc: denied { getattr } for pid=14017 comm="mcp_trace_filte" path="/mnt/sd1" dev="sda1" ino=2 scontext=system_u:system_r:polaris_trace_filter_t:s0 tcontext=system_u:object_r:polaris_disk_crashinfo_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1539222292.586:101): avc: denied { getattr } for pid=14028 comm="ls" path="/tmp/ufs/crashinfo" dev="tmpfs" ino=58407 scontext=system_u:system_r:polaris_trace_filter_t:s0 tcontext=system_u:object_r:polaris_ncd_tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1539222292.586:102): avc: denied { read } for pid=14028 comm="ls" name="crashinfo" dev="tmpfs" ino=58407 scontext=system_u:system_r:polaris_trace_filter_t:s0 tcontext=system_u:object_r:polaris_ncd_tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1539438600.896:119): avc: denied { execute } for pid=8300 comm="sh" name="id" dev="loop0" ino=6982 scontext=system_u:system_r:polaris_auto_upgrade_server_rp_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
========== END ============
(output omitted for brevity)
The following is a sample output of the show software platform software audit switch command:
Device# show platform software audit switch active R0
========== START ============
type=AVC msg=audit(1539222292.584:100): avc: denied { read } for pid=14017 comm="mcp_trace_filte" name="crashinfo" dev="rootfs" ino=13667 scontext=system_u:system_r:polaris_trace_filter_t:s0 tcontext=system_u:object_r:polaris_disk_crashinfo_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1539222292.584:100): avc: denied { getattr } for pid=14017 comm="mcp_trace_filte" path="/mnt/sd1" dev="sda1" ino=2 scontext=system_u:system_r:polaris_trace_filter_t:s0 tcontext=system_u:object_r:polaris_disk_crashinfo_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1539222292.586:101): avc: denied { getattr } for pid=14028 comm="ls" path="/tmp/ufs/crashinfo" dev="tmpfs" ino=58407 scontext=system_u:system_r:polaris_trace_filter_t:s0 tcontext=system_u:object_r:polaris_ncd_tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1539222292.586:102): avc: denied { read } for pid=14028 comm="ls" name="crashinfo" dev="tmpfs" ino=58407 scontext=system_u:system_r:polaris_trace_filter_t:s0 tcontext=system_u:object_r:polaris_ncd_tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1539438624.916:122): avc: denied { execute_no_trans } for pid=8600 comm="auto_upgrade_se" path="/bin/bash" dev="rootfs" ino=7276 scontext=system_u:system_r:polaris_auto_upgrade_server_rp_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1539438648.936:123): avc: denied { execute_no_trans } for pid=9307 comm="auto_upgrade_se" path="/bin/bash" dev="rootfs" ino=7276 scontext=system_u:system_r:polaris_auto_upgrade_server_rp_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1539438678.649:124): avc: denied { name_connect } for pid=26421 comm="nginx" dest=8098 scontext=system_u:system_r:polaris_nginx_t:s0 tcontext=system_u:object_r:polaris_caf_api_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1539438696.969:125): avc: denied { execute_no_trans } for pid=10057 comm="auto_upgrade_se" path="/bin/bash" dev="rootfs" ino=7276 scontext=system_u:system_r:polaris_auto_upgrade_server_rp_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1539438732.973:126): avc: denied { execute_no_trans } for pid=10858 comm="auto_upgrade_se" path="/bin/bash" dev="rootfs" ino=7276 scontext=system_u:system_r:polaris_auto_upgrade_server_rp_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1539438778.008:127): avc: denied { execute_no_trans } for pid=11579 comm="auto_upgrade_se" path="/bin/bash" dev="rootfs" ino=7276 scontext=system_u:system_r:polaris_auto_upgrade_server_rp_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1539438800.156:128): avc: denied { name_connect } for pid=26421 comm="nginx" dest=8098 scontext=system_u:system_r:polaris_nginx_t:s0 tcontext=system_u:object_r:polaris_caf_api_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1539438834.099:129): avc: denied { execute_no_trans } for pid=12451 comm="auto_upgrade_se" path="/bin/bash" dev="rootfs" ino=7276 scontext=system_u:system_r:polaris_auto_upgrade_server_rp_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1539438860.907:130): avc: denied { name_connect } for pid=26421 comm="nginx" dest=8098 scontext=system_u:system_r:polaris_nginx_t:s0 tcontext=system_u:object_r:polaris_caf_api_port_t:s0 tclass=tcp_socket permissive=1
========== END ============
===================================
Syslog Message Reference
Facility-Severity-Mnemonic
-
%SELINUX-3-MISMATCH
Severity-Meaning
-
ERROR LEVEL Log
Message Explanation
-
A resource access was made by the process for which a resource access policy is not defined. The operation was flagged but not denied.
-
The operation continued successfully and was not disrupted. A system log has been generated about the missing policy for resource access by the process as denied operation.
Recommended Action
-
Please contact CISCO TAC with the following relevant information as attachments:
-
The message exactly as it appears on the console or in the system log.
-
Output of "show tech-support" (text file)
-
Archive of Btrace files from the box using the following command ("request platform software trace archive target <URL>") For Example: Device#request platform software trace archive target flash:selinux_btrace_logs
-
SD-WAN on the ESR6300
The ESR6300 supports SDWAN with release 17.3.1 or later. This release brings the ESR6300 into feature parity with the IR1101. The ESR6300 will require controller version 20.2 or later.
All of the available SDWAN documentation can be found here:
https://www.cisco.com/c/en/us/support/routers/sd-wan/series.html