Introduction to SELinux
Date Assigned: mm/dd/yyyy
Time Due: mm/dd/yyyy by hh:mm
Educational Objectives
This lab is designed to give an introduction to SELinux. After completing this lab, you will
know how to:
- Discover the current SELinux status
- Use basic SELinux commands
- Understand the targeted policy
Lab Environment
One Fedora 18 VM is needed for this lab.
All of the tasks for this lab will be performed on this Fedora 18 machine. If you conduct this lab
on a different version or distribution of Linux, some files may be located in different folders.
References
Here are the references that are used to construct this lab:
SELinux documentation (NSA)
http://www.nsa.gov/research/selinux/docs.shtml
SELinux Wiki
http://www.selinuxproject.org/page/Main_Page
SELinux (Fedora Project)
http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/
Section 1 Environment Preparation
Please run the following command as root to install the current SELinux packages on Fedora 18
(the pattern is quoted so that the shell does not expand it against file names in the current directory):
yum install '*selinux*' --skip-broken
All SELinux policies are located in the following folder:
/etc/selinux/<policy_name>
where <policy_name> is the name of the policy. After the installation, the policies minimum, targeted
and mls should be installed.
Section 2 SELinux modes and global configuration files
2.1 SELinux modes
SELinux has three major operation modes:
- Enforcing - SELinux is enforcing the loaded policy.
- Permissive - SELinux has loaded the policy but is not enforcing it. This mode is generally used
  for testing, since the audit log still contains the AVC (access vector cache) denial messages
  that enforcing mode would produce.
- Disabled - The SELinux infrastructure (in the kernel) is not loaded.
Run the following command to learn the current SELinux operation mode on your system:
sestatus
SELinux operation mode and policy are defined in the following file:
/etc/selinux/config
The value for SELINUX determines the SELinux operation mode. It can be set to three values as
follows:
SELINUX=enforcing | permissive | disabled
In order to change the SELinux operation mode of a system, you need to perform the following:
- Assign the right value to SELINUX in the /etc/selinux/config file.
- Reboot the system.
Please perform the following:
- Check the current SELinux operation mode.
- If it is disabled, change it to enforcing mode. Please use the targeted policy.
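The mode and policy you set in /etc/selinux/config only take effect after a reboot, so a typo there is easy to miss until the machine comes back up in the wrong mode. The following added example (written for this page, not part of the lab) reads the SELINUX and SELINUXTYPE values from a file in the /etc/selinux/config format, checks that the mode is one of the three accepted values, and, when the getenforce command is available, reports whether the running mode already matches the file. The sample configuration it creates in a temporary file is constructed.

```shell
#!/bin/sh
# Added example (not part of the lab): read the persistent SELinux mode and
# policy type from a file in the /etc/selinux/config format and sanity-check
# them before a reboot commits the change.

# Print the value of KEY from FILE; comments and blank lines are ignored, and
# the last matching assignment wins, as it does for the real config file.
selinux_config_value() {
    key="$1"; file="$2"
    sed -n "s/^[[:space:]]*${key}=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$file" | tail -n 1
}

# Return 0 if MODE is one of the three values SELINUX accepts, 1 otherwise.
# A typo here would leave the system in an unintended mode after the reboot,
# so it is worth checking first.
selinux_mode_valid() {
    case "$1" in
        enforcing|permissive|disabled) return 0 ;;
        *) return 1 ;;
    esac
}

# Report the configured mode and policy and, when getenforce is available,
# whether the running mode matches. The two differ after editing the file
# until the next reboot (setenforce changes only the running mode, and only
# until reboot).
selinux_config_report() {
    file="${1:-/etc/selinux/config}"
    mode=$(selinux_config_value SELINUX "$file")
    policy=$(selinux_config_value SELINUXTYPE "$file")
    if ! selinux_mode_valid "$mode"; then
        echo "invalid SELINUX value '$mode' in $file" >&2
        return 1
    fi
    echo "configured mode: $mode, policy: ${policy:-unset}"
    if command -v getenforce >/dev/null 2>&1; then
        running=$(getenforce | tr '[:upper:]' '[:lower:]')
        if [ "$running" != "$mode" ]; then
            echo "note: running mode is $running; $mode takes effect after reboot"
        fi
    fi
    return 0
}

# Constructed sample config for a stand-alone run (hypothetical contents).
sample_config=$(mktemp)
cat > "$sample_config" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
selinux_config_report "$sample_config"
rm -f "$sample_config"
```

Run it without arguments on the lab machine to check the real /etc/selinux/config before rebooting; the note line appears whenever the file and the running kernel disagree.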
2.2 The sestatus.conf file
The /etc/sestatus.conf file is used by sestatus command to list files and processes
whose security context should be displayed (sestatus -v). This file has the following
parameters:
[files]
List of files to display context
[process]
List of processes to display context
Please perform the following tasks:
1. View the /etc/sestatus.conf file.
2. Run sestatus -v.
3. Compare the output of the sestatus -v command with the contents of the sestatus.conf file.
4. Comment out some of the entries of your choice in the /etc/sestatus.conf file and repeat
   steps 2 and 3.
5. Add more entries of your choice to the /etc/sestatus.conf file and repeat steps 2 and 3.
Question 1: How would the use of sestatus -v command benefit your everyday administration
work on SELinux? Please explain your answer.
2.3 Changing current running mode
The setenforce command allows you to change the mode SELinux is currently running in
without editing the configuration file or rebooting. It has the following format:
setenforce [ Enforcing | Permissive | 1 | 0 ]
Use Enforcing or 1 to put SELinux in enforcing mode. Use Permissive or 0 to put SELinux in
permissive mode. However, you cannot use this command to put SELinux in disabled mode.
Please run the following commands as root:
setenforce 0
getenforce
setenforce 1
getenforce
Question 2: How would the setenforce command be useful? Please explain your answer.
When you use the setenforce command to change the SELinux operation mode, will this
change stay when the system is rebooted? Test it to confirm your conclusion.
Section 3 SELinux security contexts and modified Linux commands
SELinux requires a security context, also known as a "security label" or just "label", to be
associated with every process (subject) and every object. The security server uses these contexts
to decide whether an access is allowed, as defined in the policy. Many standard Linux commands
have been modified to work on a SELinux system. Some commonly used Linux commands with
SELinux modifications are introduced in this section.
3.1 Displaying security contexts
Please use the man page for ls command to study SELinux options. (Scroll down and look for
SELinux options)
Question 3: What option would you use with the ls command if you want to display only
security context and file name?
Please use the command options you just learned to study security contexts under your current
directory and some other directories, such as /bin, /etc/selinux, /var/log, etc.
3.2 Modified Linux commands
GNU standard Linux commands need to be modified in order to work with SELinux. These
commands include cp, mv, id, ls, ps and others.
The ps command accepts a -Z flag to display the security context of each running process along
with the standard Linux information.
- Run ps -Z or ps -eZ to learn the processes' domains.
The cp command accepts a -Z flag to set the security context of a newly created file. If not
specified, the security context of the new file defaults to that of the destination directory.
- Create a file in your home directory, such as /root/test.txt.
- Execute cp /root/test.txt /tmp/test.txt
- Study the security contexts associated with /root/test.txt and /tmp/test.txt to understand
  the difference.
Please use the man page for cp to learn how to copy a file from one place to another with the
same security context as the source file. Test what you learned on your computer.
The id command displays current user’s security context information along with the user and
group information. It will also accept a -Z flag to display only security context of current user.
Please perform the following to learn the effects.
id
id -Z
An important note when using the mv command is that a moved file retains its security
context. For example, moving a file from a user home directory to an httpd-served directory
results in a file that still carries the user_home_t type, which, under the normal policy, is not
readable by the httpd daemon. Please perform the following to learn the effects.
- Create a file in your home directory, such as /root/test.html
- Execute ls -Z /root/test.html
- Execute mv /root/test.html /tmp/test.html
- Execute ls -Z /tmp/test.html
Did you see any difference between the security context of the /root/test.html file and that of the
/tmp/test.html file? Now you have learned how cp and mv work in the SELinux environment.
Scenario 1
Assume that you have a directory /var/www/html that is used to hold html and related files for a
web page. The system runs SELinux enforcing mode with targeted policy. Apache HTTP service
(httpd) has read permission to those files. You have been writing a web page and testing it in
another directory, which is not accessible by httpd. This is usually how it works since you don’t
want anybody to access the page until your writing and editing are finished and the page is in a
good shape. Now the contents of the page and its appearance have been approved by your
manager and you want to move those files to the /var/www/html directory.
Question 4: Would you use the command cp or mv to achieve the goal specified in Scenario 1?
Please explain your solution.
Please test your solution on your computer to ensure that it works correctly.
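A file that was moved into the web root with mv keeps its old type, and httpd silently gets a 403 on it. The following added example (written for this page, not part of the lab) shows how to catch that from the labels alone: it reads "context name" lines in the format ls -Z prints, extracts the type field from each context, and reports every file whose type is not one httpd may read under the targeted policy. The sample listing is constructed; the audit_web_root function, which runs the same check on a real directory, is an illustration and is not executed here.

```shell
#!/bin/sh
# Added example (not part of the lab): audit the labels in a web root.
# Input is "context name" lines as printed by ls -Z; files whose type is not
# one httpd may read are reported, which is exactly what a file moved in with
# mv (still labeled user_home_t) looks like.

# Print the type field (third colon-separated component) of a security context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "context name" lines on stdin and print "name type" for every file whose
# type is not in ALLOWED (a space-separated list, default httpd_sys_content_t).
# Returns 0 when everything is labeled as expected, 1 otherwise.
find_mislabeled() {
    allowed=" ${1:-httpd_sys_content_t} "
    bad=0
    while read -r ctx name; do
        [ -n "$ctx" ] || continue
        t=$(context_type "$ctx")
        case "$allowed" in
            *" $t "*) ;;
            *) echo "$name $t"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Run the check on a real directory (defined but not executed here); prints
# the offenders and the command that resets them to the policy's labels.
audit_web_root() {
    dir="${1:-/var/www/html}"
    if ! ls -Z "$dir" | find_mislabeled "$2"; then
        echo "fix with: restorecon -Rv $dir"
        return 1
    fi
}

# Constructed sample listing (hypothetical files) for a stand-alone run:
# index.html and style.css were copied in with cp, draft.html was moved in
# with mv and kept its home-directory type.
SAMPLE_LISTING='unconfined_u:object_r:httpd_sys_content_t:s0 index.html
unconfined_u:object_r:user_home_t:s0 draft.html
unconfined_u:object_r:httpd_sys_content_t:s0 style.css'

printf '%s\n' "$SAMPLE_LISTING" | find_mislabeled \
    || echo "relabel the files above with restorecon -v"
```

Against the sample listing only draft.html is reported. The allowed list is a parameter so the same check can be reused for directories whose policy default is a different type.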
There are some other commands that must be modified in order to work with SELinux. You need
to be aware of this while using them.
Section 4 Introduction to Targeted Policy and Type Enforcement
Targeted policy is the default SELinux policy used in Fedora 18. Under this policy, processes
that are targeted run in a confined domain. Processes that are not targeted run in an unconfined
domain. For example, by default, login users run in the unconfined_t domain, and system
processes started by init run in the initrc_t domain. Both of them are unconfined. In this section,
you will gain experience with confined processes and unconfined processes.
4.1 Relabeling a file system
In SELinux systems, files are labeled with security contexts corresponding to the policy. These
security contexts can be changed at run time, for testing and debugging purposes, with commands
such as chcon. Afterwards, you usually want to set those contexts back to what the policy defines.
Relabeling a file system sets the security contexts of the files in the system back to what the
policy defines.
4.1.1 Relabeling a file system using init
Relabeling a file system is the process of resetting the security contexts of the files in the file system.
The recommended method for relabeling a file system is to reboot the machine, which lets the init
process perform the relabeling. The following commands relabel a file system using the init
process:
touch /.autorelabel
reboot
This command is rarely used because you rarely need to re-label a whole file system.
4.1.2 Relabeling a file system using fixfiles
It is possible to re-label a file system using the fixfiles command.
fixfiles -F -f relabel
However, using this command to re-label a file system is not recommended.
4.2 Changing the type associated with a file
One way to test the effects of or modify the SELinux policy is to change the type associated with
a file. This file can represent either a subject (a process) or an object (a data file). The type can
be changed permanently or temporarily in the current running mode.
4.2.1 The chcon command
The chcon command can be used to change the SELinux security context of a file, but the
changes will not stay when the file system is relabeled, such as after reboot. Please use man page
to learn how to use this command. The format for changing type of a file is as follows:
chcon -t type_t file_name
This command will change the type of the file_name file to the type type_t. A full path for
file_name may be needed on some systems. Otherwise, the command won’t work as specified.
Please perform the following as the root user.
- Create a file in your home directory, such as /root/test.txt.
- Execute ls -Z /root/test.txt and note the type associated with this file.
- Execute chcon -t httpd_sys_content_t /root/test.txt
- Execute ls -Z /root/test.txt. Study the type now associated with the test.txt file.
Can you see the effect of the chcon operation? Remember that this change will not survive a
relabeling of the file system.
Please remove the test.txt file when you have finished the above practice.
4.2.2 The semanage command
In order to change the type permanently, you need to use the semanage command. Please use
the man page to study the semanage command. The semanage fcontext command is used for
manipulating file security contexts.
Please perform the following practices as the root user:
- Create a file in the /etc/ directory, such as /etc/test1
- Execute ls -Z /etc/test1 and note the type of this file.
- Execute /usr/sbin/semanage fcontext -a -t httpd_sys_content_t /etc/test1 (Note that
  the full path must be used. It may not work correctly if the full path is not used.)
- Execute ls -Z /etc/test1 and note the type of this file.
Did you notice the type change? No, the displayed type is still the same. The effect of
/usr/sbin/semanage fcontext -a -t httpd_sys_content_t /etc/test1 operation is simply to
“add an OBJECT record NAME”. What does it mean? An entry about the /etc/test1 file is
recorded in the following file:
/etc/selinux/targeted/contexts/files/file_contexts.local
View the above file and see what you can find. There should be an entry similar to the following:
The first part identifies the file with a full path name. The second part specifies the security
context associated with the file.
Please perform the following to actually see the effects:
/sbin/restorecon -v /etc/test1
ls -Z /etc/test1, watch the type associated with this file.
Did you notice the type change? You should be able to see the type change if the policy is not
changed. In addition, this type change will survive system reboot or file system relabeling.
Question 5: Why would you want to use the chcon command to make type changes? Why
would you want to use the semanage/restorecon commands to make type changes? Please try
to explain the real world situations where chcon and semanage/restorecon can fit in.
Please delete the /etc/test1 file when you have finished the practice.
4.3 Confined processes
On a Fedora 18 system enforcing the SELinux targeted policy, almost every service that listens on
a network is confined. Most processes that run as the root user and perform tasks for users, such as
the passwd application, are also confined under the targeted policy. When a process is confined, it
runs in its own domain, such as the httpd process running in the httpd_t domain. If a confined
process is compromised by an attacker, the attacker's access to resources and the possible damage
they can do are limited, depending on the SELinux policy configuration.
The following example demonstrates how SELinux prevents the Apache HTTP Server (httpd)
from reading files that are not allowed by the SELinux policy.
Please perform the following as the root user on the Fedora 18 computer:
- Create a file in the /var/www/html directory, such as /var/www/html/index.html. Put the
  message "This is just a test" in the file.
- Execute ls -Z /var/www/html/index.html. Study and understand the security context of
  this file, especially the SELinux type of the file.
The index.html file is labeled with the SELinux unconfined_u user because a Linux user that is
mapped to the unconfined_u SELinux user created the file. Role-Based Access Control
(RBAC) is used for processes, not files. Roles do not have a meaning for data files - the object_r
role is a generic role used for data files (on persistent storage and network file systems). Under
the /proc/ directory, files related to processes may use the system_r role. The
httpd_sys_content_t type allows the httpd process to access this file.
Please continue your practice by performing the following:
- Stop the HTTP server (httpd) if it is running (systemctl stop httpd.service).
- Open the file /etc/httpd/conf/httpd.conf and comment out the following line at
  the bottom of the file:
  o IncludeOptional conf.d/*.conf
- Start the Apache HTTP server (httpd) (systemctl start httpd.service).
- Go to a directory where your Linux user has write access.
- Run the wget http://localhost/index.html command.
Question 6: Were you able to get the index.html file? Why or Why not?
Then, continue with the following tasks:
- Use the chcon command to change the type of index.html to samba_share_t by running
  the following command: (Note: under the targeted policy, httpd does not have
  permission to access files of the samba_share_t type)
  chcon -t samba_share_t /var/www/html/index.html
- Run the ls -Z /var/www/html/index.html command to confirm the type change.
- Run the wget http://localhost/index.html command again.
Were you able to get the file index.html? The access should be denied (403 Forbidden). This is
because httpd does not have permission to access files of the samba_share_t type.
Please stop the Apache HTTP service:
systemctl stop httpd.service
The error of running the wget http://localhost/index.html command is logged in the log file
/var/log/messages. View this file using a text viewer of your choice. Scroll down to the bottom
of the file. You will see an entry similar to the following:
In addition, an error similar to the following is logged to /var/log/httpd/error_log:
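The denial above is recorded by the kernel as an AVC record, which names the source domain, the target type, the object class and the permission that was refused; reading those four fields is how you tell a mislabeled file (as here) from a genuine policy gap. The following added example (written for this page, not part of the lab) summarizes AVC denial records in the kernel's format, as written to /var/log/audit/audit.log (or to /var/log/messages when auditd is not running). The sample records are constructed: the timestamps, pids and inode numbers are made up, and only the contexts and file name follow the exercise.

```shell
#!/bin/sh
# Added example (not part of the lab): summarize AVC denial records such as
# the one httpd triggers when index.html carries samba_share_t. Input is the
# kernel's AVC record format; the sample lines below are constructed.

# Print the value of KEY (quoted or unquoted) from one AVC record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Print the type component of a context such as system_u:system_r:httpd_t:s0.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read log lines on stdin; for each AVC denial print one line of the form
#   <comm> (<source type>) denied <perms> on <class> <name> (<target type>)
# Other records (SYSCALL, etc.) are skipped. Returns 0 if at least one denial
# was found, 1 otherwise.
avc_summarize() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            *"avc: "*"denied"*) ;;
            *) continue ;;
        esac
        perms=$(printf '%s\n' "$line" \
            | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*[^} ]\)[[:space:]]*}.*/\1/p')
        comm=$(avc_field "$line" comm)
        src=$(context_type "$(avc_field "$line" scontext)")
        tgt=$(context_type "$(avc_field "$line" tcontext)")
        cls=$(avc_field "$line" tclass)
        name=$(avc_field "$line" name)
        # Some records carry path= instead of name=.
        [ -n "$name" ] || name=$(avc_field "$line" path)
        echo "$comm ($src) denied $perms on $cls $name ($tgt)"
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# Constructed sample records (timestamps, pids and inodes are made up).
SAMPLE_AVC='type=AVC msg=audit(1359000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1359000000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1359000001.500:457): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file'

printf '%s\n' "$SAMPLE_AVC" | avc_summarize
```

The summary line for the exercise reads "httpd (httpd_t) denied read on file index.html (samba_share_t)": source domain httpd_t, target type samba_share_t, which is the label mismatch that restorecon fixes. A pair of types that the policy is supposed to allow would instead point at a policy problem.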
4.4 Unconfined processes
Unconfined processes run in unconfined domains. For example, init programs run in the
unconfined initrc_t domain, unconfined kernel processes run in the kernel_t domain, and
unconfined Linux users run in the unconfined_t domain. For unconfined processes, SELinux
policy rules are applied, but policy rules allow unconfined processes access to almost everything.
Processes running in unconfined domains fall back to using DAC rules exclusively. If an
unconfined process is compromised, SELinux does not prevent an attacker from gaining access
to system resources and data, but, of course, the DAC rules are still applied. SELinux is a
security enhancement on top of DAC rules - it does not replace them.
Can we change the domain of a process to allow it access more resources or run in unconfined
domain? The answer is yes. Man-made rules can always be changed.
The following example demonstrates how the Apache HTTP Server (httpd) can access data
intended for use by Samba when it is running in an unconfined domain.
- Create a file in the /var/www/html directory, such as /var/www/html/index2.html.
- Run the ls -Z /var/www/html/index2.html command to view and study the SELinux
  security context of this file. The httpd_sys_content_t type should be associated with the
  file. This type allows the Apache HTTP service (httpd) to read the file.
- Use the chcon command to change the type of the index2.html file to the samba_share_t
  type.
- Run the ls -Z /var/www/html/index2.html command to confirm the type change.
- From what you learned in the previous section, you know that httpd has no access to the
  index2.html file after the type change. This can be changed by changing the domain of httpd.
- Stop the Apache HTTP service (httpd) if it is running (systemctl stop httpd.service).
- Run chcon -t unconfined_exec_t /usr/sbin/httpd to change the type of the httpd
  executable to unconfined_exec_t.
- Run systemctl start httpd.service to start the Apache HTTP service.
- Run ps -eZ | grep httpd to confirm that httpd is now in the unconfined_t domain.
- Change into a directory where your Linux user has write access and run the following
  command:
  wget http://localhost/index2.html
Question 7: Were you able to get the index2.html file? Why or Why not?
How do you change httpd back into a confined process? Well, you have already learned how to do it:
change the type of the executable back so that the process runs in its original, confined domain.
Please perform the following:
- Stop httpd.
- Run the restorecon -v /usr/sbin/httpd command.
- Run the ls -Z /usr/sbin/httpd command to confirm the restoration. The file is now associated
  with the httpd_exec_t type again.
- Start httpd.
- Run the wget http://localhost/index2.html command.
Now the access to index2.html by httpd is forbidden. Please stop httpd and delete the
index2.html file from the system.
Section 5 Confined and unconfined SELinux users
Each standard Linux user is mapped to a SELinux user via SELinux policy. This mapping allows
Linux users to inherit the restrictions on SELinux users. This Linux and SELinux user mapping
can be viewed by running the following command:
semanage login -l
5.1 Unconfined SELinux users
In a Fedora 18 system, Linux users are mapped to the SELinux __default__ login by default,
which is mapped to the SELinux unconfined_u user. In other words, when you create a standard
Linux user, this user is mapped to __default__ login, which is mapped to an unconfined
SELinux user (unconfined_u).
Please perform the following to verify this:
- Create a Linux user, such as joe. (useradd joe)
- Set a password for this user. (passwd joe)
- Log in as the newly created user.
- Run id -Z
You will see that joe is an unconfined user (unconfined_u), plays the unconfined role
(unconfined_r), and runs in the unconfined domain (unconfined_t).
You can remove this user from your system by running the command userdel -r joe if you don't
want to keep the data on your system.
5.2 Confined SELinux users
Depending on the SELinux policy, different confined SELinux users may be defined. Table 1
lists some of them along with the restrictions and permissions of each.
Table 1 Common confined SELinux users and their capabilities

User      Domain    X Window System   su and sudo   Execute in home directory and /tmp/   Networking
guest_u   guest_t   no                no            optional                               no
xguest_u  xguest_t  yes               no            optional                               Firefox only
user_u    user_t    yes               no            optional                               yes
staff_u   staff_t   yes               sudo only     optional                               yes
SELinux users defined in a policy can be viewed by running the following command:
semanage user -l
How can you confine a user? Well, you are getting there.
5.3 Confining users
It could be useful to confine a user and restrict its access to the system resources. This can be
done when a Linux user is created. This can also be done on existing users.
5.3.1 Confining new Linux users
When creating Linux users with useradd, the -Z option can be used to specify which SELinux
user they are mapped to. For example, the following command creates the user tom and maps
it to the SELinux staff_u user:
useradd -Z staff_u tom
Please perform the following to understand the effects of confined users.
- Create a user, such as tom, and map this Linux user to the SELinux user_u user.
  (useradd -Z user_u tom)
- Set a password for user tom.
- Log on to the computer as user tom.
- Run the su root command.
Question 8: What happened when you tried to run the su command as user tom? Take a
screenshot of the results and attach it here. Explain the result.
5.3.2 Confining existing Linux users
In order to confine an existing Linux user, the semanage login command can be used to map
the user to a SELinux confined user. For example, the following command will map user
currentUser, which is a standard Linux user, to a SELinux user_u user, which is a SELinux
confined user.
semanage login -a -s user_u currentUser
The -a option adds a new record, and the -s option specifies the SELinux user. The last
argument, currentUser, is the normal Linux user.
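Which SELinux user a login ends up with is decided from the records that semanage login -l prints: an explicit record for the login name wins, otherwise the __default__ record applies. The following added example (written for this page, not part of the lab) resolves that mapping from the command's output and lists the logins that are not confined at all. The sample output is constructed to match the exercises (tom created with useradd -Z user_u, current remapped to staff_u); the column layout follows the Fedora 18 command, and the MLS ranges shown are illustrative.

```shell
#!/bin/sh
# Added example (not part of the lab): work out which SELinux user each Linux
# login gets from the output of semanage login -l (an explicit record wins,
# otherwise __default__ applies). The sample output below is constructed.

# Print "login seuser" for every record in semanage login -l output on stdin,
# skipping the header and blank lines.
login_records() {
    awk '$1 != "Login" && NF >= 2 { print $1, $2 }'
}

# Print the SELinux user LOGIN maps to, given semanage login -l output on stdin.
effective_seuser() {
    awk -v l="$1" '
        $1 != "Login" && NF >= 2 { m[$1] = $2 }
        END {
            if (l in m) print m[l]
            else if ("__default__" in m) print m["__default__"]
            else print "unknown"
        }'
}

# Print the logins (including __default__) that map to unconfined_u, i.e. the
# users SELinux will not restrict beyond DAC. Returns 1 if none are found.
unconfined_logins() {
    login_records | awk '$2 == "unconfined_u" { print $1; n++ } END { exit n ? 0 : 1 }'
}

# Constructed sample of semanage login -l on a system where tom was created
# with useradd -Z user_u and current was mapped with semanage login -a -s staff_u.
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range

__default__          unconfined_u         s0-s0:c0.c1023
current              staff_u              s0-s0:c0.c1023
root                 unconfined_u         s0-s0:c0.c1023
system_u             system_u             s0-s0:c0.c1023
tom                  user_u               s0'

# joe has no record of his own, so he falls through to __default__.
for u in joe tom current root; do
    echo "$u -> $(printf '%s\n' "$SAMPLE_LOGINS" | effective_seuser "$u")"
done
echo "logins not confined by SELinux:"
printf '%s\n' "$SAMPLE_LOGINS" | unconfined_logins
```

On a real system, pipe semanage login -l into effective_seuser before remapping an account: seeing that root and __default__ are the only unconfined records left is the check that keeps you from locking yourself out, which the closing warning of this section is about.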
Please perform the following tasks as the Linux root user to understand the effects:
- Create a Linux user, such as current.
- Set a password for this user.
- Run the su current command to become user current.
- Run id -Z and check the security context of user current.
- Run the su command to switch back to root.
- Map user current to the SELinux staff_u user.
- Log out and log back in as user current.
- Try to run the commands su and sudo as user current. Record what you see.
Question 9: What did you see when you tried the commands su and sudo root as user current
(which is a SELinux staff_u user)? Explain the results. Please pay attention to the reasons why
user current cannot run the command.
Question 10: Why would you confine Linux users in practice? Explain your answer.
You are encouraged to explore the effects of confining users with more examples. Technically,
every Linux user can be remapped. However, please be careful and understand what you are
doing and its effects before you actually do it. You don't want to lock yourself out. It could
happen.
Section 6 Bonus (4%)
What you need to do for the bonus is not restricted, but has to be related to SELinux.
Please do the following to earn the bonus for this lab. More extra points may be given if you can
convince your instructor that you have done a significant amount of work on SELinux.
- Work out a mini project of your choice based on what you have learned about SELinux.
- Describe your mini project: motivation, design and technical contents.
- Implement your mini project.
Question B1: What is your mini project about? Give a description of your project, including
motivation, design and technical details.
Question B2: Implement your mini project. Please use screenshots, descriptions and answers to
questions to show your implementation.
Survey Questions
Questions in this section will not be graded, but will make your suggestions and voice heard by
your instructor.
GQ 1. What changes would you like to make to this lab?
GQ 2. How much time did you spend to finish this lab?
GQ 3. Did you learn anything new or gain a better understanding of the class lecture by finishing this
lab?
Well, you have completed another lab for this class. Hope you enjoyed doing this lab. Please let
your instructor know if you have any comments.
Answer Sheet
============================ Required Questions =========================
Question 1: How would the use of sestatus -v command benefit your everyday administration
work on SELinux? Please explain your answer.
Question 2: How would the setenforce command be useful? Please explain your answer.
Question 3: What option would you use with the ls command if you want to display only
security context and file name?
Question 4: Would you use the command cp or mv to achieve the goal specified in Scenario 1?
Please explain your solution.
Question 5: Why would you want to use the chcon command to make type changes? Why
would you want to use the semanage/restorecon commands to make type changes? Please try
to explain the real world situations where chcon and semanage/restorecon can fit in.
Question 6: Were you able to get the index.html file? Why or Why not?
Question 7: Were you able to get the index2.html file? Why or Why not?
Question 8: What happened when you tried to run the su command as user tom? Take a
screenshot of the results and attach it here. Explain the result.
Question 9: What did you see when you tried the commands su and sudo root as user current
(which is a SELinux staff_u user)? Explain the results. Please pay attention to the reasons why
user current cannot run the command.
Question 10: Why would you confine Linux users in practice? Explain your answer.
========================== Bonus Part (4%) =============================
Question B1: What is your mini project about? Give a description of your project, including
motivation, design and technical details.
Question B2: Implement your mini project. Please use screenshots, descriptions and answers to
questions to show your implementation.
=========================== Survey Questions ============================
GQ1. Would you like to make any changes to this lab?
GQ2. How long did it take you to complete this lab?
GQ3. Did you learn anything new or gain a better understanding of the class lecture by finishing this
lab?