ALL ABOUT SELINUX
SELinux stands for Security-Enhanced Linux
it is neither a firewall nor an antivirus
it is an implementation of mandatory access control (MAC) in the Linux kernel
it is a second check on top of the classic discretionary access control (DAC), i.e. the normal file permissions
DAC ex:
ls -l
d--------- ---> directory permissions (mode bits)
-rwxr--r-- ---> file permissions: owner rwx, group r, others r
under DAC the owner of an object decides who may use it and root bypasses the checks entirely; under SELinux even root is subject to the policy, so root may not have all permissions in some cases
the DAC permissions are checked first
only if DAC allows the access does the kernel go on to check what the SELinux policy says
SELinux can enforce rules on files and processes in a Linux system,
and on the actions they take, based on the loaded policy
SELinux treats files (and directories, sockets, ports, ...) as objects and
processes, whether started by a user or by the system, as subjects
most OSes rely on DAC alone for access management
SELinux adds fine-grained control that DAC cannot provide:
(with DAC the owner of a file can hand it to anyone, e.g. chmod a+rwx or chmod +x, and a compromised process inherits every permission of the user it runs as, which can lead to compromise of the whole system)
under SELinux only the administrators who load policy decide what is allowed; a regular user cannot relax the policy for his own files or processes
taking that ability away from regular users gives admins much greater control and lets them protect the system much better
it adds a context (label) to every process and file and enforces MAC inside the Linux kernel; it is enabled (enforcing, targeted policy) by default on CentOS/RHEL
it decides who can do what: which process may access which file and what it may do with it
ex: if the web server is compromised, the attacker only gets what the web server's domain is allowed to touch (its content, logs and ports) and not other users' files or other services such as an FTP server running on the same machine
to see the labels use
ls -lZ
[root@localhost ~]# ls -lZ
-rw-------. root neelima system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
++++DAC++++ (mode, owner, group)  ++++ SELinux context: user:role:type:level ++++
(the "." after the permission bits means the file carries an SELinux label)
this context is the information SELinux uses to make access control decisions
the kernel checks DAC first and SELinux second
if either one denies the access, it is rejected
there are Linux users and SELinux users
each Linux user is mapped to an SELinux user (see semanage login -l below); the SELinux user is what the policy knows about, so a Linux user gets the roles and domains of the SELinux user it is mapped to
on the targeted policy nearly all logins map to unconfined_u, so the real confinement is on services, not on interactive users
advantages:
every process and every file is labelled with a type
for a process the type is called its domain (e.g. httpd_t); for a file it is just the type (e.g. httpd_sys_content_t)
processes are separated from each other by running in their own domains, and the policy defines how a domain may interact with file types and with other domains
every denied action is logged (AVC messages in /var/log/audit/audit.log), so unauthorised attempts are visible even though they were blocked
how SELinux decides
SELinux is a security module (LSM) built into the kernel. it works from policy rules: the distribution ships a policy (targeted on CentOS/RHEL) and the admin can extend it. whenever an access is attempted (ex: a process tries to open a file) the operation is intercepted in the kernel and, depending on the rules for that source domain, target type and operation, it is either allowed or blocked. if it is blocked the denial is logged and you can read it yourself in the audit log.
checking the policy on every single access would be a lot of overhead, so decisions are cached in the access vector cache (AVC): repeated accesses are answered from the cache without re-evaluating the policy, which keeps performance up and the system overhead low. the same name is used for the denial messages ("AVC denied").
3 modes of SELinux
the persistent setting lives in /etc/selinux/config (SELINUX=enforcing|permissive|disabled)
vi /etc/selinux/config
enforcing - the policy is enforced: denied operations are blocked and logged
permissive - nothing is blocked; every operation the policy would have denied still happens but is logged. useful for troubleshooting and for working out what a new policy must allow
disabled - SELinux is not loaded at all and files created in this state get no label, so re-enabling needs a full relabel (touch /.autorelabel) at the next boot
a change in /etc/selinux/config takes effect at the next reboot; switching between enforcing and permissive at runtime needs no reboot, switching to or from disabled always does
for troubleshooting you can flip between permissive and enforcing live
setenforce - utility to change the mode at runtime. the change is not persistent across a reboot. it only switches between permissive and enforcing
setenforce 0 or setenforce permissive
setenforce 1 or setenforce enforcing
getenforce - shows the current mode (Enforcing / Permissive / Disabled); sestatus also shows the policy type and the setting from the config file
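A quick check for the gap between the two mode settings just described, added here as an example (it is not part of the original notes): compare the SELINUX= value in the config file with what getenforce reports. A host that is "enforcing" on disk but Permissive at runtime means someone ran setenforce 0 and never switched it back. The config text is constructed, and the function takes the file path and the runtime mode as arguments so it can be exercised without root or SELinux present.

```bash
#!/bin/sh
# Added example, not from the original notes: detect drift between the
# configured SELinux mode (/etc/selinux/config) and the running mode
# (what getenforce prints). The config below is constructed sample input.

SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'

# config_mode FILE: the SELINUX= value, ignoring comments, lowercased.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1 | tr 'A-Z' 'a-z'
}

# selinux_drift FILE RUNTIME_MODE: prints "ok: <mode>" (status 0) or a
# description of the drift (status 1). RUNTIME_MODE is what getenforce
# prints: Enforcing, Permissive or Disabled.
selinux_drift() {
    cfg=$(config_mode "$1")
    run=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ -z "$cfg" ]; then
        echo "no SELINUX= line in $1"; return 2
    fi
    if [ "$cfg" = "$run" ]; then
        echo "ok: $cfg"; return 0
    fi
    case "$cfg/$run" in
        enforcing/permissive) echo "drift: configured enforcing, running permissive (setenforce 0 left in place?)" ;;
        permissive/enforcing) echo "drift: configured permissive, running enforcing (setenforce 1 not persisted)" ;;
        */disabled|disabled/*) echo "drift: configured $cfg, running $run (changing this needs a reboot)" ;;
        *) echo "drift: configured $cfg, running $run" ;;
    esac
    return 1
}

# On a real host: run the check only when getenforce exists.
if command -v getenforce >/dev/null 2>&1; then
    selinux_drift /etc/selinux/config "$(getenforce)"
fi
```

The exit status is meant for cron or a configuration-management check: 0 when consistent, 1 on drift, 2 when the config file has no SELINUX= line at all.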
SELinux users:
semanage login -l
shows which Linux logins are mapped to which SELinux users. columns:
Login Name - the Linux login; __default__ is the fallback entry for every login that has no explicit mapping; system_u is used for system processes, not for logins
SELinux User - the SELinux identity the login is mapped to (unconfined_u, user_u, staff_u, sysadm_u, ...); this decides which roles, and therefore which domains, the login can enter
MLS/MCS Range - multi-level security / multi-category security range; s0-s0:c0.c1023 on the targeted policy means level s0 with access to all categories
Service - the login service this mapping applies to
* means any service
ex
+++++++++++++++++++++++++++++++++++++
[root@localhost ~]# semanage login -l
Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 *
root unconfined_u s0-s0:c0.c1023 *
system_u system_u s0-s0:c0.c1023 *
++++++++++++++++++++++++++++++++++++++++++++++++++++
ls -lZ
ex +++++++++++++++++++++++++++++
[root@localhost ~]# ls -lZ
user role type level
-rw-------. root neelima system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
-rw-------. root neelima unconfined_u:object_r:admin_home_t:s0 core.2466
drwxr-xr-x. root neelima unconfined_u:object_r:admin_home_t:s0 Desktop
drwxr-xr-x. root neelima unconfined_u:object_r:admin_home_t:s0 Documents
drwxr-xr-x. root neelima unconfined_u:object_r:admin_home_t:s0 Downloads
-rw-r--r--. root neelima unconfined_u:object_r:admin_home_t:s0 luks
-rw-r--r--. root neelima unconfined_u:object_r:admin_home_t:s0 lvm
drwxr-xr-x. root neelima unconfined_u:object_r:admin_home_t:s0 Music
drwxr-xr-x. root neelima unconfined_u:object_r:admin_home_t:s0 Pictures
drwxr-xr-x. root neelima unconfined_u:object_r:admin_home_t:s0 Public
drwxr-xr-x. root neelima unconfined_u:object_r:admin_home_t:s0 Templates
drwxr-xr-x. root neelima unconfined_u:object_r:admin_home_t:s0 Videos
++++++++++++++++++++++++++++++++++++++++++++
role based access control (RBAC)
SELinux users are authorized for a set of roles, and each role is authorized for a set of domains
roles sit between the SELinux user and the domain:
they determine which domains can be entered by the SELinux users that the Linux users are mapped to (interactive logins on the targeted policy are unconfined_u:unconfined_r, services run as system_u:system_r:<name>_t)
between domains access is decided by type enforcement, not by roles: the httpd_t domain cannot touch FTP data or act in another domain unless a policy rule explicitly allows it
moving from one domain into another (a domain transition) must itself be allowed by the policy
the type is the part of the context that type enforcement works on: the domain of a process, the type of a file
policy rules define how types may access each other, whether a domain accesses another domain or a file of another type; in every case the access is only allowed if a specific allow rule exists for it, everything else is denied
Ex:
[root@localhost ~]# ls -lZ /etc/passwd
-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/passwd
[root@localhost ~]# ls -lZ /etc/shadow
----------. root root system_u:object_r:shadow_t:s0 /etc/shadow
[root@localhost ~]# ls -lZ /usr/bin/passwd
-rwsr-xr-x. root root system_u:object_r:passwd_exec_t:s0 /usr/bin/passwd
/usr/bin/passwd is labelled passwd_exec_t. running it has to write /etc/shadow, which is labelled shadow_t, and the shell you start it from (unconfined_t or a confined user domain) is not allowed to touch shadow_t
so how is /usr/bin/passwd allowed to interact with shadow_t?
by default no domain may write shadow_t,
but the shipped policy contains rules for exactly this case so that the system keeps working:
executing a passwd_exec_t file makes the new process transition into the passwd_t domain (passwd_exec_t is the entry point of passwd_t), and processes running in the passwd_t domain are allowed to read and write files labelled shadow_t. the privilege is tied to the program and its domain, not to the user who runs it. the transition and allow rules can be listed with sesearch from the setools-console package
man selinux
man -k selinux will list the SELinux manual pages
yum install selinux-policy-devel
installs the policy development files and the per-domain manual pages (on newer releases the man pages come from selinux-policy-doc)
man passwd_selinux
"Security-Enhanced Linux policy for the passwd processes"
it documents that passwd_t is entered via passwd_exec_t and which other types it interacts with (shadow_t, security_t, ...), plus the managed files and booleans for that domain
ps -efZ | grep passwd_t
to check which processes are running in the passwd_t domain
semanage permissive -a passwd_t
makes a single domain permissive while the rest of the system stays enforcing: passwd_t may then do whatever it attempts, but every access the policy would have denied is still logged as an AVC message. list such domains with semanage permissive -l and remove the exception with semanage permissive -d passwd_t
useful for troubleshooting: you do not have to make the entire system permissive, only the one domain you are debugging
the manual page shows all the managed files and domains passwd_t can interact with
ex:
[root@localhost ~]# passwd neelima
Changing password for user neelima.
New password:
[root@localhost ~]# ps -eZ | grep "passwd_t"
unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 4440 pts/0 00:00:00 passwd
[root@localhost ~]# ls -lZ /usr/bin/passwd
-rwsr-xr-x. root root system_u:object_r:passwd_exec_t:s0 /usr/bin/passwd
[root@localhost ~]# ls -lZ /etc/shadow
----------. root root system_u:object_r:shadow_t:s0 /etc/shadow
/usr/bin/passwd is an executable labelled passwd_exec_t; that type is the entry point of the passwd_t domain, and passwd_t in turn is allowed to read and edit the shadow file labelled shadow_t. this is default policy and you can read it in man passwd_selinux (selinux-policy-devel must be installed). note the process context above, unconfined_u:unconfined_r:passwd_t: the user and role stay those of the caller, only the type changed at the transition
+++++++++++++SELINUX APACHE PART1+++++++++++++++++
cd /var/www/html
touch test_selinux
check whether httpd is running; if not, start the service (systemctl start httpd)
put SELinux in enforcing mode
setenforce 1
to check: getenforce
these two are prerequisites
yum install wget
[root@localhost html]# ls -Z
-rw-r--r--. root neelima unconfined_u:object_r:httpd_sys_content_t:s0 test_selinux
a new file under /var/www/html inherits httpd_sys_content_t from the directory, which is exactly the type httpd_t is allowed to read
(man httpd_selinux
ps -eZ | grep httpd_t)
download the file we just created
cd ~/Downloads
wget http://localhost/test_selinux
ex:
--------------------------------
[root@localhost html]# cd ~/Downloads
[root@localhost Downloads]# ls
[root@localhost Downloads]# wget http://localhost/test_selinux
--2018-11-22 18:43:52-- http://localhost/test_selinux
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/plain]
Saving to: ‘test_selinux’
[ <=> ] 0 --.-K/s in 0s
2018-11-22 18:43:52 (0.00 B/s) - ‘test_selinux’ saved [0/0]
[root@localhost Downloads]# ls
test_selinux
--------------------------------------------------------
chcon changes the security context of a file (its user, role, type or level); it does not rename or move anything
the change is lost the next time the file is relabelled (restorecon, or a full relabel after a reboot with /.autorelabel), so treat it as temporary
for permanent changes register a file-context rule with semanage fcontext and then apply it with restorecon
now change the type of test_selinux
ex:
----------------------------------------
cd /var/www/html
[root@localhost html]# ls -Z
-rw-r--r--. root neelima unconfined_u:object_r:httpd_sys_content_t:s0 test_selinux
[root@localhost html]# chcon -t samba_share_t /var/www/html/test_selinux
[root@localhost html]# ls -Z test_selinux
-rw-r--r--. root neelima unconfined_u:object_r:samba_share_t:s0 test_selinux
---------------------------------------------
now that the type has changed, download the file again as before
--------------------------------------
[root@localhost html]# cd ~/Downloads/
[root@localhost Downloads]# ls
[root@localhost Downloads]# wget http://localhost/test_selinux
--2018-11-22 18:57:54-- http://localhost/test_selinux
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2018-11-22 18:57:54 ERROR 403: Forbidden.
--------------------------------------------
problem!
the type changed and no policy rule allows httpd_t to read samba_share_t files, so Apache gets permission denied from the kernel and answers 403. the denial is recorded in the audit log
you can remove the file now if you wish
rm -f /var/www/html/test_selinux
tail /var/log/audit/audit.log
or
tail /var/log/audit/audit.log | grep AVC
ex---------------------------
[root@localhost ~]# tail /var/log/audit/audit.log | grep AVC
type=AVC msg=audit(1542900717.498:414): avc: denied { getattr } for pid=4811 comm="httpd" path="/var/www/html/test_selinux" dev="dm-0" ino=67346841 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=AVC msg=audit(1542900717.582:415): avc: denied { getattr } for pid=4811 comm="httpd" path="/var/www/html/test_selinux" dev="dm-0" ino=67346841 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
-------------------------------------------------------
tail /var/log/audit/audit.log | grep denied
tail -f /var/log/audit/audit.log | grep denied    for live monitoring
(ausearch -m AVC -ts recent queries the same records properly, and sealert -a /var/log/audit/audit.log from setroubleshoot-server explains them and suggests fixes)
to relabel the type (same as before)
cd /var/www/html
chcon -t samba_share_t look_at_me
audit.log holds all audit events of the system, not only the SELinux ones
tail -f /var/log/audit/audit.log
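Reading the raw lines above by eye gets old quickly. The following is an added example (not part of the original notes) that parses the user:role:type:level context introduced earlier and the AVC records shown above: it prints a one-line summary per denial and derives the allow rule that audit2allow would suggest from it. The two audit lines are constructed; the first mirrors the captured one, the second adds a read/open denial of the same file.

```bash
#!/bin/sh
# Added example, not from the original notes. Summarises AVC denial records
# and derives the type-enforcement rule audit2allow would generate.
# SAMPLE_AVC is constructed sample input modelled on the captured log lines.

SAMPLE_AVC='type=AVC msg=audit(1542900717.498:414): avc:  denied  { getattr } for  pid=4811 comm="httpd" path="/var/www/html/test_selinux" dev="dm-0" ino=67346841 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=AVC msg=audit(1542900717.582:415): avc:  denied  { read open } for  pid=4811 comm="httpd" path="/var/www/html/test_selinux" dev="dm-0" ino=67346841 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file'

# avc_field LINE NAME: value of the NAME=... field in one AVC record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | awk -v k="$2" '{
        for (i = 1; i <= NF; i++)
            if (index($i, k "=") == 1) { v = substr($i, length(k) + 2); gsub(/"/, "", v); print v; exit }
    }'
}

# avc_perms LINE: the permissions listed between { and }.
avc_perms() { printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'; }

# ctx_type CONTEXT: third field of user:role:type:level, i.e. the domain or file type.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_summarize: AVC records on stdin -> "comm: source_domain -> target_type (class) { perms }".
# Records carrying permissive=1 were logged but not enforced (permissive mode or domain).
avc_summarize() {
    while IFS= read -r line; do
        case $line in *avc:*denied*) ;; *) continue ;; esac
        tag=""
        [ "$(avc_field "$line" permissive)" = "1" ] && tag=" [not enforced]"
        printf '%s: %s -> %s (%s) { %s }%s\n' \
            "$(avc_field "$line" comm)" \
            "$(ctx_type "$(avc_field "$line" scontext)")" \
            "$(ctx_type "$(avc_field "$line" tcontext)")" \
            "$(avc_field "$line" tclass)" \
            "$(avc_perms "$line")" "$tag"
    done
}

# avc_allow_rule LINE: the rule audit2allow would generate for one denial.
# Generating it is the easy part. Here the right fix is to relabel the file
# (restorecon), not to let httpd_t read samba_share_t across the whole system.
avc_allow_rule() {
    printf 'allow %s %s:%s { %s };\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perms "$1")"
}

printf '%s\n' "$SAMPLE_AVC" | avc_summarize
```

On a real host pipe the log in instead: grep AVC /var/log/audit/audit.log | avc_summarize. Treat the generated allow rule as a question, not an answer: if the target type is wrong for the file (samba_share_t under the web root), fix the label; only write policy when the access is genuinely intended.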
we know that every confined process runs in its own domain
what about processes that are not confined? (unconfined_t for user sessions, unconfined_service_t for services that systemd starts without a transition rule into a domain of their own)
for those domains the policy allows nearly everything, so if such a process is compromised SELinux adds no protection and effectively only DAC is checked by the kernel. ps -eZ shows them: look for unconfined_service_t
+++++++++++++++++++++++++++++++++++++
apache accessing data that belongs to another domain
+++++++++++++++++++++++++++++++++++++++
ex
[root@localhost html]# touch look_at_me
[root@localhost html]# ls
look_at_me
[root@localhost html]# ls -lZ
-rw-r--r--. root neelima unconfined_u:object_r:httpd_sys_content_t:s0 look_at_me
[root@localhost html]# chcon -t samba_share_t look_at_me
[root@localhost html]# ls -lZ
-rw-r--r--. root neelima unconfined_u:object_r:samba_share_t:s0 look_at_me
(restorecon puts the default type from the file-context rules back)
what we do next, in SELinux terms, gives Apache a very broad authority across the system:
it will be able to execute any executable on the system and read anything DAC permits
check whether httpd is running; if not, make sure it runs
many confined domains are allowed to execute bin_t files, and most executables on the system are labelled bin_t. systemd (init_t) starts a bin_t executable in unconfined_service_t, the catch-all domain for services without their own policy, instead of in the domain the service normally gets
don't do this in a production environment
----------------------------------
ex
[root@localhost www]# chcon -t bin_t /usr/sbin/httpd
[root@localhost www]# ls -Z /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/sbin/httpd
[root@localhost www]# restorecon /usr/sbin/httpd
[root@localhost www]# ls -Z /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
-----------------------------------------------------
ex:
create a file in /var/www/html
ex: touch look_at_me
by default it gets the httpd_sys_content_t type
cd ~/Downloads
download the file: wget http://localhost/look_at_me
now change it to samba_share_t
with the command
chcon -t samba_share_t /var/www/html/look_at_me
make sure SELinux is enforcing and the httpd process is running
try to download the file again: it now gives 403 Forbidden
so how could the file be reached anyway?
relabel /usr/sbin/httpd to bin_t and restart httpd: the httpd processes then run in the unconfined_service_t domain instead of httpd_t, and nothing in the policy stops that domain from reading samba_share_t
(by default /usr/sbin/httpd is labelled httpd_exec_t and the httpd processes run in the httpd_t domain)
chcon -t bin_t /usr/sbin/httpd
systemctl restart httpd
now try to download it
it works
to restore the default
restorecon /usr/sbin/httpd
----------------------------------------------
before changes
[root@localhost html]# ls -Z /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
[root@localhost html]# ls -Z /var/www/html/look_at_me
-rw-r--r--. root neelima unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/look_at_me
[root@localhost Downloads]# ps -efZ | grep httpd
system_u:system_r:httpd_t:s0 root 7973 1 0 14:19 ? 00:00:01 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 7974 7973 0 14:19 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 7975 7973 0 14:19 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 7979 7973 0 14:19 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 7980 7973 0 14:19 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 7981 7973 0 14:19 ? 00:00:00
changes:
chcon -t samba_share_t /var/www/html/look_at_me
[root@localhost html]# ls -Z
-rw-r--r--. root neelima unconfined_u:object_r:samba_share_t:s0 look_at_me
[root@localhost Downloads]# wget http://localhost/look_at_me
--2018-11-23 14:20:41-- http://localhost/look_at_me
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2018-11-23 14:20:41 ERROR 403: Forbidden.
[root@localhost html]# chcon -t bin_t /usr/sbin/httpd
[root@localhost html]# ls -Z /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/sbin/httpd
[root@localhost html]# systemctl restart httpd
[root@localhost Downloads]# ps -efZ | grep httpd
system_u:system_r:unconfined_service_t:s0 root 8166 1 5 14:23 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:unconfined_service_t:s0 apache 8167 8166 0 14:23 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:unconfined_service_t:s0 apache 8168 8166 0 14:23 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:unconfined_service_t:s0 apache 8169 8166 0 14:23 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:unconfined_service_t:s0 apache 8171 8166 0 14:23 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:unconfined_service_t:s0 apache 8172 8166 0 14:23 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 8199 7760 0 14:23 pts/1 00:00:00 grep --color=auto httpd
[root@localhost Downloads]# wget http://localhost/look_at_me
--2018-11-23 14:23:27-- http://localhost/look_at_me
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/plain]
Saving to: ‘look_at_me’
[ <=> ] 0 --.-K/s in 0s
2018-11-23 14:23:27 (0.00 B/s) - ‘look_at_me’ saved [0/0]
now we have successfully downloaded the file
restore the defaults (the binary and the content file)
[root@localhost html]# restorecon /usr/sbin/httpd
[root@localhost html]# ls -Z /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
[root@localhost html]# restorecon /var/www/html/look_at_me
[root@localhost html]# ls -Z /var/www/html/look_at_me
-rw-r--r--. root neelima unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/look_at_me
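The experiment above fixes a wrong label with restorecon, which only works because /var/www/html already has a file-context rule. For content that lives somewhere else the label has to be made persistent the way the notes hint at (semanage rather than chcon). The following is an added example, not from the original notes; it assumes a hypothetical custom document root /srv/www that Apache must serve, and shows the pattern semanage fcontext expects, how that pattern matches paths (the same anchored regex matching restorecon and setfiles use), and the two commands that make the label survive a relabel.

```bash
#!/bin/sh
# Added example, not from the original notes: persistent labelling for a
# custom web root. /srv/www is an assumed, hypothetical directory.

# fcontext_pattern DIR: the regex semanage fcontext expects for "DIR and
# everything below it". Regex metacharacters in DIR (a dot in a hostname,
# for instance) would need escaping; plain paths are fine as-is.
fcontext_pattern() {
    printf '%s(/.*)?\n' "${1%/}"
}

# fcontext_matches PATTERN PATH: true if PATH is matched by PATTERN.
# file_contexts regexes are anchored at both ends, hence grep -x.
fcontext_matches() {
    printf '%s\n' "$2" | grep -Eqx "$1"
}

# persist_web_label_cmds DIR [TYPE]: the two commands that make the label
# permanent: record the rule in the local file-context database, then relabel
# the tree from the rules. Printed rather than run so they can be reviewed.
persist_web_label_cmds() {
    dir=${1%/}; type=${2:-httpd_sys_content_t}
    printf "semanage fcontext -a -t %s '%s'\n" "$type" "$(fcontext_pattern "$dir")"
    printf 'restorecon -Rv %s\n' "$dir"
}

# persist_web_label DIR [TYPE]: apply it for real (needs root and semanage
# from policycoreutils-python / policycoreutils-python-utils).
persist_web_label() {
    command -v semanage >/dev/null 2>&1 || { echo "semanage not installed" >&2; return 1; }
    persist_web_label_cmds "$@" | sh -e
}

persist_web_label_cmds /srv/www
```

After applying it, matchpathcon /srv/www/index.html should report httpd_sys_content_t, and a later restorecon will keep that label instead of removing it, which is the difference from chcon. Use httpd_sys_rw_content_t for the parts of the tree Apache must write to, never for the whole root.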
++++++++++++++++++++++++++++++++++++++++++++++++
SELINUX BOOLEANS
++++++++++++++++++++++++++++++++++
booleans are switches in the policy that let you change SELinux behaviour at runtime without writing or compiling any policy; each one turns a set of pre-written allow rules on or off (for example "may httpd connect to the network?")
those are the two key features of SELinux booleans: runtime changes, and no policy expertise needed
to check
semanage boolean -l
[root@localhost ~]# semanage boolean -l
SELinux boolean State Default Description
mount_anyfile (on , on) Allow the mount commands to mount any directory or file.
cron_userdomain_transition (on , on) Determine whether crond can execute jobs in the user domain as opposed to the the generic cronjob domain.
tftp_home_dir (off , off) Allow tftp to read and write files in the user home directories
there are many more
another way to check
getsebool -a
this is less friendly: it only shows whether each boolean is on or off
semanage boolean -l also shows the current state, the default value and a description
[root@localhost ~]# getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
antivirus_can_scan_system --> off
antivirus_use_jit --> off
to get one particular boolean's value
getsebool <boolean_name>
[root@localhost ~]# getsebool ssh_sysadm_login
ssh_sysadm_login --> off
to set booleans use the setsebool utility
ex: allow httpd (its scripts and modules) to connect to a database over the network
[root@localhost ~]# getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> off
[root@localhost ~]# semanage boolean -l | grep httpd_can_network_connect_db
httpd_can_network_connect_db (off , off) Allow HTTPD scripts and modules to connect to databases over the network.
[root@localhost ~]# setsebool httpd_can_network_connect_db on
[root@localhost ~]# getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> on
[root@localhost ~]# semanage boolean -l | grep httpd_can_network_connect_db
httpd_can_network_connect_db (on , off) Allow HTTPD scripts and modules to connect to databases over the network.
(after the change the listing shows "(on , off)": current state on, default off)
a setsebool change without -P is not persistent: it is lost at reboot and whenever the policy is reloaded
for a permanent change pass the -P argument
setsebool -P <boolean> on
-P writes the value into the policy store and rebuilds the policy, which takes a few seconds; several booleans can be set in one -P call as name=value pairs
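Booleans are the usual place where a web server quietly gets more than it needs, so it pays to compare them against a baseline instead of reading getsebool -a by hand. The following is an added example, not from the original notes: it checks a constructed getsebool -a dump against a constructed desired-state list and prints the setsebool -P commands needed to reach it. The baseline deliberately turns the broad httpd_can_network_connect off and only the narrow httpd_can_network_connect_db on, so a compromised CGI script does not get a free proxy to the rest of the network.

```bash
#!/bin/sh
# Added example, not from the original notes: audit httpd-related booleans
# against a desired baseline. SAMPLE_GETSEBOOL and BASELINE are constructed;
# on a real host run:  getsebool -a | sebool_diff

SAMPLE_GETSEBOOL='abrt_anon_write --> off
httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_enable_homedirs --> off
ssh_sysadm_login --> off'

# Desired state, one name=value per line.
BASELINE='httpd_can_network_connect=off
httpd_can_network_connect_db=on
httpd_enable_homedirs=off'

# sebool_value NAME: current value of NAME from a getsebool dump on stdin
# ("" when the policy has no such boolean).
sebool_value() {
    awk -v n="$1" '$1 == n && $2 == "-->" { print $3; exit }'
}

# sebool_diff: getsebool dump on stdin. Prints one "setsebool -P name value"
# per baseline entry whose current value differs, a comment line for names
# the policy does not know, and nothing at all when the host is compliant.
sebool_diff() {
    dump=$(cat)
    printf '%s\n' "$BASELINE" | while IFS='=' read -r name want; do
        [ -n "$name" ] || continue
        have=$(printf '%s\n' "$dump" | sebool_value "$name")
        if [ -z "$have" ]; then
            printf '# unknown boolean: %s\n' "$name"
        elif [ "$have" != "$want" ]; then
            printf 'setsebool -P %s %s\n' "$name" "$want"
        fi
    done
}

printf '%s\n' "$SAMPLE_GETSEBOOL" | sebool_diff
```

Review the output before piping it to sh; because -P rebuilds the policy each time, on a host with many deviations it is faster to collect the pairs into a single setsebool -P name=value name=value ... call.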
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
SELINUX AND SSH
++++++++++++++++++++++++++++
[root@localhost ~]# systemctl status sshd
change the ssh port
[root@localhost ~]# vim /etc/ssh/sshd_config
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
Port 2833
so we have to tell SELinux that 2833 is now an ssh port, otherwise sshd is denied name_bind on it and fails to start
[root@localhost ~]# semanage port -a -t ssh_port_t -p tcp 2833
(if the port already carries another label, -a fails with "already defined"; use semanage port -m to modify it instead)
then open the port in the firewall and restart sshd. keep the current session open until a login on the new port has been verified
[root@localhost ~]# firewall-cmd --permanent --add-port=2833/tcp
[root@localhost ~]# firewall-cmd --reload
(with plain iptables instead of firewalld: iptables -I INPUT 1 -p tcp --dport 2833 -j ACCEPT)
systemctl restart sshd
this allows incoming ssh connections on the new port
to see the port labels
semanage port -l | grep ssh_port_t
semanage port --help
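The steps above are easy to get out of order (restart sshd before the port label or the firewall rule and you lock yourself out). The following is an added example, not from the original notes, that puts them in one script: the config edit and the port check are plain functions that work on any file, so they can be tried on a copy of sshd_config, while apply_ssh_port does the privileged part and is only meant to run as root on the real host. 2833 is the port the notes chose; nothing else is taken from a real system.

```bash
#!/bin/sh
# Added example, not from the original notes: move sshd to a new port with
# the SELinux port label and firewall opened before the restart.

# valid_port N: digits only, 1..65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# sshd_port FILE: the effective port (first uncommented Port line, default 22).
sshd_port() {
    p=$(sed -n -E 's/^[[:space:]]*Port[[:space:]]+([0-9]+).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${p:-22}"
}

# set_sshd_port FILE PORT: keep FILE.bak, drop every active Port line and put
# a single "Port PORT" at the top. Appending at the end is not safe because a
# Port directive after a Match block is a config error. Returns 1 on a bad port.
set_sshd_port() {
    file=$1; port=$2
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    cp -p "$file" "$file.bak"
    { printf 'Port %s\n' "$port"
      grep -Ev '^[[:space:]]*Port[[:space:]]+[0-9]+' "$file" || :; } > "$file.tmp" &&
    mv "$file.tmp" "$file"
}

# apply_ssh_port PORT: edit the real config, label the port for SELinux, open
# the firewall, syntax-check, then restart. Needs root; keep your current
# session open until a login on the new port has been verified.
apply_ssh_port() {
    port=$1
    set_sshd_port /etc/ssh/sshd_config "$port" || return 1
    # -a fails if the port already carries a label; -m changes the existing one
    semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null ||
        semanage port -m -t ssh_port_t -p tcp "$port" || return 1
    firewall-cmd --permanent --add-port="$port"/tcp && firewall-cmd --reload || return 1
    sshd -t || { echo "sshd_config invalid, restoring backup" >&2
                 cp -p /etc/ssh/sshd_config.bak /etc/ssh/sshd_config; return 1; }
    systemctl restart sshd
    semanage port -l | grep ssh_port_t
}
```

After apply_ssh_port, ss -tlnp should show sshd on the new port and semanage port -l | grep ssh_port_t should list it next to 22; if sshd fails to start, ausearch -m AVC -ts recent will show a name_bind denial when the port label step was skipped.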
it is neither a fw nor antivirus
it is implementation of manadatory access control mechanism in the linux kernal
this is 2 nd ry check of access controls in addition to the DIC(discreasnory access control)
DIC ex:
ls -l
d--------- --->file permissions
-rwxr--r-- --->
(authorised users can do) --root use may not have all the permissions in some cases
these DIC permissions are checked 1 st
later anything selinux dictates are checked(selinux polices are applied)
selinux can enforce rules on files and process's in linux sys.
and it can also enforce rules on their actions based on certain defined polices
selinux wil treat all files in linux as object's and
process's wheter user or system generated as subjiects
most os's are lay on DIC for access management
selinux in linux os provide fine grain contorl(with DIC it is not possible)
(bcz individual users can chage permission if they own menas by changing permissions using chmod +x) which leads to comprimise of the system
no one can chage permis except specific set of users which are authorised
selinux it takes away ability of reguler user to chage permissions on particular file or process's etc results in greater contorl to admins therfore enabling them to protect the system much better.
it adds context or mac(manadatory access contorl to linix kernal and it is enabled by default in centos) it helps or enforcing security policy over all the process's and files in the system
it makes decisions on who can do what and which process access which file and do what.
ex: if someone hacked webserver(comprimised) then he can only hack files or what he can do from web server etc related to web server but not other user files and servers(ftp etc managed on same server)
to see it by using
ls -lZ
[root@localhost ~]# ls -lZ
-rw-------. root neelima system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
++++DIC+++ user role type role
++++++++++++selinux++++++++++++++++++++++++++++++
this information (which) is used to make acces control decisions
system 1 st checks DIC and later selinux
if something is not allowed in any of this then it is rejected
there are linux and selinux users
linux users are mapped to selinux users and selinux users are part of selinux polices and these are enforced or tranferred in such a way
linux users are inherted thuse selinux polices when they are mapped to selinux users
advantages:
all process's and files labeled with a type
type can be defined as a domin in context of proces's and domin in context of files
these process's are separated from each other by running in their own domin's and selinux policy wil define how process can interact files as well as how one process can interact onther
it creates log files if someone did some unauthorized actions which are not allowed by selinux polices
enable selinux - it has 3 modes
selinux - it has a security module built in its kernal and using policy defined rules that will created by admin of the sys. as soon as some sort of access is made (ex:proceess attempts to open up a file) that particular operation is intercepted in the kernal by selinux and then depending on the rules defined for that particulat operation it either allowed or blocked, however if it is blocked errors will be logged and in the log files u wil be able to read it ur self
the way selinux is making decessions inorder to expediate processs in orde to create lot of overhead to have fast functioning a sys(bcz it has to check the polices and decide wheter allowed it or not) - those things are cached is known as acess vector cache(AVC)
bcz of this it checks less so faster performanance and sys overhead decr
3 modes of selinux
vi /etc/selinux/config
enforcing - security policy being enforced
permissive - regardless of something is allowed or not allowed it is still possible to happen and it is not enforced at all. but it creates log files
disable - selinux is nonfunctional
if u change selinux mode then u hv to reboot the sys
for troubleshooting u can change the mode b/w permissive to enforcing and vice versa
setenforce - utility to change selinux mode. these are not persistent through reboot. using this u can change the mode b/w permissive to enforcing and vice versa
setenforce 0 or setenforce permissive
setenforce 1 or setenforce enforcing
getenforce - to verify status of selinux
selinuxusers:
semanage login -l
u can see selinux users
Login Name
_default_
root
system_u
SELinux User
it lists which linux users are mapped to which selinx users
MLS/MCS Range
multi level security/multi catigory security
this service , which correct the selinux context in which the linux user is supposed to login in to the sys
Service
* means any - do whatever you want
ex
+++++++++++++++++++++++++++++++++++++
[root@localhost ~]# semanage login -l
Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 *
root unconfined_u s0-s0:c0.c1023 *
system_u system_u s0-s0:c0.c1023 *
++++++++++++++++++++++++++++++++++++++++++++++++++++
ls -lZ
ex +++++++++++++++++++++++++++++
[root@localhost ~]# ls -lZ
user role type level
-rw-------. root neelima system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
-rw-------. root neelima unconfined_u:object_r:admin_home_t:s0 core.2466
drwxr-xr-x. root neelima unconfined_u:object_r:admin_home_t:s0 Desktop
drwxr-xr-x. root neelima unconfined_u:object_r:admin_home_t:s0 Documents
drwxr-xr-x. root neelima unconfined_u:object_r:admin_home_t:s0 Downloads
-rw-r--r--. root neelima unconfined_u:object_r:admin_home_t:s0 luks
-rw-r--r--. root neelima unconfined_u:object_r:admin_home_t:s0 lvm
drwxr-xr-x. root neelima unconfined_u:object_r:admin_home_t:s0 Music
drwxr-xr-x. root neelima unconfined_u:object_r:admin_home_t:s0 Pictures
drwxr-xr-x. root neelima unconfined_u:object_r:admin_home_t:s0 Public
drwxr-xr-x. root neelima unconfined_u:object_r:admin_home_t:s0 Templates
drwxr-xr-x. root neelima unconfined_u:object_r:admin_home_t:s0 Videos
++++++++++++++++++++++++++++++++++++++++++++
role based access control(rbac) - security module
selinux users are assigned to certain roles means selinux users are authorized for certain roles and roles themselves authorized for domains
roles serve some sort of intermediate b/w domain and selinux users.
which determine which domains can be entered by selinux users which are maped to linux users
apache domain can not do anything in ftp or other domains unless it has certain defined roles
so domain transisations should be allowed by selinux polices.
type defines domain for process and domain for a file
selinux policy rules define how types can access each other wheter domain access another domain or (a file in other domain), in any case access is only allowed specific selinux rule exist and that allowes it.
Ex:
[root@localhost ~]# ls -lZ /etc/passwd
-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/passwd
[root@localhost ~]# ls -lZ /etc/shadow
----------. root root system_u:object_r:shadow_t:s0 /etc/shadow
[root@localhost ~]# ls -lZ /usr/bin/passwd
-rwsr-xr-x. root root system_u:object_r:passwd_exec_t:s0 /usr/bin/passwd
passwd_exec_t is the type by which cmd is labelled. this needs to access shadow file which is of type shadow_t or (/etc/shadow is labelled with shadow_t).
how is this is (/usr/bin/passwd) is allowed to interact with shadow_t
however these transactions not allowed in selinux
but it has developed a set of polices make selinux fn'l to make system functional
process running in passwd_t domain are allowed to read and write files labelled with shadow_t
man selinux
man -k selinux will list selinux manual pages
yum install selinux-policy-devel
selinux policy development and man page package
man passwd_selinux
security enhanced linux policy for the passwd processes
paawd_t is labelled with or can be entered via passwd_exec_t and it interact with other domains like shadow_t,security_t or files in that domain
ps -efZ | grep passwd_t
to check the process's running on passwd_t domain
semanage permissive -a passwd_t
can put permissive mode for specific process. it allowes to do whatever it can but generate AVC(selinux denials) msgs.
useful for troubleshoot (u may not make entire sys permissive rather that u can apply permissive mode on certain process)
in this manual page it shows all managed files and domian passwd_t can interact with
ex:
[root@localhost ~]# passwd neelima
Changing password for user neelima.
New password:
[root@localhost ~]# ps -eZ | grep "passwd_t"
unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 4440 pts/0 00:00:00 passwd
[root@localhost ~]# ls -lZ /usr/bin/passwd
-rwsr-xr-x. root root system_u:object_r:passwd_exec_t:s0 /usr/bin/passwd
[root@localhost ~]# ls -lZ /etc/shadow
----------. root root system_u:object_r:shadow_t:s0 /etc/shadow
/usr/bin/passwd is executable (prgrm) which is labelled with passwd_exec_t which has an entry point passwd_t(process) which inturn interact with shadow_t or edit shadow file labelled shadow_t(policy by default and u can see it in man passwd_selinux for this to check u ned to install selinux-policy-devel)
+++++++++++++SELINUX APACHE PART1+++++++++++++++++
cd /var/www/html
touch test_selinux
check httpd running or not , if not start the service
put selinux mode to enforcing
setenforce 1
to check -- getenforce
these 2 are prerequisites
yum install wget
[root@localhost html]# ls -Z
-rw-r--r--. root neelima unconfined_u:object_r:Httpd_Sys_Content_T:s0 test_selinux
(man httpd_selinux
ps -eZ | grep httpd_t)
download the file which we have created
cd ~/Downloads
wget http://loaclhost/test_selinux
ex:
--------------------------------
[root@localhost html]# cd ~/Downloads
[root@localhost Downloads]# ls
[root@localhost Downloads]# http://localhost/test_selinux
bash: http://localhost/test_selinux: No such file or directory
[root@localhost Downloads]# wget http://localhost/test_selinux
--2018-11-22 18:43:52-- http://localhost/test_selinux
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/plain]
Saving to: ‘test_selinux’
[ <=> ] 0 --.-K/s in 0s
2018-11-22 18:43:52 (0.00 B/s) - ‘test_selinux’ saved [0/0]
[root@localhost Downloads]# ls
test_selinux
--------------------------------------------------------
chcon used to relabed the file(means change domain or type and rename file)
which are not persisten under reboot(means temporary)
for perminant changes u can use semange
now change the type or label or domain for test_selinux
ex:
----------------------------------------
cd /var/www/html
[root@localhost html]# ls -Z
-rw-r--r--. root neelima unconfined_u:object_r:httpd_sys_content_T:s0 test_selinux
[root@localhost html]# chcon -t samba_share_t /var/www/html/test_selinux
[root@localhost html]# ls -Z test_selinux
-rw-r--r--. root neelima unconfined_u:object_r:samba_share_t:s0 test_selinux
---------------------------------------------
now that its type has changed, download the file as done previously
--------------------------------------
[root@localhost html]# cd ~/Downloads/
[root@localhost Downloads]# ls
[root@localhost Downloads]# wget http://localhost/test_selinux
--2018-11-22 18:57:54-- http://localhost/test_selinux
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2018-11-22 18:57:54 ERROR 403: Forbidden.
--------------------------------------------
problem !!!!
because the type (domain) of the file changed, and no policy rule allows httpd (httpd_t) to read a samba_share_t file, so it cannot be served publicly. you can check this in the generated log files
now you can remove the file if you wish
rm -rf /var/www/html/test_selinux
tail /var/log/audit/audit.log
or
tail /var/log/audit/audit.log | grep AVC
ex---------------------------
[root@localhost ~]# tail /var/log/audit/audit.log | grep AVC
type=AVC msg=audit(1542900717.498:414): avc: denied { getattr } for pid=4811 comm="httpd" path="/var/www/html/test_selinux" dev="dm-0" ino=67346841 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=AVC msg=audit(1542900717.582:415): avc: denied { getattr } for pid=4811 comm="httpd" path="/var/www/html/test_selinux" dev="dm-0" ino=67346841 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
-------------------------------------------------------
tail /var/log/audit/audit.log | grep denied
tail -f /var/log/audit/audit.log | grep denied -- for live monitoring
for relabelling the type
cd /var/www/html
chcon -t samba_share_t look_at_me
you can see (audit) all the events of the system in this file
tail -f /var/log/audit/audit.log
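To turn the raw AVC lines into something you can act on, here is an added example (my own shell script, not part of these notes) that reads audit.log records on stdin and prints one line per distinct denial: count, source type, target type, object class and permission. The sample records are constructed for this example: two getattr denials like the ones above, an unrelated SYSCALL record that must be ignored, and a made-up name_connect denial on a tcp_socket.

```shell
#!/bin/sh
# Added example: summarise AVC denials from audit.log (not part of the notes above).
# Constructed sample records (not a real capture): two getattr denials from the
# samba_share_t experiment, one unrelated SYSCALL record, and one constructed
# name_connect denial on a tcp_socket.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1542900717.498:414): avc:  denied  { getattr } for  pid=4811 comm="httpd" path="/var/www/html/test_selinux" dev="dm-0" ino=67346841 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1542900717.498:414): arch=c000003e syscall=4 success=no exit=-13 pid=4811 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1542900717.582:415): avc:  denied  { getattr } for  pid=4811 comm="httpd" path="/var/www/html/test_selinux" dev="dm-0" ino=67346841 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=AVC msg=audit(1542900900.100:417): avc:  denied  { name_connect } for  pid=4811 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# Read audit records on stdin; print "<count> <source type> <target type> <class> <permission>"
# for every distinct denial. Only the type part of each context is kept, because
# that is what a policy rule or a relabel is written in terms of.
summarize_avc() {
    grep 'type=AVC' | grep ' denied ' | awk '
    {
        perm = ""; sctx = ""; tctx = ""; tclass = ""
        # the permission list sits between "{" and "}"
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") sctx = kv[2]
            else if (kv[1] == "tcontext") tctx = kv[2]
            else if (kv[1] == "tclass") tclass = kv[2]
        }
        split(sctx, s, ":"); split(tctx, t, ":")
        count[s[3] " " t[3] " " tclass " " perm]++
    }
    END { for (k in count) print count[k], k }' | sort -k2
}

# Number of distinct denials in the input (one summary line each).
distinct_denials() {
    summarize_avc | grep -c .
}

printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_avc
```

On a real host feed it the live log (`summarize_avc < /var/log/audit/audit.log`) or `ausearch -m AVC --raw | summarize_avc`; a denial whose target type is a file type you relabelled yourself (samba_share_t here) is fixed by restorecon, while one on a port or socket type is usually a boolean question, and audit2why tells you which.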
we know that every process is confined to a domain
what if a process is not confined to a domain (unconfined_t)?
for those processes (unconfined_t, unconfined_service_t) selinux can do nothing (if the process is compromised); only DAC is checked by the kernel when someone accesses it
+++++++++++++++++++++++++++++++++++++
apache accessing data that belongs to some other process in another domain
+++++++++++++++++++++++++++++++++++++++
ex
[root@localhost html]# touch look_at_me
[root@localhost html]# ls
look_at_me
[root@localhost html]# ls -lZ
-rw-r--r--. root neelima unconfined_u:object_r:httpd_sys_content_t:s0 look_at_me
[root@localhost html]# chcon -t samba_share_t look_at_me
[root@localhost html]# ls -lZ
-rw-r--r--. root neelima unconfined_u:object_r:samba_share_t:s0 look_at_me
(you can restore its default type) with restorecon
in selinux terms, give apache a very broad authority across the system,
so that it is able to run executables on the system (whatever the system itself can run).
check whether httpd is running; if not, make sure it runs
lots of confined domains are allowed to execute bin_t files, and most executables on the system are labelled with the bin_t type.
don't do this in a production environment
----------------------------------
ex
[root@localhost www]# chcon -t bin_t /usr/sbin/httpd
[root@localhost www]# ls -Z /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/sbin/httpd
[root@localhost www]# restorecon /usr/sbin/httpd
[root@localhost www]# ls -Z /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
-----------------------------------------------------
ex:
create a file in /var/www/html
ex: touch look_at_me
by default it gets the httpd_sys_content_t type
cd ~/Downloads
download the file with wget http://localhost/look_at_me into Downloads
now change it to samba_share_t
by the cmd
chcon -t samba_share_t /var/www/html/look_at_me
make sure selinux is enabled (enforcing) and the httpd process is running
now try to download the file and it gives a forbidden error
then how to access the file?
to do so change the type of /usr/sbin/httpd to bin_t; after a restart the processes started from it are then labelled with the unconfined_service_t domain
(by default httpd is labelled httpd_exec_t and the processes related to httpd are labelled with the httpd_t domain)
chcon -t bin_t /usr/sbin/httpd
now try to download it
you can now
to restore the default
restorecon /usr/sbin/httpd
----------------------------------------------
before changes
[root@localhost html]# ls -Z /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
[root@localhost html]# ls -Z /var/www/html/look_at_me
-rw-r--r--. root neelima unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/look_at_me
[root@localhost Downloads]# ps -efZ | grep httpd
system_u:system_r:httpd_t:s0 root 7973 1 0 14:19 ? 00:00:01 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 7974 7973 0 14:19 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 7975 7973 0 14:19 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 7979 7973 0 14:19 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 7980 7973 0 14:19 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 7981 7973 0 14:19 ? 00:00:00
changes:
chcon -t samba_share_t /var/www/html/look_at_me
[root@localhost html]# ls -Z
-rw-r--r--. root neelima unconfined_u:object_r:samba_share_t:s0 look_at_me
[root@localhost Downloads]# wget http://localhost/look_at_me
--2018-11-23 14:20:41-- http://localhost/look_at_me
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2018-11-23 14:20:41 ERROR 403: Forbidden.
[root@localhost html]# chcon -t bin_t /usr/sbin/httpd
[root@localhost html]# ls -Z /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/sbin/httpd
[root@localhost html]# systemctl restart httpd
[root@localhost Downloads]# ps -efZ | grep httpd
system_u:system_r:unconfined_service_t:s0 root 8166 1 5 14:23 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:unconfined_service_t:s0 apache 8167 8166 0 14:23 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:unconfined_service_t:s0 apache 8168 8166 0 14:23 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:unconfined_service_t:s0 apache 8169 8166 0 14:23 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:unconfined_service_t:s0 apache 8171 8166 0 14:23 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:unconfined_service_t:s0 apache 8172 8166 0 14:23 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 8199 7760 0 14:23 pts/1 00:00:00 grep --color=auto httpd
[root@localhost Downloads]# wget http://localhost/look_at_me
--2018-11-23 14:23:27-- http://localhost/look_at_me
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/plain]
Saving to: ‘look_at_me’
[ <=> ] 0 --.-K/s in 0s
2018-11-23 14:23:27 (0.00 B/s) - ‘look_at_me’ saved [0/0]
now we successfully downloaded the file
restore it to the default
[root@localhost html]# restorecon /usr/sbin/httpd
[root@localhost html]# ls -Z /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
[root@localhost html]# restorecon /var/www/html/look_at_me
[root@localhost html]# ls -Z /var/www/html/look_at_me
-rw-r--r--. root neelima unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/look_at_me
++++++++++++++++++++++++++++++++++++++++++++++++
SELINUX BOOLEANS
++++++++++++++++++++++++++++++++++
they allow you to alter selinux policy at runtime, and you don't need extensive knowledge of selinux policy writing to do this; rather, a boolean is simple to flip
these are the 2 key features of selinux booleans
to check
semanage boolean -l
[root@localhost ~]# semanage boolean -l
SELinux boolean State Default Description
mount_anyfile (on , on) Allow the mount commands to mount any directory or file.
cron_userdomain_transition (on , on) Determine whether crond can execute jobs in the user domain as opposed to the the generic cronjob domain.
tftp_home_dir (off , off) Allow tftp to read and write files in the user home directories
many more will come (the list is long)
another way to check this
getsebool -a
this is not as user friendly; it just gives whether booleans are on or off,
but the semanage boolean -l cmd above gives boolean, state, default value and description
[root@localhost ~]# getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
antivirus_can_scan_system --> off
antivirus_use_jit --> off
to get a particular boolean value
getsebool <boolean_name>
[root@localhost ~]# getsebool ssh_sysadm_login
ssh_sysadm_login --> off
to set booleans the setsebool utility is there
ex: enable the httpd boolean that lets it establish a connection to a database
[root@localhost ~]# getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> off
[root@localhost ~]# semanage boolean -l | grep httpd_can_network_connect_db
httpd_can_network_connect_db (off , off) Allow HTTPD scripts and modules to connect to databases over the network.
[root@localhost ~]# setsebool httpd_can_network_connect_db on
[root@localhost ~]# getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> on
[root@localhost ~]# semanage boolean -l | grep httpd_can_network_connect_db
httpd_can_network_connect_db (on , off) Allow HTTPD scripts and modules to connect to databases over the network.
these are not persistent through reboots (temporary)
if we want it permanent
pass the -P argument
setsebool -P <boolean> on - for a permanent change
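Booleans drift: someone flips one without -P to get a service working and forgets it. Here is an added example (my own script, not from these notes) that compares `getsebool -a` output with a baseline you maintain and emits the `setsebool -P` commands needed to bring the host back in line. The baseline values and the getsebool output below are constructed for the example.

```shell
#!/bin/sh
# Added example: check the live boolean state against a baseline (not from the notes).
# Baseline: "name value" per line. Constructed for this example; keep your own in git.
BASELINE='httpd_can_network_connect_db on
httpd_enable_homedirs off
ftpd_full_access off
ssh_sysadm_login off'

# Constructed sample of `getsebool -a` output (not a real capture).
SAMPLE_GETSEBOOL='abrt_anon_write --> off
ftpd_full_access --> on
httpd_can_network_connect_db --> off
httpd_enable_homedirs --> off
ssh_sysadm_login --> off'

# Read `getsebool -a` output on stdin and compare it with the baseline in $1.
# Prints "name expected actual" per mismatch ("MISSING" when the boolean is
# not known to the loaded policy). Returns 0 only when everything matches.
check_booleans() {
    baseline="$1"
    current=$(awk '$2 == "-->" { print $1, $3 }')
    mismatches=$(printf '%s\n' "$baseline" | while read -r name expected; do
        [ -z "$name" ] && continue
        actual=$(printf '%s\n' "$current" | awk -v n="$name" '$1 == n { print $2 }')
        if [ -z "$actual" ]; then
            printf '%s %s MISSING\n' "$name" "$expected"
        elif [ "$actual" != "$expected" ]; then
            printf '%s %s %s\n' "$name" "$expected" "$actual"
        fi
    done)
    [ -z "$mismatches" ] && return 0
    printf '%s\n' "$mismatches"
    return 1
}

# Turn mismatch lines into the persistent setsebool commands an admin reviews, then runs.
remediation_commands() {
    awk '$3 != "MISSING" { printf "setsebool -P %s %s\n", $1, $2 }'
}

printf '%s\n' "$SAMPLE_GETSEBOOL" | check_booleans "$BASELINE" | remediation_commands
```

On a real host run `getsebool -a | check_booleans "$(cat /etc/selinux-baseline.txt)"` (path is an assumption; use whatever you like) from cron and alert on a non-zero exit; the commands are printed rather than executed so that a wrong baseline cannot silently loosen a host.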
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
SELINUX AND SSH
++++++++++++++++++++++++++++
[root@localhost ~]# systemctl status sshd
change the ssh port
[root@localhost ~]# vim /etc/ssh/sshd_config
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
Port 2833
so we have to notify selinux about this change
[root@localhost ~]# semanage port -a -t ssh_port_t -p tcp 2833
now restart ssh
systemctl restart sshd
[root@localhost ~]# firewall-cmd --permanent --add-port=2833/tcp
[root@localhost ~]# iptables -I INPUT 1 -p tcp --dport 2833 -j ACCEPT
allow incoming connections on the new ssh port in the firewall (a --permanent firewalld rule only takes effect after firewall-cmd --reload)
to see the port change (and the other port sub-command options)
semanage port --help
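Before restarting sshd on a remote box it is worth confirming that SELinux really has the new port under ssh_port_t, otherwise you lock yourself out. Here is an added example (my own script, not from these notes) that parses `semanage port -l` output, handling both port lists and ranges, plus an idempotent runbook function for the procedure above. The `semanage port -l` text below is constructed for this example.

```shell
#!/bin/sh
# Added example: verify that a port is mapped to an SELinux port type
# (my own script, not from the notes). Parses `semanage port -l` output.
# Constructed sample of `semanage port -l` output after the change above (not a real capture).
SAMPLE_SEMANAGE_PORT='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      2833, 22
unreserved_port_t              tcp      1024-32767, 61001-65535'

# port_labelled TYPE PROTO PORT -- reads `semanage port -l` output on stdin and
# returns 0 when PORT is listed (as a single number or inside a range) for TYPE/PROTO.
port_labelled() {
    awk -v t="$1" -v p="$2" -v port="$3" '
    BEGIN { found = 0; port = port + 0 }
    $1 == t && $2 == p {
        for (i = 3; i <= NF; i++) {
            f = $i; sub(/,$/, "", f)          # strip the list separator
            n = split(f, r, "-")              # "lo-hi" range or a single port
            lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
            if (port >= lo && port <= hi) found = 1
        }
    }
    END { if (found) exit 0; exit 1 }'
}

# Runbook for the procedure in the notes, made idempotent: register the port only
# if SELinux does not already know it, then open the firewall and restart sshd.
# Not run here; call it as root on the host after setting Port in sshd_config.
change_ssh_port() {
    port="$1"
    if ! semanage port -l | port_labelled ssh_port_t tcp "$port"; then
        semanage port -a -t ssh_port_t -p tcp "$port"
    fi
    firewall-cmd --permanent --add-port="$port"/tcp
    firewall-cmd --reload
    systemctl restart sshd
}

printf '%s\n' "$SAMPLE_SEMANAGE_PORT" | port_labelled ssh_port_t tcp 2833 && echo "2833 is ssh_port_t"
```

Usage on a live host: `semanage port -l | port_labelled ssh_port_t tcp 2833 && systemctl restart sshd`. One caveat for the runbook: `semanage port -a` refuses a port that is already assigned to another specific type (it reports the port as already defined), in which case `semanage port -m` changes the mapping instead; the check above reports such a port as not belonging to ssh_port_t, so the script will surface the error rather than restart sshd on a port SELinux will block.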