Dec 31

Experiment with SELinux

Target audience: technical people who already know or have done similar things, or who at least work comfortably with Linux.

If you find this impossible to understand on your own but still want to, get help from someone technical.

SELinux adds mandatory access control on top of the discretionary controls you already use: chmod, chown, POSIX ACLs (setfacl), setuid/setgid and the like. Those let the owner of a file decide who may access it; SELinux policy decides what a process in a given domain may do, regardless of ownership and regardless of whether the process runs as root.

A firewall controls incoming and outgoing network traffic, but it says nothing about what a process may do once it is running on the host. That is the gap SELinux fills.

SELinux limits how much harm a security breach can do. Every process runs in a domain and every file, port and socket carries a type; the policy lists exactly which domain may do what to which type, and everything else is denied. A malfunctioning or compromised application therefore cannot reach much beyond what its own domain is allowed, on the host or across the network, provided SELinux is enabled in enforcing mode and the policy and labels are in place.

Check whether SELinux is enabled, and in which mode:

sestatus

 

Check SELinux contexts (ll is the ls -l alias on RHEL; -Z adds the context column):

id -Z

ll -Z

ll -dZ

ll -Z /etc/hosts

ps -eZ

 

setools can show you the SELinux users (these are not the Linux accounts you create; they are identities defined in the policy, such as unconfined_u, staff_u, user_u and system_u, and every Linux login is mapped onto one of them)

Install setools with

yum install setools-console

Show the SELinux users defined in the loaded policy

seinfo -u

semanage shows how Linux logins are currently mapped to SELinux users (the __default__ entry applies to any login without an explicit mapping of its own)

semanage login -l

Currently I get no output from semanage login -l

 

Process contexts (the domain is the third field of the context, e.g. sshd_t)
ps -eZ

SELinux contexts for files (the type is the third field, e.g. passwd_file_t, shadow_t)
ll -Z /etc/passwd
ll -Z
ll -Z /etc/shadow

SELinux contexts for ports (a service domain may only bind to or connect to ports of the types its policy allows)
semanage port -l
output
afs3_callback_port_t tcp 7001
afs3_callback_port_t udp 7001
afs_bos_port_t udp 7007
afs_fs_port_t tcp 2040

 

Domain transitioning
A process moves from one domain into another when it executes a file whose type is an entry point for the target domain; it does not simply "work in" two domains at once. For passwd the policy has three pieces: /usr/bin/passwd is labelled passwd_exec_t; passwd_exec_t is the entry point for the passwd_t domain, so a user's shell domain transitions to passwd_t when it runs the binary; and passwd_t is allowed to read and modify files of type shadow_t, which a confined user's own domain is not. That is how an unprivileged user can change their password without ever being allowed to touch /etc/shadow directly.
useradd user1
useradd user2
su user1
semanage boolean -l

 

passwd

--------------------------------------------------------------

Some commands I executed under user1

We went to another terminal as user1; in our previous terminal, passwd was still running

ps -eZ | grep passwd

/usr/bin/passwd is labelled passwd_exec_t (a file type, not a domain). Run passwd in one terminal and leave it waiting at the password prompt; from another terminal, ps -eZ | grep passwd shows the passwd process running in the passwd_t domain, not in the domain of the shell that started it. That is the transition in action.
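As an added example (not code from the original post), here is a bash script that does the same check mechanically. It splits a context into its four fields (the level is everything after the third colon and may itself contain colons) and flags any passwd process that is not running in passwd_t. The ps -eZ output embedded below is constructed so the script runs offline; on a real host you would feed it live `ps -eZ` output instead. The `show_policy_rules` function, which only runs when an SELinux policy is loaded and setools is installed, uses sesearch to print the two policy rules behind the transition.

```bash
#!/bin/bash
# Added example, not from the original post.
# Verify that a process has transitioned into the confined domain its
# executable's entrypoint type leads to.

# ctx_field <context> <user|role|type|level>: print one field of a context.
# The level may itself contain colons (s0-s0:c0.c1023), so only the first
# three colons separate fields; read assigns the remainder to "level".
ctx_field() {
    local user role type level
    IFS=: read -r user role type level <<<"$1"
    case $2 in
        user)  printf '%s\n' "$user" ;;
        role)  printf '%s\n' "$role" ;;
        type)  printf '%s\n' "$type" ;;
        level) printf '%s\n' "$level" ;;
        *)     echo "ctx_field: unknown field '$2'" >&2; return 2 ;;
    esac
}

# check_domain <ps -eZ output> <command name> <expected domain>: print one
# line per matching process; return 1 if any of them runs outside the
# expected domain.
check_domain() {
    local psout=$1 comm=$2 expected=$3 rc=0
    local label pid tty time cmd dom
    while read -r label pid tty time cmd; do
        [ "${cmd%% *}" = "$comm" ] || continue   # also skips the header line
        dom=$(ctx_field "$label" type)
        if [ "$dom" = "$expected" ]; then
            printf 'ok   pid=%s %s runs as %s\n' "$pid" "$comm" "$dom"
        else
            printf 'FAIL pid=%s %s runs as %s, expected %s\n' "$pid" "$comm" "$dom" "$expected"
            rc=1
        fi
    done <<<"$psout"
    return $rc
}

# On an SELinux host with setools installed, show the two policy rules that
# make the transition happen and make it worthwhile.
show_policy_rules() {
    command -v sesearch >/dev/null 2>&1 || { echo "sesearch not installed"; return 0; }
    # unconfined_t executing a passwd_exec_t file lands in passwd_t
    sesearch -T -s unconfined_t -t passwd_exec_t -c process
    # the new domain may write shadow_t files (a confined user domain such
    # as user_t has no such rule)
    sesearch -A -s passwd_t -t shadow_t -c file -p write
}

# Constructed ps -eZ output: passwd started from an unconfined shell and
# transitioned as the policy intends ...
SAMPLE_PS='LABEL                                             PID TTY       TIME CMD
system_u:system_r:init_t:s0                             1 ?     00:00:01 systemd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023  2301 pts/0 00:00:00 bash
unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023      2377 pts/0 00:00:00 passwd'

# ... and what you would see if /usr/bin/passwd had lost its passwd_exec_t
# label (e.g. relabelled to bin_t): no type_transition rule matches, so the
# process stays in the caller's domain and the confinement passwd_t gives is gone.
SAMPLE_PS_BAD='LABEL                                             PID TTY       TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023  2301 pts/0 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023  2377 pts/0 00:00:00 passwd'

if check_domain "$SAMPLE_PS" passwd passwd_t; then echo "sample 1: transition happened"; fi
if ! check_domain "$SAMPLE_PS_BAD" passwd passwd_t; then echo "sample 2: no transition"; fi
if [ -r /sys/fs/selinux/enforce ]; then show_policy_rules; fi
```

With live data the call is `check_domain "$(ps -eZ)" passwd passwd_t`, and the same function works for any confined service (`sshd` against `sshd_t`, `httpd` against `httpd_t`). The second sample is the failure mode to look for after a careless chcon or a copy that dropped the label: the binary still runs, but in the caller's domain rather than its own.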

To keep SELinux contexts when copying, use cp --preserve=context (cp -a, i.e. --preserve=all, keeps them too). mv keeps the label of the source file, which is usually the problem rather than the fix: a file moved from a home directory into /var/www still carries user_home_t. tar needs --selinux to store and restore the labels.

SELinux booleans: on/off switches in the policy that enable or disable optional groups of allow rules, so common configuration choices (may httpd connect to the network, may samba export home directories) need no policy writing

ll /sys/fs/selinux/booleans/

output
-rw-r--r--. 1 root root 0 Dec 31 07:57 zarafa_setrlimit
-rw-r--r--. 1 root root 0 Dec 31 07:57 zebra_write_config
-rw-r--r--. 1 root root 0 Dec 31 07:57 zoneminder_anon_write

A better way of listing them:

getsebool -a
output
xserver_execmem --> off
xserver_object_manager --> off
zabbix_can_network --> off
zarafa_setrlimit --> off
zebra_write_config --> off
zoneminder_anon_write --> off
zoneminder_run_sudo --> off
getsebool abrt_anon_write
abrt_anon_write --> off

sestatus -b
output
xserver_object_manager off
zabbix_can_network off
zarafa_setrlimit off
zebra_write_config off
zoneminder_anon_write off

semanage boolean -l

 

------------------

output of semanage boolean -l (the two values in parentheses are the current state and the persistent state that will apply after a reboot; the description is generated from the boolean name, hence the odd grammar)
ssh_sysadm_login (off , off) Allow ssh to sysadm login
domain_fd_use (on , on) Allow domain to fd use
samba_enable_home_dirs (off , off) Allow samba to enable home dirs
mcelog_client (off , off) Allow mcelog to client
nfs_export_all_ro (on , on) Allow nfs to export all ro
cron_can_relabel (off , off) Allow cron to can relabel

 

Change/alter the booleans (runtime only: these take effect immediately but are lost at reboot or at the next policy reload)

setsebool abrt_anon_write 1
setsebool abrt_anon_write off

Use -P to make the change persistent, i.e. write it into the policy store so it survives a reboot (this rebuilds the policy and takes a few seconds)
setsebool -P abrt_anon_write on
setsebool -P abrt_anon_write off

semanage can be used for the same purpose; its changes are persistent by default and are applied immediately as well
semanage boolean -m abrt_anon_write -1
semanage boolean -m abrt_anon_write -0

getsebool, sestatus or semanage for validation (only semanage boolean -l shows both the current and the persistent value, so it is the one that reveals a change made without -P)
getsebool -a
getsebool -a | grep abrt_anon_write
sestatus -b | grep abrt_anon_write
semanage boolean -l | grep abrt_anon_write
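An added example (not from the original post): a bash script that reads `semanage boolean -l` output and reports booleans whose current and persistent values disagree, i.e. runtime changes made without -P that will silently revert at the next boot, plus a checker that prints the `setsebool -P` command needed to reach a desired state. The listing it parses is constructed; feed it the real one with `boolean_drift "$(semanage boolean -l)"`.

```bash
#!/bin/bash
# Added example, not from the original post.
# Find SELinux booleans whose current state and persistent (boot) state
# disagree: runtime changes made without -P that revert at reboot, or -P
# changes that were later flipped back at runtime.

# Matches lines such as:  abrt_anon_write   (on   ,  off)  Allow abrt to anon write
# Groups: 1 name, 2 current state, 3 persistent state, 4 description.
BOOL_RE='^([A-Za-z0-9_]+)[[:space:]]+\((on|off)[[:space:]]*,[[:space:]]*(on|off)\)[[:space:]]*(.*)$'

# boolean_drift <listing>: print "name current=X persistent=Y" for each
# mismatch; return 1 if there was at least one.
boolean_drift() {
    local line rc=0
    while IFS= read -r line; do
        [[ $line =~ $BOOL_RE ]] || continue        # header and blank lines
        if [ "${BASH_REMATCH[2]}" != "${BASH_REMATCH[3]}" ]; then
            printf '%s current=%s persistent=%s\n' \
                "${BASH_REMATCH[1]}" "${BASH_REMATCH[2]}" "${BASH_REMATCH[3]}"
            rc=1
        fi
    done <<<"$1"
    return $rc
}

# boolean_expect <listing> <name> <on|off>: succeed only if both the current
# and the persistent state equal the wanted value; otherwise print the
# setsebool -P command that gets there and return 1 (2 if the boolean is
# not in this policy at all).
boolean_expect() {
    local listing=$1 name=$2 want=$3 line
    while IFS= read -r line; do
        [[ $line =~ $BOOL_RE ]] || continue
        [ "${BASH_REMATCH[1]}" = "$name" ] || continue
        if [ "${BASH_REMATCH[2]}" = "$want" ] && [ "${BASH_REMATCH[3]}" = "$want" ]; then
            return 0
        fi
        printf 'setsebool -P %s %s\n' "$name" "$want"
        return 1
    done <<<"$listing"
    echo "boolean_expect: $name is not a boolean in this policy" >&2
    return 2
}

# Constructed excerpt of `semanage boolean -l` in the RHEL 7 layout.
SAMPLE_BOOLEANS='SELinux boolean                State  Default Description
ssh_sysadm_login               (off  ,  off)  Allow ssh to sysadm login
domain_fd_use                  (on   ,   on)  Allow domain to fd use
abrt_anon_write                (on   ,  off)  Allow abrt to anon write
httpd_can_network_connect      (off  ,   on)  Allow httpd to can network connect'

echo "== booleans that will change state at the next reboot =="
if boolean_drift "$SAMPLE_BOOLEANS"; then
    echo "none"
fi
echo "== is abrt_anon_write off, now and after reboot? =="
if ! boolean_expect "$SAMPLE_BOOLEANS" abrt_anon_write off; then
    echo "(run the command above to make it so)"
fi
```

In the sample, abrt_anon_write was switched on at runtime without -P and httpd_can_network_connect was switched off the same way after a persistent on; both would quietly flip at the next boot, which is exactly the kind of surprise a drift check before a maintenance reboot avoids.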

 

Some related commands:
to see contexts: ps -eZ, ll -Z, id -Z
to change contexts: chcon (changes the label on the file only; nothing is recorded in the policy, so a relabel or restorecon reverts it)

to compare the current file context with the one the policy defines
matchpathcon /etc/hosts
(matchpathcon prints the context the policy expects; matchpathcon -V compares it with the label the file actually has)

restorecon -> restore the default context from the policy

semanage: does multiple things. Modifies the login, port and file-context mappings, manages booleans and policy modules, manages labeling rules

SELinux operation modes: getenforce
getenforce

getenforce prints the current mode: Enforcing, Permissive or Disabled

sestatus
To check the current mode: sestatus or getenforce

 

Change:
setenforce permissive
sestatus

setenforce switches at runtime between enforcing (1) and permissive (0). It cannot switch to disabled: that requires SELINUX=disabled in /etc/selinux/config and a reboot (and a full relabel when you enable it again, because files created while disabled carry no labels). Permissive logs every denial but blocks nothing, which is the mode to use to find out what a new policy, boolean or label change would break before you enforce it.

setenforce enforcing
seinfo

seinfo: provides information on the loaded policy and its components (users, roles, types, booleans, classes)
seinfo
sesearch
sesearch --all

sesearch --all dumps every rule in the loaded policy, far too much to read; narrow it down with a rule kind (-A for allow rules, -T for type transitions), a source type (-s), a target type (-t) and an object class (-c)

output of sesearch --all
role_transition dbadm_r postgresql_initrc_exec_t system_r;
role_transition dbadm_r mysqld_initrc_exec_t system_r;
role_transition system_r rpm_exec_t system_r;

getsebool
getsebool abrt_anon_write

setsebool
setsebool abrt_anon_write on
setsebool abrt_anon_write off

 

SELinux has a GUI admin interface

yum install policycoreutils-gui
system-config-selinux (run the GUI-based management tool)

 

config file: /etc/selinux/config

You can change the mode that applies at boot in this file (SELINUX=enforcing, permissive or disabled) and the policy type (SELINUXTYPE=targeted); sestatus reports the file's value as "Mode from config file"
cat /etc/sestatus.conf

/etc/sestatus.conf lists the files and processes whose security contexts sestatus -v reports, so it is a handy place to add the paths you want to keep an eye on
sestatus -v
output
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
Process contexts:

Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context: system_u:system_r:init_t:s0
/usr/sbin/sshd system_u:system_r:sshd_t:s0-s0:c0.c1023

File contexts:
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0
/etc/passwd system_u:object_r:passwd_file_t:s0
/etc/shadow system_u:object_r:shadow_t:s0
/bin/bash system_u:object_r:shell_exec_t:s0
/bin/login system_u:object_r:login_exec_t:s0

 

Create a user with an SELinux context: assign it to the SELinux user staff_u
useradd -Z staff_u user3

provide the password in one line - actually a bad practice
echo 1234 | passwd --stdin user3

check
id -Z

id -Z shows the context of the shell you run it from, not of an arbitrary account, so it has to be run as user3. Note that su does not change the SELinux context: the login mapping is applied by pam_selinux at login (console, ssh), so a shell reached with su user3 keeps the caller's unconfined_u context. Log in as user3 directly, or inspect the mapping with semanage.
su user3
semanage login -l | grep user3

id -Z is not giving me the right output, i.e. staff_u. I might need to log in with the user or ....

 

map an existing user to an SELinux user
semanage login -a -s user_u user1

checking with semanage - works
output of semanage login -l | grep user3 -- the previous user

semanage login -l | grep user3
user3 staff_u s0-s0:c0.c1023

now try user1
semanage login -l | grep user1
works as I see in the output
user1 user_u s0

Change the default mapping so that any Linux login without an explicit mapping becomes staff_u. This applies to every such account, existing ones included, from its next login onward, not only to users created afterwards, so make sure the administrators you rely on keep a working mapping (root has its own entry) before changing it
semanage login -m -S targeted -s staff_u -r s0 __default__

check the defaults
semanage login -l | grep default

the output
__default__ staff_u s0

Check the context for a file
ll -Z /etc/hosts
ll -Z /etc/hosts.allow

Output
-rw-r--r--. root root system_u:object_r:net_conf_t:s0 /etc/hosts.allow

change a file context (temporarily: chcon writes the label on the file, nothing is recorded in the policy)
touch /tmp/file1
chcon -vu user_u -t public_content_t /tmp/file1
ll -Z /tmp/file1

output
-rw-r--r--. root root user_u:object_r:public_content_t:s0 /tmp/file1

make this change permanent, i.e. record it as a file-context rule so that a relabel or restorecon produces the same label instead of undoing it
semanage fcontext -a -s user_u -t public_content_t /tmp/file1

ll -Z /tmp/file1

output
-rw-r--r--. root root user_u:object_r:public_content_t:s0 /tmp/file1

This looks the same as before only because chcon already set that label; semanage fcontext by itself changes nothing on disk. The real check is to run restorecon -v on the file afterwards: if it reports no change, the rule and the label agree. For a directory tree the rule takes a regular expression such as "/srv/www(/.*)?", followed by restorecon -R on the tree.

Another example of chcon, this time breaking a label
chcon -vu staff_u -t var_run_t /root
ll -dZ /root
output
dr-xr-x---. root root staff_u:object_r:var_run_t:s0 /root

restore the original context of /root from the policy. -F forces the whole context back, user part included; without it restorecon only resets the type and would leave staff_u in place
restorecon -vF /root

ll -dZ /root/
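An added example (not from the original post) covering the chcon / restorecon / semanage fcontext interplay above. `ctx_diff` compares a file's actual context with the one the policy expects (what `matchpathcon` prints) field by field, which makes visible why `restorecon` without -F is not enough after a `chcon -u`; `label_permanently` is the order of operations for a label that should survive a relabel (rule first, then restorecon, then verify) and only does anything on an SELinux host, so it is defined but not called. The two contexts in the demonstration are the ones from the /root example above.

```bash
#!/bin/bash
# Added example, not from the original post.
# Compare a file's actual label with the one the policy expects, field by
# field, and apply a label in the order that survives relabels.

# ctx_diff <actual> <expected>: print each differing field, return 1 if any.
ctx_diff() {
    local actual=$1 expected=$2 rc=0 i=1 name a e
    for name in user role type; do
        a=$(printf '%s' "$actual" | cut -d: -f"$i")
        e=$(printf '%s' "$expected" | cut -d: -f"$i")
        if [ "$a" != "$e" ]; then
            printf '%s: %s -> should be %s\n' "$name" "$a" "$e"
            rc=1
        fi
        i=$((i + 1))
    done
    # The MLS/MCS level is everything after the third colon and may contain
    # colons itself (s0-s0:c0.c1023), so it cannot be cut by field number.
    a=${actual#*:*:*:}
    e=${expected#*:*:*:}
    if [ "$a" != "$e" ]; then
        printf 'level: %s -> should be %s\n' "$a" "$e"
        rc=1
    fi
    return $rc
}

# label_permanently <dir> <type>: record the rule, apply it, verify it.
# Only meaningful on an SELinux host; defined here, not run.
label_permanently() {
    local dir=$1 type=$2
    # The rule is stored in the policy, so future relabels keep it. Use
    # "semanage fcontext -m" instead if a rule for this exact pattern exists.
    semanage fcontext -a -t "$type" "$dir(/.*)?"
    # Nothing on disk changes until restorecon applies the rule.
    restorecon -Rv "$dir"
    # Prints "<path> verified." when label and rule agree.
    matchpathcon -V "$dir"
}

# Constructed from the /root example above: the label after the chcon, and
# the policy default that matchpathcon /root reports.
ACTUAL='staff_u:object_r:var_run_t:s0'
EXPECTED='system_u:object_r:admin_home_t:s0'

if ! ctx_diff "$ACTUAL" "$EXPECTED"; then
    echo "restorecon /root fixes only the type; restorecon -F /root also resets the user"
fi
```

`ctx_diff` is also a quick way to read `matchpathcon -V` complaints on a long listing: pipe the actual label from `ls -Z` and the expected one from `matchpathcon -n` into it and only the fields that matter are printed.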

Ports and SELinux
list ports with their SELinux types (a confined service may only bind to ports of the type its policy allows, so a web server on a non-standard port needs that port added to http_port_t)

semanage port -l

Output
zookeeper_client_port_t tcp 2181
zookeeper_election_port_t tcp 3888
zookeeper_leader_port_t tcp 2888
zope_port_t tcp 8021
semanage port -l | grep http_port

Output
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988

add a port to an SELinux port type (persistent; it goes into the local policy store)
semanage port -a -t http_port_t -p tcp 8090

check that the port got added
semanage port -l | grep http_port

you will see 8090 in the output
output
http_port_t tcp 8090, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988

-a only works for a port the policy does not already list individually; for one that is already assigned to another type (8080 belongs to http_cache_port_t, for example) it fails with "already defined", and you use -m to change the type instead, bearing in mind that the service which owned the port may then be denied it

delete the port
semanage port -d -t http_port_t -p tcp 8090

Check that the port got deleted
semanage port -l | grep http_port
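An added example (not from the original post): before running `semanage port -a`, this bash script reads a `semanage port -l` listing and tells you whether the port is already listed individually under another type (then -a fails with "already defined" and -m is the command to use, with the caveat that the other service loses the port), only covered by a range such as unreserved_port_t (then -a is fine), or already of the type you want. The embedded listing is a constructed excerpt; on a real host use `port_cmd "$(semanage port -l)" tcp 8090 http_port_t`.

```bash
#!/bin/bash
# Added example, not from the original post.
# Decide between `semanage port -a` and `semanage port -m` by reading the
# policy's port listing first.

# port_owner <listing> <tcp|udp> <port>: for every type that covers the port,
# print "type exact" (port listed on its own) or "type range" (covered by a
# lo-hi range); return 1 if no type covers it.
port_owner() {
    local listing=$1 proto=$2 port=$3 rc=1
    local ptype p rest entry lo hi
    while read -r ptype p rest; do
        [ "$p" = "$proto" ] || continue          # also skips the header line
        for entry in ${rest//,/ }; do            # "80, 81, 443" -> words
            case $entry in
                *-*)
                    lo=${entry%-*}; hi=${entry#*-}
                    if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
                        printf '%s range\n' "$ptype"; rc=0
                    fi ;;
                *)
                    if [ "$entry" -eq "$port" ]; then
                        printf '%s exact\n' "$ptype"; rc=0
                    fi ;;
            esac
        done
    done <<<"$listing"
    return $rc
}

# port_cmd <listing> <proto> <port> <wanted type>: print the semanage command
# that gives the port the wanted type, or a note when nothing needs doing.
port_cmd() {
    local listing=$1 proto=$2 port=$3 want=$4 owner kind
    while read -r owner kind; do
        [ "$kind" = exact ] || continue          # ranges do not block -a
        if [ "$owner" = "$want" ]; then
            printf '%s/%s is already %s; nothing to do\n' "$proto" "$port" "$want"
        else
            echo "warning: $proto/$port is $owner now; that service will lose it" >&2
            printf 'semanage port -m -t %s -p %s %s\n' "$want" "$proto" "$port"
        fi
        return 0
    done <<<"$(port_owner "$listing" "$proto" "$port")"
    printf 'semanage port -a -t %s -p %s %s\n' "$want" "$proto" "$port"
}

# Constructed excerpt of `semanage port -l` output (values as in a RHEL 7
# targeted policy).
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
ssh_port_t                     tcp      22
syslogd_port_t                 udp      514
unreserved_port_t              tcp      61001-65535, 1024-32767'

port_cmd "$SAMPLE_PORTS" tcp 8090 http_port_t    # only in a range: -a works
port_cmd "$SAMPLE_PORTS" tcp 8080 http_port_t    # owned by http_cache_port_t: -m
port_cmd "$SAMPLE_PORTS" tcp 443  http_port_t    # already http_port_t
```

The exact-versus-range distinction matters because the fallback types (unreserved_port_t, ephemeral_port_t) cover almost every high port with a range, yet semanage only refuses -a for ports that appear as their own entry; the script mirrors that so it does not send you to -m when -a would have worked.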
copy files with/without the SELinux context
ll -Z /tmp/file1

output
-rw-r--r--. root root user_u:object_r:public_content_t:s0 /tmp/file1

cp /tmp/file1 /etc/
ll -Z /etc/file1

output
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/file1
the context got changed while copying: a plain cp creates a new file, which is labelled like any other new file in /etc (etc_t), with the SELinux user of the copying process.

Now copy keeping the context preserved
cp --preserve=context /tmp/file1 /etc/
ll -Z /etc/file1
output
-rw-r--r--. root root user_u:object_r:public_content_t:s0 /etc/file1
this matches the original (source file) context

cat /var/log/messages | grep selinux

Note that the denials themselves (AVC records) go to the audit log, /var/log/audit/audit.log, where ausearch -m avc -ts recent pulls out the recent ones; /var/log/messages only carries the setroubleshoot summaries, and only if setroubleshoot-server is installed.


 

I used the following commands to help with setting up a local FTP-based yum server. I did this just before installing system-config-selinux (the policycoreutils packages). I installed setools-console with the rpm command.

ping yahoo.com
rpm -ivh vsftpd
rpm -ivh vsftpd-3.0.2-21.el7.x86_64.rpm
systemctl status vsftpd
systemctl start vsftpd
systemctl enable vsftpd
firewall-cmd
firewall-cmd --help
firewall-cmd --add-service=ftp --perm
ln -s /var/ftp/pub/ /mnt/Packages
cp -rf /mnt/Packages /var/ftp/pub/
mkdir /etc/yum.repos.d/old
mv /etc/yum.repos.d/*.repo old/
mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/old/
touch /etc/yum.repos.d/local.repo
vim /etc/yum.repos.d/local.repo
systemctl restart vsftpd
yum repolist all
yum install tree
vim /etc/yum.repos.d/local.repo
rpm -ivh createrepo-0.9.9-26.el7.noarch.rpm
createrepo /var/ftp/pub/Packages/ /var/ftp/pub/Packages/
cd /var/ftp/pub/Packages/
ls
pwd
createrepo .
yum repolist all
