SELinux Policy. Date Assigned: mm/dd/yyyy Time Due: mm/dd/yyyy by hh:mm. Educational Objectives

Transcription

1 P a g e 1 SELinux Policy Date Assigned: mm/dd/yyyy Time Due: mm/dd/yyyy by hh:mm Educational Objectives This lab is designed to learn how to use and modify current SELinux policy. You will also learn how to create new SELinux policy modules and install them. After completion of this lab, you will learn how to Confine network ports Check and restore default SELinux security contexts under a directory Modify current SELinux policy Create new SELinux policy modules and integrate them into current policy. Lab Environment One Fedora 18 VM is needed for this lab. Assume that you have installed SELinux commands and libraries on this computer to finish the previous lab. If not, please run the following command as a root to install current SELinux packages on Fedora 18: yum install *selinux* --skip-broken Section 1 Confining Network Ports Port numbers a network service listens on are defined in a SELinux policy if this service is confined. The command below will display all of the confined port numbers, part of the list is shown in the screenshot below: semanage port -l

2 P a g e 2 In the list, the first column shows SELinux type, indicating the network service. The second column gives the protocol (TCP/UDP). The last column lists the port numbers. When SELinux is enforced, the Apache HTTP server (httpd) runs in confined mode. The following command shows the port numbers that current SELinux policy allows httpd to listen on: semanage port -l grep -w http_port_t If Apache HTTP server is configured to listen on a network port that is different from those defined in the policy, SELinux will prevent the server from running. Please perform the following practice as a root to test the effects: Stop httpd if it is running. (systemctl stop httpd.service) Configure httpd to listen on a port this is not defined in SELinux policy. o vim /etc/httpd/conf/httpd.conf o Look for the Listen portion. o Change the port number to 90. (Assume that port number 90 is not defined for httpd by the SELinux policy. Otherwise, use another number.)

3 P a g e 3 o Save the file. Run systemctl start httpd.servicet to start the Apache HTTP server. Could you start the service? The answer is no. You should see a result similar to the following: By looking at the data logged in status, we know that the action to start the Apache HTTP service was failed. Data logged in the /var/log/messages file contains detailed information regarding this failed action, as shown in the following screenshot. The fact that caused the failed action is that the system cannot bind httpd to a port defined in the current SELinux policy. A TCP socket cannot be created in this case.

4 P a g e 4 Well, the question is how can you fix the above problem when you are faced to? There are several approaches: a) Disable SELinux, which you most likely don t want to if you want to use SELinux to secure your web server. b) Make httpd listen on a port that is defined in SELinux policy configuration for httpd, which should be recommended in general. c) Tell SELinux policy that you want httpd to listen on a specific port (modify the SELinux policy), which is useful if you want to limit the access to your web server. The command below tells SELinux that you want httpd to listen on TCP port number The option -p is used for specifying the protocol (tcp/udp) for the specified port. Scenario 1 You are setting up a web page and you want the httpd listen on TCP port 999. The web server runs a Fedora 18 with current SELinux targeted policy enforced. You believe that SELinux policy will make the web server more secure and you don t want to disable it.

5 P a g e 5 Question 1: Please summarize what you need to do to achieve the goal specified in Scenario 1? Attach screenshots to demonstrate your results. Now you can switch the httpd.conf file back to its original version (Listen on 80). One question you may ask might be: Can I remove a port from the SELinux policy? I leave this question for you. Please find the solution and test it. Section 2 Checking and Restoring the SELinux Context In SELinux, type enforcement is all about labels. Every process, file, directory and device in a SELinux system has a label (security context). If these labels are wrong due to some reason, SELinux will not function properly. AVC denials will occur. In order to cope with this, SELinux developers have designed several utilities that can be used to check and restore SELinux default contexts. One of them is the command matchpathcon. From matchpathcon(8) man page: "matchpathcon queries the system policy and outputs the default security context associated with the file path." It can be used to check if files and directories have consistent SELinux contexts. Please use man page to learn how to use it. Please perform the following to gain experience with this command. Run touch /var/www/html/file{a,b,c} command. This will create three files that inherit the httpd_sys_content_t type from /var/www/html directory. Please verify it using the tool you have learned. Run chcon t samba_share_t /var/www/html/filea Run chcon t admin_home_t /var/www/html/fileb Run ls Z /var/www/html to view the changes. Run /usr/sbin/matchpathcon V /var/www/html/* and study the results. Now you have identified inconsistent labels associated with files in /var/www/html/ directory. You can verify that only file filec is accessible by httpd. Again, the question is how to resolve the problem of inconsistent labels and allow Apache HTTP server to access those files? You can re-label the files one by one. However, the following command will make this job much easier when you have a great number of files with inconsistent labels. /sbin/restorecon v /var/www/html/* Please run the above command and test its effects.

6 P a g e 6 You may argue. Why would I bother to use matchpathcon command to identify the wrong labels first? The command restorecon will restore the default context anyway. Well, again, I would leave this question for you. (It will be helpful to identify the problems before trying to resolve them.) Please remove the files (filea, fileb, filec) in the /var/www/html/ folder. Scenario 2 A web programmer has created three files (file1, file2, file3) in his home directory (/home/student/lab10/). He wants to link them to the web page. You have done the following: mv /home/student/lab10/file* /var/www/html/ Then you create two files (index.html, secret) in your own directory (/root/lab10). You know that the file index.html is for the web page, but secret contains confidential data and cannot be exposed. When the files have been created, you do the following to move those files: mv /root/lab10/* /var/www/html/ Then you tell the web programmer to test the result. Question 2: Perform the tasks described in Scenario 2 as the web programmer and the root user. What will the web programmer tell when he tests the results. If the web programmer has any problem, please fix it as a system administrator to make the files accessible by httpd. Use screenshots to demonstrate your work and the results. Note, for security purpose, as a system administrator, you don t want to expose any confidential data (secret file) to anybody. We have worked with the existing SELinux policy without modifying it. How can we modify it? There are several ways at different levels. We will look at some of the techniques that can be used to modify the policy in the following sections. Section 3 Booleans Booleans allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. 3.1 Listing Booleans For a list of Booleans, explanations of what each one is, and whether they are on or off, run the following command as the Linux root user. semanage boolean -l

7 P a g e 7 The following screenshot shows part of the Boolean list on my computer. The SELinux boolean column lists Boolean names. The second column gives default value. The Description column tells what they do. The getsebool -a command lists Boolean values. The getsebool boolean-name command gives the status of the boolean-name Boolean: getsebool samba_run_unconfined Use a space-separated list to list multiple Booleans:

8 P a g e Configuring Booleans The setsebool command is used to set SELinux Boolean values. It has the following format: The command setsebool boolean-name x turns Booleans on or off, where boolean-name is a Boolean name, and x is either 1 or true or on to turn the Boolean on, or 0 or false or off to turn it off. Use the -P option to make the change persist across reboots. If the N option is given, the policy on disk is not reloaded into the kernel. Some Boolean configurations are easier. For example, in order to allow Apache HTTP Server to access Samba file systems (files labeled with the cifs_t type), you can simply perform the following configuration: /usr/sbin/setsebool httpd_use_cifs on To allow Apache HTTP Server to access NFS file systems (files labeled with the nfs_t type), do the following: /usr/sbin/setsebool httpd_use_nfs on Some others are not so apparent. Especially, it could be complex when you want to prevent a service from accessing files of certain types. A thorough study is usually needed before you actually know what you need to do. You will gain the experience in the following scenario. Please do the following: setsebool httpd_use_nfs=on httpd_enable_homedirs=on use_nfs_home_dirs=on Scenario 3 You have Apache HTTP Server (httpd) running on a Fedora 18 system with SELinux targeted policy enforced. This system serves files from NFS mount at the same time. To secure your file system, you don t want the server to access files labeled with nfs_t type. In addition, you want to test your configurations to assure that they work as expected.

9 P a g e 9 Question 3: Summarize what you need to do to achieve the goals specified in Scenario 3. Use screenshots to demonstrate your work and results. (Hint: study these three Booleans: httpd_use_nfs, httpd_enable_homedirs and use_nfs_home_dirs) Do you see the complexity of the SELinux Booleans? Some Booleans are not orthogonal. Some of them are related to each other. Different combinations of the Boolean settings could generate or imply unexpected results. Section 4 The audit2allow command SELinux denials will be logged. The utility audit2allow can be used to generate SELinux policy allow rules from logs of denied operations. 4.1 Log files SELinux denial messages are written to the /var/log/audit/audit.log file by default:

10 P a g e 10 In addition, if setroubleshootd is running, denial messages from the /var/log/audit/audit.log file are translated to an easier-to-read form and sent to the /var/log/messages file: Denial messages are sent to different locations depending on which logging daemon is running on your system. Table 1 gives a good estimation on Fedora Linux systems. Table 1 Log locations Daemon Log Location auditd on /var/log/audit/audit.log auditd off; rsyslogd on /var/log/messages auditd and rsyslogd on /var/log/audit/audit.log. Easier-to-read denial messages also sent to /var/log/messages

11 P a g e 11 Please view the log files on your computer and identify SELinux AVC denials. If you cannot see any, generate some. 4.2 Allowing access The audit2allow utility is commonly used to generate SELinux policy allow rules from logs of denied operations. In SELinux, actions are denied by default. If you want an action to be allowed, an allow rule must be in the SELinux policy. The development of the audit2allow tool makes the job less complex. However, this tool should be used with care. It works in two steps: Generate allow rules for logged denied operations. Integrate/install the rules into the SELinux policy. As a system administrator, the most important thing is that you need to Understand why the operations are denied; Decide whether you want to allow the denied operations. Most likely, the denials are what you want. Please do the following to install audit2allow: yum install /usr/bin/audit2allow Please use the man page to learn the audit2allow utility. The following command will tell you the reason why a denial occurred. audit2allow -w -a Please run the above command and study the reasons why the denials occurred on your system. The following command will tell what allow rules are needed to allow the denied accesses that are logged. audit2allow -a Please run the above command to understand what rules are needed to allow logged denied accesses. Please note that one allow rule may fix a great number of denials.

12 P a g e 12 To use the rules displayed by audit2allow -a, run the following command to create a custom module: audit2allow -a -M myrule The -M option creates a Type Enforcement file (.te) with the name specified with -M in your current working directory. The audit2allow command also compiles this.te file into a policy package (.pp) file that is ready to be integrated with the semodule command. The command also tells you what you need to do to install these rules as shown in the following screenshot: Should you simply follow the instruction and install your custom SELinux module? Why not? This is the way it works. Well, things are not so simple. Before you actually install the module, you need to carefully study the allow rules to make sure whether these are what you want. For example, the following screenshot shows some of the allow rules generated on my computer.

13 P a g e 13 Do I need the allow rules under the httpd_t section? These denials were generated while testing the Apache HTTP Server. It does not make any sense to install those rules. This is the homework we need to do before getting the allow rules integrated. You don t want to make your system weaker by integrating your own allow rules. Otherwise, why do you bother to run SELinux on your computer? Please use the audit2allow man page to learn how to generate policy package and install it. Examples are located at the bottom of the man page. Scenario 4 You have set up a web server that runs Fedora 18 Linux with SELinux targeted policy enforced. Some of the users call the help desk reporting that they cannot download some of the files from the web page. Question 4: Please describe the major steps you would like to take to fix the problem specified in Scenario 4. Use screenshots to demonstrate your work and results. Before you leave this section, please refer to Dan Walsh's "Using audit2allow to build policy modules. Revisited." blog entry for further information about using audit2allow to build policy modules. Note: the semodule i command may not work on Fedora 18 Section 5 The system-config-selinux and seinfo utilities You may wonder how to view the types, policy modules, defined network ports and so on in the SELinux policy. To serve this purpose, several tools have been developed. One of the utilities is seinfo, which is located in /usr/bin/ by default. It allows users to query the components of a SELinux policy. The following command installs seinfo utility: yum install /usr/bin/seinfo The use of seinfo has the following general format: seinfo [OPTIONS] [EXPRESSION] [POLICY ] When POLICY is omitted, the default policy will be queried. For example, the following command will display the statistics for the default policy on your system, as shown in the following screenshot: seinfo --stats

14 P a g e 14 Please use man page to learn how to use this tool. Another useful SELinux tool is system-config-selinux. It operates with a GUI. Install the utility: yum install /usr/bin/system-config-selinux The following command will launch the GUI that is similar to the following screenshot. system-config-selinux

15 P a g e 15 It can also be accessed from the menu: Administration => SELinux Management Please check out this tool on your computer and play with it. Scenario 5 You want to spend time and play with the seinfo and system-config-selinux utilities to learn what they do and how to use them. Question 5: Summarize the part that you thought was the most interesting when you conducted the tasks specified in Scenario 5. Use screenshots to demonstrate. The developer of the system-config-selinux tool wrote an article several years ago. Apparently, the materials are old and the current system-config-selinux has a different look. However, it is good to know. Interested in? Check out the article from the following link: The author updated his blog recently regarding the use of system-config-selinux on current release. You may check it out from the following link:

16 P a g e 16 Section 6 Bonus (4%) Again, what you need to do for the bonus is not restricted, but has to be related to SELinux since this is the topic of this lab. I hope the way bonus is given will inspire you more interests on the lab topic and give you more free space at the same time. Please do the following to earn the bonus of this lab. More extra points may be given if you can convince your instructor that you have done a significant amount of work on SELinux. Work out a mini project of your choice based on what you have learned on SELinux so far. Describe your mini project: motivation, design and technical contents. Implement your mini project. Question B1: What is your mini project about? Give a description of your project, including motivation, design and technical details. Question B2: Implement your mini project. Please use screenshots, descriptions and/or answers to questions to show your implementation. Survey Questions Questions in this section will not be graded, but will make your suggestions and voice heard by your instructor. GQ 1. What changes would you like to make to this lab? GQ 2. How much time did you spend to finish this lab? GQ 3. Do you learn anything new or gain a better understanding of class lecture by finishing this lab?

17 P a g e 17 Well, you have completed another lab for this class. Hope you enjoyed doing this lab. Please let your instructor know if you have any comments.

18 P a g e 18 Answer Sheet ============================= Required Part ============================ Question 1: Please summarize what you need to do to achieve the goal specified in Scenario 1? Attach screenshots to demonstrate your results. Question 2: Perform the tasks described in Scenario 2 as the web programmer and the root user. What will the web programmer tell when he tests the results. If the web programmer has any problem, please fix it as a system administrator to make the files accessible by httpd. Use screenshots to demonstrate your work and the results. Note, for security purpose, as a system administrator, you don t want to expose any confidential data (secret file) to anybody. Question 3: Summarize what you need to do to achieve the goals specified in Scenario 3. Use screenshots to demonstrate your work and results. (Hint: study these three Booleans: httpd_use_nfs, httpd_enable_homedirs and use_nfs_home_dirs) Question 4: Please describe the major steps you would like to take to fix the problem specified in Scenario 4. Use screenshots to demonstrate your work and results. Question 5: Summarize the part that you thought was the most interesting when you conducted the tasks specified in Scenario 5. Use screenshots to demonstrate. ============================ Bonus Part (4%) =========================== Question B1: What is your mini project about? Give a description of your project, including motivation, design and technical details. Question B2: Implement your mini project. Please use screenshots, descriptions and/or answers to questions to show your implementation.

19 P a g e 19 ================================ Survey Part =========================== GQ1. Would you like to make any changes to this lab? GQ2. How long did it take you to complete this lab? GQ3. Do you learn anything new or gain a better understanding of class lecture by finishing this lab?