SELinux Policy
Date Assigned: mm/dd/yyyy    Time Due: mm/dd/yyyy by hh:mm

Educational Objectives


This lab is designed to teach you how to use and modify the current SELinux policy. You will also learn how to create new SELinux policy modules and install them. After completing this lab, you will know how to:

- Confine network ports
- Check and restore default SELinux security contexts under a directory
- Modify the current SELinux policy
- Create new SELinux policy modules and integrate them into the current policy

Lab Environment

One Fedora 18 VM is needed for this lab. Assume that you have installed the SELinux commands and libraries on this computer to finish the previous lab. If not, please run the following command as root to install the current SELinux packages on Fedora 18 (the pattern is quoted so the shell does not expand it against files in the current directory):

    yum install '*selinux*' --skip-broken

Section 1 Confining Network Ports

The port numbers a network service listens on are defined in the SELinux policy if that service is confined. The command below displays all of the confined port numbers; part of the list is shown in the screenshot below:

    semanage port -l

In the list, the first column shows the SELinux type, which indicates the network service. The second column gives the protocol (TCP/UDP). The last column lists the port numbers.

When SELinux is enforcing, the Apache HTTP server (httpd) runs confined. The following command shows the port numbers that the current SELinux policy allows httpd to listen on:

    semanage port -l | grep -w http_port_t

If the Apache HTTP server is configured to listen on a network port that is not one of those defined in the policy, SELinux will prevent the server from running. Please perform the following practice as root to test the effect:

- Stop httpd if it is running:

      systemctl stop httpd.service

- Configure httpd to listen on a port that is not defined in the SELinux policy:
  - vim /etc/httpd/conf/httpd.conf
  - Look for the Listen directive.
  - Change the port number to 90. (Assume that port 90 is not defined for httpd by the SELinux policy. Otherwise, use another number.)

  - Save the file.
- Run the following command to start the Apache HTTP server:

      systemctl start httpd.service

Could you start the service? The answer is no. You should see a result similar to the following (see screenshot).

Looking at the data logged in the status output, we know that the attempt to start the Apache HTTP service failed. The /var/log/messages file contains detailed information about this failed action, as shown in the following screenshot. The cause of the failure is that the system cannot bind httpd to a port that is not defined in the current SELinux policy, so the TCP socket cannot be created.

Well, the question is how you can fix the above problem when you face it. There are several approaches:

a) Disable SELinux, which you most likely don't want to do if you want to use SELinux to secure your web server.
b) Make httpd listen on a port that is defined in the SELinux policy configuration for httpd, which is recommended in general.
c) Tell the SELinux policy that you want httpd to listen on a specific port (modify the SELinux policy), which is useful if you want to limit access to your web server.

The command below tells SELinux that you want httpd to listen on TCP port number 12345. The option -p specifies the protocol (tcp/udp) for the given port:

    semanage port -a -t http_port_t -p tcp 12345

Scenario 1

You are setting up a web page and you want httpd to listen on TCP port 999. The web server runs Fedora 18 with the current SELinux targeted policy enforced. You believe that the SELinux policy will make the web server more secure and you don't want to disable it.
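Before running semanage port -a it is worth knowing whether the port is already defined for another type, because semanage rejects -a when an entry with that exact port already exists (you then need -m to reassign it), whereas a port that merely falls inside a broad range such as hi_reserved_port_t can still be added. The following script, added here as an example and not part of the lab text, parses the output format of semanage port -l and builds the right command; the listing it contains is a constructed excerpt, and the live listing is used when semanage is present.

```python
"""Added example (not from the lab text): plan the `semanage port` change for httpd.

Parses the output format of `semanage port -l` (type, protocol, comma-separated
ports and ranges) and decides what to run for a port you want http_port_t to own:
  ok      - http_port_t already covers it
  add     - semanage port -a ... (no entry with that exact port exists yet)
  modify  - semanage port -m ... (another type already owns that exact port,
            so -a would fail with "already defined")
The listing below is constructed for the example; on a real system the live
`semanage port -l` output is used instead.
"""
import re
import subprocess

# Constructed excerpt of `semanage port -l` output (a real listing is much longer).
SAMPLE_LISTING = """\
SELinux Port Type              Proto    Port Number

hi_reserved_port_t             tcp      512-1023
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
"""

LINE_RE = re.compile(r"^(\w+)\s+(tcp|udp)\s+([\d,\s-]+)$")

def parse_port_listing(text):
    """Return (selinux_type, proto, low, high) for every port or range in the listing."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # header, blank line, or something unexpected
        setype, proto, ports = m.groups()
        for item in filter(None, (p.strip() for p in ports.split(","))):
            low, _, high = item.partition("-")
            entries.append((setype, proto, int(low), int(high or low)))
    return entries

def owners_of(entries, proto, port):
    """Types whose definition (single port or range) covers proto/port."""
    return sorted({t for t, p, lo, hi in entries if p == proto and lo <= port <= hi})

def plan_port_label(entries, proto, port, setype="http_port_t"):
    """Return (action, argv): action is "ok", "add" or "modify"; argv is None for "ok"."""
    if setype in owners_of(entries, proto, port):
        return "ok", None
    # semanage rejects -a only when an entry with the same key (proto, low, high)
    # already exists; a port that merely falls inside a broad range such as
    # hi_reserved_port_t 512-1023 can still be added with -a.
    exact = [t for t, p, lo, hi in entries if p == proto and lo == hi == port]
    action, verb = ("modify", "-m") if exact else ("add", "-a")
    return action, ["semanage", "port", verb, "-t", setype, "-p", proto, str(port)]

def current_listing():
    """Live `semanage port -l` when available, else the constructed sample."""
    try:
        return subprocess.run(["semanage", "port", "-l"], check=True,
                              capture_output=True, text=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return SAMPLE_LISTING

if __name__ == "__main__":
    entries = parse_port_listing(current_listing())
    for port in (80, 999, 8080):           # 999 is the port from Scenario 1
        action, argv = plan_port_label(entries, "tcp", port)
        print(f"tcp/{port}: {action}", " ".join(argv) if argv else "")
```

Run it as root on the lab VM to see the plan against the real policy; the printed argv is the command to run, and semanage port -l | grep -w http_port_t afterwards confirms the result.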

Question 1: Please summarize what you need to do to achieve the goal specified in Scenario 1. Attach screenshots to demonstrate your results.

Now you can switch the httpd.conf file back to its original version (Listen 80).

One question you may ask is: Can I remove a port from the SELinux policy? I leave this question for you. Please find the solution and test it.

Section 2 Checking and Restoring the SELinux Context

In SELinux, type enforcement is all about labels. Every process, file, directory and device on a SELinux system has a label (security context). If these labels are wrong for some reason, SELinux will not function properly and AVC denials will occur. To cope with this, the SELinux developers have designed several utilities that can check and restore SELinux default contexts. One of them is the command matchpathcon. From the matchpathcon(8) man page: "matchpathcon queries the system policy and outputs the default security context associated with the file path." It can be used to check whether files and directories have consistent SELinux contexts. Please use the man page to learn how to use it.

Please perform the following to gain experience with this command:

- Run the command touch /var/www/html/file{a,b,c}. This creates three files that inherit the httpd_sys_content_t type from the /var/www/html directory. Please verify this using the tool you have learned.
- Run chcon -t samba_share_t /var/www/html/filea
- Run chcon -t admin_home_t /var/www/html/fileb
- Run ls -Z /var/www/html to view the changes.
- Run /usr/sbin/matchpathcon -V /var/www/html/* and study the results.

Now you have identified inconsistent labels on files in the /var/www/html/ directory. You can verify that only the file filec is accessible by httpd. Again, the question is how to resolve the inconsistent labels and allow the Apache HTTP server to access those files. You can relabel the files one by one. However, the following command makes this job much easier when you have a large number of files with inconsistent labels:

    /sbin/restorecon -v /var/www/html/*

Please run the above command and test its effects.
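The check-then-restore sequence above can be scripted so that the relabeling is reviewed before it happens. The following script is an added example, not the lab's own code: it reads the output format of matchpathcon -V ("PATH has context X, should be Y" / "PATH verified."), lists the current and default type of every mismatched file, and builds a restorecon command limited to those files, as a dry run (restorecon -n) first. The sample output embedded in it is constructed to match the chcon exercise; the directory path is the lab's, and the live tool is used when it is installed.

```python
"""Added example (not the lab's own code): read `matchpathcon -V` output, list
which files carry a context that differs from the policy default and what the
default type is, and build a restorecon command limited to those files. A dry run
(restorecon -n) is produced first so the relabeling can be reviewed before it is
applied. The sample output is constructed to match the chcon exercise; the live
tool is used when it is installed."""
import glob
import re
import subprocess

# Constructed `matchpathcon -V /var/www/html/*` output after the two chcon commands.
SAMPLE_OUTPUT = """\
/var/www/html/filea has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/fileb has context unconfined_u:object_r:admin_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/filec verified.
"""

MISMATCH_RE = re.compile(r"^(?P<path>.+?) has context (?P<cur>[^\s,]+), should be (?P<want>\S+)$")
VERIFIED_RE = re.compile(r"^(?P<path>.+?) verified\.$")

def context_type(ctx):
    """Type field of a user:role:type:level context string."""
    return ctx.split(":")[2]

def parse_matchpathcon(text):
    """Return (mismatches, verified); a mismatch is (path, current_type, default_type)."""
    mismatches, verified = [], []
    for line in text.splitlines():
        m = MISMATCH_RE.match(line)
        if m:
            mismatches.append((m["path"], context_type(m["cur"]), context_type(m["want"])))
            continue
        v = VERIFIED_RE.match(line)
        if v:
            verified.append(v["path"])
    return mismatches, verified

def restorecon_command(mismatches, dry_run=True):
    """argv for restorecon over the mismatched paths only (None if nothing to do)."""
    if not mismatches:
        return None
    flags = ["-v", "-n"] if dry_run else ["-v"]     # -n: report, change nothing
    return ["/sbin/restorecon", *flags, *[path for path, _, _ in mismatches]]

def report(mismatches, verified):
    """Human-readable summary lines: one per mismatch plus a count of verified files."""
    lines = [f"{path}: {cur} -> {want}" for path, cur, want in mismatches]
    lines.append(f"{len(verified)} file(s) already have the default context")
    return lines

def live_output(directory="/var/www/html"):
    """Run matchpathcon -V on the directory contents when available, else the sample."""
    paths = sorted(glob.glob(f"{directory}/*"))
    try:
        if paths:
            # matchpathcon exits non-zero when something is mislabeled, so no check=True
            return subprocess.run(["matchpathcon", "-V", *paths],
                                  capture_output=True, text=True).stdout
    except FileNotFoundError:
        pass
    return SAMPLE_OUTPUT

if __name__ == "__main__":
    mismatches, verified = parse_matchpathcon(live_output())
    print("\n".join(report(mismatches, verified)))
    cmd = restorecon_command(mismatches)
    if cmd:
        print("dry run:", " ".join(cmd))
```

Passing only the mismatched paths to restorecon keeps the change reviewable; once the dry run shows the expected transitions, rerun restorecon_command with dry_run=False (or simply restorecon -v over the directory, as the lab does) to apply them.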

You may argue: why would I bother to use the matchpathcon command to identify the wrong labels first? The restorecon command will restore the default context anyway. Well, again, I leave this question for you. (It is helpful to identify the problems before trying to resolve them.)

Please remove the files (filea, fileb, filec) in the /var/www/html/ folder.

Scenario 2

A web programmer has created three files (file1, file2, file3) in his home directory (/home/student/lab10/). He wants to link them to the web page. You have done the following:

    mv /home/student/lab10/file* /var/www/html/

Then you create two files (index.html, secret) in your own directory (/root/lab10). You know that the file index.html is for the web page, but secret contains confidential data and cannot be exposed. When the files have been created, you do the following to move those files:

    mv /root/lab10/* /var/www/html/

Then you tell the web programmer to test the result.

Question 2: Perform the tasks described in Scenario 2 as the web programmer and the root user. What will the web programmer tell you when he tests the results? If the web programmer has any problem, please fix it as the system administrator so that the files are accessible by httpd. Use screenshots to demonstrate your work and the results. Note that, for security purposes, as the system administrator you don't want to expose any confidential data (the secret file) to anybody.

We have worked with the existing SELinux policy without modifying it. How can we modify it? There are several ways at different levels. We will look at some of the techniques that can be used to modify the policy in the following sections.

Section 3 Booleans

Booleans allow parts of the SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing.

3.1 Listing Booleans

For a list of Booleans, an explanation of what each one does, and whether they are on or off, run the following command as the Linux root user:

    semanage boolean -l

The following screenshot shows part of the Boolean list on my computer. The SELinux boolean column lists Boolean names. The second column gives the default value. The Description column tells what they do.

The getsebool -a command lists all Boolean values. The getsebool boolean-name command gives the status of the boolean-name Boolean:

    getsebool samba_run_unconfined

Use a space-separated list to list multiple Booleans:

3.2 Configuring Booleans

The setsebool command is used to set SELinux Boolean values. It has the following format:

    setsebool boolean-name x

This turns a Boolean on or off, where boolean-name is a Boolean name and x is 1, true or on to turn the Boolean on, or 0, false or off to turn it off. Use the -P option to make the change persist across reboots. If the -N option is given, the policy on disk is not reloaded into the kernel.

Some Boolean configurations are easy. For example, to allow the Apache HTTP Server to access Samba file systems (files labeled with the cifs_t type), you can simply perform the following configuration:

    /usr/sbin/setsebool httpd_use_cifs on

To allow the Apache HTTP Server to access NFS file systems (files labeled with the nfs_t type), do the following:

    /usr/sbin/setsebool httpd_use_nfs on

Others are not so apparent. In particular, it can be complex when you want to prevent a service from accessing files of certain types. A thorough study is usually needed before you actually know what you need to do. You will gain this experience in the following scenario. Please do the following first:

    setsebool httpd_use_nfs=on httpd_enable_homedirs=on use_nfs_home_dirs=on

Scenario 3

You have the Apache HTTP Server (httpd) running on a Fedora 18 system with the SELinux targeted policy enforced. This system serves files from an NFS mount at the same time. To secure your file system, you don't want the server to access files labeled with the nfs_t type. In addition, you want to test your configuration to assure that it works as expected.

Question 3: Summarize what you need to do to achieve the goals specified in Scenario 3. Use screenshots to demonstrate your work and results. (Hint: study these three Booleans: httpd_use_nfs, httpd_enable_homedirs and use_nfs_home_dirs.)

Do you see the complexity of SELinux Booleans? Some Booleans are not orthogonal; some of them are related to each other. Different combinations of Boolean settings can produce or imply unexpected results.

Section 4 The audit2allow command

SELinux denials are logged. The utility audit2allow can be used to generate SELinux policy allow rules from logs of denied operations.

4.1 Log files

SELinux denial messages are written to the /var/log/audit/audit.log file by default:

In addition, if setroubleshootd is running, denial messages from the /var/log/audit/audit.log file are translated into an easier-to-read form and sent to the /var/log/messages file:

Denial messages are sent to different locations depending on which logging daemon is running on your system. Table 1 gives a good approximation for Fedora Linux systems.

Table 1 Log locations

    Daemon                      Log Location
    auditd on                   /var/log/audit/audit.log
    auditd off; rsyslogd on     /var/log/messages
    auditd and rsyslogd on      /var/log/audit/audit.log; easier-to-read denial messages are also sent to /var/log/messages

Please view the log files on your computer and identify SELinux AVC denials. If you cannot see any, generate some.

4.2 Allowing access

The audit2allow utility is commonly used to generate SELinux policy allow rules from logs of denied operations. In SELinux, actions are denied by default. If you want an action to be allowed, an allow rule must be in the SELinux policy. The audit2allow tool makes this job less complex. However, this tool should be used with care. It works in two steps:

- Generate allow rules for logged denied operations.
- Integrate/install the rules into the SELinux policy.

As a system administrator, the most important things are that you:

- Understand why the operations are denied;
- Decide whether you want to allow the denied operations. Most likely, the denials are what you want.

Please do the following to install audit2allow:

    yum install /usr/bin/audit2allow

Please use the man page to learn the audit2allow utility. The following command will tell you the reason why a denial occurred:

    audit2allow -w -a

Please run the above command and study the reasons why the denials occurred on your system. The following command tells what allow rules are needed to allow the denied accesses that are logged:

    audit2allow -a

Please run the above command to understand what rules are needed to allow the logged denied accesses. Note that one allow rule may fix a great number of denials.
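To see why one allow rule can cover many denials, and why the rules audit2allow prints still need a decision from you, the following script (an added example, not the lab's code and not audit2allow itself) does the core of what audit2allow -a does: it parses AVC lines from audit.log, groups them by source type, target type and object class, and prints one candidate rule per group. It then attaches a triage note to each rule. The audit lines are constructed to resemble what the Section 1 and Section 2 exercises produce (pids, inodes and timestamps are made up), and the triage heuristics are this example's own assumptions.

```python
"""Added example, not the lab's own code: a small reader for AVC denials that does
what audit2allow -a does at its core (group denials into candidate allow rules)
and then asks the Section 4 question about each one: is an allow rule really the
right fix? The sample audit lines are constructed; the triage heuristics are this
example's own assumptions."""
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log lines (timestamps, pids and inodes are made up).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1360000000.101:201): arch=c000003e syscall=49 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1360000000.101:201): avc:  denied  { name_bind } for  pid=2101 comm="httpd" src=90 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1360000000.250:202): avc:  denied  { read } for  pid=2105 comm="httpd" name="fileb" dev="dm-0" ino=26113 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1360000000.251:203): avc:  denied  { getattr } for  pid=2105 comm="httpd" path="/var/www/html/fileb" dev="dm-0" ino=26113 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1360000000.252:204): avc:  denied  { read } for  pid=2105 comm="httpd" name="filea" dev="dm-0" ino=26112 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)")

def type_of(ctx):
    """Type field of a user:role:type:level context."""
    return ctx.split(":")[2]

def parse_denials(text):
    """Yield (source_type, target_type, tclass, [perms]) for every AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield type_of(m["scon"]), type_of(m["tcon"]), m["tclass"], m["perms"].split()

def candidate_rules(text):
    """Group denials the way audit2allow does: {(src, tgt, class): sorted perms}."""
    grouped = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(text):
        grouped[(src, tgt, cls)].update(perms)
    return {key: sorted(perms) for key, perms in grouped.items()}

def format_rule(key, perms):
    """Render in the allow-rule syntax audit2allow prints."""
    src, tgt, cls = key
    return f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"

# Heuristic (this example's assumption): what to try before writing an allow rule.
HOME_LIKE = {"admin_home_t", "user_home_t", "user_home_dir_t"}

def triage(key, perms):
    src, tgt, cls = key
    if cls in ("tcp_socket", "udp_socket") and "name_bind" in perms:
        return "port labeling: fix with semanage port, not an allow rule"
    if tgt in HOME_LIKE:
        return "mislabeled content: fix with restorecon/chcon; do not let httpd read home types"
    if cls in ("file", "dir", "lnk_file"):
        return "check the label with matchpathcon -V before allowing"
    return "review manually"

def review(text):
    """One (rule, advice) pair per candidate rule, in a deterministic order."""
    rules = candidate_rules(text)
    return [(format_rule(key, rules[key]), triage(key, rules[key])) for key in sorted(rules)]

if __name__ == "__main__":
    for rule, advice in review(SAMPLE_AUDIT):
        print(rule)
        print("   ->", advice)
```

Feed it real data with python3 script.py < /var/log/audit/audit.log after replacing SAMPLE_AUDIT with sys.stdin.read(), and compare its rules with audit2allow -a on the same log; the two denials on fileb collapse into a single rule, which is the "one allow rule may fix many denials" effect, and the triage column is the homework the next section asks you to do before installing anything.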

To use the rules displayed by audit2allow -a, run the following command to create a custom module:

    audit2allow -a -M myrule

The -M option creates a Type Enforcement file (.te) with the name specified with -M in your current working directory. The audit2allow command also compiles this .te file into a policy package (.pp) file that is ready to be integrated with the semodule command. The command also tells you what you need to do to install these rules, as shown in the following screenshot.

Should you simply follow the instruction and install your custom SELinux module? Why not? This is the way it works. Well, things are not so simple. Before you actually install the module, you need to carefully study the allow rules to make sure they are what you want. For example, the following screenshot shows some of the allow rules generated on my computer.

Do I need the allow rules under the httpd_t section? These denials were generated while testing the Apache HTTP Server. It does not make any sense to install those rules. This is the homework we need to do before getting the allow rules integrated. You don't want to make your system weaker by integrating your own allow rules. Otherwise, why bother to run SELinux on your computer?

Please use the audit2allow man page to learn how to generate a policy package and install it. Examples are located at the bottom of the man page.

Scenario 4

You have set up a web server that runs Fedora 18 Linux with the SELinux targeted policy enforced. Some of the users call the help desk reporting that they cannot download some of the files from the web page.

Question 4: Please describe the major steps you would take to fix the problem specified in Scenario 4. Use screenshots to demonstrate your work and results.

Before you leave this section, please refer to Dan Walsh's "Using audit2allow to build policy modules. Revisited." blog entry for further information about using audit2allow to build policy modules. Note: the semodule -i command may not work on Fedora 18.

Section 5 The system-config-selinux and seinfo utilities

You may wonder how to view the types, policy modules, defined network ports and so on in the SELinux policy. Several tools have been developed to serve this purpose. One of them is seinfo, which is located in /usr/bin/ by default. It allows users to query the components of a SELinux policy. The following command installs the seinfo utility:

    yum install /usr/bin/seinfo

The use of seinfo has the following general format:

    seinfo [OPTIONS] [EXPRESSION] [POLICY]

When POLICY is omitted, the default policy is queried. For example, the following command displays the statistics for the default policy on your system, as shown in the following screenshot:

    seinfo --stats

Please use the man page to learn how to use this tool.

Another useful SELinux tool is system-config-selinux. It has a GUI. Install the utility:

    yum install /usr/bin/system-config-selinux

The following command launches the GUI, which looks similar to the following screenshot:

    system-config-selinux

It can also be accessed from the menu: Administration => SELinux Management. Please check out this tool on your computer and play with it.

Scenario 5

You want to spend time playing with the seinfo and system-config-selinux utilities to learn what they do and how to use them.

Question 5: Summarize the part that you thought was the most interesting when you conducted the tasks specified in Scenario 5. Use screenshots to demonstrate.

The developer of the system-config-selinux tool wrote an article several years ago. Apparently the material is old and the current system-config-selinux has a different look, but it is good to know. Interested? Check out the article at the following link:

http://magazine.redhat.com/2007/08/21/a-step-by-step-guide-to-building-a-new-selinux-policymodule/

The author recently updated his blog regarding the use of system-config-selinux on the current release. You may check it out at the following link:

http://danwalsh.livejournal.com/40350.html

Section 6 Bonus (4%)

Again, what you do for the bonus is not restricted, but it has to be related to SELinux since this is the topic of this lab. I hope the way the bonus is given will inspire more interest in the lab topic and give you more free space at the same time. Please do the following to earn the bonus for this lab. More extra points may be given if you can convince your instructor that you have done a significant amount of work on SELinux.

- Work out a mini project of your choice based on what you have learned about SELinux so far.
- Describe your mini project: motivation, design and technical contents.
- Implement your mini project.

Question B1: What is your mini project about? Give a description of your project, including motivation, design and technical details.

Question B2: Implement your mini project. Please use screenshots, descriptions and/or answers to questions to show your implementation.

Survey Questions

Questions in this section will not be graded, but will make your suggestions and voice heard by your instructor.

GQ 1. What changes would you like to make to this lab?
GQ 2. How much time did you spend finishing this lab?
GQ 3. Did you learn anything new or gain a better understanding of the class lecture by finishing this lab?

Well, you have completed another lab for this class. I hope you enjoyed doing this lab. Please let your instructor know if you have any comments.

Answer Sheet

============================= Required Part ============================

Question 1: Please summarize what you need to do to achieve the goal specified in Scenario 1. Attach screenshots to demonstrate your results.

Question 2: Perform the tasks described in Scenario 2 as the web programmer and the root user. What will the web programmer tell you when he tests the results? If the web programmer has any problem, please fix it as the system administrator so that the files are accessible by httpd. Use screenshots to demonstrate your work and the results. Note that, for security purposes, as the system administrator you don't want to expose any confidential data (the secret file) to anybody.

Question 3: Summarize what you need to do to achieve the goals specified in Scenario 3. Use screenshots to demonstrate your work and results. (Hint: study these three Booleans: httpd_use_nfs, httpd_enable_homedirs and use_nfs_home_dirs.)

Question 4: Please describe the major steps you would take to fix the problem specified in Scenario 4. Use screenshots to demonstrate your work and results.

Question 5: Summarize the part that you thought was the most interesting when you conducted the tasks specified in Scenario 5. Use screenshots to demonstrate.

============================ Bonus Part (4%) ===========================

Question B1: What is your mini project about? Give a description of your project, including motivation, design and technical details.

Question B2: Implement your mini project. Please use screenshots, descriptions and/or answers to questions to show your implementation.

================================ Survey Part ===========================

GQ1. Would you like to make any changes to this lab?
GQ2. How long did it take you to complete this lab?
GQ3. Did you learn anything new or gain a better understanding of the class lecture by finishing this lab?