Managing Red Hat Enterprise Linux 5

Daniel J Walsh
SELinux Lead Engineer
dwalsh@redhat.com

Karl MacMillan
Principal Software Engineer
kmacmill@redhat.com

Agenda
1) Introduction to SELinux Concepts
2) Policies and Configuration Files
3) Modified OS Commands
4) SELinux Utilities
5) Understanding Audit Messages
6) Managing File Labeling
7) Customizing Policy With Booleans
8) Managing SELinux Modules
9) Managing SELinux Systems
10) Configuring Auditing
11) Customizing Apache

Introduction to SELinux Concepts

Linux Access Control Introduction
Linux access control involves the
- kernel controlling
- processes' (running programs') access to
- resources (files, directories, sockets, etc.)
For example:
- web server processes can read web files
- but not /etc/shadow
How are these decisions made?

Standard Linux Access Control
Processes and files have security properties
- process: user and group (real and effective)
- resources: user and group + access bits
  - read, write, and execute for user, group, other
Kernel has a hard-coded policy
Example:
- Can firefox read my ssh private key?
  kmacmill 21375 1 35 11:38 ? 00:00:01 firefox-bin
  -rw------- 1 kmacmill kmacmill 1743 2006-07-10 id_rsa

Important Concepts
Security properties: security-relevant data
- associated with processes and resources
- used to make access control decisions
Policy: rules for access control decisions
Kernel enforces access control decisions
- called the reference validation mechanism
- processes also enforce access control
  - database server, dbus, X, etc.

Standard Linux Security Problems
Access is based on the user's access
Example: Firefox can read ssh keys
- it generally has no reason to read them, but
- if it is compromised the result can be disastrous
Fundamental problem:
- security properties are not specific enough
- the kernel can't distinguish applications from users

Standard Linux Security Problems
Processes can change security properties
Example: mail files readable only by me
- evolution can make them world readable
Fundamental problem:
- standard access control is discretionary
- includes the concept of resource ownership
- processes can escape the security policy

Standard Linux Security Problems
Only two privilege levels: user and root
Example: apache privilege escalation
- an apache bug allows obtaining a root shell
- the entire system is compromised
Fundamental problem:
- simplistic security policy
- no way to enforce least privilege

SELinux Introduction
SELinux adds additional access control
- new security properties on processes/resources
- flexible security policy that can be changed
Kernel- and application-based enforcement
Designed to address the security problems above
- mandatory, least privilege, and fine grained
- no all-powerful root
Transparent to most applications

SELinux Access Control
SELinux has three forms of access control
- Type Enforcement (TE): the primary mechanism
- Role Based Access Control (RBAC)
- Multi Level Security (MLS)
Configurable via a policy language
- central configuration files control all access
- several policies available (targeted, strict, mls)
All access is denied by default

SELinux Security Properties
Processes and files have a security context
  kmacmill:staff_r:firefox_t:s0
  kmacmill:object_r:user_home_t:s0
- user:role:type:level
The key field is the type
- used to implement Type Enforcement
The other fields are used for RBAC and MLS
- more on these later

Exercise: Security Contexts
Several utilities were modified for SELinux
The -Z option is usually used to view contexts
Examples:
- ps -aeZ -> view contexts of processes
- ls -Z -> view contexts of files and directories
Exercises:
- What is the security context of /etc/shadow?
- What is the security context of udevd?

Solving Linux Security Challenges
Security properties need to identify
- all relevant security information, e.g.,
  - the process is a web server (apache)
  - that was started by init
- consistently across all processes and resources
Security policy needs to be flexible
- no assumptions (e.g., no root)
- capable of enforcing integrity, confidentiality, etc.

Introduction to Type Enforcement
Based on a single security property: the type
- applied to processes and resources
- represents all security-relevant information
Types are assigned to processes and resources
- Apache processes -> httpd_t
- /var/www/html/index.html -> httpd_sys_content_t
Access is allowed between types
- e.g., httpd_t can read httpd_sys_content_t

Introduction to Object Classes
Object classes specify the details of access
Resources are divided into classes
- e.g., file, dir, socket, process
Each class has permissions
- e.g., file: read, write, execute, getattr
A full access rule in Type Enforcement:
  allow httpd_t httpd_sys_content_t:file read;

Type Enforcement Overview
(diagram)
  Apache (httpd_t) --read--> /var/www/html (httpd_sys_content_t): allowed
  Apache (httpd_t) --read--> ~/public_html (httpd_sys_content_t): allowed
  Apache (httpd_t) --read--> /etc/shadow (shadow_t): no rule, denied
Policy: allow httpd_t httpd_sys_content_t : file read;

Type Enforcement Concepts
Access is allowed solely by type
- many processes and resources have the same type
- simplifies policy by grouping
  - processes with the same type have the same access
  - same for resources (files)
Process types are called domains
- sometimes also applied to resources (e.g., sockets)
Different resources can have the same type

Assigning Initial Types
Files and directories:
- a configuration file specifies the default context
  - called file contexts
  - uses path regexes: ^/usr/bin/ -> bin_t
- inherited from the containing directory at runtime
Applications can explicitly set the context
- chcon: utility to set contexts (think chown)
- passwd: maintains the context on /etc/shadow

Assigning Process Types
Process types are:
- (default) inherited from the parent process
- set by policy (type transition rule)
- set by the application (e.g., login)
Examples:
- bash (user_t) -> ls (user_t)
- init (init_t) -> httpd init script (initrc_t) -> httpd (httpd_t)
- login (login_t) -> bash (user_t)

Type Transition Rules
Type transition rules set process types using:
- the parent process type and the executable file type
- similar to setuid
Example: starting the name server
- Rule: domain_auto_trans(initrc_t, named_exec_t, named_t)
  - parent process (initrc_t)
  - executable file type (named_exec_t)
  - result -> named_t

Type Transition Rules
(diagram)

Type Transition Notes
Primary means for setting the process type
- ensures applications run in the correct domain
- does not require application modification
Must be allowed by policy
- e.g., apache cannot start processes in init_t
- prevents applications from gaining privilege
Binds a specific executable to a domain
- e.g., only /usr/bin/passwd can run in passwd_t

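An added example (not from the slides, not Red Hat code) that puts the Type Enforcement and type transition slides into working code: a small evaluator for allow and type_transition rules written in the kernel policy syntax the slides quote. It shows default deny on the types, permission merging per object class, and that a transition rule only takes effect when the execute/transition/entrypoint allow rules exist. The sample policy is constructed; its named_t rules mirror the domain_auto_trans example above, and the init_exec_t/init_t rule is an invented case of a transition that policy does not permit.

```python
import re
from collections import defaultdict

# Rule syntax is the kernel policy language quoted on the slides:
#   allow <source type> <target type>:<class> <perm | { perms }>;
#   type_transition <parent domain> <exec type>:process <new domain>;
ALLOW_RE = re.compile(
    r"^allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;$")
TRANS_RE = re.compile(
    r"^type_transition\s+(\w+)\s+(\w+)\s*:\s*process\s+(\w+)\s*;$")

# Constructed sample policy modelled on the slides' httpd and named examples.
# domain_auto_trans(initrc_t, named_exec_t, named_t) from the slides expands
# to the type_transition plus the three allow rules that make it legal.
SAMPLE_POLICY = """
allow httpd_t httpd_sys_content_t:file { read getattr };
allow initrc_t named_exec_t:file { read getattr execute };
allow initrc_t named_t:process transition;
allow named_t named_exec_t:file entrypoint;
type_transition initrc_t named_exec_t:process named_t;
# Invented case: a transition rule with no matching allow rules, so the exec fails.
type_transition httpd_t init_exec_t:process init_t;
"""


def type_of(context):
    """The type is the third field of user:role:type[:level]."""
    return context.split(":")[2]


class Policy:
    def __init__(self, text):
        self.allow = defaultdict(set)   # (src type, tgt type, class) -> perms
        self.transitions = {}           # (parent domain, exec type) -> new domain
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            m = ALLOW_RE.match(line)
            if m:
                src, tgt, cls, perms = m.groups()
                self.allow[(src, tgt, cls)].update(perms.strip("{} ").split())
                continue
            m = TRANS_RE.match(line)
            if m:
                src, exe, new = m.groups()
                self.transitions[(src, exe)] = new
                continue
            raise ValueError("unparsed rule: " + line)

    def allowed(self, scontext, tcontext, cls, perm):
        """Default deny: access exists only if an allow rule names both types."""
        key = (type_of(scontext), type_of(tcontext), cls)
        return perm in self.allow.get(key, ())

    def exec_domain(self, parent, exec_type):
        """Domain of a new process: the transition rule if one matches, else the
        parent's domain is inherited (bash in user_t runs ls in user_t)."""
        new = self.transitions.get((parent, exec_type), parent)
        if new == parent:
            return new
        # The transition itself must be allowed: the parent needs execute on the
        # file and transition to the new domain, and the new domain needs
        # entrypoint on the file.  Missing any of these, the exec() fails.
        needed = (((parent, exec_type, "file"), "execute"),
                  ((parent, new, "process"), "transition"),
                  ((new, exec_type, "file"), "entrypoint"))
        for key, perm in needed:
            if perm not in self.allow.get(key, ()):
                raise PermissionError("%s -> %s via %s denied: no '%s' rule"
                                      % (parent, new, exec_type, perm))
        return new


if __name__ == "__main__":
    p = Policy(SAMPLE_POLICY)
    web = "user_u:system_r:httpd_t:s0"
    print(p.allowed(web, "system_u:object_r:httpd_sys_content_t:s0", "file", "read"))
    print(p.allowed(web, "system_u:object_r:shadow_t:s0", "file", "read"))
    print(p.exec_domain("initrc_t", "named_exec_t"))
```

Only the type field of each context takes part in the decision, which is the point of the "access is allowed solely by type" slide; the user and role fields are ignored here exactly as the targeted policy ignores them.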
User Field Details
kmacmill:user_r:user_mozilla_t:s0
Not necessarily the same as the Linux user
Often ends in _u: system_u, user_u
Not currently used in the targeted policy
Files and directories:
- user is inherited from the process
- system process -> files created with system_u

Role Field Details
kmacmill:user_r:user_mozilla_t:s0
Used for RBAC
- the role further restricts the available type transitions
- in cooperation with TE (e.g., user_r/user_t)
Usually ends with _r
Resources have the default object_r role
Used in the strict and MLS policies
- user_r, staff_r, secadm_r

MLS Level Field Details
kmacmill:user_r:user_mozilla_t:s0
Used for MLS (or MCS)
Often hidden in targeted and strict (MCS)
Identifies one level or a range
- single level: s0
- range: s0-s15:c0.c1023
Usually translated
- s15:c0.c1023 -> SystemHigh

SELinux Security Benefits
Types capture important security information
- access is based on the user and the application function
- transitions capture process call chains
Processes run with least privilege
- only what is allowed for the type
- e.g., httpd_t can only read web pages
Privilege escalation is tightly controlled
- a compromise of Apache is limited by policy

SELinux Configuration

Strict Policy
- A system where everything is denied by default
- You must specify allow rules to grant privileges
- SELinux was designed to be a strict policy
- The policy rules only have allows, no denies
- Minimal privileges for every daemon
- Separate user domains for programs like GPG, X, ssh, etc.
- Difficult to enforce in a general purpose operating system
Not supported in RHEL

MLS Policy
- Strict policy with Bell-LaPadula support
- Supported in RHEL 5 with a special license
- Server-only operating system
  - No X Windows support
  - Limited package set
- HP/IBM working towards getting EAL4+/LSPP certification

Targeted Policy
A system where processes by default are unconfined
- Only targeted processes are confined
Unconfined domains
- By default user processes run in unconfined_t
- System processes run in initrc_t
- Unconfined processes have the same access they would have without SELinux running
Daemons with defined policy transition to confined domains
- httpd started from unconfined_t transitions to httpd_t, which has limited access

Targeted Domains
In RHEL 4
- 15 targets defined
  - httpd, squid, pegasus, mailman, named, dhcpd, mysqld, nscd, ntpd, portmap, postgresql, snmpd, syslogd, winbindd
In RHEL 5
- 200 targets defined
- Every program shipped by Red Hat and started on boot should have a domain defined
- All system space is confined
- Limited confinement for user space
  - 20 unconfined domains

Where should you run SELinux?
(diagram: Internet -> firewall -> DMZ with DNS, Web, FTP and VPN servers on Red Hat Enterprise Linux ES -> corporate intranet with NFS, NIS, database, CRM and ERP servers on Red Hat Enterprise Linux AS, an app server farm on Red Hat Enterprise Linux ES, and workstations on Red Hat Enterprise Linux WS)

Config files
SELinux stores its config files in /etc/selinux
  # ls -l /etc/selinux
  -rw-r--r-- 1 root root  515 Jan 18 11:46 config
  drwxr-xr-x 7 root root 4096 Jan 23 14:06 strict
  drwxr-xr-x 7 root root 4096 Jan 23 14:06 targeted

/etc/selinux/config identifies the policy and the enforcing mode
  # more /etc/selinux/config
  # This file controls the state of SELinux on the system.
  # SELINUX= can take one of these three values:
  #   enforcing - SELinux security policy is enforced.
  #   permissive - SELinux prints warnings instead of enforcing.
  #   disabled - No SELinux policy is loaded.
  SELINUX=enforcing
  # SELINUXTYPE= can take one of these two values:
  #   targeted - Only targeted network daemons are protected.
  #   strict - Full SELinux protection.
  SELINUXTYPE=targeted

Config files
The directory under each policy type follows the same format
- contexts directory contains the default contexts files used by SELinux-aware applications
- policy directory contains the compiled policy file
- seusers contains the Linux user to SELinux user mapping file
- setrans.conf contains the MLS/MCS translations
- modules directory includes the current modules used to build the policy
  # ls -l /etc/selinux/targeted/
  total 40
  drwxr-xr-x 4 root root 4096 Jan 29 09:00 contexts
  drwxr-xr-x 4 root root 4096 Jan 29 09:00 modules
  drwxr-xr-x 2 root root 4096 Jan 29 09:00 policy
  -rw-r--r-- 1 root root  598 Jan 23 17:24 setrans.conf
  -rw-r--r-- 1 root root  143 Jan 29 09:00 seusers

Config files
/etc/selinux/targeted/contexts/files/
- file_contexts
- file_contexts.local
- file_contexts.homedir
- homedir_template

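An added example (not the libselinux or policycoreutils code) of how the files in this directory are used: it resolves a path to its default context the way matchpathcon does (anchored regexes, optional file-type field, last matching entry wins, `<<none>>` meaning "leave alone") and then reports what `restorecon -n -v` would change. It also covers the "Assigning Initial Types" slide earlier and the restorecon/customizable_types material that comes later. The file_contexts excerpts, the file_contexts.local entry and the file inventory are constructed.

```python
import re
import stat

# Optional second field of a file_contexts entry restricts the file type.
FILE_TYPE_FLAGS = {"--": stat.S_IFREG, "-d": stat.S_IFDIR, "-l": stat.S_IFLNK,
                   "-c": stat.S_IFCHR, "-b": stat.S_IFBLK, "-s": stat.S_IFSOCK,
                   "-p": stat.S_IFIFO}

# Constructed excerpt in the layout of the targeted policy's file_contexts.
# The installed file is sorted general-to-specific by the policy build,
# so the most specific entry is the last one that matches.
SAMPLE_FILE_CONTEXTS = """
/.*                     system_u:object_r:default_t:s0
/etc(/.*)?              system_u:object_r:etc_t:s0
/etc/shadow         --  system_u:object_r:shadow_t:s0
/var/www(/.*)?          system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?  system_u:object_r:httpd_sys_script_exec_t:s0
/tmp/.*                 <<none>>
"""
# What a `semanage fcontext -a` ends up as; loaded after file_contexts, so it wins.
SAMPLE_FILE_CONTEXTS_LOCAL = """
/usr/share/bugzilla/cgi(/.*)?  system_u:object_r:httpd_bugzilla_script_exec_t:s0
"""


def parse_file_contexts(*texts):
    """Parse one or more file_contexts files in load order (later wins)."""
    specs = []
    for text in texts:
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            fields = line.split()
            if len(fields) == 3:
                regex, ftype, context = fields
                want = FILE_TYPE_FLAGS[ftype]
            elif len(fields) == 2:
                regex, context = fields
                want = None
            else:
                raise ValueError("bad file_contexts line: " + raw)
            if context == "<<none>>":
                context = None
            # Entries are implicitly anchored at both ends.
            specs.append((re.compile("^(?:%s)$" % regex), want, context))
    return specs


def matchpathcon(specs, path, mode=stat.S_IFREG):
    """Default context for path: the last matching entry wins, as in libselinux."""
    fmt = stat.S_IFMT(mode)
    for regex, want, context in reversed(specs):
        if want is not None and want != fmt:
            continue
        if regex.match(path):
            return context
    return None


def type_of(context):
    return context.split(":")[2]


def find_mislabeled(specs, inventory, customizable=()):
    """What `restorecon -n -v` would report for inventory = [(path, mode, context)].
    Only the type is compared (restorecon leaves user/role/level alone unless
    -F is given) and types listed in customizable_types are skipped."""
    report = []
    for path, mode, current in inventory:
        default = matchpathcon(specs, path, mode)
        if default is None or type_of(current) in customizable:
            continue
        if type_of(current) != type_of(default):
            report.append((path, current, default))
    return report


# Constructed inventory: what `ls -Z` might show after the slides' exercises.
SAMPLE_INVENTORY = [
    ("/etc/resolv.conf", stat.S_IFREG, "user_u:object_r:user_home_t:s0"),  # mv'd from a home dir
    ("/etc/shadow", stat.S_IFREG, "system_u:object_r:shadow_t:s0"),
    ("/var/www/html/index.html", stat.S_IFREG, "system_u:object_r:httpd_sys_content_t:s0"),
    ("/var/www/cgi-bin/myapp", stat.S_IFREG, "root:object_r:httpd_sys_script_exec_t:s0"),  # only user differs
    ("/usr/share/bugzilla/cgi/index.cgi", stat.S_IFREG, "system_u:object_r:usr_t:s0"),
    ("/opt/www/html", stat.S_IFDIR, "system_u:object_r:httpd_sys_content_t:s0"),  # set with chcon
    ("/tmp/sess_1", stat.S_IFREG, "user_u:object_r:user_tmp_t:s0"),  # <<none>>: never relabeled
]

if __name__ == "__main__":
    specs = parse_file_contexts(SAMPLE_FILE_CONTEXTS, SAMPLE_FILE_CONTEXTS_LOCAL)
    for path, current, default in find_mislabeled(specs, SAMPLE_INVENTORY):
        print("%s: %s -> %s" % (path, current, default))
```

The /opt/www/html entry shows the difference between chcon and semanage fcontext: chcon set the label, but the default for that path is still default_t, so a relabel would undo it; an entry in file_contexts.local changes the default itself. Passing the types from /etc/selinux/targeted/contexts/customizable_types as `customizable` reproduces restorecon's habit of leaving those labels alone.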
Kernel Boot Parameters
Kernel parameters override the /etc/selinux/config settings
selinux=0
- Boots the kernel with SELinux turned off
- Files created while SELinux is off get no file context
- Will require a relabel if the machine gets booted again with SELinux turned on
enforcing=0
- Boots the kernel in permissive mode
- File labeling continues
- May NOT give the same error messages as in enforcing mode: a denied operation is logged but allowed to proceed, so the application continues down a path it would never reach when enforcing

Targeted Policy Man Pages
The targeted policy man pages explain the custom features of the policy: booleans and file contexts
  httpd_selinux(8)        httpd SELinux Policy documentation        httpd_selinux(8)

  NAME
         httpd_selinux - Security Enhanced Linux Policy for the httpd daemon

  DESCRIPTION
         Security-Enhanced Linux secures the httpd server via flexible mandatory
         access control.

  FILE_CONTEXTS
         SELinux requires files to have an extended attribute to define the file
         type. Policy governs the access daemons have to these files. SELinux
         httpd policy is very flexible, allowing users to set up their web
         services in as secure a method as possible.

         The following file context types are defined for httpd:

         httpd_sys_content_t
                Set files with httpd_sys_content_t for content which is
                available from all httpd scripts and the daemon.

         httpd_sys_script_exec_t
                Set cgi scripts with httpd_sys_script_exec_t to allow them to

Exercises
- Read through a couple of the SELinux policy man pages
- Which policy is the system currently running?
- Reboot in permissive mode
  - Do you see additional AVC messages?

Modified Operating System Commands

Modified Utilities
-Z is your friend
- ls -Z
- id -Z
- ps -auxZ
- lsof -Z
- netstat -Z
- find / -context <pattern>

Modified Utilities
cp
- Adopts the destination directory's or file's security context
- cp -a preserves the source context instead, which causes problems when the source label does not belong at the destination
mv
- Maintains the source's security context at the destination
install
- Sets the default security context based on the system defaults

Modified Programs
Login programs (PAM)
- sshd, login, xdm
Password utilities
- passwd, useradd, groupadd
rpm

Backup and disk management
tar, zip
- Both now have extended attribute support
rsync
- -X, xattrs
star
- star -xattr -H=exustar -cf output.tar [files]
amanda
- tar xv | restorecon -f - ; still might be the best option

Exercises: Modified Linux Utilities
- What security context is on /etc/resolv.conf?
- Explore other security contexts in /etc
- What context is the apache process running with?
- What is your security context?
- Create a file in /tmp and mv it to /etc
  - What is the security context on the file?
  - Is this a problem?
- Create a new account on your machine
  - What is the security context on /etc/passwd? /etc/shadow?
  - Why do you suppose they are different?

SELinux Utilities

SELinux Utilities
libselinux rpm
libselinux is the default SELinux library used by SELinux-aware applications
libselinux-utils
- getenforce: tells whether the machine is in enforcing/permissive/disabled mode
- setenforce 1/0: sets the machine to enforcing/permissive
- selinuxenabled: used by scripts to tell whether SELinux is enabled
- matchpathcon: tells you the default context of a file/directory
- avcstat: displays SELinux AVC statistics
libselinux-python
- Python bindings to libselinux

SELinux Utilities: policycoreutils
- genhomedircon, fixfiles, restorecon, restorecond, setfiles, chcon, chcat
- audit2allow, audit2why (see Understanding SELinux log messages)
- secon: see an SELinux context, from a file, program or user input
- semodule, semodule_deps, semodule_expand, semodule_link, semodule_package (see Managing SELinux Policy Modules)
- load_policy: load a new SELinux policy into the kernel
- run_init: run an init script in the proper SELinux context (mls, strict)
- semanage, system-config-selinux (see Managing an SELinux system)
- sestatus: SELinux status tool
- setsebool, getsebool (see Customizing the policy with booleans)
- newrole: run a shell with a new SELinux role/level (mls, strict)

Exercises: SELinux Utilities
- Is your machine in enforcing mode?
  - Turn on permissive mode
  - What AVC message was generated?
  - Return the machine to enforcing mode
- What is the SELinux status of your machine?
- Use sestatus to check the file context on /etc/shadow
- Create the file /etc/apache
  - Change its context type to httpd_exec_t
  - How would you get this application to run as httpd_t?
- Correct the context of all the files in /etc

Understanding Audit Messages

Understanding SELinux log messages
AVC: Access Vector Cache
- messages in /var/log/messages or /var/log/audit/audit.log
  type=AVC msg=audit(1140184056.443:78): avc: denied { use } for pid=2185 comm="mingetty" name="ptmx" dev=tmpfs ino=699 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd

  type=AVC msg=audit(1166017682.366:876): avc: denied { getattr } for pid=23768 comm="httpd" name="index.html" dev=dm-0 ino=7996439 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u: object_r:user_home_t:s0 tclass=file

Understanding SELinux log messages
AVC messages can get created for a variety of reasons:
- A mislabeled file
- A process running under the wrong context
- A bug in policy
  - Basically, an application goes down a code path that was never tested by the policy writer and gets an unexpected AVC
- An intruder

Understanding SELinux log messages
audit2allow
- Tool that generates policy allow rules from logs of denied operations
  audit2allow -i /var/log/audit/audit.log
  allow httpd_t user_home_t:file getattr;
audit2why
- Translates SELinux audit messages into a description of why the access was denied
- Not very helpful to novice users; used by policy developers

Analyzing SELinux AVC Messages
AVC messages referring to files labeled *:file_t
- Major labeling problem; all files probably require labels
- The SELinux kernel labels files with no security context as file_t
- The file was created when running with selinux=0, or it is a new disk
- It is safest to relabel the system: touch /.autorelabel; reboot
- On a new disk you can restorecon -R -v /MOUNTPOINT
AVC messages containing default_t
- Probably a labeling problem
- If not in /, you probably need to relabel
- If in / and you want confined domains to have access, you need to relabel the file/directory using chcon

Analyzing SELinux AVC Messages
Many similar messages about the same file
- This usually indicates a labeling problem
- For example:
  - Create /home/dwalsh/resolv.conf
  - mv /home/dwalsh/resolv.conf /etc
  - ls -lZ /etc/resolv.conf
  - Confined domains will report errors accessing user_home_t
  - restorecon /etc/resolv.conf

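An added example (not audit2allow's own code) for this slide and the audit2allow slide before it: it parses AVC records like the ones shown earlier, merges the permissions per source type, target type and object class into allow rules the way audit2allow does, but first sets aside the denials that the two analysis slides say should be fixed with a relabel, plus port binds that belong to semanage port. The log excerpt is constructed; its first two records copy the slides' examples, the rest are invented to exercise each rule.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*?)\s*"
                    r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed audit.log excerpt; the first two records are the slides' examples.
SAMPLE_LOG = """\
type=AVC msg=audit(1140184056.443:78): avc:  denied  { use } for  pid=2185 comm="mingetty" name="ptmx" dev=tmpfs ino=699 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd
type=AVC msg=audit(1166017682.366:876): avc:  denied  { getattr } for  pid=23768 comm="httpd" name="index.html" dev=dm-0 ino=7996439 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1166017682.367:877): avc:  denied  { read } for  pid=23768 comm="httpd" name="index.html" dev=dm-0 ino=7996439 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1166017700.100:900): avc:  denied  { read } for  pid=2301 comm="named" name="named.conf" dev=dm-0 ino=12345 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1166017800.200:950): avc:  denied  { name_bind } for  pid=23770 comm="httpd" src=81 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1166017800.200:950): arch=40000003 syscall=102 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1166017900.300:960): avc:  denied  { write } for  pid=23768 comm="httpd" name="counter.txt" dev=dm-0 ino=998 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""


def type_of(context):
    return context.split(":")[2]


def parse_avc(line):
    """One AVC record -> dict, or None for non-AVC records (SYSCALL, PATH, ...)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms, fields, scontext, tcontext, tclass = m.groups()
    attrs = {k: v.strip('"') for k, v in FIELD_RE.findall(fields)}
    return {"perms": set(perms.split()), "scontext": scontext,
            "tcontext": tcontext, "tclass": tclass,
            "comm": attrs.get("comm"), "name": attrs.get("name"),
            "src": attrs.get("src")}


def triage(denials):
    """Split denials into (candidate allow rules, things to fix first).
    Rules are merged per (source type, target type, class) as audit2allow does;
    the fixes follow the analysis slides: file_t and default_t mean a relabel,
    user_home_t hit by a confined daemon is usually a mv'd file, and an
    unlabeled port wants semanage port rather than a rule against port_t."""
    rules = defaultdict(set)
    fixes = {}
    for d in denials:
        stype, ttype = type_of(d["scontext"]), type_of(d["tcontext"])
        advice = None
        if ttype == "file_t":
            advice = "unlabeled file: touch /.autorelabel; reboot (or restorecon -R -v the mount point)"
        elif ttype == "default_t":
            advice = "default_t: relabel; chcon if the path is in / and should be reachable"
        elif ttype == "user_home_t":
            advice = "home-dir label hit by a confined domain: check with matchpathcon, then restorecon"
        elif d["tclass"].endswith("_socket") and "name_bind" in d["perms"] and ttype == "port_t":
            advice = "unlabeled port %s: semanage port -a -t <service>_port_t -p <proto> %s" % (d["src"], d["src"])
        if advice:
            fixes[(d["name"] or d["src"], ttype)] = (d["comm"], advice)
        else:
            rules[(stype, ttype, d["tclass"])].update(d["perms"])
    return rules, fixes


def format_rules(rules):
    out = []
    for (s, t, c), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        out.append("allow %s %s:%s %s;" % (s, t, c, p if len(perms) == 1 else "{ %s }" % p))
    return out


if __name__ == "__main__":
    denials = [d for d in map(parse_avc, SAMPLE_LOG.splitlines()) if d]
    rules, fixes = triage(denials)
    for (what, ttype), (comm, advice) in sorted(fixes.items()):
        print("FIX FIRST %s (%s, %s): %s" % (what, comm, ttype, advice))
    print("\n".join(format_rules(rules)))
```

Even the rules that survive triage deserve a look before they go into a module: the httpd write denial above is the case the labeling slides solve by giving the directory httpd_sys_script_rw_t, which is narrower than letting httpd_t write to all of httpd_sys_content_t.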
SELinux Troubleshoot Tool
setroubleshoot
- Service listens to the audit daemon for AVC messages
- Then processes a plugin database for known issues
  - /usr/share/setroubleshoot/plugins
- Displays a knowledge base of how to handle the AVC message
- The sealert command can launch a browser or analyze log files
- Configure /etc/setroubleshoot/setroubleshoot.cfg to send mail

Missing AVC messages
Sometimes applications fail with no AVC messages
- setenforce 0 and the application works???
dontaudit rules
- Expected AVCs that cause apps to take different code paths
- Sometimes cover up real errors
RHEL 4
- Install selinux-policy-targeted-sources
  make -C /etc/selinux/targeted/src/policy enableaudit load
RHEL 5
  semodule -b /usr/share/selinux/targeted/enableaudit.pp
  semodule -b /usr/share/selinux/targeted/base.pp

Exercises: SELinux Utilities
Let's create some AVC messages
- touch /var/www/html/index.html
- chcon -t user_home_t /var/www/html/index.html
- service httpd start
- firefox localhost
- What happens?
- Check the log files for AVC messages
- What rules could you add to solve these AVCs?
- Why did policy refuse this access?

Managing File Labeling

Managing file labeling
Changing a file's context
chcon
- Fundamental utility used to change a file's context
  chcon -R -t httpd_sys_script_rw_t /var/www/myapp/data
  chcon -t httpd_sys_script_exec_t /var/www/cgi-bin/myapp
- Modeled after the chmod command
- -t type qualifier
customizable_types
- /etc/selinux/targeted/contexts/customizable_types
- Files labeled with a type listed here keep that label through restorecon and relabels unless you force the reset with restorecon -F

Managing file labeling
restorecon
- Used to set a file back to the system defaults
setfiles
- Used to initialize a system; works at the filesystem level
- Requires you to specify the file_contexts file
fixfiles
- Script that wraps setfiles/restorecon with several useful features
- Uses rpm to list the files within specified packages to restore their file contexts (fixfiles -R package)
- Restores the contexts that changed between a previous file_contexts file and the new one (fixfiles -C previous_file_contexts)
- touch /.autorelabel; reboot

Managing file labeling
genhomedircon
- Used to generate file_contexts.homedir
- Sometimes has problems with home dir locations
/etc/selinux/targeted/contexts/files/file_contexts.local
system-config-securitylevel

Exercises: Managing file labeling
- Modify /etc/resolv.conf
  - cp /etc/resolv.conf to /tmp
  - Make some changes to the search string
  - mv it back to /etc
  - Fix its security context
- Home dirs
  - Create a new directory /export/homes
  - Add a user account to that directory
  - Add a user account to the /var directory
  - Run genhomedircon. What happens?
  - Fix the context on these directories

Customizing Policy With Booleans

Customizing policy with booleans
Booleans are if/then/else statements in policy
Configure policy without editing policy
getsebool
- getsebool -a
setsebool
- setsebool -P boolean=[1|0]
- -P makes the change persistent across reboots; without it the setting lasts only until the next reboot or policy reload
- system-config-selinux (system-config-securitylevel in RHEL 4)
Turn on/off sections of policy
- setsebool -P use_nfs_home_dirs 1
- /etc/selinux/targeted/booleans

Configuring Policy
Apache example
The system administrator has multiple choices of policy
- Booleans
  - httpd_disable_trans, httpd_enable_cgi, httpd_enable_homedirs, httpd_tty_comm, httpd_unified
  - http://fedora.redhat.com/docs/selinux-apache-fc3/
- man httpd_selinux

Exercises: Managing Booleans
- List all booleans on your machine
- Check the contents of /etc/selinux/targeted/booleans
- Temporarily change a boolean's state
- Did the /etc/selinux/targeted/booleans file change?
- If you have time, try the previous exercises after you turn on the httpd_tty_comm boolean

Managing SELinux Modules

SELinux Modules
Modular Policy
- In RHEL 5/Fedora Core 5 and later, the concept of Policy Modules was introduced
The semodule command
- Copies the policy package (pp) files to /etc/selinux/targeted/modules/active/modules
- Compiles all installed pp files into a new policy file /etc/selinux/targeted/policy/policy.21
- Creates a new file_contexts file and file_contexts.homedir
- Loads the new policy

SELinux Policy Modules
semodule command
- semodule -l: list all modules currently loaded
- semodule -b /usr/share/selinux/targeted/enableaudit.pp
- semodule -b /usr/share/selinux/targeted/base.pp
- semodule -i myapache.pp
- semodule -r myapache

Generating policy modules
Policy modules consist of three files:
- Type Enforcement file (te)
  - Contains the allow rules and interface calls associated with the confined domain
- File Context file (fc)
  - Contains all of the labeling file contexts for the policy module
- Interface file (if)
  - Contains all interfaces used by other domains to interact with this confined domain
  - DOMAIN_domtrans, DOMAIN_read_config

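An added example (not policygentool or audit2allow -M, and not Red Hat code) that emits the three files described above for a hypothetical daemon, so the shape of a complete minimal module is visible in one place. The interface and permission-set names (policy_module, init_daemon_domain, files_type, logging_log_file, manage_file_perms, domain_auto_trans, ...) are reference policy macros from /usr/share/selinux/devel/include; the daemon name "myapp" and its paths are placeholders.

```python
import re

NAME_RE = re.compile(r"^[a-z][a-z0-9_]*$")


def fc_escape(path):
    """file_contexts paths are regular expressions: escape literal metacharacters."""
    return re.sub(r"([.+*?()\[\]{}^$|\\])", r"\\\1", path)


def gen_module(name, exec_path, var_dir, log_file=None):
    """Return {'te': ..., 'fc': ..., 'if': ...} for a minimal confined daemon."""
    if not NAME_RE.match(name):
        raise ValueError("module name must be a lowercase identifier: %r" % name)
    paths = [exec_path, var_dir] + ([log_file] if log_file else [])
    if any(not p.startswith("/") for p in paths):
        raise ValueError("paths must be absolute")
    d = name + "_t"

    # .te: declarations, then only the access this daemon needs; all else stays denied.
    te = ["policy_module(%s, 1.0)" % name, "",
          "# Declarations",
          "type %s;" % d,
          "type %s_exec_t;" % name,
          "init_daemon_domain(%s, %s_exec_t)" % (d, name),  # initrc_t -> myapp_t on exec
          "",
          "type %s_var_t;" % name,
          "files_type(%s_var_t)" % name]
    if log_file:
        te += ["type %s_log_t;" % name, "logging_log_file(%s_log_t)" % name]
    te += ["",
           "# Local policy",
           "allow %s self:fifo_file rw_fifo_file_perms;" % d,
           "allow %s self:unix_stream_socket create_stream_socket_perms;" % d,
           "allow %s %s_var_t:dir manage_dir_perms;" % (d, name),
           "allow %s %s_var_t:file manage_file_perms;" % (d, name),
           "files_search_var(%s)" % d]
    if log_file:
        te += ["allow %s %s_log_t:file { create getattr append };" % (d, name),
               "logging_search_logs(%s)" % d]
    te += ["libs_use_ld_so(%s)" % d,
           "libs_use_shared_libs(%s)" % d,
           "miscfiles_read_localization(%s)" % d]

    # .fc: default labels; the executable entry is what makes the transition fire.
    fc = ["%s\t--\tgen_context(system_u:object_r:%s_exec_t,s0)" % (fc_escape(exec_path), name),
          "%s(/.*)?\tgen_context(system_u:object_r:%s_var_t,s0)" % (fc_escape(var_dir), name)]
    if log_file:
        fc.append("%s\t--\tgen_context(system_u:object_r:%s_log_t,s0)" % (fc_escape(log_file), name))

    # .if: the DOMAIN_domtrans interface other modules call to start this daemon.
    iface = ["## <summary>%s daemon</summary>" % name, "",
             "## <summary>Execute a domain transition to run %s.</summary>" % name,
             "## <param name=\"domain\"><summary>Domain allowed to transition.</summary></param>",
             "interface(`%s_domtrans',`" % name,
             "\tgen_require(`",
             "\t\ttype %s, %s_exec_t;" % (d, name),
             "\t')",
             "",
             "\tdomain_auto_trans($1, %s_exec_t, %s)" % (name, d),
             "\tallow $1 %s:fd use;" % d,
             "\tallow %s $1:fd use;" % d,
             "\tallow %s $1:fifo_file rw_fifo_file_perms;" % d,
             "\tallow %s $1:process sigchld;" % d,
             "')"]
    return {"te": "\n".join(te) + "\n", "fc": "\n".join(fc) + "\n",
            "if": "\n".join(iface) + "\n"}


if __name__ == "__main__":
    files = gen_module("myapp", "/usr/sbin/myapp", "/var/lib/myapp", "/var/log/myapp.log")
    for ext in ("te", "fc", "if"):
        with open("myapp." + ext, "w") as f:
            f.write(files[ext])
    print(files["te"])
```

With the three files in one directory, `make -f /usr/share/selinux/devel/Makefile` builds myapp.pp and `semodule -i myapp.pp` loads it, after which `restorecon -v /usr/sbin/myapp` applies the new executable label. The allow rules above are deliberately only the skeleton; the slides' own workflow of running the daemon in permissive mode and feeding the AVCs to audit2allow -M fills in the rest.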
Creating Policy Modules with audit2allow
Making small customizations to policy
In RHEL 4
- You needed to install selinux-policy-targeted-sources to modify policy
  cd /etc/selinux/targeted/src/policy
  grep httpd_t /var/log/messages | audit2allow >> domains/misc/local.te
  make install
In RHEL 5
  grep httpd_t /var/log/audit/audit.log | audit2allow -M mypolicy
- This command will generate a te file and compile it into a pp file
  semodule -i mypolicy.pp
- Read the generated te file before loading it: denials caused by a mislabeled file (user_home_t, file_t or default_t targets) are fixed with restorecon, not with a new allow rule

Building policy modules
Install selinux-policy-devel
- Includes the interfaces for all installed policy modules
  - /usr/share/selinux/devel
- policygentool: helper app to begin construction of the te, if and fc files
- The include/... directory has the interfaces
  - kernel, services, system, apps, admin
- Makefile (used to compile policy modules)

Exercises: Managing Policy Modules
- List all modules on your machine
- Remove the pcscd policy module
  - What is the label of the running process? Why?
  - service pcscd stop
  - restorecon -R -v /usr/sbin/pcscd /var/run
Advanced topic:
- Using /usr/share/selinux/devel/policygentool, try to generate pcscd policy

Managing SELinux Systems

Managing SELinux systems
In RHEL 5/Fedora Core 5 and beyond a new semanage framework was added
In RHEL 4 this often required custom policy
- allowing apache to listen on port 81
- required policy sources and tools
In RHEL 5
  semanage port -a -t http_port_t -p tcp 81

semanage Commands
SELinux users
- semanage user -l
- semanage user -a guest_u
Linux user to SELinux user mapping
- semanage login -a -s guest_u dwalsh
File context
- semanage fcontext -a -t httpd_bugzilla_script_exec_t "/usr/share/bugzilla/cgi(/.*)?"
- The entry is written to file_contexts.local; run restorecon -R -v /usr/share/bugzilla/cgi to apply it to files that already exist

Exercises: Managing SELinux
- List all SELinux users
- Add an SELinux user to your machine
- Create a directory /opt/www/html
- Label it so that apache can read it
- Make a permanent change to the file context so that relabeling the filesystem will not change this

Configuring Audit

Auditing
The audit system receives SELinux events
- No auditd running:
  - AVCs in /var/log/messages and dmesg
- auditd running:
  - AVCs in /var/log/audit/audit.log
audit=1 kernel command line parameter required for full auditing

Auditing: CAPP/EAL4+
CAPP: Controlled Access Protection Profile
- DAC profile
- Security features selection
EAL4+: Evaluation Assurance Level
- Level of testing and documentation
  cp /usr/share/doc/audit-1.0.12/capp.rules /etc/audit.rules
- (the audit 1.x packages in RHEL 5 read /etc/audit/audit.rules instead)

auditctl
Utility to control the kernel's audit system
- -e [0|1]: disable/enable audit
- See Steve Grubb's Audit BOF...

aureport
Generate summary reports of audit logs
- -a: report about AVC messages
- -i: interpret numeric fields for human consumption
- -ts time start, -te time end
  aureport -a -ts 1:00:00
  - Generate an AVC report since 1 AM
- --success/--failed (both if you select neither)
- --summary (totals of events)

ausearch
Search the audit daemon logs
- -m avc
- -ts
- -x executable
  ausearch -m avc -ts 1:00:00 -x named

Exercises: Audit
- Use aureport on the audit messages on the system
- Search for apache AVC messages
- Turn off auditing. Where do the AVC messages end up?

Customizing Apache

Customizing Apache Policy
httpd: the most complex daemon in RHEL 4
The most complex and configurable of any of the SELinux policies
- Confine a compromised Apache web server from damaging the rest of the system
- Finer grained goals
  - Preventing a compromised wiki CGI script from corrupting a blog installation owned by the same person

Exercises: Apache
- Is httpd running under a confined domain?
  - Stop httpd
  - Start apache directly: /usr/sbin/httpd
  - Which context is it running under? Why?
- Kill httpd and start it within a confined domain
- Set up an apache web site which supports cgi scripts where the data is located in the /src/www/data directory
- Set up apache to use users' home directories and place an html file there
- Advanced: Add a cgi script that needs to write to a particular directory, turn off httpd_unified and make the script work in enforcing mode

Q/A

More Information
Red Hat Enterprise Linux Resources
- http://www.redhat.com/software/rhel/
SELinux Resources
- http://www.nsa.gov/selinux
- http://fedora.redhat.com/projects/selinux/
- http://fedoraproject.org/wiki/SELinux
Mailing Lists
- selinux@tycho.nsa.gov: NSA list
- fedora-selinux-list@redhat.com: Fedora SELinux list