Contents
* Security Concepts
* Tightening Default Security
* Security Advisories
* File Access Control Lists
* Manipulating FACLs
* Viewing FACLs
* Backing Up FACLs
* File Creation Permissions with umask
* User Private Group Scheme
* Alternatives to UPG
* SELinux Security Framework
* SELinux Modes
* SELinux Commands
* Choosing an SELinux Policy
* SELinux Booleans
* Permissive Domains
* Graphical SELinux Policy Tools
* Basic Firewall Activation
* Lab Tasks
  1. User Private Groups
  2. Using Filesystem ACLs
  3. Exploring SELinux Modes
  4. SELinux File Contexts

Chapter: SECURITY ADMINISTRATION

Security Concepts

There are many tools useful for keeping a computer system secure. Which ones are used depends on how paranoid the administrator is, the type and value of the data being protected, and similar variable factors. Regardless of the tools chosen, there are several security concepts which are commonly applied when configuring systems.

Principle of Least Privilege

One of the many concepts discussed in this essay was the "principle of least privilege," which they described as "Every program and every user of the system should operate using the least set of privileges necessary to complete the job." Amongst other things, this idea suggests that programs which do not need root privileges should not be run as root. Instead, programs should be granted the bare minimum of privileges they need to accomplish their task.

Multiple Layers of Defense & Diversity in Layers of Defense

Obviously, the more layers of defense that are created, the more chances there are of stopping an outside threat. Because of this, people typically use a so-called "belt and suspenders" approach to security in which multiple, redundant defenses are erected to ensure that there is no single point of failure.
When creating layered defenses, different kinds of layers should be used whenever possible to minimize overlap between common faults. A common application of this concept would be limiting relay access through an SMTP server to specific IP addresses in its configuration files, and limiting SMTP-based traffic using libwrap and a firewall.

Security Concepts
* Principle of least privilege
* Multiple layers of defense
* Diversity of layers of defense
* Only as secure as the weakest link
* Simplicity is a virtue
* Security through obscurity

Only as Secure as the Weakest Link

The basic security principle of "You're only as secure as your weakest link" means that an attacker will seek out the point of least resistance. They will look for the place where they can get in without being noticed. Therefore, it is important to identify the relative weakness of every link in the chain and try to improve the worst one first.

Simplicity is a Virtue

Many administrators have a tendency to over-complicate their security arrangements. Usually, this is because of the false impression that a system can be so complicated as to be impossible for an outsider to navigate without being noticed, and therefore will be more secure. In fact, the opposite is true. Complex systems actually afford an attacker a lot more places to hide. Also, a complex system (including systems with hundreds or thousands of apps) is more likely to have at least one app with known security vulnerabilities at any given time. A simple system (or one with as few apps installed as possible) is much easier to administer, monitor and audit. There are also far fewer links that could be weak.

Security by Obscurity

A common mantra in security circles is that "security through obscurity is not security." However, this truism is slightly misleading.
While security based solely on obscurity (such as assuming a machine will not be cracked only because its IP address is not widely known) is ineffectual, obfuscation does play a valid role in security (such as not needlessly revealing the user names which have accounts on a machine).

Disabling Unneeded Services

No daemon can be remotely attacked which is not running. Because of this, a basic first step used to harden systems is to disable unneeded services. These can be configured easily using chkconfig to enable or disable startup at system boot. Make sure to stop currently running daemons as well; this can be done easily using init scripts, or the service command. For example, these commands could be used together to ensure that Samba is not configured to start up automatically and is not currently running:

    # chkconfig smb off
    # /etc/init.d/smb stop
    . . . output omitted . . .

In addition, remember that many services are started by an Internet superdaemon like xinetd. Most of these services will need to be disabled as well. xinetd is configured by the /etc/xinetd.conf file. The various files in the /etc/xinetd.d/ directory should be edited to disable individual services. Remember to restart or reload xinetd after modifying its configuration files:

    # /etc/init.d/xinetd reload
    . . . output omitted . . .

You may also send a HUP signal to the daemon. Also, be aware that the chkconfig program will also configure xinetd services, removing the need to edit /etc/xinetd.d/ configuration files directly.
Tightening Default Security
* Disable all unneeded services
  * standalone daemons
  * xinetd
* Disable unneeded accounts
* Remove all unnecessary SUID/SGID executables
* Restrict access to privileged accounts
* Restrict remote access to the machine
* Restrict physical access to the machine

Disable Unneeded Accounts

Though modern Linux distributions create system accounts for each service (as part of the installation of the service's packages), there are a few system accounts that are created at install time, whether they are needed or not. In some cases, the removal of packages does not delete accounts that were added during installation.

Remove All Unnecessary SUID/SGID Executables

Executables with either the SUID or SGID bit (or both) set can be a security risk. Remember, the SUID/SGID bits allow anyone (with execute permission) to launch the program and have it run as the user/group that owns the program file. It is especially important to pay attention to SUID root executables. In some cases, there are ways to reconfigure a program (perhaps changing permissions and ownership on certain files and directories) such that it no longer needs the SUID bit set. If this is possible, do it. If not, evaluate whether or not the program in question is needed.

Restrict Access to Privileged Accounts

Restrict access to the root account. This includes controlling access to accounts that have access to the root account. For example, if the PAM configuration for su is altered so that only members of the wheel group can use it, then those user accounts which are members of the wheel group can be better controlled. This could include implementing extra requirements for passwords for those users beyond what is done for others.

Restrict Remote Access to Machines

A very common attack is to try logging into the root account via ssh remotely, trying common and random passwords.
This attack is more effective when attackers get large numbers of other machines to try thousands of possibilities against millions of IP addresses. The easy defense is to disallow root access via ssh. This can be done by setting PermitRootLogin no within the /etc/ssh/sshd_config file. Be certain to consider any user accounts who can log in over the network. One important change may be to require SSH secure key access only, disabling remote password access to the system. This can be done by changing PasswordAuthentication to no.

Restrict Physical Access to Machines

It is easy to get caught up in all the great security work needed to protect systems and networks. It is also just as easy to completely forget about or neglect the physical security of the systems being secured. Remember, if an attacker can gain physical access to the box, then all that wonderfully configured network security is all for naught; the game will end and the attacker will win. For example, with physical access to a target box, the attacker could just reboot and cause the bootloader to pass init=/bin/bash to the kernel, or boot to a CD or USB thumb drive, or take the hard drive, or the whole box, with them. Don't fall into the trap of implementing a good security framework on the network and hosts, then forgetting about the physical security of the machines.

General Security Related Mailing Lists

It is difficult at best to thwart attempts to exploit vulnerabilities in software without being informed of those vulnerabilities. Several Internet mailing lists are available to which administrators can subscribe in order to receive notification of security vulnerabilities found in software applications they use. In addition, the (in)famous BUGTRAQ mailing list is well worth reading. It has a wider scope than enterprise-watch and covers network security advisories and holes in all computer products.
It is a full-disclosure mailing list, meaning that security holes are often announced even if no fix is yet available for them, and that exploit code is often posted as proof that a security hole exists. Although some vendors argue that full disclosure allows "bad guys" access to security holes, the simple truth is that the "bad guys" have typically found security holes long before they are announced or patched by the vendor; full disclosure serves as an early warning to the "good guys" that particular software should be avoided (if possible) or more closely monitored, until it is fixed.

In addition to mailing lists, several organizations publish lists of common security problems of which to be cognizant. Of these, the most prominent are CERT and SANS.

Security Advisories
* Errata
  * Red Hat Network: http://rhn.redhat.com/errata
* Mailing Lists
  * BUGTRAQ: http://www.securityfocus.com/archive/
  * CERT
  * SANS: http://www.sans.org/
  * Red Hat's enterprise-watch mailing list

Red Hat's enterprise-watch Mailing List

For administrators of Red Hat Enterprise Linux boxes, it is highly recommended that they subscribe to the low-volume enterprise-watch mailing list. This list will send them emails regarding all Red Hat security updates.

File Access Control Lists

Every file on a Unix or Linux system has one owner and one group for which specific permissions (read, write, and execute) are assigned. If multiple, but not all, users need access to the same file, they must be members of the group with permissions for that file. This arrangement, while simple to understand and administer, is not very flexible. What if there is more than one group of users who each need to have different permissions for the same file? With standard Unix file security, multiple copies of the same file would need to be created and kept synchronized. This is an administrative burden and too complex to be realistic.
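Two items of the Tightening Default Security checklist above, the SUID/SGID review and the sshd settings PermitRootLogin and PasswordAuthentication, can be checked rather than eyeballed. The following is an added example written for this page, not code from the course; the function names (audit_setid, sshd_setting, check_sshd_config, demo_setid) are the editor's own, the sshd_config samples are constructed, and it assumes no Match blocks in the config. It relies on two facts about sshd: the first occurrence of a keyword wins, and neither directive defaults to "no", so an unset directive is reported as a finding.

```sh
#!/bin/sh
# Added example: audit SUID/SGID executables and sshd remote-access settings.

# audit_setid DIR: print every regular file under DIR with the SUID or SGID bit
# set, one path per line, for review. -xdev keeps the walk on one filesystem.
audit_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# sshd_setting FILE KEYWORD: first uncommented value of KEYWORD, lower-cased,
# or "unset". sshd honours the first occurrence of a keyword, so this does too.
sshd_setting() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# check_sshd_config FILE: one finding per line for each of the two directives
# that is not explicitly "no". "unset" is a finding too, since neither OpenSSH
# default is "no". Match blocks are not parsed (assumption: the file has none).
check_sshd_config() {
    for key in PermitRootLogin PasswordAuthentication; do
        v=$(sshd_setting "$1" "$key")
        [ "$v" = "no" ] || echo "$key is $v; set '$key no' in $1"
    done
}
count_findings() { check_sshd_config "$1" | wc -l | tr -d ' '; }

# demo_setid: constructed scratch tree with one SUID, one SGID and one plain
# executable; prints "<found before> <found after>" around a chmod u-s fix.
demo_setid() {
    d=$(mktemp -d) || return 1
    for f in suid_tool sgid_tool plain_tool; do
        printf '#!/bin/sh\necho %s\n' "$f" > "$d/$f"
        chmod 755 "$d/$f"
    done
    chmod u+s "$d/suid_tool"
    chmod g+s "$d/sgid_tool"
    before=$(audit_setid "$d" | wc -l | tr -d ' ')
    chmod u-s "$d/suid_tool"      # the remediation for an unneeded SUID bit
    after=$(audit_setid "$d" | wc -l | tr -d ' ')
    rm -rf "$d"
    echo "$before $after"
}

# Constructed sshd_config samples (not copied from any host).
WEAK_SSHD=$(mktemp); HARD_SSHD=$(mktemp)
trap 'rm -f "$WEAK_SSHD" "$HARD_SSHD"' EXIT
cat > "$WEAK_SSHD" <<'EOF'
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$HARD_SSHD" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
# a later duplicate is ignored by sshd, and by sshd_setting
PermitRootLogin yes
EOF

echo "setid audit (before/after fix): $(demo_setid)"    # 2 1
check_sshd_config "$WEAK_SSHD"                           # two findings
check_sshd_config "$HARD_SSHD"                           # no output
```

On a real host, `audit_setid /` produces the list to review against the "does it still need the bit?" question in the text, and `check_sshd_config /etc/ssh/sshd_config` is run before restarting sshd. The commented-out `#PermitRootLogin no` in the weak sample is deliberately ignored, as the daemon would ignore it.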
What is needed to provide this flexibility is the ability to assign permissions for multiple users, or groups (or both), to a single file. File Access Control Lists, or FACLs, are lists of additional users (and groups) and their respective permissions, attached to a single file. If FACLs are present, they are matched in the same order as regular Unix permissions (i.e. user, group, then other; see ACCESS CHECK ALGORITHM in acl(5) for details).

Access Control Lists Facts
* Assign different permissions to additional users and groups on a given file or directory
* FACLs are implemented using xattr (Extended Attributes)
* Requires a filesystem mounted with the acl mount option
* Masks allow an administrator to temporarily deny access without actually changing the FACLs themselves

FACL Masks

In most places where a mask is used, the mask value indicates which items are to be blocked from being used. For example, a umask with a value of 002 would indicate that the system will not affect the permissions for the owner (user) or group, will never assign write permission for everyone (other), and will not affect read or execute permissions.

A FACL mask works in the opposite way. If the mask is set to rwx, then read, write and execute permissions on the file will be honored. If the FACL mask is set to r-x, then write permission will not be granted to additional users, or groups, even if set in the FACL. The mask never affects the standard Unix owner, group, and other permissions. For normal day-to-day operations, there is no need for the FACL mask to be set to anything other than rwx.

The most common use for some other mask setting is when there is a need to block everyone temporarily from a number of files and directories. With one setfacl command, every file on the system can have a FACL mask of ---, denying all access for every additional user and group.
Once the problems are fixed, another single setfacl command and everyone has access again. Without FACL masks, the administrator would have to first record the FACLs and permissions of every file and directory on the system that users might care about. Next, the administrator would wipe out all FACLs on the system. After fixing the problem(s), the administrator would have to restore the FACLs on the system.

Creating and Modifying FACLs

Linux must have ACL support built into the kernel module for each filesystem which should support access control lists. RHEL supports FACLs on ext2/ext3; with additional configuration, xfs and other filesystems can be enabled and given FACL support as well. FACLs can only be used on filesystems which are mounted with the acl mount option. Place this option in /etc/fstab for filesystems on which you want to use FACLs.

The setfacl command is used to create a FACL on a given file:

    # setfacl -m u:charlotte:rw /depts/recv/ship-log.txt
    # setfacl -m u:dkelson:r /depts/recv/ship-log.txt

The -m option tells setfacl to modify the FACLs on the file(s) specified. Following the modify option is the facl_spec for the new or existing FACL. The -M option tells setfacl to read one or more ACLs from a file or from STDIN, instead of from the command line.

The first part of the facl_spec specifies what type of FACL entry this is. Valid values are u[ser]:uid[:perms], g[roup]:gid[:perms], m[ask][:][:perms] or o[ther][:][:perms]. For the uid or gid parameter, setfacl will accept either a name or a number value.

The last part of the facl_spec is the permissions to store for the FACL entry.
This is a combination of letters representing the permissions: r for read, w for write, x for execute, and X for execute only if the file is a directory or already has execute permission for some (other) user. This part of the facl_spec can also be left blank to indicate that no permissions should be granted for this FACL entry.

Manipulating FACLs
* Creating and Modifying FACLs
  * setfacl -m
  * setfacl -M
* Directories and default FACLs
* Removing FACLs
  * setfacl -x
  * setfacl -X
  * setfacl -b

Default FACLs on Directories

The setfacl command can also set a d[efault] FACL on a directory. When such default FACLs exist, any file or directory created within that directory will have those default FACLs assigned automatically. Default FACLs can be created using setfacl like this:

    # setfacl -m default:g:devteam:rw /depts/dev/

The /depts/dev/ directory now has a default group FACL giving members of the devteam group read and write permissions. This FACL will be copied to all files and directories created within the /depts/dev/ directory.

Removing FACLs

To remove a FACL, use the setfacl command with the -x option, like this:

    # setfacl -x u:charlotte /depts/payroll/payrates.txt

This command removes the FACL for the user charlotte from the payrates.txt file. The -X option causes setfacl to read the FACL from a file or from STDIN, instead of from the command line. Use the -b option with setfacl to completely remove all FACLs from a given file. The Unix permissions will not be affected.

File Listings

When using FACLs on filesystems, it is helpful to know when a file has a FACL attached to it. The ls -l command will produce output such as this when there is a FACL present:

    # ls -l
    -rw-rw----+ 1 root root 3738 Dec 28 17:37 ship-log.txt
    -rw-r--r--  1 root root  251 Nov  3 09:01 other.txt

Note the plus sign attached to the end of the permissions of the first file. This indicates that there are FACLs attached to that file.
Files without FACLs attached have no plus sign.

Viewing FACLs

The getfacl command displays all FACLs for one or more files:

    # getfacl /depts/recv/ship-log.txt
    # file: ship-log.txt
    # owner: root
    # group: root

Viewing FACLs
* Recognizing files which have FACLs: ls -l
* Listing FACLs: getfacl

Notice the three different user: lines. The first lists the standard Unix permissions for the owner of the file. The other two are FACLs for additional users.

If getfacl is used on a file without a FACL set, the output will be similar to the example, but missing certain lines. The getfacl command only shows the standard UNIX permissions of the file in such cases. There will also be no mask.

Backing Up FACLs

Most backup software does not yet have the capability to back up FACLs along with other file metadata. Using getfacl, FACLs can be backed up. This is done by creating a file listing the FACLs of the files that are going to be backed up. Do this by redirecting the output of getfacl to a file, such as:

    # getfacl -R * > FACLS.txt

The FACLS.txt file contains the FACLs of all files in the current directory, including sub-directories. This file can then be backed up like any other file. It should be backed up along with the files whose FACLs it contains.

The -L option may also be useful. This option causes getfacl to follow symbolic links and include them in its processing.

Although it may be tempting to use the --absolute-names option, which tells getfacl to not strip off the leading / of absolute pathnames, usually you should not.
This is because most archiving formats do not record absolute paths. If this switch is used, then the files must be restored to the exact same path in order to be able to use the file getfacl produced with setfacl to restore the FACLs to the files.

Backing Up FACLs
* Creating FACL backups: getfacl, --absolute-names
* Restoring FACL backups: setfacl --restore
* Restoring FACLs and masks

Restoring FACL Backups

Restore or extract the file that contains the FACLs along with the files they are for. With the file FACLS.txt which was created above, the setfacl command can be used to set the FACLs specified on their respective files:

    # setfacl --restore=FACLS.txt

The FACLS.txt file can be deleted after setfacl is done with it.

FACL Masks During FACL Backup/Restore Operations

When you restore FACL backups using setfacl as described above, it is important to remember that the masks will be reset along with the other FACLs on each file. If you have (temporarily) blocked access to files using masks, this point must be kept in mind when doing restores. It is even more important to think about what masks you have set when creating your backups, as that value is what will be set during FACL restores.

Controlling Initial File and Directory Permissions

When new files and directories are created in Linux, default permissions are initially set. These permissions are calculated by taking the default permissions of the files/directories created and subtracting the umask value from it. The umask is a four digit octal number that represents the value of permissions that will be masked out. In other words, permissions specified in the umask represent the permissions that will be automatically withheld when you create a new file.

Files and directories have different default permissions when they are created. The default permissions applied to files is 0666. For directories, the default permissions are 0777.
The following example illustrates the process of how initial file permissions are calculated:

    File                            Directory
    rw-rw-rw-  666  Default mode    rwxrwxrwx  777  Default mode
    -------w-  002  umask value     ----w-rwx  027  umask value
    rw-rw-r--  664  Initial mode    rwxr-x---  750  Initial mode

Viewing and Setting the umask Value

The umask command is the utility that is provided to view or change the current umask. The umask comes preset in configuration files; to view the current umask, issue the command without any options. The umask may be changed at any time by typing umask followed by the new desired value. Notice that the leading digit is not required if it is zero (and is zero by default).

File Creation Permissions with umask
* Default permissions for newly created filesystem objects
  * files: 666
  * directories: 777
* umask: defines what permissions to withhold from the default
  * Used to display or change your umask
  * Usually set in the user or system shell dot files
  * Used to provide the user private group (UPG) scheme

    $ umask
    0022
    $ umask 0072

Security Implications

The root account has a default umask of 022. All files created by the root user have default permissions of 644 (rw-r--r--), allowing only read access to anyone other than root. Note that a default umask of 002 gives away write permission to all group members. In the User Private Group (UPG) scheme, the default group is a private group with the same group name as the username. The result is that newly created files are only writable by that user, and readable by everyone. This includes files downloaded from the Internet: it is impossible to download an executable to a Linux system and accidentally run it. An even more secure umask configuration would be 077, restricting access only to the file owner (i.e. 600 for files). Remember that not all Unix systems use UPG, or maintain the same default umask.
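The FACL mask discussed earlier and the umask calculation just shown are the same kind of operation: a bitwise AND on permission bits (the umask applied as AND NOT). The following is an added example, written for this page and not part of the course text, that does both with one set of helpers. The function names (sym2oct, bits2sym, oct2sym, initial_mode, acl_effective, effective_of) are the editor's own; the getfacl output is constructed from the two FACLs the text sets on ship-log.txt, with the mask lowered to r-- as in the "block everyone temporarily" case. One caveat from acl(5) worth knowing: the mask also applies to the owning group entry (group::), so the example treats it like a named user or group.

```sh
#!/bin/sh
# Added example: FACL mask and umask as bit operations on permission triplets.

# sym2oct RWX: one rwx triplet ("rw-", "r-x") -> its octal digit (6, 5).
sym2oct() {
    n=0
    case "$1" in r??) n=$((n + 4)) ;; esac
    case "$1" in ?w?) n=$((n + 2)) ;; esac
    case "$1" in ??x) n=$((n + 1)) ;; esac
    echo "$n"
}

# bits2sym DIGIT: octal digit 0..7 -> rwx triplet.
bits2sym() {
    r=-; w=-; x=-
    [ $(( $1 & 4 )) -ne 0 ] && r=r
    [ $(( $1 & 2 )) -ne 0 ] && w=w
    [ $(( $1 & 1 )) -ne 0 ] && x=x
    echo "$r$w$x"
}

# oct2sym MODE: "750" or "0664" -> "rwxr-x---", the form ls -l shows.
oct2sym() {
    m=$(( 0$1 ))
    echo "$(bits2sym $(( (m >> 6) & 7 )))$(bits2sym $(( (m >> 3) & 7 )))$(bits2sym $(( m & 7 )))"
}

# initial_mode DEFAULT UMASK: the kernel's calculation for a new object, mode & ~umask.
# "Subtracting" the umask gives the same answer only when every umask bit is
# present in the default: initial_mode 666 011 is 0666, not 0655.
initial_mode() { printf '%04o\n' $(( 0$1 & ~0$2 )); }

# acl_effective: reads getfacl output on stdin and echoes each entry, appending
# " #effective:..." where the mask reduces it. acl(5) applies the mask to named
# users, named groups and the owning group (group::), never to user:: or other::.
acl_effective() {
    acl=$(cat)
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\(...\)$/\1/p')
    printf '%s\n' "$acl" | while IFS= read -r line; do
        case "$line" in '#'*|'') continue ;; esac
        kind=${line%%:*}; rest=${line#*:}; name=${rest%%:*}; perm=${rest#*:}
        eff=$perm
        if [ -n "$mask" ]; then
            case "$kind:$name" in
                group:*|user:?*) eff=$(bits2sym $(( $(sym2oct "$perm") & $(sym2oct "$mask") ))) ;;
            esac
        fi
        if [ "$eff" = "$perm" ]; then echo "$line"; else echo "$line #effective:$eff"; fi
    done
}

# Constructed getfacl output (not captured from a host): the two FACLs set in the
# text, after an administrator lowered the mask to r-- to block writes.
SAMPLE_ACL='# file: ship-log.txt
# owner: root
# group: root
user::rw-
user:charlotte:rw-
user:dkelson:r--
group::r--
mask::r--
other::---'

# effective_of KIND NAME: effective permission of one SAMPLE_ACL entry (NAME may be "").
effective_of() {
    printf '%s\n' "$SAMPLE_ACL" | acl_effective | awk -F'[: ]' -v k="$1" -v n="$2" \
        '$1 == k && $2 == n { print (NF == 5) ? $5 : $3 }'
}

printf '%s\n' "$SAMPLE_ACL" | acl_effective   # charlotte's rw- is reported as effective r--
for pair in "666 002" "777 027" "666 011" "666 077"; do
    set -- $pair
    printf '%s & ~%s = %s (%s)\n' "$1" "$2" "$(initial_mode "$1" "$2")" "$(oct2sym "$(initial_mode "$1" "$2")")"
done
```

The first two umask lines reproduce the table above (664 and 750); the third shows why the kernel's AND NOT is not plain subtraction, and the fourth is the 077 setting from Security Implications giving 600. The charlotte entry is the only one the lowered mask changes, which is exactly what a real getfacl marks with #effective.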
Care should be taken when running commands such as scp -rp foo station1: to make sure that the resulting group ownership and its permissions reflect the same local access. It is important to avoid the common inclination of users to grant 777 permissions.

The default umask for an unprivileged user in Red Hat Enterprise Linux is 002. This means all files will have permissions of 664 at creation time: read and write for user and group, and read for others.

User Private Group Scheme

Traditionally, Unix systems have placed all users into the same default group. Files are created with the default group, so all users have access to each other's files via common group membership. To protect users from each other, a default umask of 0022 is used so that only the owner has write access. The problem with this approach is that there is no easy way to share files with a group. Users have used a file-creation mask of 022 as a result. This practice works well in most cases, but it poses a few difficulties when users of the system need to work on shared projects. To make shared projects possible, project members are normally put into a supplemental project group and given a shared directory owned by that group where they can save shared files. However, because they all have a 022 file-creation mask, they must sometimes use chmod and similar utilities on files after they edit them.

To overcome this shortcoming, system administrators could use the User Private Group scheme (UPG). In this configuration every user on the system is placed in a private primary group. Having a private group allows users to have a default file-creation mask of 002 rather than 022.
If all users have a 002 file-creation mask, then users working on shared projects no longer need to change file ownership or permissions for new files.

On Red Hat Enterprise Linux the User Private Group Scheme (UPG) is used by default. If you want to disable it and use the traditional Unix approach, then ensure that the useradd command is invoked with the -n option. This is a specific option that suppresses the creation and use of the private group.

User Private Group Scheme
* UPG provides a convenient way to share files when working in a group project directory
* UPG scheme implemented by:
  1. placing each user in a private group
  2. setting the umask to 0002
  3. setting the group ownership of the project directory to a commonly shared GID
  4. setting the project directory SGID

The /etc/bashrc script tests if the user is using a User Private Group scheme. If not, the /etc/bashrc script will set the file-creation mask to 022.

Alternatives to UPG

Facts

Instead of setting the SGID permission on a directory, setting a default FACL on a directory will ensure that all files and subdirectories created within the directory are automatically assigned permissions for the specified user or group. For example, the following would create a new directory accessible only to members of the red and blue groups (and of course root). New files and directories created within the directory would also be read/write to both groups (with subdirectories additionally inheriting the execute permission). Finally, users will not be able to delete files they do not own (although they would be able to truncate the file's contents):

    # mkdir -m 1700 data
    # setfacl -m g:bl...

Note that the value of the group and other portion of the umask has no effect on this scheme and can be set to any value.

NFS all_squash Share Option

Another alternative to UPG that provides a convenient collaborative working directory where users can easily work on common files is the use of the NFS all_squash share option.
For example, consider the following NFS share definition, which would allow all users on the station1 host to create files in the shared directory with the NFS server automatically changing the owner UID and GID to the specified

Alternatives to UPG
* Goal: Enable easy collaboration like UPG
* FACL directory defaults
* Network filesystems
  * NFS: all_squash
  * Samba: forcing permissions and ownership

The obvious disadvantage of this scheme is that the UID/GID of the true creator of files is lost, as all files will be owned by the specified anonuid/anongid. However, this does permit users to easily collaborate without being forced to manually change permissions or group ownership of the files, and without compromising the security of other files created within other directories.

Samba force group and force mode Share Options

Similar to the NFS all_squash option, Samba allows for all files and directories created within a share to have a specified mode and owning GID automatically set (effectively providing the equivalent of an SGID directory). For example, all writes made to this share by the two allowed users will result in files with an owning group of daxfan:

    File: /etc/samba/smb.conf
    [kelson-backup]
        path = /data/kelson-backup
        writable = yes
        write list = dkelson kkelson
        force directory mode = 2770
        force create mode = 0660
        force group = daxfan

SELinux Security Framework

Security Administrator Specifies Policy

The SELinux extensions allow an administrator to define a security policy. This policy can be very simple, providing only basic limitations, or it can be very detailed, defining which of the many complex interactions of system components are to be allowed. One of the advantages of the SELinux security framework is its flexibility in allowing security administrators to create a policy that meets their TCB goals. The policy is then loaded and enabled so that the Linux kernel can enforce compliance with the policy.
Policy Defines the "Correct Operation" of the System

When a security administrator creates a policy, he or she is essentially detailing the interactions that are expected for correct operation of the system and its services. For example, a program running under a specific security context should either be allowed to interact with a given file, or it should not. The policy defines the allowed level of interaction between the program and the file, and then the kernel enforces it: if the program later tries to interact with the file in some non-permitted way, or perhaps interact with some completely different file, then the kernel will deny the attempt.

Security Context

The security policy determines the permissible interactions between objects on the system. To determine if a specific interaction is permitted, the system compares the security context of the interacting objects with the security policy.

SELinux Security Framework
* Allows administrator to specify security policy
* Policy defines the "correct operation" of the system
  * interaction of processes and files
  * use of POSIX capabilities
  * use of system resources (shared memory, etc.)
  * network sockets
  * interaction of processes (signals, pipes, IPC, etc.)
* Uses labels called "Security Contexts"
  * identity:role:type:security_level
* Occasional relabeling of the filesystem may be required

The security context (sometimes called the label) is a string and consists of the following components:

identity => Name of the "owner" of the object. System objects have special identities. Unix user accounts can be mapped to specific identities. A default identity (user_u) exists for Unix accounts not explicitly mapped to an identity. Identity controls the available roles.

role => For processes, lists the domain of the process. For files, has a placeholder value (object_r).

type => Classifies the object as to its specific security needs; that is, each object that has unique (with respect to the other objects) security needs will be assigned a unique type.
Conversely, objects with common security needs can share the same type.

security_level => Compound value in the form sX-sY:cX-cY where sX is the sensitivity level (valid values from s0-s15) and cY is the category (c0-c255). Used by the MCS/MLS policies.

Relabeling Files

If files on the filesystem have the wrong (or no) security context label, then applications can fail. The most common reasons that security labels become incorrect are either from copying files, or running the system with SELinux disabled. You can relabel files or directories using the setfiles, restorecon, or chcon commands. You can relabel the entire filesystem using the fixfiles relabel command.

Enforcing vs Permissive

When loaded, SELinux can operate in two different modes: enforcing and permissive. In both modes, the SELinux LSM kernel hooks are active. The difference lies in how the hooks affect running processes.

enforcing => actions contrary to policy are blocked and the event is logged
permissive => actions contrary to policy are only logged

Note that even when SELinux is operating in permissive mode, actions may be blocked by a standard security check (such as regular DAC file permissions) or by another stacked LSM security module. In other words, just because SELinux policy permits an action, it is not guaranteed that the action will succeed.

SELinux Modes
* Enforcing and Permissive modes

Toggling SELinux Modes

Because changing the mode SELinux is operating in is a key component of managing and troubleshooting, SELinux commands exist for toggling between modes. The setenforce command is used to set the current running mode of SELinux, and the getenforce command displays the current mode:

    # getenforce
    Enforcing

Changing the SELinux mode with setenforce is non-persistent, and the default mode set in /etc/sysconfig/selinux will become the active mode at the time of the next reboot.
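Because setenforce does not persist, a box that was put into permissive mode during troubleshooting can silently come back enforcing at the next reboot, or the reverse. The following is an added example, not code from the course, that reads the SELINUX= and SELINUXTYPE= lines from a file in the layout of /etc/sysconfig/selinux and compares the configured mode with the word getenforce prints. The function names (selinux_config_value, selinux_drift) and the sample configuration file are the editor's own; the sample is constructed, not copied from a host.

```sh
#!/bin/sh
# Added example: detect drift between the configured and the running SELinux mode.

# selinux_config_value FILE KEY: value of the last "KEY=value" line in FILE,
# ignoring comment lines; prints "unset" if the key never appears.
selinux_config_value() {
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key { v = $2; found = 1 }
        END { print found ? v : "unset" }
    ' "$1"
}

# selinux_drift CONFIGFILE RUNNING: RUNNING is the word getenforce prints
# (Enforcing, Permissive or Disabled). Prints "ok: ..." when it matches the
# configured mode, otherwise "drift: ..." saying what the next boot will do.
selinux_drift() {
    cfg=$(selinux_config_value "$1" SELINUX | tr 'A-Z' 'a-z')
    run=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ "$cfg" = "$run" ]; then
        echo "ok: running $run, configured $cfg"
    else
        echo "drift: running $run but $1 says $cfg; next reboot will come up $cfg"
    fi
}

# Constructed configuration file in the layout of /etc/sysconfig/selinux.
SELINUX_CFG=$(mktemp); trap 'rm -f "$SELINUX_CFG"' EXIT
cat > "$SELINUX_CFG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these values: targeted, mls, minimum
SELINUXTYPE=targeted
EOF

# What an administrator sees after "setenforce 0" on this box:
selinux_drift "$SELINUX_CFG" Permissive
selinux_drift "$SELINUX_CFG" Enforcing
echo "policy type: $(selinux_config_value "$SELINUX_CFG" SELINUXTYPE)"
```

On a real system the call is `selinux_drift /etc/sysconfig/selinux "$(getenforce)"`. The commented mode names in the file header are skipped by the comment rule, which is why the parser does not confuse them with the real SELINUX= line.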
Disabling SELinux

While permissive mode has many benefits, such as logging security problems and maintaining system file contexts, disabling SELinux entirely is an option. Disabling SELinux will stop all SELinux functionality inside the Linux kernel (avoiding both the overhead and the protection). In most scenarios disabling SELinux is completely unnecessary, and running in permissive mode is preferred. To disable SELinux, edit the file /etc/sysconfig/selinux and set SELINUX=disabled, then reboot the system. A system reboot is necessary to start the kernel without SELinux support. If you want to reactivate SELinux at a later date, this can be done by editing the same file, changing the mode to permissive or enforcing, and rebooting the system.

New Commands Included with SELinux

Several new commands were created to provide an interface to the new SELinux functionality. These commands are provided in the policycoreutils package. Descriptions and example invocations of these new commands follow.

The sestatus Command

The sestatus command can be used to display the current state of an SELinux enabled system. If the -v option is used then the report will include the security contexts of all the files and processes listed in the /etc/sestatus.conf file. This allows an administrator to quickly verify the context of key objects. This can be helpful in spotting incorrect contexts on /etc files that may commonly have their context clobbered due to improper handling.

    # sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /selinux
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy version:                 2
    Policy from config file:        targeted

The chcon Command

Security contexts on system objects can be changed with the chcon command.
It has similar functionality and syntax to the chmod command, but changes contexts instead of traditional Unix permissions.

Slide: SELinux Commands
 * sestatus - display current SELinux settings
 * sestatus -v - display contexts for files and processes listed in /etc/sestatus.conf
 * chcon - set the security context of a file or files

Many core commands have new options to support security context permissions. The three options that are used for changing an object's context are -u for user, -r for role, and -t for type. Like many Unix commands, the -R option performs recursive file modification.

# ls -Z file.txt
-rw-r--r--  guru guru system_u:object_r:user_home_t file.txt
# chcon -t staff_home_t file.txt
# ls -Z file.txt
-rw-r--r--  guru guru system_u:object_r:staff_home_t file.txt

Supporting Security Context Labels

Many of the core commands that work with files have had options added to support the security context labels for files. When possible, these commands have used the -Z option, with the meaning of the option varying greatly from command to command. Examples of commands that have been patched to support SELinux in some way include: login, su, id, ls, ps, cp, mv, stat, and find. For example:

# ps -Z
. . . output omitted . . .

SELinux Policies

Three different SELinux policies are included with the SELinux reference policy: targeted, MLS, and minimum.

targeted policy => Originally focused on the network services most likely to be the source of a security breach (e.g. Apache, BIND). With the targeted policy, any applications that do not have a policy defined will run under the unconfined_t, kernel_t, or initrc_t domain.

MLS policy => Multi Level Security provides a policy based around security levels and categories. The goal is to get LSPP, RBAC, and CAPP certification at EAL 4+.
The security model provided by this policy is most commonly used in military or government deployments and is not appropriate for typical corporate systems, with the possible exception of high-profile, sensitive servers.

Minimum policy => The minimum policy was introduced in Fedora 10 as a variant of the targeted policy, preserving the unconfined_t target as the default: all domains run as unconfined_t, kernel_t, or initrc_t, unless configured to be confined by the administrator.

Initial development versions of SELinux contained a single policy that was similar to the original strict policy. Due to conflicts generated by the nascent policy code, SELinux was disabled by default in distributions that first started shipping SELinux. In subsequent versions of Linux, SELinux was enabled and a targeted policy was implemented.

Slide: Choosing an SELinux Policy
Targeted
 * separate types for most commands and services
 * everything else runs under the unconfined_t, kernel_t, or initrc_t domains
MLS (Multi Level Security)
 * implements sensitivity and category security labels
 * primarily used in military and government
Minimum
 * everything runs unconfined
 * all targeted modules are available if desired
Selected via /etc/selinux/config

Switching Policies

It is simple to switch between the targeted and MLS policies (or minimum):

1. Verify that the policy files for the desired policy exist. They are contained in the following RPMs: selinux-policy (configuration), selinux-policy-minimum, selinux-policy-targeted, and selinux-policy-mls.
2. Set the active policy in /etc/selinux/config to SELINUXTYPE=mls, SELINUXTYPE=minimum, or SELINUXTYPE=targeted.
3. Reboot the machine for the new policy to take effect.

SELinux Kernel Options

SELinux functionality can also be controlled by passing parameters to the kernel on boot. To disable SELinux a single time at boot, use the interactive GRUB interface to add one of two options to the kernel's arguments. To boot into permissive mode, add enforcing=0.
To boot without loading SELinux at all, add selinux=0.

Booleans

To make SELinux more flexible and easy-to-use, categories of policy have been added that can be turned on or off. These boolean values can be toggled in real time and immediately become active. Most are intuitively named, such as spamassassin_can_network, user_rw_usb, and named_write_master_zones.

A complete list of possible boolean values for the current running policy can be found with the sestatus -b or the getsebool -a commands:

# sestatus -b
. . . snip . . .
Policy booleans:
allow_httpd_anon_write                     off
allow_httpd_apcupsd_cgi_script_anon_write  off
allow_httpd_bugzilla_script_anon_write     off
allow_httpd_mod_auth_pam                   off
allow_httpd_squid_script_anon_write        off
allow_httpd_sys_script_anon_write          off
allow_java_execstack                       off
. . . snip . . .

Slide: SELinux Booleans
 * Easy way of activating certain policy rules
 * echo 1 > /selinux/commit_pending_bools

Toggling Booleans

The most common tool for activating or disabling a boolean value is the setsebool command. Basic usage is as follows:

setsebool [-P] boolean_name value

The value field may be true or 1 to enable the boolean, false or 0 to disable it. The togglesebool command can be used to toggle a boolean value on or off. Both the setsebool and togglesebool commands immediately make changes active in the running policy.

It is also possible to enable boolean policy values in the selinuxfs. This virtual filesystem is similar to /proc, and is usually mounted on /selinux. Like /proc, values can be echoed into /selinux to change SELinux's current configuration. An example could be:

# echo 1 > /selinux/booleans/allow_ypbind

Changes to files in /selinux/booleans do not take effect immediately; instead SELinux must be alerted to the change. The following command atomically commits all changes made to boolean files:

# echo 1 > /selinux/commit_pending_bools

Booleans set using the -P (persistent) option will be written to the
policy file on disk and become permanent (i.e., survive a reboot).

The disable_trans Booleans

Previous releases of Red Hat Enterprise Linux included booleans to selectively disable protection of specific services. Unfortunately, these booleans were an imperfect solution. Instead of completely disabling SELinux policy enforcement, changing the boolean would merely run the service in a different domain. As a result, files created by the service would be mislabeled, and related confined services would be unable to interact with the unconfined service. For example, when protected by SELinux, Apache is launched on boot by an init script running in the initrc_t domain, but the process automatically transitions to the httpd_t domain. With httpd_disable_trans enabled, Apache would instead remain in the initrc_t domain and httpd_t specific policy rules would not protect it.

Permissive Domains

Like running SELinux in permissive mode, when a service's domain is made permissive, SELinux does not enforce policy for that domain. Log messages are still sent, easing the troubleshooting process. Files created by the service are labeled correctly. Other confined services are still able to interact with the permissive service. Compared to permissive mode, however, permissive domains are generally superior because the rest of the system is still protected by SELinux. The semanage command is used to mark a domain as permissive or not.
Slide: Permissive Domains
 * Fine grained policy control
 * Replaces disable_trans booleans
 * semanage permissive -a httpd_t
 * semanage permissive -d httpd_t
 * semodule -l | grep permissive

For example, to make the vsftpd ftpd_t domain permissive:

# semanage permissive -a ftpd_t

This can be verified by running the following command:

# semodule -l | grep permissive
permissive_ftpd_t    1.0

To restore vsftpd to confined status:

# semanage permissive -d ftpd_t

Graphical SELinux Policy Tools

Slide: system-config-selinux
 * status, booleans, file labeling, SELinux user creation and mapping, translations for MLS, network ports, and control of loaded policy modules

The system-config-selinux Command

Newly introduced in RHEL5, this tool provides a unified graphical interface for most of the system administration tasks associated with SELinux:
 * selection of SELinux mode
 * force relabel of filesystem on next boot
 * view and modify SELinux booleans
 * view and modify file context labeling expressions
 * create SELinux users and map them to Linux user accounts and roles
 * define translations for MLS security levels/categories
 * define network ports accessible by SELinux types
 * add and remove policy modules

Firewalls on Red Hat Enterprise Linux Systems

The firewall creation code built into the Anaconda installer has two modes, Enabled (the default) and Disabled. It uses stateful rules. All network traffic that is part of (or related to) some established connection initiated by the host is automatically allowed, along with inbound ICMP and IPSec connections. All other, externally initiated, inbound connections are rejected. After the system is installed, the firewall can be configured by using the system-config-firewall tool. The activation of the firewall is handled by SysV init scripts.
The iptables and ip6tables service scripts consult /etc/sysconfig/iptables-config and /etc/sysconfig/ip6tables-config for configuration options. These options include loading and unloading Netfilter kernel modules and saving the current firewall configuration when stopping or restarting. The iptables and ip6tables service scripts load the contents of /etc/sysconfig/iptables and /etc/sysconfig/ip6tables, respectively. These files can be edited by hand, but depending on configuration, may be overwritten.

Slide: Basic Firewall Activation
 * during install or after install
 * stateful packet-filter firewall using Netfilter (http://netfilter.kernelnotes.org)
 * configuration tool: system-config-firewall (GUI and text-mode front ends)

Lab 9
Estimated Time: 40 minutes

Task 1: User Private Groups
Page: 9-25   Time: 10 minutes
Requirements: (1 station) (classroom server)

Task 2: Using Filesystem ACLs
Page: 9-27   Time: 15 minutes
Requirements: (1 station)

Task 3: Exploring SELinux Modes
Page: 9-36   Time: 10 minutes
Requirements: (1 station)

Task 4: SELinux File Contexts
Page: 9-39   Time: 5 minutes
Requirements: (1 station)

Lab 9 Task 1: User Private Groups
Estimated Time: 10 minutes

Objectives
 * Implement a User Private Groups scheme

Requirements
(1 station) (classroom server)

Relevance
The User Private Group scheme is a very powerful security mechanism when used correctly. This lab will give basic skills to implement such a scheme.

1) The following actions require administrative privileges. Switch to a root login shell:

$ su -
Password: makeitso

2) Create two new groups and add them as secondary groups for the guru user:

# groupadd red
# groupadd blue
# usermod -a -G red,blue guru

3) Create a top level directory, /projects/, to hold all project sub-directories. Then create two sub-directories for the red and blue projects.
Set the permissions on the new directories to be open to the group and to include the SGID bit:

# mkdir -p /projects/{red,blue}
# chmod -R 2770 /projects/*

4) Set the group ownership of the new directories and verify:

# cd /projects/
# chgrp blue blue/
# chgrp red red/
# ls -l
drwxrws---. 2 root blue 4096 May 26 blue
drwxrws---. 2 root red  4096 May 26 red

  The . present after the mode field in this listing signifies the presence of an SELinux security context.

5) Switch to the guru account and verify that it is a member of the new red and blue groups:

# su - guru
$ id -Gn
. . . output omitted . . .

  The id command can also be used to view group memberships.

6) Check the current file-creation mask value to see if it is set to the collaboration friendly value of 0002:

$ umask
0002

7) Create some empty text files in each of the project directories and verify that the new files are owned by the project groups and writable to members of the group:

$ cd /projects/
$ touch {red,blue}/testfile
$ ls -l */
blue/:
-rw-rw-r--. 1 guru blue 0 May 26 21:18 testfile

red/:
-rw-rw-r--. 1 guru red 0 May 26 21:16 testfile

As you can see, a file-creation mask value of 0002 makes working in project and departmental directories very straightforward and convenient.

Cleanup

8) Delete the project groups and directories created earlier:

$ exit
# groupdel red
# groupdel blue
# rm -rf /projects/

  Remember that as the root user the su command was used to switch to the guru user.

Lab 9 Task 2: Using Filesystem ACLs
Estimated Time: 15 minutes

Objectives
 * Create, view, and remove ACLs on files
 * Create, view, and remove default ACLs on directories
 * Backup and restore FACLs

Requirements
(1 station)

Relevance
The traditional UNIX file permission model has been in operation for decades and has stood the test of time. However, implementing certain security policies can be cumbersome. Knowing how to deploy and use POSIX file access control lists (FACLs) on Linux will enable simple solutions for those otherwise cumbersome security policy requirements.
In order to use FACLs on a filesystem, the filesystem must be mounted with the acl option. This lab task will be performing FACL operations on the / filesystem.

1) Determine which block device the root filesystem is being mounted from and what mount options were used to mount it:

# mount | grep 'on / '
/dev/mapper/vg_stationX-lv_root on / type ext4 (rw)

  Notice the options listed in parentheses. The acl mount option is not listed, however it is being used, as revealed in the next step.

2) Use the tune2fs command on the block device holding the root filesystem (obtained in the previous step) to view the default mount options defined in the filesystem superblock:

# tune2fs -l /dev/XXX | grep "Default mount options"
Default mount options:    user_xattr acl

3) For this lab task, only three groups will be created that correspond to three missions. There will be users, managers, and auditors as detailed in this table:

                       Mercury                        Gemini                        Apollo
Sub-directory          /missiondata/mercury/          /missiondata/gemini/          /missiondata/apollo/
Users                  jglenn, vgrissom, gcooper      jlovell, ealdrin, pconrad     narmstrong, mcollins, ashepard
Managers               kklein (read-only), wbland     wbland (read-only), glow      glow (read-only), jwebb
Auditors (read-only)   jmarriott, ccarvalho           jmarriott, ccarvalho          jmarriott, ccarvalho

More groups could be created to organize managers and auditors as a traditional approach; however, FACLs will be used instead.

4) Create the necessary users and groups for the upcoming steps (see chart):

# labfiles/create_accts.sh
. . . output omitted . . .

5) Now that all the groups and users are created, the directories that will be used to store data can be created. Create a /missiondata/ directory and several sub-directories and observe the default permissions:

# mkdir -p /missiondata/{mercury,gemini,apollo}
# cd /missiondata
# ls -al
total 40
drwxr-xr-x.  5 root root 4096 Apr 25 22:36 .
drwxr-xr-x. 26 root root 4096 Apr 25 22:36 ..
drwxr-xr-x.  2 root root 4096 Apr 25 22:36 apollo
drwxr-xr-x.  2 root root 4096 Apr 25 22:36 gemini
drwxr-xr-x.  2 root root 4096 Apr 25 22:36 mercury

  The . present after the mode field in this listing signifies the presence of an SELinux security context.

6) Before using FACLs, it is good practice to accomplish as much as reasonably possible using the traditional file security model. First change the permissions so that only root and group members have access to their respective directories. The groups should have full read and write access. View the new permissions when done:

# chgrp mercury mercury/
# chgrp gemini gemini/
# chgrp apollo apollo/
# chmod 1770 *
# ls -al
total 40
drwxr-xr-x.  5 root root    4096 Apr 25 22:36 .
drwxr-xr-x. 26 root root    4096 Apr 25 22:36 ..
drwxrwx--T.  2 root apollo  4096 Apr 25 22:36 apollo
drwxrwx--T.  2 root gemini  4096 Apr 25 22:36 gemini
drwxrwx--T.  2 root mercury 4096 Apr 25 22:36 mercury

7) Using setfacl, add a default directory FACL so that in each mission directory, any newly created files are automatically writable by the group members:

# for i in mercury gemini apollo
> do setfacl -m d:g:$i:rwx $i/
> done

  This could also be accomplished using the User Private Group scheme and the SGID bit turned on for each directory.

8) With FACLs applied to the directories, the FACL indicator, +, is displayed in long directory listings.
Run ls to see them:

# ls -l
total 24
drwxrwx--T+ 2 root apollo  4096 Apr 25 22:36 apollo
drwxrwx--T+ 2 root gemini  4096 Apr 25 22:36 gemini
drwxrwx--T+ 2 root mercury 4096 Apr 25 22:36 mercury

9) View one of the FACLs you just applied using getfacl:

# getfacl mercury/
# file: mercury
# owner: root
# group: mercury
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:group:mercury:rwx
default:mask::rwx
default:other::---

  default:group:mercury:rwx is the FACL that was added.

10) Add another default FACL to each mission directory so that the managers with full read/write access will have that permission on newly created files and sub-directories:

# setfacl -m u:wbland:rwx mercury/
# setfacl -m d:u:wbland:rwx mercury/
# setfacl -m u:glow:rwx gemini/
# setfacl -m d:u:glow:rwx gemini/
# setfacl -m u:jwebb:rwx apollo/
# setfacl -m d:u:jwebb:rwx apollo/

11) View one of the FACLs you just applied using getfacl:

# getfacl mercury/
# file: mercury
# owner: root
# group: mercury
user::rwx
user:wbland:rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:user:wbland:rwx
default:group::rwx
default:group:mercury:rwx
default:mask::rwx
default:other::---

  user:wbland:rwx and default:user:wbland:rwx are the FACLs that were added.

12) Add another default FACL to each mission directory so that the managers with read-only access will have that permission on newly created files and sub-directories:

# setfacl -m u:kklein:r-x mercury/
# setfacl -m d:u:kklein:r-x mercury/
# setfacl -m u:wbland:r-x gemini/
# setfacl -m d:u:wbland:r-x gemini/
# setfacl -m u:glow:r-x apollo/
# setfacl -m d:u:glow:r-x apollo/

13) View one of the FACLs you just applied using getfacl:

# getfacl mercury/
# file: mercury
# owner: root
# group: mercury
user::rwx
user:kklein:r-x
user:wbland:rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:user:kklein:r-x
default:user:wbland:rwx
default:group::rwx
default:group:mercury:rwx
default:mask::rwx
default:other::---

  The two managers have different permissions on the directory.

14) As the final default FACL on the mission directories, give the auditors the ability to enter the directories and list their contents without having write access:

# setfacl -m d:u:jmarriott:r-x mercury/ gemini/ apollo/
# setfacl -m d:u:ccarvalho:r-x mercury/ gemini/ apollo/
# setfacl -m u:jmarriott:r-x mercury/ gemini/ apollo/
# setfacl -m u:ccarvalho:r-x mercury/ gemini/ apollo/

15) View the FACLs for all three mission directories:

# getfacl *
# file: apollo
# owner: root
# group: apollo
user::rwx
user:glow:r-x
user:jwebb:rwx
user:jmarriott:r-x
user:ccarvalho:r-x
group::rwx
mask::rwx
other::---
default:user::rwx
default:user:glow:r-x
default:user:jwebb:rwx
default:user:jmarriott:r-x
default:user:ccarvalho:r-x
default:group::rwx
default:group:apollo:rwx
default:mask::rwx
default:other::---
. . . snip . . .

16) With the default FACLs on the mission directories, any files or sub-directories created inside will inherit the same FACLs.
Create some data files in each of the directories:

# mkdir -p mercury/{training/{zerog,highg},engineering}
# mkdir -p gemini/{training/{zerog,highg},engineering}
# mkdir -p apollo/{training/{zerog,highg},engineering}
# touch {mercury,gemini,apollo}/payroll.dat

17) When a sub-directory is created inside of a directory containing default FACLs, two things occur. First, the FACLs get applied to the directory. Second, the default FACLs are applied as well. The latter is important for when files or directories get created inside of it. Use getfacl to see the FACLs on one of the engineering/ sub-directories:

# getfacl mercury/engineering
# file: mercury/engineering
# owner: root
# group: root
user::rwx
user:kklein:r-x
user:wbland:rwx
user:jmarriott:r-x
user:ccarvalho:r-x
group::rwx
group:mercury:rwx
mask::rwx
other::---
default:user::rwx
default:user:kklein:r-x
default:user:wbland:rwx
default:user:jmarriott:r-x
default:user:ccarvalho:r-x
default:group::rwx
default:group:mercury:rwx
default:mask::rwx
default:other::---

  Note how the file or directory that this FACL applies to is listed as a relative path. The FACLs are applied here at the top; the default FACLs get applied as well.

18) Inspect the FACLs on one of the payroll.dat files:

# getfacl mercury/payroll.dat
# file: mercury/payroll.dat
# owner: root
# group: root
user::rw-
user:kklein:r-x                 #effective:r--
user:wbland:rwx                 #effective:rw-
user:jmarriott:r-x              #effective:r--
user:ccarvalho:r-x              #effective:r--
group::rwx                      #effective:rw-
group:mercury:rwx               #effective:rw-
mask::rw-
other::---

  Remember that default FACLs are only applicable to directories.

19) Modify the FACLs on the payroll.dat files so that both managers for a mission have read/write access and the users of the mission have no access at all:

# setfacl -m u:kklein:rwx mercury/payroll.dat
# setfacl -m u:wbland:rwx gemini/payroll.dat
# setfacl -m u:glow:rwx apollo/payroll.dat
# setfacl -x g:mercury mercury/payroll.dat
# setfacl -x g:gemini gemini/payroll.dat
# setfacl -x g:apollo apollo/payroll.dat

20) Inspect the FACLs on one of the payroll.dat files:

# getfacl mercury/payroll.dat
# file: mercury/payroll.dat
# owner: root
# group: root
user::rw-
user:kklein:rwx
user:wbland:rwx
user:jmarriott:r-x
user:ccarvalho:r-x
group::rwx
mask::rwx
other::---

  Notice the mask changed to rwx, so it is no longer impacting the individual FACL entries, nor causing the effective permissions to differ from the granted ones.

21) Some backup programs do not save FACLs; in that case you must create a text file with the FACLs in it and back up that text file.
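The mask behaviour seen in steps 18 through 20, as an added example that is not part of the course lab: perm_op reproduces the "#effective:" column getfacl prints (entry AND mask) and recalc_mask the mask that setfacl -m recalculates (the union of every entry the mask governs); SAMPLE_ACL is constructed to match mercury/payroll.dat before step 19.

```shell
#!/bin/sh
# Added example, not part of the course text. The sample ACL below is
# constructed; feed real "getfacl FILE" output to the same functions.

# Combine two rwx strings position by position: perm_op and r-x rw- -> r--
perm_op() {
    op=$1 a=$2 b=$3 out="" i=1
    while [ "$i" -le 3 ]; do
        ca=$(printf '%s' "$a" | cut -c "$i")
        cb=$(printf '%s' "$b" | cut -c "$i")
        case $op in
            and) if [ "$ca" = "$cb" ] && [ "$ca" != "-" ]; then out="$out$ca"; else out="$out-"; fi ;;
            or)  if [ "$ca" != "-" ]; then out="$out$ca"; elif [ "$cb" != "-" ]; then out="$out$cb"; else out="$out-"; fi ;;
        esac
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# Entries the mask governs (named users, owning group, named groups), with any
# "#effective:" comment stripped, one "name:perms" per line. user::, other::,
# mask:: and default:* entries are not subject to the mask and are skipped.
masked_entries() {
    printf '%s\n' "$1" | sed 's/[[:space:]]*#.*$//' |
        grep -E '^(user:[^:]+:|group:[^:]*:)[rwx-]{3}$'
}

# "name:perms effective" for every masked entry, the way getfacl reports it
effective_perms() {
    mask=$(printf '%s\n' "$1" | sed -n 's/^mask::\([rwx-]\{3\}\).*/\1/p')
    masked_entries "$1" | while IFS= read -r entry; do
        perms=${entry##*:}
        if [ -n "$mask" ]; then eff=$(perm_op and "$perms" "$mask"); else eff=$perms; fi
        printf '%s %s\n' "$entry" "$eff"
    done
}

# Mask that setfacl -m would recalculate: the union of all masked entries
recalc_mask() {
    m="---"
    for entry in $(masked_entries "$1"); do
        m=$(perm_op or "$m" "${entry##*:}")
    done
    printf '%s' "$m"
}

# Number of entries whose effective permission is narrower than what was granted
clipped_count() {
    effective_perms "$1" | awk '{ n = split($1, p, ":"); if (p[n] != $2) c++ } END { print c + 0 }'
}

# Constructed sample: mercury/payroll.dat right after touch (step 18). touch
# requested mode 0666, so the mask became rw- and every rwx entry is clipped.
SAMPLE_ACL='# file: mercury/payroll.dat
# owner: root
# group: root
user::rw-
user:kklein:r-x           #effective:r--
user:wbland:rwx           #effective:rw-
group::rwx                #effective:rw-
group:mercury:rwx         #effective:rw-
mask::rw-
other::---'

effective_perms "$SAMPLE_ACL"
printf 'entries clipped by the mask: %s\n' "$(clipped_count "$SAMPLE_ACL")"
printf 'mask after any setfacl -m on this file: %s\n' "$(recalc_mask "$SAMPLE_ACL")"
```

recalc_mask returns rwx for the sample even before step 19, which is why the first setfacl -m in step 19 makes the mask jump to rwx: a file created under a default ACL takes its mask from the requested mode, not from the inherited entries.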
Create such a text file, then follow up by changing the permissions on a file (this will work for standard permissions or FACLs):

# getfacl -R * > facls.txt
# chmod 400 facls.txt
# chmod 777 apollo
# ls -ld apollo
drwxrwxrwx+ 4 root apollo 4096 Feb 11 15:08 apollo

  Set secure permissions on the saved file; otherwise users can determine what is stored inside the sub-directories.

22) Simulate a recovery of the FACLs after restoration from a FACL-unaware backup application:

# setfacl --restore=facls.txt
# ls -ld apollo
drwxrwx--T+ 4 root apollo 4096 Feb 11 15:08 apollo

Lab 9 Task 3: Exploring SELinux Modes
Estimated Time: 10 minutes

Objectives
 * Toggle between SELinux modes

Requirements
(1 station)

Relevance
Since SELinux can operate in many different modes, understanding how to toggle between them is a critical component of SELinux management.

1) Verify that the SELinux related packages are installed:

# rpm -qa | grep -E '(policy|selinux)'
libselinux-2.0.94-2.el6.i686
libselinux-python-2.0.94-2.el6.i686
selinux-policy-3.7.19-54.el6.noarch
policycoreutils-python-...-19.1.el6.i686
polkit-desktop-policy-0.96-2.el6.noarch

2) Turn off SELinux by changing the SELinux boot time parameters in /etc/selinux/config:

File: /etc/selinux/config
SELINUX=disabled

  It is also possible to pass kernel parameters on boot to manipulate SELinux. A few examples are: selinux=0 or selinux=1; enforcing=0 or enforcing=1.

  It is possible that the edit (disabling SELinux) may already have been performed on your system in a previous lab. If SELinux was already disabled, then you can skip the reboot done in the next step.

3) Disable SELinux by rebooting the system:

# reboot

4) When the system finishes rebooting, log in as root and verify that SELinux is off:

# sestatus
SELinux status:                 disabled

5) Re-enable SELinux and configure it to operate in permissive mode:

File: /etc/sysconfig/selinux
SELINUX=permissive

6) Reboot the system to enable the change.
While the system is starting, during execution of the rc.sysinit script a complete relabel will be run:

*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
. . . snip . . .

  Because the system is running in permissive mode, it will print out deny messages, but will not actually block access to resources.

7) Verify that SELinux is enabled:

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:
Policy from config file:        targeted
. . . snip . . .

8) Switch to enforcing mode:

# setenforce 1
# getenforce
Enforcing

  SELinux starts enforcing the loaded policy immediately.

  The setenforce command changes the current SELinux mode for the running system. This change will not be retained across reboots.

9) Reconfigure the system to run SELinux in enforcing mode on system boot.

Lab 9 Task 4: SELinux File Contexts
Estimated Time: 5 minutes

Objectives
 * Examine the effect of the cp and mv commands on SELinux file contexts

Requirements
(1 station)

Relevance
When copying and moving files, the SELinux security label (file context) attached to a file can be modified. Understanding the effect of commands on these file context labels will allow you to fix and avoid file context problems.

1) Create a new file and view the default SELinux file context assigned:

# echo "data" > /etc/testfile
# ls -Z /etc/testfile
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/testfile

2) Copy and move the file into the /tmp directory and view the file contexts assigned to the new files:

# cp /etc/testfile /tmp/testfile-cp
# mv /etc/testfile /tmp/testfile-mv
# ls -Z /tmp/testfile-*
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/testfile-cp
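The label mismatch that Task 4 and the earlier "Relabeling Files" section describe, as an added example that is not part of the course: the functions below split a context into its user:role:type:level fields, compare each file's type with the type expected for its location, and emit the restorecon commands that would repair the mismatches. The ls -Z lines and the EXPECTED prefix table are constructed (mv keeps the source file's label, cp gets the destination directory's default); on a real system matchpathcon(1) supplies the expected type.

```shell
#!/bin/sh
# Added example, not part of the course text. LS_Z and EXPECTED are constructed
# stand-ins for real "ls -Z" output and for matchpathcon's answers.

# context_field CONTEXT N -> field N (1=user 2=role 3=type 4=level). The level
# may itself contain colons (e.g. s0-s15:c0.c255), so field 4 takes the rest.
context_field() {
    if [ "$2" -eq 4 ]; then printf '%s\n' "$1" | cut -d: -f4-
    else printf '%s\n' "$1" | cut -d: -f"$2"; fi
}

# Constructed ls -Z output mimicking Task 4 after the cp and the mv
LS_Z='-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/testfile
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/testfile-cp
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /tmp/testfile-mv
-r--------. root root system_u:object_r:shadow_t:s0 /etc/shadow'

# Constructed "path prefix -> expected type" table; longest prefixes first
EXPECTED='/etc/shadow shadow_t
/etc/ etc_t
/tmp/ user_tmp_t'

# expected_type PATH -> type from the first matching prefix, empty if none
expected_type() {
    printf '%s\n' "$EXPECTED" | while read -r prefix type; do
        case $1 in "$prefix"*) printf '%s\n' "$type"; break ;; esac
    done
}

# mislabeled LS_Z_TEXT -> "path actual_type expected_type" per mismatched file
mislabeled() {
    printf '%s\n' "$1" | while read -r mode owner group ctx path; do
        actual=$(context_field "$ctx" 3)
        want=$(expected_type "$path")
        if [ -n "$want" ] && [ "$actual" != "$want" ]; then
            printf '%s %s %s\n' "$path" "$actual" "$want"
        fi
    done
}

# relabel_commands LS_Z_TEXT -> the restorecon invocation that repairs each one
relabel_commands() {
    mislabeled "$1" | while read -r path actual want; do
        printf 'restorecon -v %s\n' "$path"
    done
}

mislabeled "$LS_Z"
relabel_commands "$LS_Z"
```

Only /tmp/testfile-mv is reported: the moved file carried etc_t into /tmp, while the copied file was labelled user_tmp_t by the default rules for its new location.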
