ManagingRedHatEnterpriseLinux5

DanielJWalsh SELinuxLeadEngineer dwalsh@redhat.com KarlMacMillan kmacmill@redhat.com PrincipalSoftwareEngineer

Agenda
1)IntroductiontoSELinux Concepts 2)Policiesand ConfigurationFiles 3)ModifiedOSCommands 4)SELinuxUtilities 5)UnderstandingAudit Messages 6)ManagingFileLabeling
2

7)CustomizingPolicyWith Booleans 8)ManagingSELinux Modules 9)ManagingSELinux Systems 10)ConfiguringAuditing 11)CustomizingApache

IntroductiontoSELinuxConcepts

LinuxAccessControlIntroduction

Linuxaccesscontrolinvolvesthe

kernelcontrolling processes(runningprograms)accessto resources(files,directories,sockets,etc.)

Forexample:

webserverprocessescanreadwebfiles butnot/etc/shadow

Howarethesedecisionsmade?

StandardLinuxAccessControl

Processesandfileshavesecurityproperties

process:userandgroup(realandeffective) resources:userandgroup+accessbits

read,write,andexecuteforuser,group,other

Kernelhashardcodedpolicy Example:

Canfirefoxreadmysshprivatekey?
kmacmill 21375 1 35 11:38 ? 00:00:01 firefox-bin -rw------- 1 kmacmill kmacmill 1743 2006-07-10 id_rsa

ImportantConcepts

Securityproperties:securityrelevantdata

associatedwithprocessesandresources usedtomakeaccesscontroldecisions

Policy:rulesforaccesscontroldecisions Kernelenforcesaccesscontroldecisions

calledreferencevalidationmechanism processesalsoenforceaccesscontrol

databaseserver,dbus,X,etc.

StandardLinuxSecurityProblems

Accessisbasedonusers'access Example:Firefoxcanreadsshkeys

generallyhasnoreasontoreadthem,but ifcompromisedcanpotentiallydisastrous

Fundamentalproblem:

securitypropertiesnotspecificenough kernelcan'tdistinguishapplicationsfromusers

StandardLinuxSecurityProblems

Processescanchangesecurityproperties Example:mailfilesreadableonlybyme

evolutioncanmakethemworldreadable

Fundamentalproblem:

standardaccesscontrolisdiscretionary includesconceptofresourceownership processescanescapesecuritypolicy

StandardLinuxSecurityProblems

Onlytwoprivilegelevels:userandroot Example:apacheprivilegeescalation

apachebugallowsobtainingrootshell entiresystemiscompromised

Fundamentalproblem:

simplisticsecuritypolicy nowaytoenforceleastprivilege

SELinuxIntroduction

SELinuxaddsadditionalaccesscontrol

newsecuritypropertiesonprocesses/resources flexiblesecuritypolicythatcanbechanged

Kernelandapplicationbasedenforcement Designedtoaddresssecurityproblems

mandatory,leastprivilege,andfinegrained noallpowerfulroot

10

Transparenttomostapplications

SELinuxAccessControl

SELinuxhasthreeformsofaccesscontrol

TypeEnforcement(TE)primarymechanism RoleBasedAccessControl(RBAC) MultiLevelSecurity(MLS)

Configurableviapolicylanguage

centralconfigurationfilescontrolallaccess Severalpoliciesavailable(targeted,strict,mls)

11

Allaccessisdeniedbydefault

SELinuxSecurityProperties

Processesandfileshaveasecuritycontext

kmacmill:staff_r:firefox_t:s0 kmacmill:object_r:user_home_t:s0 user:role:type:level

Thekeyfieldistype

usedtoimplementTypeEnforcement

OtherfieldsusedforRBACandMLS

moreontheselater

12

Exercise:SecurityContexts

SeveralutilitiesmodifiedforSELinux TheZoptionusuallyusedtoviewcontexts Examples:

psaeZ>viewcontextsofprocesses lsZ>viewcontextsoffilesanddirectories

Exercises:

Whatisthesecuritycontextof/etc/shadow? Whatisthesecuritycontextofudevd?

13

SolvingLinuxSecurityChallenges

Securitypropertiesneedtoidentify

allrelevantsecurityinformation,e.g.,

processisawebserver(apache) thatwasstartedbyinit

consistentacrossallprocessandresources

Securitypolicyneedstobeflexible

noassumptions(e.g.,noroot) capableofenforcingintegrity,confidentiality,etc.

14

IntroductiontoTypeEnforcement

Basedonasinglesecuritypropertytype

appliedtoprocessesandresources representsallsecurityrelevantinformation Apacheprocesses>httpd_t /var/www/html/index.html>httpd_sys_content_t e.g.,httpd_tcanreadhttpd_sys_content_t

Typesareassignedtoprocessesandresources

Accessisallowedbetweentypes

15

IntroductiontoObjectClasses

Objectclassesspecifythedetailsofaccess Resourcesdividedintoclasses

e.g.,file,dir,socket,process

Eachclasshaspermissions

e.g.,file:read,write,execute,getattr

FullaccessinTypeEnforcement:

allowhttpd_thttpd_sys_content_t:fileread;

16

TypeEnforcementOverview
Apache
(httpd_t)

read

/var/www/html
(httpd_sys_content_t)

/etc/shadow
(shadow_t)

ad re

~/public_html

Apache Policy:
allow httpd_t httpd_sys_content_t : file read;
17

(httpd_sys_content_t)

TypeEnforcementConcepts

Accessisallowedsolelybytype

manyprocessesandresourceshavesametype

simplifiespolicybygrouping

processeswithsametypehavesameaccess

sameforresources(files)

Processtypescalleddomains

sometimesappliedtoresources(e.g.,sockets)

18

Differenceresourcescanhavesametype

AssigningInitialTypes

Filesanddirectories:

configurationfilespecifiesdefaultcontext

calledfilecontexts usespathregex:^/usr/bin/>bin_t

Inheritedfromcontainingdirectoryatruntime

Applicationscanexplicitlysetcontext

chcon:utilitytosetcontexts(thinkchown) passwd:maintainscontexton/etc/shadow

19

AssigningProcessTypes

Processtypesare:

(default)inheritedfromparentprocess setbypolicy(typetransitionrule) setbyapplication(e.g.,login)

Examples:

bash(user_t)>ls(user_t) init(init_t)>httpdinitscript(initrc_t)>httpd(httpd_t) login(login_t)>bash(user_t)

20

TypeTransitionRules

Typetransitionrulessetprocesstypesusing:

parentprocesstypeandexecutablefiletype similartosetuid

Example:startingnameserver

Rule:domain_auto_trans(initrc_t, parentprocess(initrc_t)

named_exec_t, named_t)

executablefiletype(named_exec_t) result>named_t

21

TypeTransitionRules

22

TypeTransitionNotes

Primarymeansforsettingprocesstype

ensuresapplicationsrunincorrectdomain doesnotrequireapplicationmodification

Mustbeallowedbypolicy

e.g.,apachecannotstartprocessesininit_t preventsapplicationsfromgainingprivilege

Bindsspecificexecutabletodomain

e.g.,only/usr/bin/passwdcanruninpasswd_t

23

UserFieldDetails

kmacmill:user_r:user_mozilla_t:s0 NotnecessarilythesameastheLinuxuser Oftenendsin_u:system_u,user_u Notcurrentlyusedinthetargetedpolicy Filesanddirectories:

userinheritedfromprocess systemprocess>filescreatedwithsystem_u

24

RoleFieldDetails

kmacmill:user_r:user_mozilla_t:s0 UsedforRBAC

rolefurtherrestrictsavailabletypetransitions incooperationwithTE(e.g.,user_r/user_t)

Usuallyendswith_r Resourceshavedefaultobject_rrole UsedinstrictandMLSpolicies

25

user_r,staff_r,secadm_r

MLSLevelFieldDetails

kmacmill:user_r:user_mozilla_t:s0 UsedforMLS(orMCS) Oftenhiddenintargetedandstrict(MCS) Identifiesonelevelorrange

singlelevel:s0 range:sos15:c0.c1023

Usuallytranslated

26

s15:c0.c1023>SystemHigh

SELinuxSecurityBenefits

Typescaptureimportantsecurityinformation

accessisbasedonuserandapplicationfunction transitionscaptureprocesscallchains

Processesrunwithleastprivilege

onlywhatisallowedforthetype e.g.,httpd_tcanonlyreadwebpages

Privilegeescalationtightlycontrolled

acompromiseofApachelimitedbypolicy

27

SELinuxConfiguration

StrictPolicy

Asystemwhereeverythingisdeniedbydefault

Youmustspecifyallowrulestograntprivileges

SELinuxdesignedtobeastrictpolicy.

Thepolicyrulesonlyhaveallows,nodenies Minimalprivilege'sforeverydaemon separateuserdomainsforprogramslikeGPG,X,ssh,etc

Difficulttoenforceingeneralpurposeoperatingsystem NotSupportedinRHEL

29

MLSPolicy

StrictpolicywithBellLaPadulaSupport SupportedinRHEL5withspeciallicense. Serveronlyoperatingsystem

NoXwindowssupport limitedpackageset

HP/IBMworkingtowardsgettingEAL4+/LSPPcertification

30

TargetedPolicy
Systemwhereprocessesbydefaultareunconfined.

Onlytargetedprocessesareconfined

UnconfinedDomains

Bydefaultuserprocessesruninunconfined_t Systemprocessesrunininitrc_t Unconfinedprocesseshavethesameaccesstheywouldhave withoutSELinuxrunning

Daemonswithdefinedpolicytransitiontoconfineddomains httpdstartedfromunconfined_ttransitionstohttpd_twhich haslimitedaccess.

31

TargetedDomains

InRHEL4

15targetsdefined httpd,squid,pegasus,Mailman,Named,dhcpd,mysqld,nscd,ntpd. portmap,postgresql,snmpd,syslogd,winbindd

InRHEL5

200targetsdefined

EveryprogramshippedbyRedHatandstartedonbootshould haveadomaindefined

Allsystemspaceisconfined Limitedconfinementforuserspace 20unconfineddomains

32

WhereshouldyourunSELinux?
Internet Corporate Network
RedHatEnterprise LinuxES
Firewall VPN DNS Web FTP

Intranet
RedHatEnterprise LinuxES
DNS Web FTP NFS NIS

RedHatEnterprise LinuxAS

DatabaseCRMERP

RedHatEnterprise LinuxES

DMZ
33

RedHatEnterprise LinuxWS

RedHatEnterprise LinuxES
AppServerFarm

Configfiles

SELinuxstoresitsconfigfilesin/etc/selinux

lsl/etc/selinux rwrr1rootroot515Jan1811:46config drwxrxrx7rootroot4096Jan2314:06strict drwxrxrx7rootroot4096Jan2314:06targeted

/etc/selinux/configidentifiespolicyandenforcingmode

more/etc/selinux/config #ThisfilecontrolsthestateofSELinuxonthesystem. #SELINUX=cantakeoneofthesethreevalues: #enforcingSELinuxsecuritypolicyisenforced. #permissiveSELinuxprintswarningsinsteadofenforcing. #disabledNoSELinuxpolicyisloaded. SELINUX=enforcing #SELINUXTYPE=cantakeoneofthesetwovalues: #targetedOnlytargetednetworkdaemonsareprotected. #strictFullSELinuxprotection. SELINUXTYPE=targeted

34

Configfiles

Directoryunderpolicytypefollowsameformat

contextsdirectorycontainsdefaultcontextsfilesusedbySELinux awareapplications policydircontainscompiledpolicyfile seuserscontainsLinuxUsertoSELinuxusersmappingfile setrans.confcontainsMLS/MCStranslations Modulesdirectoryincludescurrentmodulesusedtobuildpolicy

lsl/etc/selinux/targeted/ total40 drwxrxrx4rootroot4096Jan2909:00contexts drwxrxrx4rootroot4096Jan2909:00modules drwxrxrx2rootroot4096Jan2909:00policy rwrr1rootroot598Jan2317:24setrans.conf rwrr1rootroot143Jan2909:00seusers

35

Configfiles

/etc/selinux/targeted/contexts/files/

file_contexts file_contexts.local file_contexts.homedir homedir_template

36

KernelBootParameters

Kernelparametersoverride/etc/selinux/configsettings selinux=0

BootsthekernelwithSELinuxturnedoff

Allfileswillnolongergetcreatedwithfilecontext. Willrequirearelabelifthemachinegetsbootedagainwith selinuxturnedon.

enforcing=0

Bootsthekernelinpermissivemode Filelabelingcontinues MayNOTgivethesameerrormessagesasinenforcingmode.

37

TargetPolicyManPages

Targetmanpagesexplaincustomfeaturesof thepolicybooleansandfilecontext

httpd_selinux(8)httpdSELinuxPolicydocumentationhttpd_selinux(8) NAME httpd_selinuxSecurityEnhancedLinuxPolicyforthehttpddaemon DESCRIPTION SecurityEnhancedLinuxsecuresthehttpdserverviaflexiblemandatory accesscontrol. FILE_CONTEXTS SELinuxrequiresfilestohaveanextendedattributetodefinethefile type.Policygovernstheaccessdaemonshavetothesefiles.SELinux httpdpolicyisveryflexibleallowinguserstosetuptheirwebser vicesinassecureamethodaspossible. Thefollowingfilecontextstypesaredefinedforhttpd: httpd_sys_content_t Setfileswithhttpd_sys_content_tforcontentwhichisavail ablefromallhttpdscriptsandthedaemon. httpd_sys_script_exec_t Setcgiscriptswithhttpd_sys_script_exec_ttoallowthemto

38

Exercises

ReadthroughacoupleofSELinuxPolicymanpages Whichpolicyisthesystemcurrentlyrunning? Rebootinpermissivemode

DoyouseeadditionalAVCmessages?

39

ModifiedOperatingSystemCommands

ModifiedUtilities

Zisyourfriend

lsZ idZ psauxZ lsofZ netstatZ find/context=

41

ModifiedUtilities

cp

Adoptsdestinationdirectoryorfilessecuritycontext aproblems

mv

MaintainsSourcesDestinationSecuritycontext

install

Setsdefaultsecuritycontextbasedonsystemdefaults

42

ModifiedPrograms

LoginProgramsPAM

sshd,login,xdm passwd,useradd,groupadd

Passwordutilities

rpm

43

Backupanddiscmanagement

tar,zip

Bothnowhaveextendedattributesupport

rsync

X,xattrs

star

starxattrH=exustarcfoutput.tar[files]

amanda tarxv|restoreconf;stillmightbebestoption

44

Exercises:ModifiedLinuxUtilities

Whatsecuritycontextison/etc/resolv.conf? Exploreothersecuritycontextin/etc Whatisthecontextistheapacheprocessrunningwith? Whatisyoursecuritycontext? Createafilein/tmpandmvittoetc

Whatisthesecuritycontextonthefile? Isthisaproblem?

Createanewaccountonyourmachine

Whatisthesecuritycontexton/etc/passwd?/etc/shadow? Whydoyousupposetheyaredifferent?

45

SELinuxUtilities

SELinuxUtilities

libselinuxrpm libselinuxisthedefaultSELinuxlibraryusedbySELinuxaware applications libselinuxutilities

getenforceTellwhethermachineisinenforcing/permissive/disabled setenforce1/0Setsthemachineinenforcing/permissive selinuxenabledUsedbyscriptstotellwhetherSELinuxenabled. matchpathconTellsyouthedefaultcontextoffile/directory avcstatDisplaySELinuxAVCstatistics

libselinuxpython

Pythonbindingstolibselinux

47

SELinuxUtilitiesPolicycoreutils

genhomedircon,fixfiles,restorecon,restorecond,setfiles,chcon,chcat audit2allow,audit2why(SeeUnderstandingSELinuxlogmessages) seconSeeanSELinuxcontext,fromafile,programoruserinput. semodule,semodule_deps,semodule_expand,semodule_link, semodule_package(SeeManaginganSELinuxPolicyModules) load_policyloadanewSELinuxpolicyintothekernel run_initRunainitscriptintheproperSELinuxcontext(mls,strict) semanage,systemconfigselinux(SeeManaginganSELinuxsystem) sestatusSELinuxstatustool setsebool,getsebool(SeeCustomizingthepolicywithbooleans) newroleRunashellwithanewSELinuxrole/level(mls,Strict)

48

Exercises:SELinuxUtilities

Isyourmachineinenforcingmode?

Turnonpermissivemode WhatAVCmessagewasgenerated? Returnmachinetoenforcingmode.

WhatistheSELinuxstatusofyourmachine? Usesestatustocheckthefilecontexton/etc/shadow Createthefile/etc/apache

Changeitscontexttypetohttpd_exec_t Howwouldyougetthisapplicationtorunashttpd_t?

Correctthecontextofallthefilesinetc

49

UnderstandingAuditMessages

UnderstandingSELinuxlogmessages

AVCAccessVectorCache

messagesin/var/log/messagesor/var/log/audit/audit.log

type=AVCmsg=audit(1140184056.443:78):avc:denied{use}forpid=2185 comm="mingetty"name="ptmx"dev=tmpfsino=699scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:kernel_t:s0tclass=fd type=AVCmsg=audit(1166017682.366:876):avc:denied{getattr}forpid=23768 comm="httpd"name="index.html"dev=dm0ino=7996439 scontext=user_u:system_r:httpd_t:s0tcontext=user_u:object_r:user_home_t:s0tclass=file

51

UnderstandingSELinuxlogmessages

AVCMessagescangetcreatedforavarietyofreasons.

Amislabeledfile Aprocessrunningunderthewrongcontext Abuginpolicy.

Basicallyanapplicationgoesdownacodepaththat wasnevertestedbythepolicywriterandgetsan unexpectedAVC.

Anintruder

52

UnderstandingSELinuxlogmessages

audit2allow

Toolthatgeneratespolicyallowrulesfromlogsofdeniedoperations audit2allowi/var/log/audit/audit.log

allowhttpd_tuser_home_t:filegettattr;

audit2why

TranslatesSELinuxauditmessagesintoadescriptionofwhythe accesswasdenied Notveryhelpfultonoviceusers,usedbypolicydevelopers

53

AnalyzingSELinuxAVCMessages

AVCMessagesreferingtofileslabeled*:file_t

MajorLabelingproblem,allfilesprobablyrequirelabels SELinuxkernellabelsfileswithnosecuritycontextfile_t Filewascreatedwhenrunningwithselinux=0oranewdisk. Itissafesttorelabelthesystemtouch/.autorelabel;reboot OnanewdiskyoucanrestoreconRv/MOUNTPOINT

AVCMessagescontainingdefault_t

Probablyalabelingproblem

Ifnotin/youprobablyneedtorelabel Ifin/andyouwantconfineddomainstohaveaccess.Youneed torelabelthefile/directoryusingchcon

54

AnalyzingSELinuxAVCMessages

Manysimilarmessagesaboutthesamefile

Thisusuallyindicatesalabelingproblem Forexample:

Create/home/dwalsh/resolv.conf mv/home/dwalsh/resolv.conf/etc lslZ/etc/resolv.conf Confineddomainswillreporterrorsaccessinguser_home_t restorecon/etc/resolv.conf

55

SELinuxTroubleshootTool

setroubleshoot

ServicelistenstoauditdaemonforAVCmessages Thenprocessesplugindatabaseforknownissues

/usr/share/setroubleshoot/plugins

Displaysknowledgebaseofhowtohandleavcmessage sealertcommandcanlaunchbrowseroranalyzelogfiles Configure/etc/setroubleshoot/setroubleshoot.cfgtosend mail

56

57

MissingAVCmessages
SometimesapplicationsfailwithnoAVCmessages

Settingsetenforce0andtheapplicationworks??? dontauditrules

ExpectedAVCsthatcauseappstotakedifferentcodepaths. SometimescoverupRealerrors

RHEL4

Installselinuxpolicytargetedsources makeC/etc/selinux/targeted/src/policyenableauditload

RHEL5

semoduleb/usr/share/selinux/targeted/enableaudit.pp semoduleb/usr/share/selinux/targeted/base.pp

58

Exercises:SELinuxUtilities

Letscreatesomeavcmessages?

touch/var/www/html/index.html chcontuser_home_t/var/www/html/index.html servicehttpdstart firefoxlocalhost whathappens? CheckthelogfilesforAVCmessages.

WhatauditrulescouldyouaddtosolvetheseAVC? Whydidpolicyrefusethisaccess?

59

ManagingFileLabeling

Managingfilelabeling

Changingafilescontext chcon

Fundamentalutilityusedtochangeafilescontext

chconRthttpd_sys_script_rw_t/var/www/myapp/data chconthttpd_sys_script_t/var/www/cgibin/myapp

Modeledafterchmodcommand ttypequalifier customizable_types

/etc/selinux/targeted/contexts/customizable_types

61

Managingfilelabeling

restorecon

Usedtosetafilebacktothesystemdefaults

setfiles

Usedtoinitializeasystem.UsedattheFilesystemlevel Requiresyoutospecifyfile_contextfile

fixfiles

Scriptthatwrapssetfiles/restoreconwithseveralusefulfeatures Userpmtolistfileswithinspecifiedpackagestorestorefilecontexts restoreconchangesbetweenpreviousfilecontextandnewone

touch/.autorelabel;reboot

62

Managingfilelabeling

Genhomedircon

Usedtogeneratefile_contexts.homedir Sometimeshasproblemswithhomedirlocations.

/etc/selinux/targeted/contexts/files/file_context.local systemconfigsecuritylevel

63

Exercises:Managingfilelabeling

Modify/etc/resolv.conf

cp/etc/resolv.confto/tmp Makesomechangestothesearchstring mvitbackthe/etc Fixitssecuritycontext

Homedirs

Createananewdirectory/export/homes Addauseraccounttothatdirectory Addauseraccounttothe/vardirectory RungenhomedirconWhathappens? Fixthecontextonthesedirectories

64

CustomizingPolicyWithBooleans

Customizingpolicywithbooleans
Booleansareif/then/elsestatementsinpolicy

Configurepolicywithouteditingpolicy getsebool

getseboola

setsebool

setseboolPallow=[1|0]

systemconfigselinux(systemconfigsecuritylevelRHEL4) Turnon/offsectionsofpolicy

setseboolPallow_nfs_home_dirs1 /etc/selinux/targeted/booleans

66

67

ConfiguringPolicy
ApacheExample

Systemadministratorhasmultiplechoicesofpolicy

Booleans

httpd_disable_trans,httpd_enable_cgihttpd_enable_homedirs httpd_tty_comm,httpd_unified

http://fedora.redhat.com/docs/selinuxapachefc3/ manhttpd_selinux

68

Exercises:ManagingBooleans

Listallbooleansonyourmachine Checkthecontentsof/etc/selinux/targeted/booleans Temporarilychangeabooleansstate Didthe/etc/selinux/targeted/booleansfilechange? Ifyouhavetimetrythepreviousexercisesafteryouturnon thehttpd_tty_commboolean

69

ManagingSELinuxModules

SELinuxModules

ModularPolicy

InRHEL5/FedoraCore5andlater,theconceptofPolicyModules wasintroduced

Thesemodulecommand

Copiesthepolicypackage(pp)filesto /etc/selinux/targeted/modules/active/modules Compilesallinstalledppfilesintonewpolicyfile /etc/selinux/targeted/policy/policy.21 Createsnewfile_contextfileandfile_context.homedirs Loadsnewpolicy

71

SELinuxPolicyModules

semodulecommand

semodulel;Listallmodulescurrentlyloaded semoduleb/usr/share/selinux/targeted/enableaudit.pp semoduleb/usr/share/selinux/targeted/base.pp semoduleimyapache.pp semodulermyapache

72

73

Generatingpolicymodules

Policymodulesconsistsofthreefiles.

TypeEnforcementFile(te)

Containstheallowrulesandinterfacecallsassociatedwiththe confineddomain Containsallofthelabelingfilecontextforthepolicymodule. Containsallinterfacesusedbyotherdomainstointeractwiththis confineddomain.

FileContextFile(fc)

InterfaceFile(if)

DOMAIN_domtrans,DOMAIN_read_config

74

CreatingPolicymoduleswithaudit2allow

Makingsmallcustomizationstopolicy InRHEL4

Youneededtoinstallselinuxpolicysourcestomodifypolicy cd/etc/selinux/targeted/src/policy grephttp_t/var/log/messages|audit2allow>>domain/misc/local.te makeinstall

InRHEL5

grephttp_t/var/log/audit/audit.log|audit2allowMmypolicy

Thiscommandwillgenerateatefileandcompileitintoappfile.

semoduleimypolicy.pp

75

Buildingpolicymodules

Installselinuxpolicydevel

Includesinterfacesforallinstalledpolicymodules /usr/share/selinux/devel

policygentoolhelperapptobeginconstructionofte,if,fcfile include/...directoryhasinterfaces

kernel,services,system,apps,admin

Makefile(usedtocompilepolicymodules).

76

Exercises:ManagingPolicyModules.

Listallmodulesonyourmachine Removethepcscdpolicymodule. Whatisthelabeloftherunningprocess? Why? servicepcscdstop restoreconRv/usr/sbin/pcscd/var/run AdvancedTopic:

using/usr/share/selinux/devel/policygentooltryto generatepcscdpolicy

77

ManagingSELinuxSystems

ManagingSELinuxsystems

InRHEL5/FedoraCore5andbeyondanew semanageframeworkwasadded InRHEL4oftenrequiredcustompolicy

allowingapachetolistenonport81 requiredpolicysourcesandtools

InRHEL5

semanageportathttp_port_tPtcp81

79

SemanageCommands

SELinuxUsers

semanageuserl semanageuseraguest_u

LinuxUsertoSELinuxusermapping

semanageloginasguest_udwalsh

FileContext

80

semanagefcontextat httpd_bugzilla_script_exec_t /usr/share/bugzilla/cgi(/.*)?

81

82

Exercises:ManagingSELinux

ListallSELinuxUsers AddanSELinuxusertoyourmachine Createadirectory/opt/www/html Labelitsothatapachecanreadit. Makeapermanentchangetothefilecontextsothat relabelingthefilesystemwillnotchangethis.

83

ConfiguringAudit

Auditing

AuditsystemreceivesSELinuxEvents

Noauditdrunning

AVCin/var/log/messagesanddmesg

auditdrunning

AVCsin/var/log/audit/audit.log

audit=1Commandrequiredforfullauditing

85

AuditingCAPP/EAL4+

CAPPControlledAccessProtectionProfile

DACProfile Securityfeaturesselection

eal4+.EAssuranceLevel

Leveloftestinganddocumentation

cp/usr/share/doc/audit1.0.12/capp.rules /etc/audit.rules

86

auditctl

Utilitytocontrolthekernelsauditsystem

e[0|1]Disable,Enableaudit SEESteveGrubbAuditBOF...

87

aureport

Generatesummaryreportsofauditlogs

aReportaboutAVCmessages iinterpretnumericfieldsforhumanconsumption tsTimeStartteTimeEnd

aureportats1:00:00

Generateaavcreportsince1AM

success/failed(Bothifyouselectneither.) summary(Totalsofevents)

88

ausearch

SearchAuditDaemonLogs

mavc ts xexecutable ausearchmavcts1:00:00xnamed

89

Exercises:Audit

Useaureportonauditmessagesonthe system Searchforapacheavcmessages Turnoffauditing?WheretotheAVC messageendup?

90

CustomizingApache

CustomizingApachePolicy

httpdmostcomplexdaemoninRHEL4 MostcomplexandconfigurableofanyoftheSELinuxpolicies.

ConfinecompromisedApachewebserverfromdamagingtherestof thesystem Finergrainedgoals

PreventingacompromisedwikiCGIscriptfromcorruptingablog installationownedbythesameperson

92

Exercises:Apache

Ishttpdrunningunderaconfineddomain?

Stophttpd Startapachedirectly/usr/sbin/httpd Whichcontextisitrunningunder? Why?

Killhttpdandstartitwithinaconfineddomain Setupanapachewebsitewhichsupportscgiscriptswherethedatais locatedin/src/www/datadirectory Setupapachetouseusershomedirectoriesandplaceahtmlfilethere Advanced:Addacgiscriptthatneedstowritetoaparticulardirectory, turnoffhttpd_unifiedandmakethescriptworkinenforcingmode.

93

Q/A

MoreInformationRedHatEnterpriseLinuxResource

http://www.redhat.com/software/rhel/

SELinuxResources

http://www.nsa.gov/selinux http://fedora.redhat.com/projects/selinux/ http://fedoraproject.org/wiki/SELinux

MailingLists

selinux@tycho.nsa.govNSAList fedoraselinuxlist@redhat.comFedoraSELinuxList

94