Red Hat Consulting Engineer
Twitter: @rhatdan
Blog: danwalsh.livejournal.com
Email: dwalsh@redhat.com
1. You have something wrong with your labels
2. You changed the system defaults but did not tell SELinux about it
3. Applications or SELinux have bugs that have not been fixed yet
4. You could be COMPROMISED!!!
Repeat with me
SELinux is a LABELING system
Every Process has a LABEL
Every File, Directory, System object has a LABEL
Policy rules control access between labeled processes and labeled objects
The Kernel enforces the rules
If the labels are wrong, SELinux will generate issues.
Solution? Fix your labels.
http://opensource.com/business/13/11/selinux-policy-guide
SELinux Coloring Book:
http://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf
user:role:type:level
system_u:system_r:httpd_t:s0
system_u:object_r:httpd_sys_rw_content_t:s0
user:role:type:level
system_u:system_r:svirt_t:s0:c1,c2
system_u:object_r:svirt_sandbox_file_t:s0:c1,c2
If your files are not labeled correctly, access might be denied
Alternative paths for confined domains?
SELinux needs to KNOW.
http files in /srv/myweb instead of /var/www/html?
Tell SELinux.
# semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'
# restorecon -R /srv/myweb
SELinux file label definitions are stored in
/etc/selinux/targeted/contexts/file_context.*
The semanage fcontext command is used to change the default labeling
File labels are stored in the inode xattrs
The restorecon command applies the labels to the file system objects
# semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'
# restorecon -R /srv/myweb
Big Retailer uses Tivoli
Tivoli stores log files in /var/ibm/tivoli/common/COD/logs
I see AVCs of confined domains being denied access to var_t files
What is the label of the /var/log directory?
# ls -ldZ /var/log
drwxr-xr-x. 16 root root system_u:object_r:var_log_t:s0 4096 Dec 2 10:48 /var/log
# semanage fcontext -a -t var_log_t '/var/ibm/tivoli/common/COD/logs(/.*)?'
# restorecon -R -v /var
Problem solved
By default all non-distribution directories in "/" will be labeled as default_t
SELinux has no idea what type of content is in a default_t file
All confined domains are blocked from accessing default_t files
Big Retailer moves its home dirs to /u/home/
This means all home directory content is labeled default_t
Confined applications like sshd and httpd are blocked from read/writing default_t files
We probably want to label /u/home the same way we label the /home directory
Sometimes you want entire directory trees to be labeled the same as another directory tree
semanage fcontext -a -t home_root_t '/u(/.*)?'
semanage fcontext -a -e /u/home /home
Label all files under /u/home as if they were under /home
/u/home/dwalsh/.ssh will get labeled ssh_home_t
/u/home/dwalsh/public_html will get labeled httpd_user_content_t
File labels are stored in the
/etc/selinux/targeted/contexts/file_context.* files
Use the semanage fcontext command to change the default labeling
Use the restorecon command to apply labels to the file system objects
# semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'
# restorecon -R /srv/myweb
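To make the labeling rules above concrete (the file_context.* lookup, a "semanage fcontext -a -t" addition, the "-e /u/home /home" equivalence, and what restorecon would change), here is an added Python model of how a path gets its default label. It is example code written for this page, not part of libselinux or of the talk; the rule set, the local additions and the on-disk labels in it are constructed, and the precedence rule (longest literal stem wins, later entries break ties) is a simplification of libselinux's ordering. It also goes beyond the slides by previewing a relabel the way "restorecon -nv" would.

```python
import re

# Constructed subset of distribution rules, in the spirit of
# /etc/selinux/targeted/contexts/files/file_contexts: (regex, type).
# NOT a real policy file.
FILE_CONTEXTS = [
    (r"/.*",                           "default_t"),
    (r"/home",                         "home_root_t"),
    (r"/home/[^/]+",                   "user_home_dir_t"),
    (r"/home/[^/]+/.*",                "user_home_t"),
    (r"/home/[^/]+/\.ssh(/.*)?",       "ssh_home_t"),
    (r"/home/[^/]+/public_html(/.*)?", "httpd_user_content_t"),
    (r"/var/log(/.*)?",                "var_log_t"),
    (r"/var/www(/.*)?",                "httpd_sys_content_t"),
]

# Local additions, as 'semanage fcontext -a -t TYPE REGEX' records them in
# file_contexts.local (constructed, mirroring the commands in the slides).
LOCAL_CONTEXTS = [
    (r"/srv/myweb(/.*)?",                       "httpd_sys_content_t"),
    (r"/var/ibm/tivoli/common/COD/logs(/.*)?",  "var_log_t"),
    (r"/u(/.*)?",                               "home_root_t"),
]

# Path equivalences, as 'semanage fcontext -a -e /u/home /home' records them
# in file_contexts.subs: (alias prefix, canonical prefix).
SUBS = [("/u/home", "/home")]

_META = set(".^$?*+|[](){}\\")


def _stem(regex):
    """Literal prefix of a regex up to its first metacharacter (the 'stem')."""
    for i, ch in enumerate(regex):
        if ch in _META:
            return regex[:i]
    return regex


def apply_subs(path):
    """Rewrite an aliased prefix to its canonical one before matching,
    so /u/home/dwalsh/.ssh is looked up as /home/dwalsh/.ssh."""
    for alias, canonical in SUBS:
        if path == alias or path.startswith(alias + "/"):
            return canonical + path[len(alias):]
    return path


def file_type(path):
    """Default SELinux type for a path: among all matching regexes, the one
    with the longest literal stem wins; later entries win ties, so
    file_contexts.local entries override distribution entries (simplified)."""
    path = apply_subs(path.rstrip("/") or "/")
    best = None
    for idx, (regex, setype) in enumerate(FILE_CONTEXTS + LOCAL_CONTEXTS):
        if re.fullmatch(regex, path):
            key = (len(_stem(regex)), idx)
            if best is None or key > best[0]:
                best = (key, setype)
    return best[1] if best else None


def file_context(path):
    """Full object context in the user:role:type:level form shown above."""
    return f"system_u:object_r:{file_type(path)}:s0"


def restorecon_preview(current_types):
    """Like 'restorecon -nv': given path -> type as currently stored in the
    inode xattr (constructed), list what a relabel would change.
    A file moved with mv keeps its old label, which is the usual mismatch."""
    changes = []
    for path, current in sorted(current_types.items()):
        expected = file_type(path)
        if expected != current:
            changes.append((path, current, expected))
    return changes


if __name__ == "__main__":
    for p in ["/u", "/u/home/dwalsh", "/u/home/dwalsh/.ssh",
              "/u/home/dwalsh/public_html", "/srv/myweb/index.html",
              "/var/ibm/tivoli/common/COD/logs/trace.log", "/opt/vendor/data"]:
        print(f"{p:45} {file_context(p)}")
    # Constructed on-disk state: content moved into /srv/myweb with mv.
    for path, old, new in restorecon_preview({
            "/srv/myweb/index.html": "user_home_t",
            "/var/log/messages": "var_log_t"}):
        print(f"relabel {path} {old} -> {new}")
```

The model shows why the equivalence is preferable to a plain type assignment: a single "-e" rule lets every home-directory sub-rule (.ssh, public_html, the user_home_dir_t top level) apply under the new root, where "-t home_root_t '/u(/.*)?'" alone would flatten the whole tree to one type.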
Booleans are If-Then-Else rules written into SELinux
If you want httpd to send email
# setsebool -P httpd_can_sendmail 1
If you want user to use ftp to access homedir
# setsebool -P ftp_home_dir 1
semanage boolean --list lists all booleans with explanation
man httpd_selinux lists booleans for the Apache application
setroubleshoot will tell you if there is a boolean available for an AVC
audit2allow -i /var/log/audit/audit.log will tell you if there is a boolean available for an AVC
Audit2allow searches for booleans that will allow the Access being denied in an AVC.
# grep ftp /var/log/audit/audit.log | audit2allow
#============= ftpd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     allow_ftpd_full_access, ftp_home_dir
allow ftpd_t home_root_t:dir search;
Used audit2allow to diagnose issues with Apache running Passenger.
setsebool -P httpd_run_stickshift=1 httpd_execmem=1 allow_httpd_write_anon_write=1
Problem solved
I want sshd to listen on port 55
Use "semanage port" to change the port definition for application
# semanage port -a -t ssh_port_t -p tcp 55
man sshd_selinux lists ports for the SSH daemon
semanage port --list lists ports for the system
port prefix usually matches the type associated with the confined domain
In RHEL7, sepolicy network is very handy
sepolicy network displays port information
# sepolicy network -t ssh_port_t
ssh_port_t: tcp: 22
sepolicy network to display confined process network port information
# sepolicy network -d sshd_t
sshd_t: tcp name_connect
    111 (portmap_port_t) -- Allowed False [ nis_enabled=0 ]
    113 (auth_port_t) -- Allowed False [ daemons_use_tcp_wrapper=0 || nis_enabled=0 ]
    53 (dns_port_t)
    80, 81, 443, 488, 8008, 8009, 8443, 9000 (http_port_t) -- Allowed False [ nis_enabled=0 || authlogin_yubikey=0 ]
    88, 750, 4444 (kerberos_port_t) -- Allowed True [ nis_enabled=0 || kerberos_enabled=1 ]
    389, 636, 3268, 7389 (ldap_port_t) -- Allowed False [ nis_enabled=0 || authlogin_nsswitch_use_ldap=0 ]
    829, 9180, 9701, 9443-9447 (pki_ca_port_t)
    32768-61000 (ephemeral_port_t) -- Allowed False [ nis_enabled=0 ]
    8955 (dnssec_port_t)
    9080 (ocsp_port_t) -- Allowed True [ kerberos_enabled=1 ]
    all ports < 1024 (reserved_port_type) -- Allowed False [ nis_enabled=0 ]
    all ports with out defined types (port_t) -- Allowed False [ nis_enabled=0 ]
sshd_t: tcp name_bind
    22 (ssh_port_t)
    5900-5983, 5985-5999 (vnc_port_t)
    6000-6020 (xserver_port_t)
    32768-61000 (ephemeral_port_t) -- Allowed False [ nis_enabled=0 ]
    all ports > 500 and < 1024 (rpc_port_type) -- Allowed False [ nis_enabled=0 ]
    all ports with out defined types (port_t) -- Allowed False [ nis_enabled=0 ]
...
Unusual Code Paths
Configurations that we never tried
Redirection of stdout
Leaked File Descriptors
Executable Memory
Badly built libraries
Report the bugs in Bugzilla so we can fix them
SELinux is blocking postgresql
Did you make sure the labeling is correct?
Did you make sure there was no appropriate boolean?
Use audit2allow to build a policy module
# grep postgresql /var/log/audit/audit.log | audit2allow -M mypostgresql
# semodule -i mypostgresql.pp
Examine mypostgresql.te
Make sure you are not allowing too much
Ask for help?
TAM and Red Hat Support
#fedora
Fedora-selinux mail list
dwalsh@redhat.com
If you have a confined domain that tries to:
Load a kernel module
Turn off SELinux enforcing mode
Write to etc_t or shadow_t
Modify iptables rules
You might be compromised
setroubleshoot is not an intrusion detection tool, but it will notify you of these situations.
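The two steps the slides leave to the reader are "examine mypostgresql.te, make sure you are not allowing too much" and recognising the compromise indicators just listed when they show up in a denial. The added Python below does both on a handful of constructed AVC records: it reduces raw audit.log lines to allow rules the way audit2allow summarises them, then flags any rule that matches one of the talk's indicators so it is reviewed rather than loaded with semodule. This is example code written for this page, not audit2allow's or setroubleshoot's implementation; the log lines, PIDs and timestamps are made up, and the mapping of the indicators to object classes and permissions (for instance "modify iptables rules" as execute on iptables_exec_t) is this example's own approximation.

```python
import re
from collections import defaultdict

# Constructed records in the format of /var/log/audit/audit.log (not real
# captures). The SYSCALL line is there to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1386000001.100:201): avc:  denied  { search } for  pid=1201 comm="vsftpd" name="home" dev="dm-0" ino=131 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1386000002.200:202): avc:  denied  { write } for  pid=2301 comm="postgres" name="pg_log" dev="dm-0" ino=7 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1386000002.201:203): avc:  denied  { add_name } for  pid=2301 comm="postgres" name="postgresql.log" dev="dm-0" ino=7 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=SYSCALL msg=audit(1386000002.201:203): arch=c000003e syscall=2 success=no exit=-13 comm="postgres" subj=system_u:system_r:postgresql_t:s0
type=AVC msg=audit(1386000003.300:204): avc:  denied  { write } for  pid=3401 comm="httpd" name="shadow" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1386000003.301:205): avc:  denied  { module_load } for  pid=3401 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=system
type=AVC msg=audit(1386000003.302:206): avc:  denied  { setenforce } for  pid=3401 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")

# The talk's "you might be compromised" list as (tclass, permission,
# target type or None for any, description). Example's own mapping.
INDICATORS = [
    ("system",   "module_load", None,              "loading a kernel module"),
    ("security", "setenforce",  None,              "turning off SELinux enforcing mode"),
    ("file",     "write",       "shadow_t",        "writing to shadow_t"),
    ("file",     "write",       "etc_t",           "writing to etc_t"),
    ("file",     "execute",     "iptables_exec_t", "modifying iptables rules"),
]


def parse_avc(line):
    """Pull source type, target type, class and permissions out of one
    denial line; return None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "stype": m["scontext"].split(":")[2],   # user:role:type:level -> type
        "ttype": m["tcontext"].split(":")[2],
        "tclass": m["tclass"],
        "perms": set(m["perms"].split()),
    }


def summarize(log_text):
    """Group denials by (source, target, class), merging permissions, which is
    what audit2allow does before emitting one allow rule per group."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(groups)


def allow_rules(log_text):
    """Render the groups as .te allow rules (target 'self' when it equals
    the source, a single bare permission, otherwise a braced set)."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summarize(log_text).items()):
        target = "self" if ttype == stype else ttype
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules


def review(log_text):
    """Return (rule, reason) for every generated rule that would grant one of
    the indicator accesses; these belong in a bug report or an incident
    ticket, not in a module you load with semodule -i."""
    flagged = []
    for (stype, ttype, tclass), perms in sorted(summarize(log_text).items()):
        target = "self" if ttype == stype else ttype
        for ind_class, ind_perm, ind_type, reason in INDICATORS:
            if tclass == ind_class and ind_perm in perms and ind_type in (None, ttype):
                rule = f"allow {stype} {target}:{tclass} {ind_perm};"
                flagged.append((rule, reason))
    return flagged


if __name__ == "__main__":
    print("# what audit2allow -M would put in the .te file:")
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
    print("# rules to reject before loading the module:")
    for rule, reason in review(SAMPLE_AUDIT_LOG):
        print(f"{rule}   <- {reason}")
```

On the constructed input the postgresql group collapses to a single "allow postgresql_t default_t:dir { add_name write };", which is the kind of rule that tells you the real fix is a label (a default_t log directory, as in the Tivoli case) rather than a module. The three httpd_t rules are the ones a generated module must never carry; in that situation audit2allow's output is evidence, not a remedy.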