Understanding

SELinux

Daniel J Walsh

Red Hat Consulting Engineer

Twitter: @rhatdan

Blog: danwalsh.livejournal.com

Email: dwalsh@redhat.com

What is SELinux trying to tell you?

SELinux 4 Things

1. You have something wrong with your labels

2. You changed the system defaults
but did not tell SELinux about it

3. Applications or SELinux
have bugs
that have not been fixed yet

4. You could be COMPROMISED!!!

Everyone Please Stand Up

Repeat with me

SELinux is a LABELING system

Every Process has a LABEL

Every File, Directory, System object has a LABEL

Policy rules control access between labeled processes and labeled objects

The Kernel enforces the rules

SELinux is a labeling System

If the labels are wrong, SELinux will generate issues.

Solution? Fix your labels.

Your visual guide to SELinux Policy Enforcement
http://opensource.com/business/13/11/selinux-policy-guide
SELinux Coloring Book:
http://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf

SELinux Labels - Type Field

user:role:type:level

system_u:system_r:httpd_t:s0

system_u:object_r:httpd_sys_rw_content_t:s0

Type Enforcement


SELinux Labels - Level

user:role:type:level

system_u:system_r:svirt_t:s0:c1,c2

system_u:object_r:svirt_sandbox_file_t:s0:c1,c2

MCS Enforcement

Multi Category Security Based on Multi Level Security (MLS)


Sadly not everyone wants to store their content where

Dan Walsh wants or expects :^(

Every process and object on
the machine has a label

If your files are not labeled correctly
access might be denied

Alternative paths for confined domains?
SELinux needs to KNOW.

http files in /srv/myweb instead of /var/www/html?
Tell SELinux.

# semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'
# restorecon -R /srv/myweb

File labeling

SELinux file label definitions are stored in
/etc/selinux/targeted/contexts/files/file_contexts.*

semanage fcontext command is used to change default labeling

File labels are stored in the inode's extended attributes (xattrs)

restorecon command applies the default labels to the file system objects

# semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'
# restorecon -R /srv/myweb

File labeling

Big Retailer uses Tivoli

Tivoli stores log files in /var/ibm/tivoli/common/COD/logs

I see AVCs where confined domains are denied access to var_t files

What is the label of the /var/log directory?

ls -ldZ /var/log
drwxr-xr-x. 16 root root system_u:object_r:var_log_t:s0 4096 Dec  2 10:48 /var/log
# semanage fcontext -a -t var_log_t '/var/ibm/tivoli/common/COD/logs(/.*)?'
# restorecon -R -v /var

Problem solved

default_t files

By default all non-distribution directories in "/"
will be labeled as default_t

SELinux has no idea what type of content is in a default_t file

All confined domains are blocked from accessing default_t files

Big Retailer moves its Home Dirs to /u/home/

This means all home directory content is labeled default_t

Confined applications like sshd and httpd are blocked from reading/writing default_t files

We probably want to label /u/home the same way we label the /home directory

File labeling equivalence

Sometimes you want entire directory trees to be labeled the same as another directory tree

# semanage fcontext -a -t home_root_t '/u(/.*)?'

# semanage fcontext -a -e /home /u/home

Label all files under /u/home as if they were under /home

/u/home/dwalsh/.ssh will get labeled ssh_home_t

/u/home/dwalsh/public_html will get labeled httpd_user_content_t
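To make the labeling model on these slides concrete (the semanage fcontext regexes, the /u/home equivalence, and the default_t catch-all for the Tivoli and /u/home cases above), here is an added example that is not part of the original talk. It is a simplified model of how libselinux picks a label: after equivalence substitution, the rule with the longest literal prefix (the "stem") wins, and later rules win ties; the rule table is constructed from the slides plus a few assumed refpolicy-style home directory rules.

```python
import re

# Constructed file-context rules (regex, type), in slide order. The catch-all
# '/.*' -> default_t models how unknown top-level directories get default_t.
# The /home rules are assumed, simplified versions of the distribution's own.
FILE_CONTEXTS = [
    (r"/.*", "default_t"),
    (r"/home", "home_root_t"),
    (r"/home/[^/]+", "user_home_dir_t"),
    (r"/home/[^/]+/.+", "user_home_t"),
    (r"/home/[^/]+/\.ssh(/.*)?", "ssh_home_t"),
    (r"/home/[^/]+/public_html(/.*)?", "httpd_user_content_t"),
    (r"/var(/.*)?", "var_t"),
    (r"/var/log(/.*)?", "var_log_t"),
    (r"/srv/myweb(/.*)?", "httpd_sys_content_t"),                 # slide rule
    (r"/var/ibm/tivoli/common/COD/logs(/.*)?", "var_log_t"),       # Tivoli rule
    (r"/u(/.*)?", "home_root_t"),                                  # slide rule
]

# 'semanage fcontext -a -e /home /u/home': look up /u/home/... as /home/...
EQUIVALENCES = [("/home", "/u/home")]

def apply_equivalence(path):
    """Rewrite a path through the equivalence substitutions (longest source first)."""
    for target, source in sorted(EQUIVALENCES, key=lambda e: -len(e[1])):
        if path == source or path.startswith(source + "/"):
            return target + path[len(source):]
    return path

def literal_prefix(regex):
    """Length of the leading metacharacter-free part of the regex (its 'stem')."""
    return len(re.match(r"[^.^$*+?()\[\]{}|\\]*", regex).group(0))

def label_for(path):
    """Type the path would get on restorecon: longest stem wins, later rule wins ties."""
    path = apply_equivalence(path)
    best = None
    for idx, (regex, ttype) in enumerate(FILE_CONTEXTS):
        if re.fullmatch(regex, path):
            key = (literal_prefix(regex), idx)
            if best is None or key > best[0]:
                best = (key, ttype)
    return best[1] if best else None

if __name__ == "__main__":
    for p in ("/u/home/dwalsh/.ssh", "/srv/myweb/index.html", "/opt/app/data.db",
              "/var/ibm/tivoli/common/COD/logs/trace.log"):
        print(p, "->", label_for(p))
```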

File labeling

File label definitions are stored in the
/etc/selinux/targeted/contexts/files/file_contexts.* files

Use semanage fcontext command to change default labeling

Use restorecon command to apply labels to the file system objects

# semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'
# restorecon -R /srv/myweb

2. You changed the system defaults
but did not tell SELinux about it

SELinux needs to know

Booleans

Booleans are If-Then-Else rules written into SELinux policy

If you want httpd to send email

# setsebool -P httpd_can_sendmail 1

If you want users to use ftp to access their home directories

# setsebool -P ftp_home_dir 1

How do I know what Booleans are available

semanage boolean --list lists all booleans with explanation

man httpd_selinux lists booleans for the Apache application

setroubleshoot will tell you if there is a boolean available for an AVC

audit2allow -i /var/log/audit/audit.log will tell you if there is a boolean available for an AVC

audit2allow searches for booleans that would allow the access being denied in an AVC.

# grep ftp /var/log/audit/audit.log | audit2allow 
#============= ftpd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     allow_ftpd_full_access, ftp_home_dir
allow ftpd_t home_root_t:dir search;

Used audit2allow to diagnose issues with
Apache running passenger.

setsebool -P httpd_run_stickshift=1 httpd_execmem=1 allow_httpd_write_anon_write=1

Problem solved

2. You changed the system defaults
but did not tell SELinux about it

SELinux needs to know

Port types

I want sshd to listen on port 55

Use "semanage port" to change the port definition for application

# semanage port -a -t ssh_port_t -p tcp 55

How do I tell what port types are available

man sshd_selinux lists ports for the sshd application

semanage port --list lists ports for the system

The port type prefix usually matches the type of the confined domain

In RHEL7, sepolicy network is very handy

sepolicy network to display port information

sepolicy network -t ssh_port_t
ssh_port_t: tcp: 22

sepolicy network to display confined process network port information

sepolicy network -d sshd_t
sshd_t: tcp name_connect
	111 (portmap_port_t) -- Allowed False [ nis_enabled=0 ]
	113 (auth_port_t) -- Allowed False [ daemons_use_tcp_wrapper=0 || nis_enabled=0 ]
	53 (dns_port_t)
	80, 81, 443, 488, 8008, 8009, 8443, 9000 (http_port_t) -- Allowed False [ nis_enabled=0 || authlogin_yubikey=0 ]
	88, 750, 4444 (kerberos_port_t) -- Allowed True [ nis_enabled=0 || kerberos_enabled=1 ]
	389, 636, 3268, 7389 (ldap_port_t) -- Allowed False [ nis_enabled=0 || authlogin_nsswitch_use_ldap=0 ]
	829, 9180, 9701, 9443-9447 (pki_ca_port_t)
	32768-61000 (ephemeral_port_t) -- Allowed False [ nis_enabled=0 ]
	8955 (dnssec_port_t)
	9080 (ocsp_port_t) -- Allowed True [ kerberos_enabled=1 ]
	all ports < 1024 (reserved_port_type) -- Allowed False [ nis_enabled=0 ]
	all ports with out defined types (port_t) -- Allowed False [ nis_enabled=0 ]

sshd_t: tcp name_bind
	22 (ssh_port_t)
	5900-5983, 5985-5999 (vnc_port_t)
	6000-6020 (xserver_port_t)
	32768-61000 (ephemeral_port_t) -- Allowed False [ nis_enabled=0 ]
	all ports > 500 and  < 1024 (rpc_port_type) -- Allowed False [ nis_enabled=0 ]
	all ports with out defined types (port_t) -- Allowed False [ nis_enabled=0 ]
...

3. Applications or SELinux have bugs
that have not been fixed yet

SELinux policy can have bugs

Unusual Code Paths

Configurations that we never tried

Redirection of stdout

3. Applications or SELinux have bugs
that have not been fixed yet

Applications have bugs

Leaked File Descriptors

Executable Memory

Badly built libraries

Report the bugs in Bugzilla so we can fix them

3. Applications or SELinux have bugs
that have not been fixed yet

You can tell SELinux to just allow the access, using audit2allow

SELinux is blocking postgresql

Did you make sure the Labeling is correct?

Did you make sure there was no appropriate boolean?

Most important thing you will learn today?

Or most abused thing you will learn today?

Use audit2allow to build a policy module

# grep postgresql /var/log/audit/audit.log | audit2allow -M mypostgresql
# semodule -i mypostgresql.pp

Examine mypostgresql.te

Make sure you are not allowing too much.

Ask for help?
TAM and Red Hat Support
#fedora
Fedora-selinux mail list
dwalsh@redhat.com

Report the Bug to TAM, Support or Bugzilla

4. You could be COMPROMISED!!!

If you have a confined domain that tries to:

Load a kernel module

Turn off SELinux enforcing mode

Write to etc_t or shadow_t files

Modify iptables rules

You might be compromised

setroubleshoot is not an intrusion detection tool, but it will notify you of these situations.
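The four categories on these slides, plus the boolean hint that audit2allow gives for the ftpd_t example earlier, can be turned into a first-pass triage of AVC records. This is an added example, not part of the talk or of setroubleshoot: it parses constructed audit.log lines and tags each denial as a labeling problem, a boolean, a suspected compromise, or a possible bug; the boolean table holds only the two pairs taken from the slides, and the iptables indicator is not modeled.

```python
import re

# Fields of a kernel AVC record as written to /var/log/audit/audit.log.
AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
                    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)")
# Target types that tell SELinux nothing about the content (slides: default_t, var_t).
GENERIC_TYPES = {"default_t", "var_t"}
# (source type, target type or '*', class, permission) -> boolean, from the slides.
BOOLEAN_HINTS = {
    ("ftpd_t", "home_root_t", "dir", "search"): "ftp_home_dir",
    ("httpd_t", "*", "process", "execmem"): "httpd_execmem",
}

def type_of(context):
    """user:role:type:level -> type field."""
    return context.split(":")[2]

def triage(line):
    """Return (category, detail) for one AVC denial line, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split())
    stype, ttype, tclass = type_of(m.group("scon")), type_of(m.group("tcon")), m.group("tclass")
    # Thing 4 is checked first: these are worth an incident look whatever the cause.
    if tclass == "capability" and "sys_module" in perms:
        return ("compromise?", f"{stype} tried to load a kernel module")
    if tclass == "security" and "setenforce" in perms:
        return ("compromise?", f"{stype} tried to turn off enforcing mode")
    if tclass == "file" and perms & {"write", "append"} and ttype in {"shadow_t", "etc_t"}:
        return ("compromise?", f"{stype} tried to write a {ttype} file")
    if ttype in GENERIC_TYPES:  # thing 1: fix the labels
        return ("labels", f"{ttype} target: semanage fcontext + restorecon")
    for (s, t, c, p), boolean in BOOLEAN_HINTS.items():  # thing 2
        if s == stype and t in ("*", ttype) and c == tclass and p in perms:
            return ("boolean", f"setsebool -P {boolean} 1")
    return ("bug?", f"{stype} -> {ttype}:{tclass} {' '.join(sorted(perms))}: "
                    "check labels and booleans before audit2allow")

# Constructed sample records, not real audit output.
SAMPLE_LOG = """\
type=AVC msg=audit(1386000000.101:1): avc:  denied  { read } for  pid=100 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1386000000.102:2): avc:  denied  { search } for  pid=200 comm="vsftpd" name="home" scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1386000000.103:3): avc:  denied  { sys_module } for  pid=300 comm="httpd" capability=16 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1386000000.104:4): avc:  denied  { write } for  pid=400 comm="postgres" name="pg_hba.conf" scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:postgresql_db_t:s0 tclass=file
"""

def triage_log(text):
    """Triage every AVC record in an audit log excerpt; non-AVC records are skipped."""
    return [r for r in (triage(l) for l in text.splitlines()) if r]
```

Run it over `grep AVC /var/log/audit/audit.log` output; a "bug?" result means neither labeling nor a boolean explains the denial, which is the point at which the slides say to examine the audit2allow module before installing it.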

questions?