22 SELinux syscalls labels modes enforcing permissive disabled context booleans | setenforce Permissive | semanage login -l | ps -eZ | id -Z | semanage boolean -l | matchpathcon
This section will serve as an overview of Security Enhanced Linux (SELinux). In the Working
with file permissions section, we discussed how standard Linux provides protection for the
system. This method is called Discretionary Access Control (DAC), and has some limitations.
For example, a typical user could open his files up, either accidentally or on purpose, for any
other user to read or write. This could allow unauthorized access to sensitive information.
To provide more security, SELinux uses MAC (Mandatory Access Control). MAC uses
a security policy that covers all processes and files in the system. All files in SELinux have
labels that contain security-relevant information.
ls -la ifcfg-eth0
-rw-r--r--. 1 root root 73 Apr 22 2011 ifcfg-eth0
Same file, but with the Z (security context) option to ls:
ls -Z ifcfg-eth0
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 ifcfg-eth0
unconfined_u is the user,
object_r is the role,
default_t is the type, and
s0 is the level.
This info is used to make access control decisions. Note that the normal DAC
rules are checked first; if they do not allow the action, the SELinux rules are never consulted.
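To make the four parts of a context concrete, here is an added example (not from the original notes) that splits a context string into user, role, type and level. It handles the case the notes' process listings show later: an MLS/MCS range such as s0-s0:c0.c1023 contains colons itself, so the level has to be taken as "everything after the third colon" rather than as a fixed fourth field. The ls_z_context helper assumes the RHEL 7 ls -Z layout shown above (mode owner group context name); the sample lines are constructed.

```shell
# Added example, not part of the original notes: split a security context
# into its four parts. The level is "everything after the third colon",
# because an MLS/MCS range such as s0-s0:c0.c1023 contains colons itself,
# so a naive split into exactly four fields breaks on process contexts.
ctx_field() {
    # $1 = context string, $2 = user | role | type | level
    case "$2" in
        user)  printf '%s\n' "$1" | cut -d: -f1 ;;
        role)  printf '%s\n' "$1" | cut -d: -f2 ;;
        type)  printf '%s\n' "$1" | cut -d: -f3 ;;
        level) printf '%s\n' "$1" | cut -d: -f4- ;;
        *)     echo "ctx_field: unknown field '$2'" >&2; return 1 ;;
    esac
}

# Pull the context out of one RHEL 7 "ls -Z" line, which prints:
# mode owner group context name. Assumption: that five-column layout.
ls_z_context() {
    printf '%s\n' "$1" | awk '{ print $4 }'
}

# Constructed sample input, modelled on the output shown in the notes.
FILE_LINE='-rw-r--r--. root root unconfined_u:object_r:default_t:s0 ifcfg-eth0'
PROC_CTX='system_u:system_r:xserver_t:s0-s0:c0.c1023'

file_ctx=$(ls_z_context "$FILE_LINE")
for f in user role type level; do
    printf 'file %-5s = %s\n' "$f" "$(ctx_field "$file_ctx" "$f")"
done
printf 'process type  = %s\n' "$(ctx_field "$PROC_CTX" type)"    # xserver_t
printf 'process level = %s\n' "$(ctx_field "$PROC_CTX" level)"   # s0-s0:c0.c1023
```

The type field is the one the targeted policy actually makes decisions on, which is why the rest of the examples on this page key on it rather than on the full context.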
------------------------
Now let’s view the list of mappings:
semanage login -l
To view the SELinux contexts for processes run the following command:
ps -eZ
To view the context for user run the following command:
id -Z
The sealert command is used to view the complete SELinux message when
an error occurs. Check your /var/log/messages file to see if any alerts have
been generated, and if so you can run sealert -l on the alert number to get a detailed view.
To get a detailed list of the SELinux Booleans with descriptions run the
following command:
semanage boolean -l
To see the list but without the descriptions run the following command:
getsebool -a
To check if files and directories have the correct SELinux context run the
following command:
matchpathcon
---------------------------
Options to mitigate attacks if SELinux is disabled:
Remount the filesystem without executable permission.
In SELinux you can set which application has which permissions to which directories on the computer.
SELinux should be used if you have a direct connection to the Internet.
Everything on the computer happens via syscalls.
If there are wrong labels on /blah, a get-attribute system call is issued;
if SELinux is in enforcing mode it will stop it: if the label is wrong, the access won't be allowed.
[bit@localhost ~]$ cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
[bit@localhost ~]$
=====================
In order to set disabled mode, the system has to be rebooted.
=====================
[bit@localhost ~]$ getenforce
Enforcing
[bit@localhost ~]$ sudo setenforce Permissive
[sudo] password for bit:
[bit@localhost ~]$ getenforce
Permissive
[bit@localhost ~]$
=====================
One of the reasons ftp might not work is SELinux.
We set it to Permissive during troubleshooting.
=====================
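The mode switched with setenforce lasts only until the next reboot, while /etc/sysconfig/selinux decides what the system boots into, so the two can disagree after a troubleshooting session. The following added example (not from the original notes) compares the configured mode with the running one and reports drift; the file contents and the getenforce result are passed in as arguments (an assumption made so the check runs anywhere), and the sample config is constructed from the file shown above.

```shell
# Added example, not part of the original notes: compare the mode configured
# in /etc/sysconfig/selinux with the mode currently running, so that a
# "setenforce Permissive" left behind after troubleshooting is noticed.
# The file contents and the getenforce result are passed in as arguments
# (assumption made so the check runs anywhere); on a real host you would
# call: mode_drift "$(cat /etc/sysconfig/selinux)" "$(getenforce)"
configured_mode() {
    # $1 = contents of /etc/sysconfig/selinux; comment lines are skipped,
    # which matters because the file's own comments mention "SELINUX=".
    printf '%s\n' "$1" | awk -F= '!/^[ \t]*#/ && $1 == "SELINUX" { print tolower($2) }'
}

mode_drift() {
    # $1 = config contents, $2 = getenforce output (Enforcing/Permissive/Disabled)
    cfg=$(configured_mode "$1")
    run=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ "$cfg" = "$run" ]; then
        printf 'OK: configured and running %s\n' "$run"
        return 0
    fi
    # Disabled cannot be entered or left with setenforce, so a mismatch
    # involving it means a reboot is still pending.
    if [ "$cfg" = disabled ] || [ "$run" = disabled ]; then
        printf 'REBOOT PENDING: configured %s but running %s\n' "$cfg" "$run"
        return 2
    fi
    printf 'DRIFT: configured %s but running %s\n' "$cfg" "$run"
    return 1
}

# Constructed sample config, modelled on the file shown in the notes.
SAMPLE_CFG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
SELINUX=enforcing
SELINUXTYPE=targeted'

mode_drift "$SAMPLE_CFG" Enforcing            # OK: configured and running enforcing
mode_drift "$SAMPLE_CFG" Permissive || true   # DRIFT: configured enforcing but running permissive
```

Run from cron or a configuration-check job, a non-zero exit from mode_drift is the signal that someone forgot to run setenforce Enforcing again after the ftp troubleshooting described above.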
Everything in RHEL 7 has a context
[bit@localhost ~]$ ls -Z
drwxr-xr-x. bit bit unconfined_u:object_r:user_home_t:s0 Desktop
drwxr-xr-x. bit bit unconfined_u:object_r:user_home_t:s0 Documents
drwxr-xr-x. bit bit unconfined_u:object_r:user_home_t:s0 Downloads
user part - unconfined_u
role part - object_r
type part - user_home_t
Context is available on processes as well
[bit@localhost ~]$ ps aZ
LABEL PID TTY STAT TIME COMMAND
system_u:system_r:xserver_t:s0-s0:c0.c1023 1099 tty1 Ss+ 0:04 /usr/bin/Xorg :0 -backg
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3404 pts/0 Ss 0:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5061 pts/0 T 0:00 grep -E --col
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5198 pts/0 R+ 0:00 ps aZ
[bit@localhost ~]$
[root@localhost ~]# ps Zaeu
LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
system_u:system_r:xserver_t:s0-s0:c0.c1023 root 1099 0.1 2.7 217716 27824 tty1 Rs+ 12:54 0:07 /usr/bin/Xorg :0 -background none -noreset -audit 4 -verbose -auth /run/gdm/
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 bit 3404 0.0 0.2 116160 2968 pts/0 Ss 12:55 0:00 bash SESSION_MANAGER=local/unix:@/tmp/.ICE-unix/2729,unix/unix:/tmp/
=======================
[root@localhost ~]# netstat -Ztulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name Security Context
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 0 16075 1/systemd system_u:system_r:init_t:s0
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 0 46601 5285/httpd system_u:system_r:httpd_t:s0
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 0 23726 1618/dnsmasq system_u:system_r:dnsmasq_t:s0-s0:c0.c1023
=======================
The context is used to match a process against the file or port it wants to access.
=======================
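The netstat -Z listing above is the quickest way to see which domain each network-facing process runs in. As an added example (not from the original notes), the script below reads netstat -Ztulpen output and prints, per listening socket, the port, the program and the SELinux type of the process holding it, flagging sockets whose owner is in init_t (held by systemd, as with port 111 above) or unconfined_t (not confined by the targeted policy), since those are the listeners no service-specific domain is protecting. The sample lines are constructed from the notes' output; the 8080/python row is invented for contrast.

```shell
# Added example, not part of the original notes: read "netstat -Ztulpen"
# output and print "port program type [flag]" for each listening socket.
# Rows whose process runs in init_t or unconfined_t are flagged, because a
# service-specific domain is not confining them.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name     Security Context
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      0          16075      1/systemd            system_u:system_r:init_t:s0
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          46601      5285/httpd           system_u:system_r:httpd_t:s0
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      0          23726      1618/dnsmasq         system_u:system_r:dnsmasq_t:s0-s0:c0.c1023
udp        0      0 192.168.122.1:53        0.0.0.0:*                           0          23725      1618/dnsmasq         system_u:system_r:dnsmasq_t:s0-s0:c0.c1023
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1000       51200      6001/python          unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
# (constructed sample; the 8080/python row does not come from the notes)

listening_domains() {
    # stdin: netstat -Ztulpen output. The context is always the last field
    # and PID/Program the one before it, which also copes with UDP rows,
    # where the State column is absent and the field count shifts.
    awk '$1 ~ /^(tcp|udp)6?$/ {
        n = split($4, a, ":");    port = a[n]
        split($(NF - 1), p, "/"); prog = (p[2] != "") ? p[2] : $(NF - 1)
        split($NF, c, ":");       type = c[3]
        flag = ""
        if (type == "unconfined_t" || type == "init_t") flag = " GENERIC_DOMAIN"
        printf "%s %s %s%s\n", port, prog, type, flag
    }'
}

count_generic() {
    # Number of listeners not confined by a service-specific domain.
    printf '%s\n' "$NETSTAT_SAMPLE" | listening_domains | grep -c GENERIC_DOMAIN
}

printf '%s\n' "$NETSTAT_SAMPLE" | listening_domains
printf '%d listener(s) in a generic domain\n' "$(count_generic)"   # 2
```

On a live RHEL 7 host the same function is fed with netstat -Ztulpen | listening_domains; a program showing up in unconfined_t on an Internet-facing port is the case where SELinux adds nothing and the DAC permissions are all that stands between the service and the system.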
BOOLEANS
[root@localhost tmp]# getsebool -a | grep ftp
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_home_dir --> off
[root@localhost tmp]# setsebool tftp_home_dir on
[root@localhost tmp]# getsebool -a | grep ftp
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_home_dir --> on
[root@localhost tmp]#
============================
[root@localhost tmp]# semanage boolean -l | grep tftp
tftp_anon_write (off , off) Allow tftp to modify public files used for public file transfer services.
tftp_home_dir (on , off) Allow tftp to read and write files in the user home directories
[root@localhost tmp]#
change applies only after reboot
============================
[root@localhost tmp]# setsebool -P tftp_home_dir on
[root@localhost tmp]# semanage boolean -l | grep tftp
tftp_anon_write (off , off) Allow tftp to modify public files used for public file transfer services.
tftp_home_dir (on , on) Allow tftp to read and write files in the user home directories
[root@localhost tmp]#
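In the semanage boolean -l output the pair in parentheses is (current value , persistent value): after the plain setsebool above tftp_home_dir shows (on , off), and only after setsebool -P does it show (on , on). The following added example (not from the original notes) parses that output and lists every boolean whose two values differ, which is exactly the set of changes that were made without -P and will silently revert at the next reboot or policy reload. The sample lines are constructed from the output above; the httpd_can_network_connect row is added to show the reverse case, and its description text is made up.

```shell
# Added example, not part of the original notes: parse "semanage boolean -l"
# output, where each "(x , y)" pair is (current value , persistent value),
# and list the booleans whose two values differ. Those are changes made
# with setsebool but without -P: live now, gone after a reboot.
nonpersistent_booleans() {
    # stdin: semanage boolean -l output. Prints "name current persistent".
    awk '/\((on|off) *, *(on|off)\)/ {
        match($0, /\((on|off) *, *(on|off)\)/)
        pair = substr($0, RSTART, RLENGTH)
        gsub(/[() ]/, "", pair)          # "(on  ,  off)" -> "on,off"
        split(pair, v, ",")
        if (v[1] != v[2]) printf "%s %s %s\n", $1, v[1], v[2]
    }'
}

persist_commands() {
    # For each drifting boolean, print the setsebool -P line that would make
    # the currently running value the persistent one.
    nonpersistent_booleans | awk '{ printf "setsebool -P %s %s\n", $1, $2 }'
}

# Constructed sample, modelled on the notes' output; the last two rows and
# their descriptions are made up for the example.
SEMANAGE_SAMPLE='SELinux boolean                State  Default Description
tftp_anon_write                (off  ,  off)  Allow tftp to modify public files used for public file transfer services.
tftp_home_dir                  (on   ,  off)  Allow tftp to read and write files in the user home directories
ftpd_anon_write                (off  ,  off)  Allow ftp servers to upload files (constructed description)
httpd_can_network_connect      (off  ,   on)  Allow httpd to connect to the network (constructed description)'

printf '%s\n' "$SEMANAGE_SAMPLE" | nonpersistent_booleans
# tftp_home_dir on off
# httpd_can_network_connect off on
printf '%s\n' "$SEMANAGE_SAMPLE" | persist_commands
```

On a real host feed it with semanage boolean -l | nonpersistent_booleans. Whether a drifting boolean should be persisted with the printed setsebool -P line or reverted with setsebool back to its persistent value is a decision per boolean; the point of the check is that the list is empty on a machine whose running policy matches what it will boot into.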