Friday, April 25, 2014

SELINUX policy set up

 SE Linux Policy [ Security Enhanced Linux Policy ]

Client ==> Firewall ==> TCP Wrapper ==> SELinux ==> Server

TCP Wrapper = Allow/Deny using services
Firewall    = Allow/Deny using IP address
----------------------------------------------------------------------------------------------

Modes of SE Linux :

1.    Enforcing
2.    Permissive
3.    Disabled

Enforcing :   
 i.)  It prevents unauthorized access to files and services
 ii.) It creates logs for unauthorized access.

Permissive:   
 i.)  It creates logs only but doesn't prevent access

Disabled  :   
 i.)  It neither creates logs nor prevents access, since SELinux is already disabled
----------------------------------------------------------------------------------------------

How to change :

# getenforce          // Show the SE linux mode
# setenforce 0        // To change to Permissive mode
# setenforce 1        // To change to Enforcing mode
----------------------------------------------------------------------------------------------

To disable it (takes effect at the next boot), edit the configuration file :

# vi /etc/sysconfig/selinux    OR vi /etc/selinux/config
  SELINUX=disabled
  :wq
----------------------------------------------------------------------------------------------

To see log files :

# cat /var/log/messages | less
----------------------------------------------------------------------------------------------

Types of SELINUX :

1.    Targeted :             The system default policy [targeted processes are protected]
2.    MLS (Multi-Level Security) :    we create self-defined rules to secure our system and processes

** If we copy files from one location to another, the copy gets the SELinux context of the destination location
** If we move files from one location to another, they carry their original SELinux context to the destination

--------------------------------------------------------------------------------------------------

Lab exercise :

1.) Create 4 files at different locations :
# touch /tmp/test1
# ls -lZ
# touch /etc/test2
# ls -lZ
# touch /home/test3
# ls -lZ
# touch /var/www/html/test1
# ls -lZ

2.) Copy test1 file to /var/www/html
# cp /tmp/test1 /var/www/html

3.) Move test3 file to /var/www/html
# mv /home/test3 /var/www/html

4.) Now, see the property of the directory
# ls -lZ

5.) To apply the default SELinux context to all files in the /var/www/html folder
# restorecon -Rv /var/www/html

6.) Now, if you create a file on the desktop, leave it there, and want to apply the SELinux context of the html folder to it
# touch /root/Desktop/index.html
# chcon -Rv --reference=/var/www/html /root/Desktop/index.html

---------------------------------------------------------------------------------------

Booleans

Booleans are on/off switches with default values that allow or restrict particular behaviors under SELinux;
they can be tuned at runtime according to the requirements.

To view the Boolean values of a service/system

# getsebool -a
    OR
# getsebool -a | grep ftp
# setsebool -P allow_ftpd_anon_write on        // -P = permanent ; allow_ftpd_anon_write = boolean name ; on = on/off
----------------------------------------------------------------------------------------

----------------------------------------------------------------------------------------


# ls -lZ
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
# touch myfile
# ls -Z myfile
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 myfile

SELinux provides a user (unconfined_u), a role (object_r), a type (user_tmp_t), and a level (s0).
More often you would be interested in the type.

----------------------------------------------------------------------------------------

Within SELinux, a security context is represented as a variable-length string that defines the SELinux user, their role, a type identifier and an optional MCS/MLS security range or level, as follows:
user:role:type[:range]
Where:
user  ==> The SELinux user identity. This can be associated with one or more roles that the SELinux user is allowed to use.
role  ==> The SELinux role. This can be associated with one or more types the SELinux user is allowed to access.
type  ==> When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access.
          When a type is associated with an object, it defines what access permissions the SELinux user has to that object.
range ==> This field is also known as a level and is only present if the policy supports MCS or MLS. The entry can consist of:
          - A single security level that contains a sensitivity level and zero or more categories (e.g. s0, s1:c0, s7:c10.c15).
          - A range that consists of two security levels (a low and a high) separated by a hyphen (e.g. s0 - s15:c0.c1023).

----------------------------------------------------------------------------------------

This information is used to make access control decisions. On Discretionary Access Control (DAC) systems, access is controlled based on Linux user and group IDs. SELinux policy rules are checked after DAC rules, and are not consulted at all if the DAC rules deny access first.

The -Z option can be used with ps, ls, cp, id, and others. For instance, to view your security context:

# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

To view the security context associated with a file, run the following command:
# ls -lZ myfile
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 myfile

There are multiple commands for managing the SELinux context for files, such as chcon, semanage fcontext, and restorecon.

# semanage fcontext -l | more
# semanage fcontext -l | grep '/var/www'
/var/www(/.*)?                                     all files          system_u:object_r:httpd_sys_content_t:s0

Let's say you change your default document root to /opt/www; its files will have a different context. You need to change it to the httpd_sys_content_t type, otherwise your web server will not be able to serve them.
To add a new context mapping, use the following command:
# semanage fcontext -a -t httpd_sys_content_t '/opt/www(/.*)?'
Note: -a --> adds a new fcontext rule with the type (-t) httpd_sys_content_t, targeting /opt/www and any sub-directories and files.

# semanage fcontext -l | grep '/opt/www'  # list the fcontexts

# restorecon -Rv /opt/www
The restorecon command sets default contexts on files and directories, according to policy.

# echo "For selinux test" >test.file
# ls -lZ test.file
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 test.file

# mv test.file /var/www/html/
# ls -lZ /var/www/html/test.file
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /var/www/html/test.file

# restorecon -v /var/www/html/test.file
restorecon reset /var/www/html/test.file context unconfined_u:object_r:user_tmp_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
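Added here as an example, not code from the original notes: a POSIX sh check that splits the user:role:type[:range] context described above and audits ls -lZ output for entries whose type differs from what the policy maps to the directory, which is exactly how a file moved in with mv (still user_tmp_t) shows up before restorecon. The function names ctx_field and audit_types are my own, the sample ls -lZ lines are constructed, and the parser assumes the five-column ls -lZ format shown on this page (no size/date columns).

```shell
#!/bin/sh
# Added example, not from the original notes. Splits a user:role:type[:range]
# context and audits `ls -lZ` lines for entries whose type is not the one the
# policy maps to the directory (e.g. httpd_sys_content_t under /var/www).

# Constructed sample of `ls -lZ /var/www/html` output (page format, no size/date):
# test.file and shares.txt were moved in with mv, so they kept their old labels.
SAMPLE_LS='-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 test.file
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:samba_share_t:s0 shares.txt
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 images'

# ctx_field CONTEXT user|role|type|range -> prints that component of the context.
# The range is taken as "field 4 to end" because it may itself contain ':'
# (e.g. s0-s0:c0.c1023), so a plain split on ':' would cut it in two.
ctx_field() {
    case "$2" in
        user)  printf '%s\n' "$1" | cut -d: -f1 ;;
        role)  printf '%s\n' "$1" | cut -d: -f2 ;;
        type)  printf '%s\n' "$1" | cut -d: -f3 ;;
        range) printf '%s\n' "$1" | cut -d: -f4- ;;
        *)     return 1 ;;
    esac
}

# audit_types EXPECTED_TYPE: reads `ls -lZ` lines on stdin, prints "name<TAB>type"
# for every entry whose type differs from EXPECTED_TYPE; returns 0 only if all match.
audit_types() {
    expected=$1 bad=0
    while read -r mode owner group ctx name; do
        [ -n "$name" ] || continue            # skip blank lines
        t=$(ctx_field "$ctx" type)
        if [ "$t" != "$expected" ]; then
            printf '%s\t%s\n' "$name" "$t"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Demo on the constructed sample; on a real host: ls -lZ /var/www/html | audit_types httpd_sys_content_t
printf '%s\n' "$SAMPLE_LS" | audit_types httpd_sys_content_t \
    || echo "mislabeled entries above: restorecon -Rv /var/www/html resets them to the policy default"
```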

Note: if you change SELinux from disabled to enforcing or permissive mode, the entire filesystem has to be relabeled with restorecon, because no contexts were being set while it was disabled, so a reboot is recommended.

----------------------------------------------------------------------------------------

Temporary Changes: chcon
The chcon command changes the SELinux context for files. However, changes made with the chcon command do not survive a file system relabel, or the execution of the restorecon command. SELinux policy controls whether users are able to modify the SELinux context for any given file. When using chcon, users provide all or part of the SELinux context to change.

Run the chcon -t type file-name command to change the file type, where type is a type, such as httpd_sys_content_t, and file-name is a file or directory name.

Run the chcon -R -t type directory-name command to change the type of the directory and its contents, where type is a type, such as httpd_sys_content_t, and directory-name is a directory name.


Changing a File's or Directory's Type

# ls -Z myfile
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 myfile

#  chcon -t samba_share_t myfile
# ls -lZ myfile
-rw-r--r--. root root unconfined_u:object_r:samba_share_t:s0 myfile

Use the restorecon -v myfile command to restore the SELinux context for the myfile file.
-v shows the change

# restorecon -v myfile

Changing a Directory and its Contents Types
# mkdir /best
# touch /best/note{1,2,3}
# ls -lZ /best
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 note1
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 note2
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 note3

Run the chcon -R -t httpd_sys_content_t /best/ command to change the type of the /best/ directory and its contents.
# chcon -R -t httpd_sys_content_t /best/
# ls -lZ /best
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 note1
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 note2
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 note3

To restore the default SELinux contexts:
# restorecon -R -v /best/
restorecon reset /best context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:default_t:s0
restorecon reset /best/note1 context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:default_t:s0
restorecon reset /best/note2 context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:default_t:s0
restorecon reset /best/note3 context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:default_t:s0
