Differences
This shows you the differences between two versions of the page.
redhat:base-redhat:selinux-redhat [2017/08/23 09:37] – [SELinux Access Control] michael | redhat:base-redhat:selinux-redhat [2017/11/08 15:00] – michael | ||
---|---|---|---|
Line 6: | Line 6: | ||
**Security-Enhanced Linux (SELinux)** is a mandatory access control (MAC) security mechanism implemented in the kernel. SELinux was first introduced in CentOS 4 and significantly enhanced in later CentOS releases. These enhancements mean that content varies as to how to approach SELinux over time to solve problems. | **Security-Enhanced Linux (SELinux)** is a mandatory access control (MAC) security mechanism implemented in the kernel. SELinux was first introduced in CentOS 4 and significantly enhanced in later CentOS releases. These enhancements mean that content varies as to how to approach SELinux over time to solve problems. | ||
- | <WRAP center | + | |
+ | <WRAP center | ||
==== Some of the Problems ==== | ==== Some of the Problems ==== | ||
In order to better understand why SELinux is important and what it can do for you, it is easiest to look at some examples. Without SELinux enabled, only traditional discretionary access control (DAC) methods such as file permissions or access control lists (ACLs) are used to control the file access of users. Users and programs alike are allowed to grant insecure file permissions to others or, conversely, to gain access to parts of the system that should not otherwise be necessary for normal operation. For example: | In order to better understand why SELinux is important and what it can do for you, it is easiest to look at some examples. Without SELinux enabled, only traditional discretionary access control (DAC) methods such as file permissions or access control lists (ACLs) are used to control the file access of users. Users and programs alike are allowed to grant insecure file permissions to others or, conversely, to gain access to parts of the system that should not otherwise be necessary for normal operation. For example: | ||
Line 68: | Line 69: | ||
<WRAP center round important 100%> | <WRAP center round important 100%> | ||
'' | '' | ||
+ | </ | ||
+ | |||
+ | ---- | ||
+ | |||
+ | <WRAP center box 100%> | ||
+ | ===== RPM dependencies to manage SELinux ===== | ||
+ | Throughout this text, we already saw programs such as '' | ||
+ | |||
+ | - Log in as root and install the following basic toolkit to work with SELinux: < | ||
+ | - Now, we need some additional tools that will also be needed later in the SELinux Debugging:< | ||
+ | - Next, install and configure the SELinux manual pages as they are not available by default on CentOS 7, but are important for getting detailed information about specific policies, security contexts, and SELinux Booleans later. First, we need to install another package: < | ||
+ | - Afterwards, let's generate all the man pages for all SELinux security context policies currently available on the system, and then update the manual pages database afterwards: < | ||
+ | |||
+ | |||
</ | </ | ||
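Review bot: step 2 of the new "RPM dependencies to manage SELinux" list sends the reader to "the SELinux Debugging" for where the additional tools are used, but the section this revision adds further down is headed "SELinux Troubleshooting"; the cross-reference should use the actual heading (or a wiki link to it) so the forward reference resolves. Step 3 also bundles two actions, installing the extra package and then configuring the man pages, while the generation and database update are described again in step 4; splitting step 3 into "install the package" and letting step 4 carry the generation and the database refresh would keep one action per numbered step, matching steps 1 and 2.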
Line 87: | Line 102: | ||
The **targeted** SELinux policy on Redhat/ | The **targeted** SELinux policy on Redhat/ | ||
- | * Type Enforcement (TE): Type Enforcement is the primary mechanism of access control used in the targeted policy | + | * <wrap em>Type Enforcement (TE):</ |
- | * Role-Based Access Control (RBAC): Based around SELinux users (not necessarily the same as the Linux user), but not used in the default configuration of the targeted policy | + | * <wrap em>Role-Based Access Control (RBAC):</ |
- | * Multi-Level Security (MLS): Not commonly used and often hidden in the default targeted policy. | + | * <wrap em>Multi-Level Security (MLS):</ |
- | * Multi-Category Security(MCS): | + | * <wrap em>Multi-Category Security(MCS): |
- | All processes and files have an SELinux security context. Let's see these in action by looking at the SELinux security context of the Apache homepage: '/ | + | ''< |
+ | <WRAP center box 100%> | ||
+ | < | ||
+ | # ls -Z / | ||
+ | </ | ||
+ | <sxh plain; gutter: false;> | ||
+ | -rw-r--r-- | ||
+ | </ | ||
+ | </ | ||
+ | In addition to the standard file permissions and ownership, we can see the SELinux security context fields: '' | ||
+ | |||
+ | This is based upon user: | ||
+ | |||
+ | Now consider the SELinux security context of the Apache web server process: ' | ||
+ | |||
+ | <WRAP center box 100%> | ||
+ | < | ||
+ | # ps axZ | grep httpd | ||
+ | </ | ||
+ | <sxh plain; gutter: false;> | ||
+ | system_u: | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | Here we see the from the type field that Apache is running under the '' | ||
+ | |||
+ | Finally, let's look at the SELinux security context of a file in our home directory: | ||
+ | |||
+ | <WRAP center box 100%> | ||
+ | < | ||
+ | # ls -Z / | ||
+ | </ | ||
+ | <sxh plain; gutter: false;> | ||
+ | -rw-r--r-- | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | here we see the type is user_home_t, | ||
+ | |||
+ | Access is only allowed between similar types, so Apache running as httpd_t can read / | ||
+ | |||
+ | |||
+ | ==== Role-Based Access Control (RBAC) ==== | ||
+ | |||
+ | Although the default configuration of the targeted policy is to use unconfined logins, the administrator can quite easily switch to the **Role-Based Access Control** model. This model also switches to ' | ||
+ | |||
+ | FIXME | ||
+ | ==== Multi-Category Security (MCS) ==== | ||
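Review bot: the sentence "Access is only allowed between similar types, so Apache running as httpd_t can read ..." understates how Type Enforcement decides: access is granted only where the loaded policy contains an allow rule from the source domain (httpd_t) to the target type for that object class and permission; the Apache homepage is readable because such a rule exists for its type, not because the type names look alike. Wording such as "only where the policy has an allow rule from the process domain to the file type" would make the example precise and explains directly why the user_home_t file from the next listing is denied. Smaller points in the same hunk: "Here we see the from the type field" should read "Here we see from the type field"; "here we see the type is user_home_t" should start with a capital letter and put user_home_t in the same '' code markup used for the other contexts; and the Role-Based Access Control subsection currently consists of its heading and a FIXME marker only, so the section should either be filled in before this revision is published or the heading should be held back until the text exists.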
Line 100: | Line 162: | ||
https:// | https:// | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | ---- | ||
+ | |||
+ | |||
+ | ===== SELinux Troubleshooting ===== | ||
+ | Um SELinux denied Meldungen ausfindig zu machen, mach man am einfachsten ein " | ||
+ | |||
+ | <WRAP center box 100%> | ||
+ | < | ||
+ | |||
+ | <sxh plain; gutter: false> | ||
+ | type=AVC msg=audit(1505717571.241: | ||
+ | type=AVC msg=audit(1505717571.241: | ||
+ | type=AVC msg=audit(1505717571.250: | ||
+ | type=AVC msg=audit(1505717571.250: | ||
+ | type=AVC msg=audit(1505717573.862: | ||
+ | type=AVC msg=audit(1505717573.862: | ||
+ | type=AVC msg=audit(1505717573.863: | ||
+ | type=AVC msg=audit(1505717573.863: | ||
+ | type=AVC msg=audit(1505717592.480: | ||
+ | type=AVC msg=audit(1505717592.480: | ||
+ | type=AVC msg=audit(1505717592.481: | ||
+ | type=AVC msg=audit(1505717592.481: | ||
+ | type=AVC msg=audit(1505717672.128: | ||
+ | type=USER_AVC msg=audit(1505717701.127: | ||
+ | type=AVC msg=audit(1505717714.165: | ||
+ | </ | ||
+ | |||
+ | </ | ||
+ | |||
+ | Wenn man nun jedoch vor komplizierteren SELinux Problemen steht, empfielt es sich mit den Setools für SELinux zu arbeiten. | ||
+ | |||
+ | ==== Verwenden von Setools / Setroubleshoot ==== | ||
+ | |||
+ | * Installation von den Troubleshoot Packages //(Falls nicht schon vorhanden)//: | ||
+ | * Um nun die Fehler aus unserem Audit.log automatisiert auszuwerten folgenden Befehl ausführen: <WRAP center box 100%> | ||
+ | < | ||
+ | Jeder hier generierte Report, beschreibt zuerst den Fehler, und erklärt danach möglichst genau, wie das Problem behoben werden kann. Ausgabe des Befehls: | ||
+ | |||
+ | <sxh plain; gutter: false> | ||
+ | [root@admin-server ~]# sealert -a / | ||
+ | 100% done | ||
+ | found 1 alerts in / | ||
+ | -------------------------------------------------------------------------------- | ||
+ | |||
+ | SELinux is preventing / | ||
+ | |||
+ | ***** Plugin catchall (100. confidence) suggests | ||
+ | |||
+ | If you believe that java (deleted) should be allowed name_connect access on the port 3306 tcp_socket by default. | ||
+ | Then you should report this as a bug. | ||
+ | You can generate a local policy module to allow this access. | ||
+ | Do | ||
+ | allow this access for now by executing: | ||
+ | # ausearch -c ' | ||
+ | # semodule -i my-java.pp | ||
+ | |||
+ | |||
+ | Additional Information: | ||
+ | Source Context | ||
+ | Target Context | ||
+ | Target Objects | ||
+ | Source | ||
+ | Source Path / | ||
+ | 7_3.x86_64/ | ||
+ | Port 3306 | ||
+ | Host < | ||
+ | Source RPM Packages | ||
+ | headless-1.8.0.144-0.b01.el7_4.x86_64 | ||
+ | Target RPM Packages | ||
+ | Policy RPM selinux-policy-3.13.1-166.el7_4.4.noarch | ||
+ | Selinux Enabled | ||
+ | Policy Type | ||
+ | Enforcing Mode Permissive | ||
+ | Host Name | ||
+ | Platform | ||
+ | 3.10.0-693.2.2.el7.x86_64 #1 SMP Tue Sep 12 | ||
+ | 22:26:13 UTC 2017 x86_64 x86_64 | ||
+ | Alert Count 16 | ||
+ | First Seen 2017-09-17 13:33:21 CEST | ||
+ | Last Seen | ||
+ | Local ID 42523e63-a9ef-438e-8a07-7e8d128d669b | ||
+ | |||
+ | Raw Audit Messages | ||
+ | type=AVC msg=audit(1505717714.165: | ||
+ | |||
+ | |||
+ | type=SYSCALL msg=audit(1505717714.165: | ||
+ | |||
+ | Hash: java, | ||
+ | |||
+ | </ | ||
+ | |||
+ | '' | ||
+ | < | ||
+ | # ausearch -c ' | ||
+ | # semodule -i my-java.pp | ||
+ | </ | ||
+ | |||
+ | * '' | ||
+ | * ''< | ||
+ | |||
+ | |||
+ | </ | ||
+ | |||
+ | |||
+ | * http:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | |||
+ | |||
+ | |||
+ | ---- | ||
+ | |||
+ | ===== Redhat Dokumentation zum Thema ===== | ||
+ | |||
+ | <WRAP center round download 80%> | ||
+ | '' | ||
+ | </ | ||
+ | |||
+ | |||
+ |
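Review bot: the Troubleshooting material added in this hunk (from "===== SELinux Troubleshooting =====" through "===== Redhat Dokumentation zum Thema =====") is written in German while the rest of the page is English, so the page should settle on one language; within the German text, "mach man am einfachsten" should read "macht man am einfachsten" and "empfielt" should be "empfiehlt". On content, the lines after the sealert listing repeat the report's own suggestion (the ausearch -c pipeline that builds my-java.pp, followed by semodule -i my-java.pp) as the fix, but the listing itself says the suggestion comes from the catchall plugin, which is what sealert falls back to when no specific plugin recognised the denial, and a module generated from the raw AVC records allows exactly the denied operations (here java name_connect to TCP port 3306). The text should state that the generated policy source is to be read before semodule -i is run, and that a network denial like this is first checked against existing booleans and port labels before a custom module is installed; the listing also shows "Enforcing Mode Permissive", which is worth pointing out to the reader because in permissive mode the denial is only logged and the connection still succeeds, so the alert count of 16 does not mean 16 failed connections.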