redhat:base-redhat:selinux-redhat

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
Next revisionBoth sides next revision
redhat:base-redhat:selinux-redhat [2017/08/23 09:37] – [SELinux Access Control] michaelredhat:base-redhat:selinux-redhat [2018/01/09 15:04] – [Verwenden von Setools / Setroubleshoot] michael
Line 6: Line 6:
 **Security-Enhanced Linux (SELinux)** is a mandatory access control (MAC) security mechanism implemented in the kernel. SELinux was first introduced in CentOS 4 and significantly enhanced in later CentOS releases. These enhancements mean that content varies as to how to approach SELinux over time to solve problems. **Security-Enhanced Linux (SELinux)** is a mandatory access control (MAC) security mechanism implemented in the kernel. SELinux was first introduced in CentOS 4 and significantly enhanced in later CentOS releases. These enhancements mean that content varies as to how to approach SELinux over time to solve problems.
  
-<WRAP center box 100%>+ 
 +<WRAP center important 100%>
 ==== Some of the Problems ==== ==== Some of the Problems ====
 In order to better understand why SELinux is important and what it can do for you, it is easiest to look at some examples. Without SELinux enabled, only traditional discretionary access control (DAC) methods such as file permissions or access control lists (ACLs) are used to control the file access of users. Users and programs alike are allowed to grant insecure file permissions to others or, conversely, to gain access to parts of the system that should not otherwise be necessary for normal operation. For example: In order to better understand why SELinux is important and what it can do for you, it is easiest to look at some examples. Without SELinux enabled, only traditional discretionary access control (DAC) methods such as file permissions or access control lists (ACLs) are used to control the file access of users. Users and programs alike are allowed to grant insecure file permissions to others or, conversely, to gain access to parts of the system that should not otherwise be necessary for normal operation. For example:
Line 68: Line 69:
 <WRAP center round important 100%> <WRAP center round important 100%>
 ''**Note:** When switching from Disabled to either Permissive or Enforcing mode, it is highly recommended that the system be rebooted and the filesystem relabeled.'' ''**Note:** When switching from Disabled to either Permissive or Enforcing mode, it is highly recommended that the system be rebooted and the filesystem relabeled.''
 +</WRAP>
 +
 +----
 +
 +<WRAP center box 100%>
 +===== RPM dependencies to manage SELinux =====
 +Throughout this text, we already saw programs such as ''**semanage** from the rpm **policecoreutils-python** package **to manage our SELinux environment**''. If you missed installing it, we will begin this recipe by doing so (skip step 1 if you have already done this before):
 +
 +  - Log in as root and install the following basic toolkit to work with SELinux: <code># yum install policycoreutils-python</code>
 +  - Now, we need some additional tools that will also be needed later in the SELinux Debugging:<code># yum install setools setools-console setroubleshoot*</code>
 +  - Next, install and configure the SELinux manual pages as they are not available by default on CentOS 7, but are important for getting detailed information about specific policies, security contexts, and SELinux Booleans later. First, we need to install another package: <code># yum install policycoreutils-devel</code>
 +  - Afterwards, let's generate all the man pages for all SELinux security context policies currently available on the system, and then update the manual pages database afterwards: <code># sepolicy manpage -a -p /usr/share/man/man8; mandb</code>
 +
 +
 </WRAP> </WRAP>
  
Line 87: Line 102:
 The **targeted** SELinux policy on Redhat/CentOS ships with **4 forms of access control**: The **targeted** SELinux policy on Redhat/CentOS ships with **4 forms of access control**:
  
-  * Type Enforcement (TE): Type Enforcement is the primary mechanism of access control used in the targeted policy +  * <wrap em>Type Enforcement (TE):</wrap> Type Enforcement is the primary mechanism of access control used in the targeted policy 
-  * Role-Based Access Control (RBAC): Based around SELinux users (not necessarily the same as the Linux user), but not used in the default configuration of the targeted policy +  * <wrap em>Role-Based Access Control (RBAC):</wrap> Based around SELinux users (not necessarily the same as the Linux user), but not used in the default configuration of the targeted policy 
-  * Multi-Level Security (MLS): Not commonly used and often hidden in the default targeted policy. +  * <wrap em>Multi-Level Security (MLS):</wrap> Not commonly used and often hidden in the default targeted policy. 
-  * Multi-Category Security(MCS): An extension of Multi-Level Security, used in the targeted policy to implement compartmentalization of virtual machines and containers through sVirt.+  * <wrap em>Multi-Category Security(MCS):</wrap> An extension of Multi-Level Security, used in the targeted policy to implement compartmentalization of virtual machines and containers through sVirt.
  
-All processes and files have an SELinux security contextLet's see these in action by looking at the SELinux security context of the Apache homepage: '/var/www/html/index.html'+''<wrap em>All processes and files have an SELinux security context!</wrap> Let's see these in action by looking at the SELinux security context of the Apache homepage: '/var/www/html/index.html'''
  
 +<WRAP center box 100%>
 +<code>
 +# ls -Z /var/www/html/index.html 
 +</code>
 +<sxh plain; gutter: false;>
 +-rw-r--r--  username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html 
 +</sxh>
 +</WRAP>
  
 +In addition to the standard file permissions and ownership, we can see the SELinux security context fields: ''system_u:object_r:httpd_sys_content_t''.
 +
 +This is based upon user:role:type:mls. In our example above, user:role:type fields are displayed and mls is hidden. Within the default targeted policy, type is the important field used to implement Type Enforcement, in this case ''httpd_sys_content_t''.
 +
 +Now consider the SELinux security context of the Apache web server process: 'httpd'
 +
 +<WRAP center box 100%>
 +<code>
 +# ps axZ | grep httpd
 +</code>
 +<sxh plain; gutter: false;>
 +system_u:system_r:httpd_t        3234 ?        Ss     0:00 /usr/sbin/httpd
 +</sxh>
 +</WRAP>
 +
 +Here we see the from the type field that Apache is running under the ''httpd_t'' type domain.
 +
 +Finally, let's look at the SELinux security context of a file in our home directory:
 +
 +<WRAP center box 100%>
 +<code>
 +# ls -Z /home/username/myfile.txt 
 +</code>
 +<sxh plain; gutter: false;>
 +-rw-r--r--  username username user_u:object_r:user_home_t      /home/username/myfile.txt
 +</sxh>
 +</WRAP>
 +
 +here we see the type is user_home_t, the default type for files in a user's home directory.
 +
 +Access is only allowed between similar types, so Apache running as httpd_t can read /var/www/html/index.html of type httpd_sys_content_t. Because Apache runs in the httpd_t domain and does not have the userid:username, it can not access **/home/username/myfile.txt** even though this file is world readable because **/home/username/myfile.txt** SELinux security context is not of type httpd_t. If Apache were to be exploited, assuming for the sake of this example that the **root** account right needed to effect a SELinux re-labeling into another context were not obtained, it would not be able to start any process not in the httpd_t domain (which prevents escalation of privileges) or access any file not in an httpd_t related domain.
 +
 +
 +==== Role-Based Access Control (RBAC) ====
 +
 +Although the default configuration of the targeted policy is to use unconfined logins, the administrator can quite easily switch to the **Role-Based Access Control** model. This model also switches to 'strict' mode for user domains, to allow targeting each program individually. To enable this, use **semanage-login** to add a login mapping for your user.
 +
 +FIXME
 +====  Multi-Category Security (MCS) ====
  
  
Line 100: Line 162:
  
 https://wiki.centos.org/HowTos/SELinux https://wiki.centos.org/HowTos/SELinux
 +
 +
 +
 +
 +
 +----
 +
 +
 +===== SELinux Troubleshooting =====
 +Um SELinux denied Meldungen ausfindig zu machen, mach man am einfachsten ein "cat" auf das SELinux audit.log mit der Kombination von "grep". Beispiel:
 +
 +<WRAP center box 100%>
 +<code># cat /var/log/audit/audit.log | grep avc</code>
 +
 +<sxh plain; gutter: false>
 +type=AVC msg=audit(1505717571.241:949): avc:  denied  { name_connect } for  pid=1217 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 +type=AVC msg=audit(1505717571.241:950): avc:  denied  { name_connect } for  pid=1217 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 +type=AVC msg=audit(1505717571.250:951): avc:  denied  { name_connect } for  pid=1217 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 +type=AVC msg=audit(1505717571.250:952): avc:  denied  { name_connect } for  pid=1217 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 +type=AVC msg=audit(1505717573.862:953): avc:  denied  { name_connect } for  pid=1217 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 +type=AVC msg=audit(1505717573.862:954): avc:  denied  { name_connect } for  pid=1217 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 +type=AVC msg=audit(1505717573.863:955): avc:  denied  { name_connect } for  pid=1217 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 +type=AVC msg=audit(1505717573.863:956): avc:  denied  { name_connect } for  pid=1217 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 +type=AVC msg=audit(1505717592.480:962): avc:  denied  { name_connect } for  pid=1217 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 +type=AVC msg=audit(1505717592.480:963): avc:  denied  { name_connect } for  pid=1217 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 +type=AVC msg=audit(1505717592.481:964): avc:  denied  { name_connect } for  pid=1217 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 +type=AVC msg=audit(1505717592.481:965): avc:  denied  { name_connect } for  pid=1217 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 +type=AVC msg=audit(1505717672.128:996): avc:  denied  { name_connect } for  pid=1217 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 +type=USER_AVC msg=audit(1505717701.127:1000): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
 +type=AVC msg=audit(1505717714.165:1003): avc:  denied  { name_connect } for  pid=1217 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 +</sxh>
 +
 +</WRAP>
 +
 +Wenn man nun jedoch vor komplizierteren SELinux Problemen steht, empfielt es sich mit den Setools für SELinux zu arbeiten.
 +
 +==== Verwenden von Setools / Setroubleshoot ====
 +
 +  * Installation von den Troubleshoot Packages //(Falls nicht schon vorhanden)//: <code># yum install setroubleshoot setools -y</code>
 +  * Um nun die Fehler aus unserem Audit.log automatisiert auszuwerten folgenden Befehl ausführen: <WRAP center box 100%>
 +<code># sealert -a /var/log/audit/audit.log</code>
 +Jeder hier generierte Report, beschreibt zuerst den Fehler, und erklärt danach möglichst genau, wie das Problem behoben werden kann. Ausgabe des Befehls:
 +
 +<sxh plain; gutter: false>
 +[root@admin-server ~]# sealert -a /var/log/audit/audit.log
 +100% done
 +found 1 alerts in /var/log/audit/audit.log
 +--------------------------------------------------------------------------------
 +
 +SELinux is preventing /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.141-1.b16.el7_3.x86_64/jre/bin/java (deleted) from name_connect access on the tcp_socket port 3306.
 +
 +*****  Plugin catchall (100. confidence) suggests   **************************
 +
 +If you believe that java (deleted) should be allowed name_connect access on the port 3306 tcp_socket by default.
 +Then you should report this as a bug.
 +You can generate a local policy module to allow this access.
 +Do
 +allow this access for now by executing:
 +# ausearch -c 'java' --raw | audit2allow -M my-java
 +# semodule -i my-java.pp
 +
 +
 +Additional Information:
 +Source Context                system_u:system_r:tomcat_t:s0
 +Target Context                system_u:object_r:mysqld_port_t:s0
 +Target Objects                port 3306 [ tcp_socket ]
 +Source                        java
 +Source Path                   /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.141-1.b16.el
 +                              7_3.x86_64/jre/bin/java (deleted)
 +Port                          3306
 +Host                          <Unknown>
 +Source RPM Packages           java-1.8.0-openjdk-
 +                              headless-1.8.0.144-0.b01.el7_4.x86_64
 +Target RPM Packages
 +Policy RPM                    selinux-policy-3.13.1-166.el7_4.4.noarch
 +Selinux Enabled               True
 +Policy Type                   targeted
 +Enforcing Mode                Permissive
 +Host Name                     admin-server.blacknet
 +Platform                      Linux admin-server.blacknet
 +                              3.10.0-693.2.2.el7.x86_64 #1 SMP Tue Sep 12
 +                              22:26:13 UTC 2017 x86_64 x86_64
 +Alert Count                   16
 +First Seen                    2017-09-17 13:33:21 CEST
 +Last Seen                     2017-09-18 08:55:14 CEST
 +Local ID                      42523e63-a9ef-438e-8a07-7e8d128d669b
 +
 +Raw Audit Messages
 +type=AVC msg=audit(1505717714.165:1003): avc:  denied  { name_connect } for  pid=1217 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 +
 +
 +type=SYSCALL msg=audit(1505717714.165:1003): arch=x86_64 syscall=connect success=yes exit=0 a0=77 a1=7f4cb79f6380 a2=1c a3=504 items=0 ppid=1 pid=1217 auid=4294967295 uid=91 gid=91 euid=91 suid=91 fsuid=91 egid=91 sgid=91 fsgid=91 tty=(none) ses=4294967295 comm=java exe=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/bin/java subj=system_u:system_r:tomcat_t:s0 key=(null)
 +
 +Hash: java,tomcat_t,mysqld_port_t,tcp_socket,name_connect
 +
 +</sxh>
 +</WRAP>
 +
 +  * Wie oben ersichtlich, wird zu unserem Problem eine **Lösung durch Eingabe von folgenden zwei Befehlen** empfohlen: <WRAP center box 100%>
 +<code>
 +# ausearch -c 'java' --raw | audit2allow -M guacamole-java
 +# semodule -i guacamole-java.pp
 +</code>
 +
 +  * ''**Der erste Befehl, erstellt im aktuellen Verzeichnis eine neue SELinux Regel** im ***.te Format (Text)** und **kompiliert** sie anschliessend in ein ***.pp Format.** //(Der in der Ausgabe verwendete Namen "my-java" kann beliebig festgelet werden! z.B. wie bei mir: guacamole-java)//''
 +  * ''<wrap em>Mit dem zweiten Befehl, wird die Regel dann permanent aktiviert!</wrap>''
 +
 +</WRAP>
 +
 +
 +  * http://www.serverlab.ca/tutorials/linux/administration-linux/troubleshooting-selinux-centos-red-hat/
 +  * https://serverfault.com/questions/321301/how-do-i-view-the-contents-of-a-selinux-policy-package
 +  * https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-sel-building-policy-module.html
 +  * https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html
 +
 +
 +
 +----
 +
 +===== Redhat Dokumentation zum Thema =====
 +
 +<WRAP center round download 80%>
 +''{{ :redhat:base-redhat:red_hat_enterprise_linux-7-selinux_users_and_administrators_guide-en-us.pdf |}}''
 +</WRAP>
 +
 +
 +
  • redhat/base-redhat/selinux-redhat.txt
  • Last modified: 2018/05/08 11:22
  • by michael