Differences
redhat:base-redhat:selinux-redhat [2017/09/06 17:18] – [Multi-Category Security (MCS)] michael | redhat:base-redhat:selinux-redhat [2018/05/08 11:14] – [Role-Based Access Control (RBAC)] michael | ||
Line 4: | Line 4: | ||
===== Introduction ===== | ===== Introduction ===== | ||
- | **Security-Enhanced Linux (SELinux)** | + | **Security-Enhanced Linux (SELinux)** |
- | <WRAP center | + | |
+ | <WRAP center | ||
==== Some of the Problems ==== | ==== Some of the Problems ==== | ||
In order to better understand why SELinux is important and what it can do for you, it is easiest to look at some examples. Without SELinux enabled, only traditional discretionary access control (DAC) methods such as file permissions or access control lists (ACLs) are used to control the file access of users. Users and programs alike are allowed to grant insecure file permissions to others or, conversely, to gain access to parts of the system that should not otherwise be necessary for normal operation. For example: | In order to better understand why SELinux is important and what it can do for you, it is easiest to look at some examples. Without SELinux enabled, only traditional discretionary access control (DAC) methods such as file permissions or access control lists (ACLs) are used to control the file access of users. Users and programs alike are allowed to grant insecure file permissions to others or, conversely, to gain access to parts of the system that should not otherwise be necessary for normal operation. For example: | ||
- | * Administrators have no way to control users: A user could set world readable permissions on sensitive files such as ssh keys and the directory containing such keys, customarily: | + | * '' |
- | * Processes can change security properties: A user's mail files should be readable only by that user, but the mail client software has the ability to change them to be world readable | + | * '' |
- | * Processes inherit user's rights: Firefox, if compromised by a **trojaned** version, could read a user's private ssh keys even though it has no reason to do so. | + | * '' |
Essentially under the traditional DAC model, there are two privilege levels, root and user, and no easy way to enforce a model of least-privilege. Many processes that are launched by root later drop their rights to run as a restricted user and some processes may be run in a chroot jail but all of these security methods are discretionary. | Essentially under the traditional DAC model, there are two privilege levels, root and user, and no easy way to enforce a model of least-privilege. Many processes that are launched by root later drop their rights to run as a restricted user and some processes may be run in a chroot jail but all of these security methods are discretionary. | ||
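Review bot: the three DAC-problem bullets now open with a monospace label but the rest of each item is cut off at the label in this revision, so the scenarios that made the point concrete in the previous wording (a user setting world-readable permissions on ~/.ssh and its keys, a mail client making a user's mail world-readable, a trojaned Firefox reading private SSH keys it has no reason to touch) must be restored after each label; without them the Introduction just lists headings. The unchanged summary sentence ("two privilege levels, root and user") is also an oversimplification worth a short qualifier: the point being made is that DAC has no way to express least privilege per program, not that Linux has literally two levels.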
Line 68: | Line 69: | ||
<WRAP center round important 100%> | <WRAP center round important 100%> | ||
'' | '' | ||
+ | </ | ||
+ | |||
+ | ---- | ||
+ | |||
+ | <WRAP center box 100%> | ||
+ | ===== RPM dependencies to manage SELinux ===== | ||
+ | Throughout this text, we already saw programs such as '' | ||
+ | |||
+ | - Log in as root and install the following basic toolkit to work with SELinux: < | ||
+ | - Now, we need some additional tools that will also be needed later in the SELinux Debugging:< | ||
+ | - Next, install and configure the SELinux manual pages as they are not available by default on CentOS 7, but are important for getting detailed information about specific policies, security contexts, and SELinux Booleans later. First, we need to install another package: < | ||
+ | - Afterwards, let's generate all the man pages for all SELinux security context policies currently available on the system, and then update the manual pages database afterwards: < | ||
+ | |||
+ | |||
</ | </ | ||
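Review bot: every one of the four numbered steps in the new "RPM dependencies" section ends at an opening `<` with the package names and commands missing, so a reader cannot follow the procedure; fill in the code blocks. On CentOS 7 the tools named elsewhere on this page come from `policycoreutils-python` (semanage, audit2allow, sepolicy), `setools-console` (sesearch, seinfo used in the RBAC section) and `setroubleshoot-server` (sealert used in the troubleshooting section); the man-page step needs `policycoreutils-devel`, after which `sepolicy manpage -a -p /usr/share/man/man8` generates the per-domain pages and `mandb` updates the index so `man httpd_selinux` and friends resolve. State explicitly that step 4 can take several minutes and that the generated pages are only as current as the installed selinux-policy package, so they should be regenerated after a policy update.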
Line 87: | Line 102: | ||
The **targeted** SELinux policy on Redhat/ | The **targeted** SELinux policy on Redhat/ | ||
- | * <wrap em>Type Enforcement (TE):</ | + | * '' |
- | * <wrap em> | + | * '' |
- | * <wrap em> | + | * '' |
- | * <wrap em> | + | * '' |
''< | ''< | ||
Line 133: | Line 148: | ||
here we see the type is user_home_t, | here we see the type is user_home_t, | ||
- | Access is only allowed between similar types, so Apache running as httpd_t can read / | + | Access is only allowed between similar types, so Apache running as '' |
Line 140: | Line 155: | ||
Although the default configuration of the targeted policy is to use unconfined logins, the administrator can quite easily switch to the **Role-Based Access Control** model. This model also switches to ' | Although the default configuration of the targeted policy is to use unconfined logins, the administrator can quite easily switch to the **Role-Based Access Control** model. This model also switches to ' | ||
- | FIXME | + | < |
+ | # semanage login -a -s " | ||
+ | </ | ||
+ | |||
+ | The semanage-login command maps a Linux username to an SELinux user named " | ||
+ | |||
+ | < | ||
+ | # sudo -r sysadm_r -i | ||
+ | </ | ||
+ | |||
+ | This can be automated by adding a configuration file under / | ||
+ | |||
+ | <sxh plain; gutter: false;> | ||
+ | %wheel | ||
+ | </ | ||
+ | |||
+ | It is still possible to login as an unconfined user or switch to the unconfined role via **newrole**, | ||
+ | |||
+ | < | ||
+ | # semanage user -a -R " | ||
+ | </ | ||
+ | |||
+ | Then substituting staff_u for my_staff_u in the semanage-login command. Now attempting to switch to the unconfined_r role will result in an **AVC** and **SELINUX_ERR** message. If the admin wishes to remove the ability to login as an unconfined user completely, they should remap the __default__ login to a more suitable SELinux user, again using semanage-login. | ||
+ | |||
+ | < | ||
+ | # semanage login -m -s " | ||
+ | </ | ||
+ | |||
+ | If a user wishes to login as a role other than their default it is up to the login program to provide this functionality. SSH allows logging in with an alternative SELinux role by specifying it as part of the login identifier (e.g., as a staff user logging in as unconfined_r). | ||
+ | |||
+ | < | ||
+ | # ssh < | ||
+ | </ | ||
+ | |||
+ | The strict model that comes with Role-Based Access Control isn't perfect from a perspective of least privilege; running a quick search using policy analysis tools we can see that several confined programs can still read a users private SSH keys. | ||
+ | |||
+ | <WRAP center box 100%> | ||
+ | < | ||
+ | # sesearch -ACS -t ssh_home_t -c file -p read | ||
+ | </ | ||
+ | |||
+ | <sxh plain; gutter: false;> | ||
+ | Found 132 semantic av rules: | ||
+ | allow snapperd_t file_type : file { ioctl read getattr lock open } ; | ||
+ | allow oddjob_mkhomedir_t user_home_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ; | ||
+ | allow mplayer_t non_security_file_type : file { ioctl read getattr lock open } ; | ||
+ | allow sendmail_t user_home_type : file { ioctl read getattr lock open } ; | ||
+ | allow systemd_tmpfiles_t non_auth_file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ; | ||
+ | allow login_pgm ssh_home_t : file { ioctl read getattr lock open } ; | ||
+ | allow ssh_keygen_t ssh_home_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; | ||
+ | allow colord_t user_home_type : file { read getattr } ; | ||
+ | ... snip ... | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | '' | ||
+ | |||
+ | Beyond the strict model, Role-Based Access Control also provides a mechanism for limiting the scope of what a user can do when they use **sudo** to switch to root. It is often desirable to enforce least privilege on users with specific roles like DBAs or auditors and the targeted policy includes several user roles for purposes like those, with documentation in their respective manual pages as mentioned in Policy Documentation. | ||
+ | |||
+ | <WRAP center box 100%> | ||
+ | < | ||
+ | # seinfo -r | ||
+ | </ | ||
+ | <sxh plain; gutter: false;> | ||
+ | Roles: 14 | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | To map a user to one of these admin roles, the same semanage-user command is used as before to create a new SELinux user associated with the desired roles, and then semanage-login to associate the Linux login with the SELinux user. If the user should also be able to start system daemons they administrate from their user domain (i.e., to start mysql as dbadm_r for debugging from a shell) the system_r role should be included in their list of associated roles. | ||
+ | |||
+ | < | ||
+ | # semanage user -a -R " | ||
+ | # semanage login -a -s " | ||
+ | </ | ||
==== Multi-Category Security (MCS) ==== | ==== Multi-Category Security (MCS) ==== | ||
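Review bot: the step that remaps `__default__` to a confined SELinux user with `semanage login -m -s ... __default__` needs a warning before it: in enforcing mode, if the administrator's own login is not already mapped to a user that carries sysadm_r (and the sudoers ROLE/TYPE line has not been verified in a second session), root becomes unreachable and recovery means booting permissive or editing the mapping from a rescue environment; the same applies to removing unconfined_r from the role list. Separately, the command lines that carry this section are cut off at the first quote character in this revision, so the reader never sees the actual arguments: the sudoers entry should read `%wheel ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t ALL`, the role-restricted user is created with `semanage user -a -R "<role list without unconfined_r>" my_staff_u`, and the SSH role selection described in the prose is the `ssh user/role@host` form (for example `user/unconfined_r@host`). Also mention that `newrole` lives in the separate policycoreutils-newrole package, and that in the sesearch output the `login_pgm` rule on ssh_home_t is expected (sshd must read authorized_keys); the rules that actually undercut least privilege are the ones granted through broad attributes such as file_type (snapperd_t), non_security_file_type (mplayer_t) and user_home_type (sendmail_t, colord_t).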
Line 147: | Line 249: | ||
https:// | https:// | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | ---- | ||
+ | |||
+ | |||
+ | ===== SELinux Troubleshooting ===== | ||
+ | Um SELinux denied Meldungen ausfindig zu machen, mach man am einfachsten ein " | ||
+ | |||
+ | <WRAP center box 100%> | ||
+ | < | ||
+ | |||
+ | <sxh plain; gutter: false> | ||
+ | type=AVC msg=audit(1505717571.241: | ||
+ | type=AVC msg=audit(1505717571.241: | ||
+ | type=AVC msg=audit(1505717571.250: | ||
+ | type=AVC msg=audit(1505717571.250: | ||
+ | type=AVC msg=audit(1505717573.862: | ||
+ | type=AVC msg=audit(1505717573.862: | ||
+ | type=AVC msg=audit(1505717573.863: | ||
+ | type=AVC msg=audit(1505717573.863: | ||
+ | type=AVC msg=audit(1505717592.480: | ||
+ | type=AVC msg=audit(1505717592.480: | ||
+ | type=AVC msg=audit(1505717592.481: | ||
+ | type=AVC msg=audit(1505717592.481: | ||
+ | type=AVC msg=audit(1505717672.128: | ||
+ | type=USER_AVC msg=audit(1505717701.127: | ||
+ | type=AVC msg=audit(1505717714.165: | ||
+ | </ | ||
+ | |||
+ | </ | ||
+ | |||
+ | Wenn man nun jedoch vor komplizierteren SELinux Problemen steht, empfielt es sich mit den Setools für SELinux zu arbeiten. | ||
+ | |||
+ | ==== Verwenden von Setools / Setroubleshoot ==== | ||
+ | |||
+ | * Installation von den Troubleshoot Packages //(Falls nicht schon vorhanden)//: | ||
+ | * Um nun die Fehler aus unserem Audit.log automatisiert auszuwerten folgenden Befehl ausführen: <WRAP center box 100%> | ||
+ | < | ||
+ | Jeder hier generierte Report, beschreibt zuerst den Fehler, und erklärt danach möglichst genau, wie das Problem behoben werden kann. Ausgabe des Befehls: | ||
+ | |||
+ | <sxh plain; gutter: false> | ||
+ | [root@admin-server ~]# sealert -a / | ||
+ | 100% done | ||
+ | found 1 alerts in / | ||
+ | -------------------------------------------------------------------------------- | ||
+ | |||
+ | SELinux is preventing / | ||
+ | |||
+ | ***** Plugin catchall (100. confidence) suggests | ||
+ | |||
+ | If you believe that java (deleted) should be allowed name_connect access on the port 3306 tcp_socket by default. | ||
+ | Then you should report this as a bug. | ||
+ | You can generate a local policy module to allow this access. | ||
+ | Do | ||
+ | allow this access for now by executing: | ||
+ | # ausearch -c ' | ||
+ | # semodule -i my-java.pp | ||
+ | |||
+ | |||
+ | Additional Information: | ||
+ | Source Context | ||
+ | Target Context | ||
+ | Target Objects | ||
+ | Source | ||
+ | Source Path / | ||
+ | 7_3.x86_64/ | ||
+ | Port 3306 | ||
+ | Host < | ||
+ | Source RPM Packages | ||
+ | headless-1.8.0.144-0.b01.el7_4.x86_64 | ||
+ | Target RPM Packages | ||
+ | Policy RPM selinux-policy-3.13.1-166.el7_4.4.noarch | ||
+ | Selinux Enabled | ||
+ | Policy Type | ||
+ | Enforcing Mode Permissive | ||
+ | Host Name | ||
+ | Platform | ||
+ | 3.10.0-693.2.2.el7.x86_64 #1 SMP Tue Sep 12 | ||
+ | 22:26:13 UTC 2017 x86_64 x86_64 | ||
+ | Alert Count 16 | ||
+ | First Seen 2017-09-17 13:33:21 CEST | ||
+ | Last Seen | ||
+ | Local ID 42523e63-a9ef-438e-8a07-7e8d128d669b | ||
+ | |||
+ | Raw Audit Messages | ||
+ | type=AVC msg=audit(1505717714.165: | ||
+ | |||
+ | |||
+ | type=SYSCALL msg=audit(1505717714.165: | ||
+ | |||
+ | Hash: java, | ||
+ | |||
+ | </ | ||
+ | </ | ||
+ | |||
+ | * Wie oben ersichtlich, | ||
+ | < | ||
+ | # ausearch -c ' | ||
+ | # semodule -i guacamole-java.pp | ||
+ | </ | ||
+ | |||
+ | * '' | ||
+ | * ''< | ||
+ | |||
+ | </ | ||
+ | |||
+ | |||
+ | * http:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | |||
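Review bot: the sealert report shows `Enforcing Mode Permissive` and a source of `java (deleted)` whose path is under `...7_3.x86_64/` while the source RPM is `java-1.8.0-openjdk-headless-1.8.0.144-0.b01.el7_4.x86_64`, so the running JVM was started from a binary that an update has since replaced; the guidance should say to restart the service and reproduce the denial before building a policy module, and to note that in permissive mode the 16 alerts were logged but never actually blocked the connection to port 3306, which is why the application kept working. The proposed `ausearch -c 'java' --raw | audit2allow -M guacamole-java` followed by `semodule -i guacamole-java.pp` allows every access logged for that comm, not just this one; tell the reader to inspect the generated `guacamole-java.te` first and to check `getsebool -a` for an existing boolean covering TCP connects to mysqld_port_t (port 3306) before installing a custom module, since a boolean is easier to audit and survives policy upgrades. Finally, this section and its sub-heading are in German while the rest of the page is English; translate it (for example "Verwenden von Setools / Setroubleshoot" as "Using Setools / Setroubleshoot", and the opening sentence as "The simplest way to find SELinux denials is to grep the audit log for denied messages").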