SELinux
==Background==
* Security Enhanced Linux
* SELinux answers the question "May {subject} do {action} to {object}?"
* Steps beyond traditional UNIX file permissions
** A.k.a. Discretionary Access Control (DAC): the standard access policy based on user, group and other permissions
** Does not enable fine-grained security policies
* SELinux implements Mandatory Access Control (MAC)
** MAC rules are checked only after DAC. This is why a denial might not show up in the audit log: if DAC already refused the access, SELinux is never consulted and no AVC message is written.
* Every process and system resource has a special security label called an SELinux context.

==References==
* [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/index SELinux Users and Administrators Guide for RHEL 7]
* [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/chap-security-enhanced_linux-troubleshooting CentOS6 SELinux troubleshooting]
** "SELinux decisions, such as allowing or disallowing access, are cached. This cache is known as the Access Vector Cache (AVC). Denial messages are logged when SELinux denies access. These denials are also known as "AVC denials""
* [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems CentOS7 SELinux troubleshooting]
* [https://www.serverlab.ca/tutorials/linux/web-servers-linux/configuring-selinux-policies-for-apache-web-servers/ Configuring SELinux for apache web servers]
==SELinux context fields==
* Unconfined processes run in the unconfined_service_t domain
** Processes running in unconfined domains fall back to using DAC rules exclusively
* By default, newly-created files and directories inherit the SELinux type of their parent directories.

===user===
* <code>semanage login -l</code> to check how Linux users are mapped to SELinux users

===role===
* Part of the Role-Based Access Control (RBAC) security model
* SELinux users are authorized for roles
* Roles are authorized for domains
* <code>seinfo -r</code> - List available roles

===type===
* The most common policy rule, which defines the allowed interactions between processes and system resources, uses SELinux types and not the full SELinux context
* SELinux types usually end with _t
* <code>seinfo -t | sort | grep http</code> - e.g., show all types that have the string "http" in them

===security level===
* Usually something like <code>s0</code>
* Like levels of clearance
** Unclassified
** Confidential
** Secret
** Top Secret

==Simple Commands and important files==
* SE control programs: getsebool, setsebool, booleans, togglesebool, semanage

===man files===
* <code>man selinux</code>
** <code>man -k selinux | less</code> to see the list of SELinux topics, of which there are many.

===seinfo===
* Get statistics for the policy file

===sestatus===
* Get status, e.g., whether SELinux is in enforcing mode or not
** See also setenforce and getenforce

===sesearch===
* <code>yum install setools-console</code>
* SELinux policy query tool

===chcon===
* Temporarily changes the context for files
* Label changes do not survive when the file system is relabeled OR when <code>restorecon</code> is run.
** For permanent changes that survive a file system relabel, use the semanage utility
* Options
** -v: verbose flag
** -R: recursive flag
** -u USER
** -r ROLE
** -l RANGE: as in security range
** -t TYPE
** --reference=RFILE

===semodule===
* Used to load modules created by audit2allow

==Important files==
* /etc/selinux/config - Main configuration file
* /sys/fs/selinux/policy - Policy file
* /etc/selinux/targeted/contexts/files/file_contexts.local - when you chcon or semanage fcontext, changes are listed in here.
** See changes with <code>semanage fcontext -C -l</code>

==See SELinux contexts==
* <code>ls -Z</code> - List file contexts
* <code>ps aux -Z</code> - List process contexts
* <code>id -Z</code> - What is my user context?
** To list the available SELinux users - <code>seinfo -u</code>
* <code>ss -x -a -Z</code> - List all unix sockets and their contexts
* Preserving contexts on copy example: <code>cp --preserve=context file1 /var/www/html/</code>
* <code>matchpathcon -V /var/www/html/*</code> - compares the current SELinux context to the correct, default context
==semanage==
* SELinux Policy Management tool
* Subcommands
** import
** export
** login
** user
** port - manage network port type definitions
** interface
** module
** node
** fcontext - manage file context mapping definitions
** boolean - manage booleans to selectively enable functionality
** permissive - manage process type enforcement
** dontaudit - disable/enable dontaudit rules in policy
** ibpkey
** ibendport

===semanage boolean===
* Boolean httpd_unified: when disabled, the webserver document directory becomes a read-only world (httpd_sys_content_t).
* <code>semanage boolean -l | sort | less</code> - list all SELinux booleans
** Pre CentOS 6: <code>getsebool -a | grep httpd</code>

===semanage fcontext===
* PERSISTENTLY change the SELinux context of files
** Adds an entry to file_contexts.local
* THEN you have to run restorecon to actually change the type
* [https://www.systutorials.com/docs/linux/man/8-semanage-fcontext/ man 8 semanage-fcontext]
* Options
** -v: verbose
** -a: add a new record
** -d: delete a locally added context
** -t TYPE
** -e REFERENCEFILE

====Examples====
* <code>semanage fcontext -a -t httpd_sys_content_t "/var/www/lgorders/admin(/.*)?"</code>
* <code>restorecon -R -v /var/www/lgorders/admin</code>
* <code>[sudo] semanage fcontext -C -l</code> - show the locally added context rules, i.e. the ones that will apply to newly created files and directories

===semanage port===
* <code>semanage port -l</code> - List all the ports and contexts known to SELinux
** e.g. <code>semanage port -l | grep http</code>
==restorecon==
* Restores the default SELinux context for files
* <code>restorecon -Rv .</code>
** -n: dry-run (passively check whether the file contexts are all set as specified by the active policy)
** -R: recursive
** -v: verbose
# When you cp files from one location to another, they keep their original context
# If you scp (from another machine?) directly into place, they get the context corresponding to the receiving location.
# Every time you copy (cp) new/modified files into /var/www/lgorders you'll have to run <code>sudo restorecon -R /var/www/lgorders</code> to allow httpd to use them.
==auditd==
* If the Linux audit daemon (see below) is turned on, SELinux problems should be written to the file <code>/var/log/audit/audit.log</code>
* <code>audit2allow</code> and <code>audit2why</code>
** <code>cat /var/log/audit/audit.log | audit2allow</code>
* <code>man auditd</code>
* /etc/audit/auditd.conf
* <code>service auditd status</code> - dumps info to /var/log/audit/audit.log
* <code>aureport -a</code>
* <code>ausearch -m avc -ts recent</code> - denials from the last 10 minutes
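The AVC denial records that <code>ausearch -m avc</code> and <code>audit2allow</code> consume, summarised by a small awk filter so the denials can be grouped before deciding whether the fix is a label (semanage fcontext plus restorecon), a boolean, or a custom module. This is an added example, not part of the wiki page; the sample lines are constructed to look like audit.log AVC records and <code>summarize_avc</code> is a name chosen here. Keep the page's DAC-before-MAC point in mind when reading the output: an access that DAC refused produces no AVC record at all, so an empty summary does not prove SELinux allowed something.

```shell
#!/bin/sh
# Added example (not from the wiki page): group AVC denials from audit.log by
# source type, target type, object class and process, merging the denied permissions.

# Constructed sample records in the audit.log AVC format; not from a real system.
SAMPLE_AVC_LOG='type=AVC msg=audit(1595000001.100:101): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=40001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1595000002.100:102): avc:  denied  { read open } for  pid=1201 comm="httpd" name="logo.png" dev="dm-0" ino=40002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1595000003.100:103): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1595000003.100:103): arch=c000003e syscall=42 success=no exit=-13 a0=c a1=7f0 a2=10 a3=0 items=0 ppid=1 pid=1201 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)'

# summarize_avc: reads audit records on stdin, prints one line per
# (source type, target type, class, comm) with the count and the union of denied permissions.
# Only "type=AVC ... denied" records are considered; SYSCALL and other record types are skipped.
summarize_avc() {
    awk '
        /^type=AVC / && / denied / {
            perms = ""; inperm = 0
            comm = "?"; src = "?"; tgt = "?"; cls = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "{") { inperm = 1; continue }      # start of "{ perm perm }" list
                if ($i == "}") { inperm = 0; continue }
                if (inperm) { perms = perms " " $i; continue }
                n = index($i, "=")
                if (n == 0) continue                          # tokens like "avc:", "denied", "for"
                k = substr($i, 1, n - 1); v = substr($i, n + 1)
                gsub(/"/, "", v)                              # comm="httpd" -> httpd
                if (k == "comm") comm = v
                else if (k == "scontext") { split(v, p, ":"); src = p[3] }   # user:role:TYPE:level
                else if (k == "tcontext") { split(v, p, ":"); tgt = p[3] }
                else if (k == "tclass") cls = v
            }
            key = src " " tgt " " cls " " comm
            count[key]++
            np = split(perms, pl, " ")
            for (j = 1; j <= np; j++) {
                if (!((key, pl[j]) in seen)) {              # union of permissions, first-seen order
                    seen[key, pl[j]] = 1
                    plist[key] = (plist[key] == "" ? pl[j] : plist[key] "," pl[j])
                }
            }
        }
        END {
            for (k in count) {
                split(k, f, " ")
                print count[k], f[1], f[2], f[3], plist[k], f[4]
            }
        }
    ' | sort
}

# Stand-alone demo on the constructed sample. On a real host, feed it the audit log
# or a time-bounded search, e.g.:  ausearch -m avc -ts recent | summarize_avc
printf '%s\n' "$SAMPLE_AVC_LOG" | summarize_avc
```

On the sample this yields two groups: httpd_t reading user_home_t files (a labelling problem of the kind the semanage fcontext example fixes) and httpd_t connecting to an unreserved_port_t TCP port (the kind of denial governed by an httpd boolean, which <code>semanage boolean -l</code> lists); grouping this way keeps one from feeding every raw denial into <code>audit2allow</code> and loosening policy more than the actual problem requires.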
===auditctl===
* A utility to assist in controlling the kernel's audit system
* To see unsuccessful open calls: <code>auditctl -a exit,always -S open -F success!=0</code>
** -a always,exit = append the action "always" to the syscall exit list
** -S open = any open call made by a program
** -F success!=0 = create a rule field evaluating on the exit value
** You may have to do a <code>service auditd restart</code> after, not sure.

====examples====
* <code>auditctl -l</code> - list all user-defined audit hooks
* <code>auditctl -D</code> - delete all user-defined hooks
* <code>auditctl -a always,exit -S all -F pid=1005</code> - To see all syscalls made by a specific program
* <code>auditctl -a always,exit -S openat -F auid=510</code> - To see files opened by a specific user
* <code>auditctl -a always,exit -S openat -F success=0</code> - To see unsuccessful openat calls
* <code>auditctl -a exit,always -S open -F success=0</code> - To see unsuccessful open calls
* <code>auditctl -w /etc/shadow -p wa</code> or <code>auditctl -a always,exit -F path=/etc/shadow -F perm=wa</code> - To watch a file for changes
* <code>auditctl -w /etc/ -p wa</code> or <code>auditctl -a always,exit -F dir=/etc/ -F perm=wa</code> - To recursively watch a directory for changes
* <code>auditctl -a always,exit -F dir=/home/ -F uid=0 -C auid!=obj_uid</code> - To see if an admin is accessing other users' files
Latest revision as of 16:36, 28 July 2020