SELinux
Page history: revised by Js146669 (3 intermediate revisions by the same user not shown).
Current version as of 26 May 2021, 17:38
Types of access control
Discretionary Access Control = FACL, File perms, SUID/SGID, SU/Sudo
Mandatory Access Control = OS controls access
Definitions
- Subject | user or process that accesses an object.
- Object | a resource e.g. file, dir, device or pipe
- Access | An action performed by Subject on Object.
- Rule | Allow/Deny access to an object
- Security Policy | System-wide set of rules
- Context | File metadata to store SELINUX attributes for subjects and objects.
N.B! Permissive mode is good for troubleshooting SELINUX policy issues
Enforcement Policies
- Type enforcement | Default policy, what types can do to other types.
- RBAC | Access control based on users in roles.
- Multi-Level (MLS) / Multi-Category (MCS) | Access based on security levels. A containerisation of processes.
Commands to use
$ sestatus
$ getenforce
$ setenforce
$ vim /etc/selinux/config
Display the security context of a user
$ id -Z
- unconfined_u | is the user
- unconfined_r | is the role
- unconfined_t | is the type enforcement
- Last section | is MLS/MCS security
Display processes and security context
$ ps -eZ
Display file security context
$ ls -lZ
SELinux supports domain transitioning which means subjects can move from one type to another, if allowed in the security policy.
The “unconfined_t” column is the important one to check.
To check this, execute the following steps:-
$ ls -lZ /usr/bin/passwd
$ ls -lZ /etc/shadow
Open a new terminal tab, execute $ passwd and leave it running, then in the first tab run:-
$ ps -eZ | this shows the context of the running passwd command.
To change the context of a file:-
$ chcon -t etc_t <filename>
$ restorecon <filename> | Resets the context to the value stored in the context database, so you don’t have to guess the file's original setting.
To restore all files to their original security context, create the following file in the root directory and reboot:-
$ touch /.autorelabel
If you don’t want autorelabel and restorecon to revert a file's context, edit the security context database instead:-
$ semanage fcontext -a -t <type> <filename>
E.g. the following adds a row to the database with that info for the testfile.txt file:-
$ semanage fcontext -a -t etc_t /home/user1/testfile.txt
Display file info from the context database:-
$ semanage fcontext -l | grep <filename>
N.B! It’s best to change the policy and then use $ restorecon to set the context, rather than use $ chcon. Only use chcon to troubleshoot.
SELinux Booleans
To Display the booleans use the following cmds:-
$ getsebool -a
$ getsebool mozilla_plugin_use_gps
$ sestatus -b
$ semanage boolean -l | This also displays a short description of the boolean
To set a boolean:-
$ setsebool mozilla_plugin_use_gps on | Only temporary, until a reboot
Add to the policy to make changes persistent:-
$ setsebool -P mozilla_plugin_use_gps on | Persistent, i.e. survives a reboot
To verify changes
$ semanage boolean -l | egrep 'SELinux|mozilla_plugin_use_gps'
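The difference between a temporary setsebool and a persistent setsebool -P can be verified from the output of semanage boolean -l, whose State column is the running value and whose Default column is the value restored at boot. The script below is an added example, not part of the wiki page: it reads that output on stdin and lists booleans whose State and Default differ (changed without -P, so they revert at reboot). The semanage output embedded in it is a constructed sample in the "name  (State , Default)  Description" layout, not captured from a real host.

```shell
# Added example, not from the wiki page: find SELinux booleans that were
# changed with "setsebool" but not "setsebool -P", i.e. whose current State
# differs from the boot-time Default and will revert at the next reboot.
# Input is the output of "semanage boolean -l" on stdin; the sample below is
# constructed in that layout ("name  (State , Default)  Description").

SAMPLE_SEMANAGE_BOOLEANS='SELinux boolean                State  Default Description

httpd_can_network_connect      (on   ,  off)  Allow httpd to connect to the network
mozilla_plugin_use_gps         (on   ,   on)  Allow mozilla plugin to use gps
ftpd_anon_write                (off  ,  off)  Allow ftp servers to upload files to anonymous-writable dirs'

# Print "name state default" for every boolean whose State != Default.
nonpersistent_booleans() {
    awk '
        /\(.*,.*\)/ {
            gsub(/[(),]/, " ")          # "(on   ,  off)" -> "on    off"
            if ($2 != $3) print $1, $2, $3
        }'
}

# Exit 0 if the named boolean's State equals its Default (the value is
# persistent), 1 if it is a temporary change, 2 if the name was not found.
boolean_is_persistent() {
    awk -v want="$1" '
        $1 == want && /\(.*,.*\)/ {
            found = 1
            gsub(/[(),]/, " ")
            if ($2 == $3) exit 0; else exit 1
        }
        END { if (!found) exit 2 }'
}

# Usage on a real host:  semanage boolean -l | nonpersistent_booleans
printf '%s\n' "$SAMPLE_SEMANAGE_BOOLEANS" | nonpersistent_booleans
```

With the sample input the script reports only httpd_can_network_connect, which is on now but off in the policy; running it against a live semanage boolean -l is a quick way to catch booleans that were toggled during troubleshooting and never made persistent.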
SELinux logging
If auditd is running the logs are stored in:-
/var/log/audit/audit.log
If not then the logs are stored in:-
/var/log/messages
If you have access to a desktop, use the SELinux alert browser to search/troubleshoot SELinux logs. Terminal CLI commands to use are:-
$ ausearch
$ audit2allow
$ semodule
$ sealert
N.B! Run sealert from the CLI; each report describes an issue and explains how to resolve it. The most important part of the report is at the end of each alert, where it explains how to resolve the problem.
$ yum install setroubleshoot setools
$ sealert -a /var/log/audit/audit.log
Lines in logfiles to search for
type=AVC | identifies the problem as an SELinux error (“Access Vector Cache”)
scontext = subject context
tcontext = object context
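The following is an added example, not from the wiki page, covering two points above: the four parts of a context shown by id -Z / ls -lZ (user, role, type, MLS/MCS level), and the type=AVC lines with scontext and tcontext to search for in the audit log. The context_field helper splits a context string, taking care that the MLS/MCS level may itself contain colons; summarise_avc reads audit-log lines on stdin and prints one summary line per AVC denial with the type part of the subject and object contexts. The audit lines embedded in it are constructed samples in the auditd layout, not taken from any real host.

```shell
# Added example, not from the wiki page: split an SELinux context into its
# user/role/type/level parts and summarise AVC denials from audit.log-style
# lines. The log lines below are constructed samples, not from a real host.

# Print one part of a context "user:role:type:level".
# The MLS/MCS level can itself contain colons (e.g. s0-s0:c0.c1023), so the
# level is everything from the fourth colon-separated field onwards.
context_field() {
    # $1 = context string, $2 = user | role | type | level
    case "$2" in
        user)  printf '%s\n' "$1" | cut -d: -f1 ;;
        role)  printf '%s\n' "$1" | cut -d: -f2 ;;
        type)  printf '%s\n' "$1" | cut -d: -f3 ;;
        level) printf '%s\n' "$1" | cut -d: -f4- ;;
        *)     echo "usage: context_field CONTEXT user|role|type|level" >&2; return 1 ;;
    esac
}

SAMPLE_AUDIT_LOG='type=AVC msg=audit(1621966680.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1621966680.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1621966701.456:457): avc:  denied  { name_connect } for  pid=2345 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1'

# Read audit lines on stdin and print, per type=AVC record:
#   comm  permission  source-type  target-type  tclass  permissive
# Only the type part of scontext/tcontext is kept, since type enforcement
# is the column to look at; permissive=1 means the action was logged but
# not blocked.
summarise_avc() {
    awk '
        /^type=AVC / {
            perm = ""; comm = ""; st = ""; tt = ""; cls = ""; pm = ""
            if (match($0, /\{ [a-z_ ]+ \}/))
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm")       { comm = kv[2]; gsub(/"/, "", comm) }
                if (kv[1] == "scontext")   { split(kv[2], c, ":"); st = c[3] }
                if (kv[1] == "tcontext")   { split(kv[2], c, ":"); tt = c[3] }
                if (kv[1] == "tclass")     cls = kv[2]
                if (kv[1] == "permissive") pm = kv[2]
            }
            print comm, perm, st, tt, cls, pm
        }'
}

# Usage on a real host:  summarise_avc < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarise_avc
```

The summary makes the troubleshooting questions above easy to answer from a long log: which domain (source type) was denied, which object type it touched, and whether the denial happened in permissive mode, which is what you see after setenforce 0 while reproducing the problem.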
Possible solutions to SELinux errors
Change a Boolean to allow the action
$ semanage boolean -l
$ setsebool -P <boolean> on
Change a file or dir type
$ chcon | Temporary change, reversed by restorecon or autorelabel
$ semanage | Persistent change
Create a new security policy module, although it’s better to find and fix the fault than to use this.
$ audit2allow
Troubleshooting actions/steps
- Put SELinux in permissive mode
- Run the application that was denied
- Search through the audit logs
- Look for SELinux desktop notifications (if possible)
- Follow instructions in SELinux alert browser
Commands with SELinux support
$ cp -a | preserves SELinux contexts
$ mv | preserves by default, since it keeps file metadata unchanged
$ tar --selinux | include security context info
$ rsync -aX | copy between hosts retaining security context (-X preserves extended attributes, which is where the context is stored)
N.B! The preferred alternative is to cp/mv the files and then run $ restorecon to reapply the security context.
URLS
CentOS Creating Custom SELinux Policy Modules with audit2allow: https://wiki.centos.org/HowTos/SELinux#Customizing_SELinux_Policies