Skillnad mellan versioner av "SELinux"

Från wiki.soltec.se
Hoppa till: navigering, sök
(Commands with SELinux support)
 
(2 mellanliggande versioner av samma användare visas inte)
Rad 1: Rad 1:
'''Types of access control'''
+
== Types of access control ==
 
  '''Discretionary Access Control''' = FACL, File perms, SUID/SGID, SU/Sudo
 
  '''Discretionary Access Control''' = FACL, File perms, SUID/SGID, SU/Sudo
  
 
  '''Mandatory Access Control''' = OS controls access
 
  '''Mandatory Access Control''' = OS controls access
 +
'''Definitions'''
 
*'''Subject'''| user or process that accesses an object.
 
*'''Subject'''| user or process that accesses an object.
 
*'''Object''' | a resource e.g. file, dir, device or pipe
 
*'''Object''' | a resource e.g. file, dir, device or pipe
Rad 13: Rad 14:
 
  '''N.B!''' Permissive mode is good for troubleshooting SELINUX policy issues
 
  '''N.B!''' Permissive mode is good for troubleshooting SELINUX policy issues
  
'''Enforcement Policies'''
+
== Enforcement Policies ==
  
 
*'''Type enforcement''' | Default policy, what types can do to other types.
 
*'''Type enforcement''' | Default policy, what types can do to other types.
Rad 49: Rad 50:
 
  $ chcon -t etc_t <filename>
 
  $ chcon -t etc_t <filename>
 
  $ restorecon <filename>  | Resets the context to the value stored in the context database.  
 
  $ restorecon <filename>  | Resets the context to the value stored in the context database.  
                           | So you don’t have to guess when restoring the file to it’s original setting.
+
                           | So you don’t have to guess when restoring the file to its original setting.
  
 
Restore all files back to original security context, create a file in root and reboot:-
 
Restore all files back to original security context, create a file in root and reboot:-
 
  $ touch /.autorelabel
 
  $ touch /.autorelabel
If you don’t want autorelabel och restorecon to work on a file exec to edit the security context database:-
+
If you don’t want autorelabel och restorecon to work on a file execute the following to edit the security context database:-
 
  $ semanage fcontext -a -t <type> <filename>
 
  $ semanage fcontext -a -t <type> <filename>
 
   
 
   
Rad 62: Rad 63:
 
  '''N.B!''' It’s best to change the policy and then use $ restorecon to set the context, rather than use $ chcon. Only use chcon to troubleshoot.
 
  '''N.B!''' It’s best to change the policy and then use $ restorecon to set the context, rather than use $ chcon. Only use chcon to troubleshoot.
  
'''SELINUX Boleans'''
+
== SELINUX Boleans ==
  
 
To Display the booleans use the following cmds:-
 
To Display the booleans use the following cmds:-
Rad 70: Rad 71:
 
  $ semanage boolean -l      | This also displays a short description of the boolean
 
  $ semanage boolean -l      | This also displays a short description of the boolean
 
To set a boolean:-
 
To set a boolean:-
  $ setsebool mozilla_plugin_use_gps on  |Only temp until reboot
+
  $ setsebool mozilla_plugin_use_gps on  |Only temporary until a reboot
 
Add to policy to make changes persistent.
 
Add to policy to make changes persistent.
 
  $ setsebool -P mozilla_plugin_use_gps on  | Persistent i.e survives a reboot
 
  $ setsebool -P mozilla_plugin_use_gps on  | Persistent i.e survives a reboot
Rad 76: Rad 77:
 
  $ semanage boolean -l | egrep ‘SELinux|mozilla_plugin_use_gps’
 
  $ semanage boolean -l | egrep ‘SELinux|mozilla_plugin_use_gps’
  
'''SELinux logging'''
+
== SELinux logging ==
  
 
If auditd is running the logs are stored in:-
 
If auditd is running the logs are stored in:-
Rad 99: Rad 100:
 
  tcontext = object context
 
  tcontext = object context
  
'''Possible solutions to SELinux errors'''
+
== Possible solutions to SELinux errors ==
  
 
Change a Boolean to allow the action
 
Change a Boolean to allow the action
Rad 110: Rad 111:
 
  $ audit2allow
 
  $ audit2allow
  
'''Troubleshooting actions/steps'''
+
== Troubleshooting actions/steps ==
 
*Put SELinux in permissive mode
 
*Put SELinux in permissive mode
 
*Run the application that was denied
 
*Run the application that was denied
Rad 117: Rad 118:
 
*Follow instructions in SELinux alert browser
 
*Follow instructions in SELinux alert browser
  
'''Commands with SELinux support'''
+
== Commands with SELinux support ==
 
  $ cp -a          | preserves SELinux contexts
 
  $ cp -a          | preserves SELinux contexts
 
  $ mv            | preserves by default is keeps file metadata unchanged
 
  $ mv            | preserves by default is keeps file metadata unchanged
Rad 123: Rad 124:
 
  $ rsync -a X    | copy between hosts retaining security context
 
  $ rsync -a X    | copy between hosts retaining security context
 
  '''N.B!''' The preferred alternative is to copy/mv files and then perform $ restorecon to reapply security context.
 
  '''N.B!''' The preferred alternative is to copy/mv files and then perform $ restorecon to reapply security context.
 +
 +
== URLS ==
 +
[https://wiki.centos.org/HowTos/SELinux#Customizing_SELinux_Policies CentOS Creating Custom SELinux Policy Modules with audit2allow]

Nuvarande version från 26 maj 2021 kl. 17.38

Types of access control

Discretionary Access Control = FACL, File perms, SUID/SGID, SU/Sudo
Mandatory Access Control = OS controls access

Definitions

  • Subject| user or process that accesses an object.
  • Object | a resource e.g. file, dir, device or pipe
  • Access | An action performed by Subject on Object.
  • Rule | Allow/Deny access to an object
  • Security Policy | System-wide set of rules
  • Context | File metadata to store SELINUX attributes for subjects and objects.
N.B! Permissive mode is good for troubleshooting SELINUX policy issues

Enforcement Policies

  • Type enforcement | Default policy, what types can do to other types.
  • RBAC | Access control based on users in roles.
  • Multi-Level (MLS) / Multi-Catagory (MCS) | Access based on security levels. A containerisation of processes.

Commands to use

$ sestatus
$ getenforce
$ setenforce
$ vim /etc/selinux/config

Display the security context of a user

$ id -Z
  • unconfined_u | is the user
  • unconfined_r | is the role
  • unconfined_t | is the type enforcement
  • Last section | is MLS/MCS security

Display processes and security context

$ ps -eZ

Display file security context

$ ls -lZ

SELinux supports domain transitioning which means subjects can move from one type to another, if allowed in the security policy.

The “unconfined_t” column is the important one to check.

To check this, execute the following steps:-

$ ls -lZ /usr/bin/passwd
$ ls -lZ /etc/shadow
Open a new tab in terminal an exec $passwd and leave it running
$ ps -eZ      | this will show the context of the $passwd command.
To change the context of a file:-
$ chcon -t etc_t <filename>
$ restorecon <filename>  | Resets the context to the value stored in the context database. 
                         | So you don’t have to guess when restoring the file to its original setting.

Restore all files back to original security context, create a file in root and reboot:-

$ touch /.autorelabel

If you don’t want autorelabel och restorecon to work on a file execute the following to edit the security context database:-

$ semanage fcontext -a -t <type> <filename>

t.ex the following will add the row to the database with that info for the testfile.txt file.
$ semanage fcontext -a -t etc_t /home/user1/testfile.txt

Display file info from the context database:-

$ semanage fcontext -l | grep <filename>
N.B! It’s best to change the policy and then use $ restorecon to set the context, rather than use $ chcon. Only use chcon to troubleshoot.

SELINUX Boleans

To Display the booleans use the following cmds:-

$ getsebool -a
$ getsebool mozilla_plugin_use_gps
$ setatus -b
$ semanage boolean -l      | This also displays a short description of the boolean

To set a boolean:-

$ setsebool mozilla_plugin_use_gps on   |Only temporary until a reboot

Add to policy to make changes persistent.

$ setsebool -P mozilla_plugin_use_gps on  | Persistent i.e survives a reboot

To verify changes

$ semanage boolean -l | egrep ‘SELinux|mozilla_plugin_use_gps’

SELinux logging

If auditd is running the logs are stored in:-

/var/log/audit/audit.log

If not then the logs are stored in:-

/var/log/messages

If you have access to a desktop, use the SELinux browser to search/troubleshoot SELinux logs. Terminal cli commands to use are:-

$ ausearch
$ audit2allow
$ semodule
$ sealert
  N.B! run sealert from the cli, each report will describe each issue and explain how to resolve them.
           The most important part of the report is found at the end of each alert.
           This is where it explains how to resolve the problem.
           $ yum install setroubleshoot setools
           $ sealert -a /var/log/audit/audit.log

Lines in logfiles to search for

type=AVC      | identifies problem as SELinux error. “Access Vector Cache”
scontext = subject context
tcontext = object context

Possible solutions to SELinux errors

Change a Boolean to allow the action

$ semanage boolean -l
$ setsebool -P <boolean> on

Change a file or dir type

$ chcon    | Temporarily changes, reversed with restorecon OR autorelabel
$ semanage | Persistent changes

Create a new security policy module although it’s better to fault/fix rather than using this.

$ audit2allow

Troubleshooting actions/steps

  • Put SELinux in permissive mode
  • Run the application that was denied
  • Search through the audit logs
  • Look for SELinux desktop notifications (if possible)
  • Follow instructions in SELinux alert browser

Commands with SELinux support

$ cp -a          | preserves SELinux contexts
$ mv             | preserves by default is keeps file metadata unchanged
$ tar --selinux  | include sec context info
$ rsync -a X     | copy between hosts retaining security context
N.B! The preferred alternative is to copy/mv files and then perform $ restorecon to reapply security context.

URLS

CentOS Creating Custom SELinux Policy Modules with audit2allow