7.2.3. Example: Security Enhanced Linux

The framework adds a policy that states how subjects (processes) may act on objects (files, devices, sockets, ...). Every subject and object carries a security context of the form user:role:type — the user being an SELinux user such as `system_u` or `unconfined_u`, not a Linux account — optionally followed by an MLS/MCS level or range, which is the trailing `s0` or `s0-s0:c0.c1023` field in the listings below. The type is the part most rules work with: a process type is also called a domain (`unconfined_t`, `nagios_t`, `ssh_t` below), and access is granted by `allow <source type> <target type>:<class> { permissions }` rules, as the `sesearch` output shows. The context of a file is stored in an extended attribute of the file (`ls -Z` displays it); a process receives its context from the domain transition rules of the policy.

The transcripts below show, in turn, the labels on the entries of the root directory (`ls -Z`), the file-context rules from which those labels are derived (`semanage fcontext -l`), the context of the interactive shell and its processes (`ps -Z`, `id -Z`), the loaded policy modules (`semanage module -l`), the allow rules granting write access to `sshd_key_t` files (`sesearch`), the policy booleans (`getsebool -a`), and how a denial appears in the audit log and is turned into a candidate rule by `audit2allow`; the final listing is an excerpt of the source of the `ssh` policy module. Three points deserve attention when reading them. First, a rule suffixed with a boolean, such as `[ ftpd_full_access ]:True`, is active only while that boolean is on; `getsebool` shows it off here, so the listed `ftpd_t` access is not actually granted. Second, the AVC record ends in `permissive=1`: the access was logged but not blocked, because the `nagios_t` domain (or the whole system) is in permissive mode, so the `sudo` process succeeded; in enforcing mode the same access fails, and the domain should only be switched back to enforcing once the rules it needs are loaded. Third, `audit2allow` output is a starting point, not a fix: every rule it emits widens the policy permanently, and feeding it the whole audit log, as above, produces rules for every denial ever recorded. Narrow the input (for example with `ausearch -m avc` or a `grep` on the domain), check first whether the target is merely mislabeled (compare the `ls -Z` result with `matchpathcon` or `restorecon -n -v`) or whether an existing boolean already covers the case, and load a local module only for the rules you have reviewed.

> ls -Z /
       system_u:object_r:bin_t:s0 bin
      system_u:object_r:boot_t:s0 boot
    system_u:object_r:device_t:s0 dev
       system_u:object_r:etc_t:s0 etc
 system_u:object_r:home_root_t:s0 home
       system_u:object_r:lib_t:s0 lib
       system_u:object_r:lib_t:s0 lib64
       system_u:object_r:mnt_t:s0 media
       system_u:object_r:mnt_t:s0 mnt
       system_u:object_r:usr_t:s0 opt
      system_u:object_r:proc_t:s0 proc
system_u:object_r:admin_home_t:s0 root
   system_u:object_r:var_run_t:s0 run
       system_u:object_r:bin_t:s0 sbin
       system_u:object_r:var_t:s0 srv
     system_u:object_r:sysfs_t:s0 sys
...
> semanage fcontext -l
SELinux fcontext        type               Context
/                       directory          system_u:object_r:root_t:s0
/.*                     all files          system_u:object_r:default_t:s0
/bin                    all files          system_u:object_r:bin_t:s0
/bin/.*                 all files          system_u:object_r:bin_t:s0
/bin/bash               regular file       system_u:object_r:shell_exec_t:s0
/bin/dmesg              regular file       system_u:object_r:dmesg_exec_t:s0
/bin/ip                 regular file       system_u:object_r:ifconfig_exec_t:s0
...
/dev                    directory          system_u:object_r:device_t:s0
/dev/.*                 all files          system_u:object_r:device_t:s0
/dev/.*mouse.*          character device   system_u:object_r:mouse_device_t:s0
/dev/[0-9].*            character device   system_u:object_r:usb_device_t:s0
/dev/[shmxv]d[^/]*      block device       system_u:object_r:fixed_disk_device_t:s0
...
/home                   directory          system_u:object_r:home_root_t:s0
/home/[^/]+             directory          unconfined_u:object_r:user_home_dir_t:s0
/home/[^/]+/www(/.+)?   all files          unconfined_u:object_r:httpd_user_content_t:s0
...
> ps -Z
LABEL                             PID TTY          TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4891 pts/0 00:00:00 ps
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5124 pts/0 00:00:00 bash
> id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> semanage module -l
Module Name               Priority  Language
abrt                      100       pp
accountsd                 100       pp
acct                      100       pp
afs                       100       pp
aiccu                     100       pp
aide                      100       pp
ajaxterm                  100       pp
alsa                      100       pp
amanda                    100       pp
...
> sesearch -A -t sshd_key_t -p write
allow ssh_keygen_t sshd_key_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow sshd_keygen_t sshd_key_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
...
allow files_unconfined_type file_type:file { append audit_access create execute execute_no_trans getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
...
allow ftpd_t non_security_file_type:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ ftpd_full_access ]:True
allow kernel_t non_security_file_type:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ nfs_export_all_rw ]:True
...
allow sysadm_t non_security_file_type:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write };
...
> getsebool -a
antivirus_can_scan_system --> off
antivirus_use_jit --> off
...
daemons_dump_core --> off
daemons_enable_cluster_mode --> off
daemons_use_tcp_wrapper --> off
daemons_use_tty --> off
...
ftpd_anon_write --> off
ftpd_full_access --> off
ftpd_use_nfs --> off
...
git_cgi_enable_homedirs --> off
git_cgi_use_nfs --> off
...
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_network_connect --> off
httpd_can_network_memcache --> off
httpd_can_sendmail --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_use_nfs --> off
...
> tail /var/log/audit/audit.log
type=AVC msg=audit(1515657259.550:620585): avc:  denied  { open } for  pid=8358 comm="sudo" path="/run/utmp" dev="tmpfs" ino=11643 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
...
> audit2allow < /var/log/audit/audit.log
#============= nagios_t ==============
allow nagios_t initrc_var_run_t:file open;
...
> ls -Z /run/utmp
system_u:object_r:initrc_var_run_t:s0 /run/utmp
policy_module(ssh, 2.4.2)

gen_tunable(allow_ssh_keysign, false)
gen_tunable(ssh_sysadm_login, false)

attribute ssh_server;
attribute ssh_agent_type;

type ssh_t;
type ssh_exec_t;
type ssh_home_t;
type sshd_exec_t;
...

allow ssh_t self:capability { setuid setgid ... };
allow ssh_t self:tcp_socket create_stream_socket_perms;
allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
...

allow ssh_t sshd_key_t:file read_file_perms;
allow ssh_t sshd_tmp_t:dir manage_dir_perms;
allow ssh_t sshd_tmp_t:file manage_file_perms;
...

tunable_policy (`allow_ssh_keysign',`
    domain_auto_trans (ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
    allow ssh_keysign_t ssh_t:fd use;
    allow ssh_keysign_t ssh_t:process sigchld;
    allow ssh_keysign_t ssh_t:fifo_file rw_file_perms;
')
...