Selinux

From WikiMar


Tutorial


An SELinux policy defines user access to roles, role access to domains, and domain access to types.

SELinux users are suffixed by "_u", roles are suffixed by "_r", and types (for files) or domains (for processes) are suffixed by "_t".



Users

SELinux has a set of pre-built users. Every regular Linux user account is mapped to one or more SELinux users.

In Linux, a user runs a process. This can be as simple as the user jo opening a document in the vi editor (it will be jo's account running the vi process) or a service account running the httpd daemon. In the SELinux world, a process (a daemon or a running program) is called a subject.

Roles

A role is like a gateway that sits between a user and a process. A role defines which users can access that process. Roles are not like groups, but more like filters: a user may enter or assume a role at any time provided the role grants it. The definition of a role in SELinux policy defines which users have access to that role. It also defines what process domains the role itself has access to. Roles come into play because part of SELinux implements what's known as Role Based Access Control (RBAC).

Subjects and Objects

A subject is a process and can potentially affect an object.

An object in SELinux is anything that can be acted upon. This can be a file, a directory, a port, a TCP socket, the cursor, or perhaps an X server. The actions that a subject is allowed to perform on an object are the subject's permissions.

Domains are for Subjects

A domain is the context within which an SELinux subject (process) can run. That context is like a wrapper around the subject. It tells the process what it can and can't do. For example, the domain will define what files, directories, links, devices, or ports are accessible to the subject.

Types are for Objects

A type is the part of a file's context that stipulates the file's purpose. For example, the context of a file may dictate that it's a web page, or that the file belongs to the /etc directory, or that the file's owner is a specific SELinux user. A file's context is called its type in SELinux lingo.

Troubleshooting

List things blocked by SELinux (AVC denials):

grep AVC /var/log/audit/audit.log


List problems that can be solved by switching a boolean:

audit2allow -w -a | grep -C 10 setsebool

Examples applied:

setsebool -P httpd_builtin_scripting=1
setsebool -P httpd_enable_cgi=1
setsebool -P httpd_can_network_memcache 1
setsebool -P named_write_master_zones 1
setsebool -P nis_enabled 1
setsebool -P httpd_can_network_connect 1
setsebool -P httpd_setrlimit 1
setsebool -P httpd_unified 1

List all booleans and their current values:

getsebool -a


List problems

Explain the problems:

audit2allow -w -a

Show the policy list required to correct the problems:

audit2allow -a

It may be that a matching rule is already present in the loaded policy and the problem is already solved. In this case a message similar to

#!!!! This avc is allowed in the current policy

will be displayed.


List the problems for only ssh (audit2allow reads the records from stdin here; with -a it would read the full audit log instead and ignore the pipe, so -a is left out; the glob also includes rotated logs):

grep ssh /var/log/audit/audit.log* | audit2allow

Generate a policy module from those records:

grep ssh /var/log/audit/audit.log* | audit2allow -M selinux-marti-ssh

Add the generated policy list:

semodule -i selinux-marti-ssh.pp
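Before feeding denials to audit2allow it helps to see which source domain, target type and permission are actually involved, since a plain "grep ssh" also matches unrelated records. The following is an added example (not part of the original page); it summarises AVC records from stdin with awk and filters by source domain rather than by keyword. The sample records in SAMPLE_AVC are constructed for the example, not taken from a real audit.log.

```shell
# Constructed sample AVC records in audit.log format (not real denials).
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000001.456:457): avc:  denied  { read } for  pid=1235 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000002.789:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'

# avc_for_domain DOMAIN: keep only denials whose *source* domain is DOMAIN
# (e.g. sshd_t). Matching on scontext is more precise than grepping a keyword.
avc_for_domain() {
  grep "scontext=[^ ]*:$1:"
}

# summarize_avc: read AVC records on stdin and print one line per distinct
# (source domain, target type, object class, permissions) tuple:
#   "<count> <source_type> <target_type> <class> <perm[,perm...]>"
# sorted by count, most frequent first.
summarize_avc() {
  awk '/type=AVC/ && /denied/ {
    perms = ""; src = ""; tgt = ""; cls = ""
    # permissions sit between the braces: "{ read open }"
    if (match($0, /[{][^}]*[}]/)) {
      perms = substr($0, RSTART + 1, RLENGTH - 2)
      gsub(/^ +| +$/, "", perms)
      gsub(/ /, ",", perms)
    }
    for (i = 1; i <= NF; i++) {
      # the type is the third colon-separated field of a context
      if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); src = a[3] }
      else if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tgt = a[3] }
      else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
    }
    n[src " " tgt " " cls " " perms]++
  }
  END { for (k in n) print n[k], k }' | sort -rn
}

# Usage: on a real host replace the sample with: cat /var/log/audit/audit.log*
printf '%s\n' "$SAMPLE_AVC" | avc_for_domain httpd_t | summarize_avc
```

A tuple such as httpd_t to mysqld_port_t on tcp_socket name_connect is the kind of denial a boolean (here httpd_can_network_connect_db) covers, so check `audit2allow -w` output before writing a custom module.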

Add new port to service

List ports assigned to a service:

semanage port -l | grep ssh


Add a new port that is not yet assigned to any type:

semanage port -a -t ssh_port_t -p tcp 2222


Change a port that is already assigned to another type (-m = modify):

semanage port -m -t ssh_port_t -p tcp 23


File contexts

List contexts:

ls -Z

Note: cp adopts the destination context; mv keeps the original context.

Change context of file:

chcon -t named_conf_t named.conf

Show (without changing anything) which files differ from their default context:

restorecon -Rv -n /etc/httpd

Actually change to the default context:

restorecon -Rv  /etc/httpd

To define default contexts for files, take a look at "Changing and Restoring SELinux File Contexts" https://www.digitalocean.com/community/tutorials/an-introduction-to-selinux-on-centos-7-part-2-files-and-processes (semanage fcontext only records the rule; run restorecon on the path afterwards to apply it):

semanage fcontext --add --type httpd_sys_content_t "/www(/.*)?"