BLUG July 19 Meeting Report

Another good meeting with 14 present. As planned, founder Clint Tinsley presented on SELinux. Delivering from prepared slides and demo scripts, Clint spent 90 minutes "demystifying SELinux", in the words of one of those present. What follows is the outline from his slides, including the demonstration scripts.

SELinux Usage
Major Distributions support it!
In kernel since 2002
Fedora since Core 2 (2004)
RHEL since version 4 (2005)
Debian since Etch (2007)
Ubuntu since Hardy Heron 8.04 (2008)

What is SELinux?

An application firewall that prevents unauthorized access to system files and folders by exploited processes and services.

What Does SELinux Do?
Restricts System Processes
Policies in most distributions are applied only to system processes, not user processes.
Policies limit what a process can access and how.
Prevents a process from a compromise affecting other files / users / ports / etc.

Operates at the kernel layer
LSM – Linux Security Module
Enforces MAC based on access requests
Context based enforcement
Boolean based enforcement

Access models
DAC - Discretionary Access Control
Standard Linux Permissions - read, write, execute (rwx)
Managed by file owners (root, users)
MAC - Mandatory Access Control
SELinux restricts access based on context type
All files, folders, processes, and ports have a context type
Every one of these must carry a context the process is permitted to use before access is allowed.

SELinux MAC Controls
context type – assigned to files, folders, processes, ports
booleans - features such as enable public_html, ftp_anon_write
SELinux Decision Flowchart

Application Example
Webserver without SELinux
An exploit can write to the document root, the tmp directory and other files and folders.
An exploit can elevate its privileges (become root) via the unrestricted access.

Webserver with SELinux

An exploit cannot write files outside of the Document root.
Files cannot be accessed unless they have the correct context.

SELinux Key Concepts

SELinux is a set of security rules for processes

Every file, process, directory and port has an SELinux label (its context)

SELinux security policy checks the context to see if the process can access the file, directory, or port.

-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
The context on this file (index.html) has four fields:
unconfined_u:object_r:httpd_sys_content_t:s0  -  user:role:type:level(range)
We are only concerned with the third field, which is the context type: httpd_sys_content_t
-  context types usually end in '_t'
-  The other security contexts of user, role, & level are beyond the scope of this presentation
-  Note: s0 is the default level, used for multi-level (MCS/MLS) security.

Viewing Context
ls -Z  file
ls -lZ file long listing
ls -ldZ directory context
ps axZ
ps -ZC httpd
The context type (the _t field) is what governs access!
===================================================
Demo Script:

File Contexts:
ls -lZ /var/www/html  <= display index.html
ls -ldZ /var/www/html <= display directory context
ls -lZ /home/student  <= home directories contexts
ls -lZ (root homedir) <= admin_t

Process:

ps axZ |grep httpd
ps -ZC httpd 
===================================================
SELinux Modes

Enforcing
Policies are enforced – Access Denied
Violations logged

Permissive (Testing Mode!)
Unrestricted Access Allowed
Violations logged

Disabled (Requires Reboot to Apply) 
Unrestricted Access Allowed
Not Recommended!

Setting SELinux Mode

Command Line - 
getenforce <=returns current selinux mode
setenforce permissive | enforcing | 0 | 1 
0 is permissive, 1 is enforcing

Persistently – default selinux mode on boot.
RHEL 6: /etc/sysconfig/selinux
RHEL 7: /etc/selinux/config

Setting SELinux Mode
At boot time via Grub edit menu - 
grub directives (kernel parameters)
These override /etc/selinux/config settings!
selinux=0      <== disables selinux completely 
enforcing=0  <== sets permissive mode
enforcing=1  <== set enforcing mode
===================================================
Demo Script Setting SELinux Mode:
getenforce
setenforce permissive (case insensitive P)
getenforce
setenforce 1
getenforce

Default SELinux Settings:
ls -l /etc/sysconfig/selinux <= display symbolic link
vim /etc/sysconfig/selinux (link to /etc/selinux/config)
=> go over settings <=
=> reboot required  <=

SELINUXTYPE=
targeted     <=default
minimum        <=selected processes
mls            <=MCS/MLS Multi-Level Security

Grub linux16 line:
grub directives (kernel parameters)
These override /etc/selinux/config settings!
vim /boot/grub2/grub.cfg

linux16 line:
selinux=0   <== disables selinux completely (not wise)
enforcing=0 <== sets permissive mode
enforcing=1 <== set enforcing mode

Make persistent in grub:
/etc/default/grub and add selinux=0 to command line.
grub2-mkconfig > /boot/grub2/grub.cfg
=====================================================

Setting SELinux Context

Default context (file creation) 

Copying versus Moving (Always copy!)

chcon (temporary, not persistent)
Friends don't let friends use chcon

restorecon – Apply default context
Restores the default SELinux context of a file
Looks up the database of rules and finds the correct context for that directory or file
=====================================================
Demo Script Setting SELinux Context
Default context
touch /var/www/html/page1.html
ls -lZ /var/www/html/page1.html

touch /tmp/file1 /tmp/file2
ls -Zl /tmp/file?    <= user_tmp_t
mv /tmp/file1 /var/www/html
cp /tmp/file2 /var/www/html
ls -Zl /var/www/html/file?

=> file1, moved, is still user_tmp_t

mkdir /virtual1
ls -ldZ /virtual1  <= default_t
chcon -t httpd_sys_content_t /virtual1
ls -ldZ /virtual1  <= httpd_sys_content_t
restorecon -v /virtual1
ls -ldZ /virtual1  <= default_t
=====================================================
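The mv-versus-cp demo above shows why a file's type matters more than its name or location. As an added example (not part of Clint's scripts), this sh function scans an "ls -Z" style listing of a web root and reports every entry whose type is not the one expected; the listing is constructed here to match the demo (file1 moved from /tmp and still user_tmp_t):

```shell
#!/bin/sh
# Added example, not from the presentation. SAMPLE_LISTING is constructed to
# look like "ls -Z /var/www/html" on RHEL 7 after the mv/cp demo.
SAMPLE_LISTING='unconfined_u:object_r:httpd_sys_content_t:s0 index.html
unconfined_u:object_r:user_tmp_t:s0 file1
unconfined_u:object_r:httpd_sys_content_t:s0 file2
unconfined_u:object_r:httpd_sys_content_t:s0 page1.html'

# Third field of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print "<name> <type>" for every entry whose type field differs from $2.
# $1 is the text of an "ls -Z" listing (context first, then the file name).
find_mislabelled() {
    listing=$1
    expected=$2
    printf '%s\n' "$listing" | while read -r ctx name; do
        [ -n "$name" ] || continue
        ftype=$(ctx_type "$ctx")
        [ "$ftype" = "$expected" ] || printf '%s %s\n' "$name" "$ftype"
    done
}

# Count of mislabelled entries, for a quick pass/fail in a cron job or script.
mislabel_count() {
    find_mislabelled "$1" "$2" | wc -l | tr -d ' '
}

# On a real host: find_mislabelled "$(ls -Z /var/www/html)" httpd_sys_content_t
find_mislabelled "$SAMPLE_LISTING" httpd_sys_content_t
```

On a live system restorecon -nRv /var/www/html does the same check against the policy database without changing anything, and dropping -n fixes what it reports.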

Using SELinux Policies

semanage fcontext command 

recursion operator (matches the directory and everything under it): (/.*)?

view/list:  semanage fcontext -l | grep '/var/www(/.*)?'

create policy:
semanage fcontext -a -t httpd_sys_content_t '/directory(/.*)?'

apply to directory/files: (policy is not applied by default!)
restorecon -RFvv /directory
=====================================================
Demo Creating SELinux Policy
view/list:  semanage fcontext -l | grep '/var/www(/.*)?'
create policy:

semanage fcontext -a -t httpd_sys_content_t '/virtual1(/.*)?'
mkdir /virtual1/html
touch /virtual1/html/index.html
ls -Zl /virtual1/html/    <=note policy has not been applied!
restorecon -RFvv /virtual1
ls -lZ /virtual1/html
touch /virtual1/html/page2.html
ls -lZ /virtual1/html   <=policy is now applied
touch /virtual1/html/page1.html
ls -lZ /virtual1/html   <=policy is now applied by default
restorecon -RFvv /virtual1
=====================================================

Using SELinux Booleans
Switches turn groups of rules on or off
getsebool -a | grep [service]
setsebool boolean_name (from list) on 
setsebool httpd_enable_homedirs on (current session only)
setsebool -P httpd_enable_homedirs on (persistent)
View: semanage boolean -l | grep boolean_name
Changed: semanage boolean -l -C
=====================================================
Demo Script Booleans
getsebool -a | grep httpd
getsebool httpd_enable_homedirs <= View: is off
setsebool httpd_enable_homedirs on (current session only)
getsebool httpd_enable_homedirs <= View: is on
View policy status: semanage boolean -l | grep httpd_enable_homedirs
current is on, default is off
setsebool -P httpd_enable_homedirs on (persistent)
View policy status: semanage boolean -l | grep httpd_enable_homedirs
current is on, default is now on

Changed: semanage boolean -l -C

Notes:
create public_html folder in users home directory
chmod 711 ~/public_html as user
=====================================================

SELinux – Troubleshooting

setenforce 0 – toggle enforcing off
Verify that SELinux is preventing access! 

ls -lZ on file location – view permissions and context

restorecon -v /path/to/file (set default context)

setroubleshoot-server – turns AVC denials into sealert messages

Logs:  /var/log/audit/audit.log (raw message)
       /var/log/messages | grep sealert (list/view alerts)

sealert -l UUID (UUID from message log) – Read & Analyze

setroubleshoot-server

yum info setroubleshoot-server  <= verify installed
Generates sealert messages in /var/log/messages

Raw message: /var/log/audit/audit.log

Sealert message: /var/log/messages 

cat /var/log/messages |grep sealert
copy "sealert -l UUID" from /var/log/message file
paste to command line
analyze report (same as found in SELinux Troubleshooter detail window on Desktop.) Determine steps to fix.
=====================================================
Demo Script Troubleshooting
yum info setroubleshoot-server
mv /root/file3 /var/www/html
curl http://localhost/file3
AVC message is generated (violation recorded)
/var/log/audit/audit.log is updated
/var/log/messages SEALERT message is added for violation 
View Applications | Sundry | SELinux Troubleshooter
Review Details Window
Command line
tail -n 10 /var/log/audit/audit.log <= type=AVC avc:denied
cat /var/log/messages | grep sealert
copy "sealert -l UUID"
paste to command line
Analyse report (same as found in SELinux Troubleshooter detail window)
=====================================================
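When setroubleshoot is not installed, or when reviewing logs shipped off a box, the raw AVC lines in audit.log are enough to tell what was denied and whether SELinux actually blocked it. This added example (not part of Clint's scripts) summarises such lines in sh; the sample lines are constructed to resemble what the file3 demo above produces, with made-up pid, inode and timestamp values, and admin_home_t assumed as the label the file kept when moved out of /root:

```shell
#!/bin/sh
# Added example, not from the presentation. SAMPLE_AUDIT is constructed.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1468963200.101:455): arch=c000003e syscall=4 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1468963200.101:455): avc:  denied  { getattr } for  pid=2233 comm="httpd" path="/var/www/html/file3" dev="dm-0" ino=9901 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1468963200.102:456): avc:  denied  { read } for  pid=2233 comm="httpd" name="file3" dev="dm-0" ino=9901 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0'

# Value of " key=value" or " key="value"" in an audit line (empty if absent).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# Third field of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# One line per denial:
#   <source type> denied <perms> on <class> <object> labelled <target type> (enforcing|permissive)
# permissive=1 means the access was logged but allowed, so it is not the
# cause of a failure seen on the box.
summarize_avc() {
    printf '%s\n' "$1" | grep 'type=AVC' | grep 'avc:  denied' | while IFS= read -r line; do
        perms=$(printf '%s\n' "$line" | sed -n 's/.*denied  { \(.*\) } for.*/\1/p')
        src=$(ctx_type "$(avc_field "$line" scontext)")
        tgt=$(ctx_type "$(avc_field "$line" tcontext)")
        obj=$(avc_field "$line" path)
        [ -n "$obj" ] || obj=$(avc_field "$line" name)
        if [ "$(avc_field "$line" permissive)" = "1" ]; then mode=permissive; else mode=enforcing; fi
        printf '%s denied %s on %s %s labelled %s (%s)\n' \
            "$src" "$perms" "$(avc_field "$line" tclass)" "$obj" "$tgt" "$mode"
    done
}

# Number of denials, for a quick "is SELinux the culprit?" check.
count_denials() {
    summarize_avc "$1" | wc -l | tr -d ' '
}

# On a real host: summarize_avc "$(tail -n 50 /var/log/audit/audit.log)"
summarize_avc "$SAMPLE_AUDIT"
```

A denial where the target type is a home or tmp type under a web path is the mv case from the context demo, and restorecon -v on the object is the fix rather than setenforce 0.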

Resources

Security-Enhanced Linux - Wikipedia, the Free Encyclopedia
https://en.wikipedia.org/wiki/Security-Enhanced_Linux

SELinux Wiki
http://selinuxproject.org/page/Main_Page

Your visual how-to guide for SELinux policy enforcement
https://opensource.com/business/13/11/selinux-policy-guide

14.04 - SELinux Implementation in Ubuntu
http://askubuntu.com/questions/481293/selinux-implementation-in-ubuntu

Books

Free:

The SELinux Notebook – Richard Haines, 4th Ed. (2014)
http://freecomputerbooks.com/books/The_SELinux_Notebook-4th_Edition.pdf

Red Hat Enterprise Linux 7 SELinux User's and Administrator's Guide
https://access.redhat.com/documentation/en/red-hat-enterprise-linux/
Select RHEL 7 and scroll down.

Questions?

Next month, we are planning on showing both Ubuntu's Firewall Builder and Firewalld. Hope to see you all next month.