
Discussion:SELinux/03 Targeted Policy

From Foxwiki

SELinux/03 Targeted Policy

Description

Targeted policy is the default SELinux policy used in Red Hat Enterprise Linux

  • When using targeted policy, processes that are targeted run in a confined domain, and processes that are not targeted run in an unconfined domain

  • For example, by default, logged-in users run in the unconfined_t domain, and system processes started by init run in the unconfined_service_t domain; both of these domains are unconfined

Executable and writable memory checks may apply to both confined and unconfined domains

  • However, by default, subjects running in an unconfined domain can allocate writable memory and execute it
  • These memory checks can be enabled by setting Booleans, which allow the SELinux policy to be modified at runtime
  • Boolean configuration is discussed later

Confined Processes

Almost every service that listens on a network, such as sshd or httpd, is confined in Red Hat Enterprise Linux

  • Also, most processes that run as the root user and perform tasks for users, such as the passwd utility, are confined
  • When a process is confined, it runs in its own domain, such as the httpd process running in the httpd_t domain
  • If a confined process is compromised by an attacker, depending on SELinux policy configuration, an attacker's access to resources and the possible damage they can do is limited

Complete this procedure to ensure that SELinux is enabled and the system is prepared to perform the following example:

Procedure 3.1. How to Verify SELinux Status

  1. Confirm that SELinux is enabled, is running in enforcing mode, and that targeted policy is being used

The correct output should look similar to the output below:

$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 30

See Section 4.4, “Permanent Changes in SELinux States and Modes” for detailed information about changing SELinux modes

  2. As root, create a file in the /var/www/html/ directory:
# touch /var/www/html/testfile
  3. Enter the following command to view the SELinux context of the newly created file:
$ ls -Z /var/www/html/testfile
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/testfile
By default, Linux users run unconfined in Red Hat Enterprise Linux, which is why the testfile file is labeled with the SELinux unconfined_u user
  • RBAC is used for processes, not files
  • Roles do not have a meaning for files; the object_r role is a generic role used for files (on persistent storage and network file systems)
  • Under the /proc directory, files related to processes may use the system_r role
  • The httpd_sys_content_t type allows the httpd process to access this file
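The status check at the start of Procedure 3.1 as a function a test script can run before anything else. This is an added example, not part of the original page: it reads sestatus output from stdin (so it can be exercised against captured text) and succeeds only when the three conditions the procedure names hold. The sample listing is constructed from the sestatus output above; on a live host pipe sestatus into it.

```shell
# Added example (not from the original page): the preflight from Procedure 3.1
# as a function. It reads sestatus output from stdin so it can be run against
# captured text; on a live host use:  sestatus | selinux_ready
selinux_ready() {
    awk -F': *' '
        # sestatus prints "Key:    value" lines; -F splits on the colon
        $1 == "SELinux status"     { status = $2 }
        $1 == "Current mode"       { mode = $2 }
        $1 == "Loaded policy name" { policy = $2 }
        END {
            rc = 0
            if (status != "enabled") {
                print "SELinux is " (status == "" ? "not reported" : status); rc = 1
            }
            if (mode != "enforcing") {
                # permissive only logs denials; the 403 in Procedure 3.2 would not occur
                print "mode is " (mode == "" ? "unknown" : mode) " (need enforcing; setenforce 1 for this session)"; rc = 1
            }
            if (policy != "targeted") {
                print "policy is " (policy == "" ? "unknown" : policy) " (need targeted)"; rc = 1
            }
            if (rc == 0) print "ok: enabled, enforcing, targeted"
            exit rc
        }'
}

# Constructed sample: the sestatus listing above, with sestatus' usual padding.
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      30'

printf '%s\n' "$SAMPLE_SESTATUS" | selinux_ready
```

The function exits non-zero on any mismatch, so `sestatus | selinux_ready || exit 1` at the top of a script aborts the run before a permissive-mode host produces a misleading 200 OK in Procedure 3.2.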

The following example demonstrates how SELinux prevents the Apache HTTP Server (httpd) from reading files that are not correctly labeled, such as files intended for use by Samba

  • This is an example, and should not be used in production
  • It assumes that the httpd and wget packages are installed, the SELinux targeted policy is used, and that SELinux is running in enforcing mode

Procedure 3.2. An Example of Confined Process

  1. As root, start the httpd daemon:
# systemctl start httpd.service
Confirm that the service is running
  • The output should include the information below (only the time stamp will differ):
$ systemctl status httpd.service
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
Active: active (running) since Mon 2013-08-05 14:00:55 CEST; 8s ago
  2. Change into a directory where your Linux user has write access, and enter the following command
  • Unless there are changes to the default configuration, this command succeeds:
$ wget http://localhost/testfile
--2009-11-06 17:43:01-- http://localhost/testfile
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/plain]
Saving to: `testfile'

[ <=> ] 0 --.-K/s in 0s

2009-11-06 17:43:01 (0.00 B/s) - `testfile' saved [0/0]
  3. The chcon command relabels files; however, such label changes do not survive when the file system is relabeled
  • For permanent changes that survive a file system relabel, use the semanage utility, which is discussed later
  • As root, enter the following command to change the type to a type used by Samba:
# chcon -t samba_share_t /var/www/html/testfile
Enter the following command to view the changes:
$ ls -Z /var/www/html/testfile
-rw-r--r-- root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/testfile
  4. Note that the current DAC permissions still allow the httpd process access to testfile
  • Change into a directory where your user has write access, and enter the following command
  • Unless there are changes to the default configuration, this command fails:
$ wget http://localhost/testfile
--2009-11-06 14:11:23-- http://localhost/testfile
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2009-11-06 14:11:23 ERROR 403: Forbidden
  5. As root, remove testfile:
# rm -i /var/www/html/testfile
  6. If you do not require httpd to be running, as root, enter the following command to stop it:
# systemctl stop httpd.service

This example demonstrates the additional security added by SELinux

  • Although DAC rules allowed the httpd process access to testfile in step 2, because the file was labeled with a type that the httpd process does not have access to, SELinux denied access

If the auditd daemon is running, an error similar to the following is logged to /var/log/audit/audit.log:

type=AVC msg=audit(1220706212.937:70): avc: denied { getattr } for pid=1904 comm="httpd" path="/var/www/html/testfile" dev=sda5 ino=247576 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1220706212.937:70): arch=40000003 syscall=196 success=no exit=-13 a0=b9e21da0 a1=bf9581dc a2=555ff4 a3=2008171 items=0 ppid=1902 pid=1904 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Also, an error similar to the following is logged to /var/log/httpd/error_log:

[Wed May 06 23:00:54 2009] [error] [client 127.0.0.1] (13)Permission denied: access to /testfile denied
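Reading the AVC record by hand means picking scontext, tcontext, tclass and the permission out of a long line. The following is an added example, not part of the original page: it reduces each AVC record on stdin to that tuple and ignores the SYSCALL record, then suggests the first triage step. The sample input is the two audit.log lines quoted above; the restorecon dry run and the sesearch query are the checks a practitioner runs next (sesearch ships in setools-console, like seinfo).

```shell
# Added example (not from the original page): read the AVC records the
# text shows from audit.log and reduce each to the tuple a triage needs,
#   source_type target_type class permissions path
# SYSCALL records (and anything else) are ignored.
avc_summary() {
    awk '
        /^type=AVC / {
            s = ""; t = ""; c = ""; path = "-"; perms = ""
            # the denied permissions sit between "denied {" and the first "}"
            i1 = index($0, "denied {"); i2 = index($0, "}")
            if (i1 > 0 && i2 > i1) {
                perms = substr($0, i1 + 8, i2 - i1 - 8)
                gsub(/^ +| +$/, "", perms)   # trim
                gsub(/ +/, ",", perms)       # "read write" -> "read,write"
            }
            # the rest is key=value tokens; keep the four we need, drop quotes
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                k = substr($i, 1, n - 1); v = substr($i, n + 1)
                gsub(/"/, "", v)
                if (k == "scontext")      s = v
                else if (k == "tcontext") t = v
                else if (k == "tclass")   c = v
                else if (k == "path")     path = v
            }
            # a context is user:role:type[:range]; the type is the third field
            split(s, sp, ":"); split(t, tp, ":")
            printf "%s %s %s %s %s\n", sp[3], tp[3], c, perms, path
        }'
}

# triage_hint SOURCE_TYPE TARGET_TYPE CLASS PATH
# For a file-like class with a known path, the first question is whether the
# label merely drifted from the file-context default (as chcon did above):
# restorecon -n -v reports what would change without touching anything.
# Otherwise print the policy query (sesearch, from setools-console) that lists
# what the source domain is actually allowed on that target.
triage_hint() {
    case "$3" in
        file|dir|lnk_file|sock_file|fifo_file|chr_file|blk_file)
            if [ "$4" != "-" ]; then
                printf 'restorecon -n -v %s\n' "$4"
                return 0
            fi ;;
    esac
    printf 'sesearch -A -s %s -t %s -c %s\n' "$1" "$2" "$3"
}

# Constructed input: the two records quoted from audit.log above.
SAMPLE_LOG='type=AVC msg=audit(1220706212.937:70): avc: denied { getattr } for pid=1904 comm="httpd" path="/var/www/html/testfile" dev=sda5 ino=247576 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1220706212.937:70): arch=40000003 syscall=196 success=no exit=-13 a0=b9e21da0 a1=bf9581dc a2=555ff4 a3=2008171 items=0 ppid=1902 pid=1904 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)'

printf '%s\n' "$SAMPLE_LOG" | avc_summary | while read -r s t c p path; do
    printf '%s -> %s (%s): denied %s\n' "$s" "$t" "$c" "$p"
    triage_hint "$s" "$t" "$c" "$path"
done
```

On a live host the same pipeline reads the real log, for example `ausearch -m AVC -ts recent | avc_summary`. For the denial above it yields `httpd_t samba_share_t file getattr /var/www/html/testfile`, and the dry-run restorecon shows that the file's default type is httpd_sys_content_t, which is exactly the label chcon replaced.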

Unconfined Processes

Unconfined processes run in unconfined domains, for example, unconfined services executed by init end up running in the unconfined_service_t domain, unconfined services executed by kernel end up running in the kernel_t domain, and unconfined services executed by unconfined Linux users end up running in the unconfined_t domain

  • For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running in unconfined domains almost all access
  • Processes running in unconfined domains fall back to using DAC rules exclusively
  • If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but of course, DAC rules are still used
  • SELinux is a security enhancement on top of DAC rules – it does not replace them

To ensure that SELinux is enabled and the system is prepared to perform the following example, complete the Procedure 3.1, “How to Verify SELinux Status” described in Section 3.1, “Confined Processes”

The following example demonstrates how the Apache HTTP Server (httpd) can access data intended for use by Samba, when running unconfined

  • Note that in Red Hat Enterprise Linux, the httpd process runs in the confined httpd_t domain by default
  • This is an example, and should not be used in production
  • It assumes that the httpd, wget, dbus and audit packages are installed, that the SELinux targeted policy is used, and that SELinux is running in enforcing mode

Procedure 3.3. An Example of Unconfined Process

  1. The chcon command relabels files; however, such label changes do not survive when the file system is relabeled
  • For permanent changes that survive a file system relabel, use the semanage utility, which is discussed later
  • As the root user, enter the following command to change the type to a type used by Samba (if testfile was removed at the end of Procedure 3.2, recreate it first with touch /var/www/html/testfile):
# chcon -t samba_share_t /var/www/html/testfile
View the changes:
$ ls -Z /var/www/html/testfile
-rw-r--r-- root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/testfile
  2. Enter the following command to confirm that the httpd process is not running:
$ systemctl status httpd.service
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
Active: inactive (dead)
If the output differs, enter the following command as root to stop the httpd process:
# systemctl stop httpd.service
  3. To make the httpd process run unconfined, enter the following command as root to change the type of the /usr/sbin/httpd file to a type that does not transition to a confined domain:
# chcon -t bin_t /usr/sbin/httpd
  4. Confirm that /usr/sbin/httpd is labeled with the bin_t type:
$ ls -Z /usr/sbin/httpd
-rwxr-xr-x root root system_u:object_r:bin_t:s0 /usr/sbin/httpd
  5. As root, start the httpd process and confirm that it started successfully:
# systemctl start httpd.service
# systemctl status httpd.service
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
Active: active (running) since Thu 2013-08-15 11:17:01 CEST; 5s ago
  6. Enter the following command to view httpd running in the unconfined_service_t domain:
$ ps -eZ | grep httpd
system_u:system_r:unconfined_service_t:s0 11884 ? 00:00:00 httpd
system_u:system_r:unconfined_service_t:s0 11885 ? 00:00:00 httpd
system_u:system_r:unconfined_service_t:s0 11886 ? 00:00:00 httpd
system_u:system_r:unconfined_service_t:s0 11887 ? 00:00:00 httpd
system_u:system_r:unconfined_service_t:s0 11888 ? 00:00:00 httpd
system_u:system_r:unconfined_service_t:s0 11889 ? 00:00:00 httpd
  7. Change into a directory where your Linux user has write access, and enter the following command
  • Unless there are changes to the default configuration, this command succeeds:
$ wget http://localhost/testfile
--2009-05-07 01:41:10-- http://localhost/testfile
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/plain]
Saving to: `testfile'

[ <=> ] 0 --.-K/s in 0s

2009-05-07 01:41:10 (0.00 B/s) - `testfile' saved [0/0]

Although the httpd_t policy does not grant access to files labeled with the samba_share_t type, httpd is now running in the unconfined unconfined_service_t domain and falls back to DAC rules, so the wget command succeeds

  • Had httpd been running in the confined httpd_t domain, the wget command would have failed
  8. The restorecon utility restores the default SELinux context for files
  • As root, enter the following command to restore the default SELinux context for /usr/sbin/httpd:
# restorecon -v /usr/sbin/httpd
restorecon reset /usr/sbin/httpd context system_u:object_r:bin_t:s0->system_u:object_r:httpd_exec_t:s0
Confirm that /usr/sbin/httpd is labeled with the httpd_exec_t type:
$ ls -Z /usr/sbin/httpd
-rwxr-xr-x root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
  9. As root, enter the following command to restart httpd
  • After restarting, confirm that httpd is running in the confined httpd_t domain:
# systemctl restart httpd.service
$ ps -eZ | grep httpd
system_u:system_r:httpd_t:s0 8883 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0 8884 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0 8885 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0 8886 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0 8887 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0 8888 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0 8889 ? 00:00:00 httpd
  10. As root, remove testfile:
# rm -i /var/www/html/testfile
rm: remove regular empty file `/var/www/html/testfile'? y
  11. If you do not require httpd to be running, as root, enter the following command to stop httpd:
# systemctl stop httpd.service

The examples in these sections demonstrate how data can be protected from a compromised confined process (protected by SELinux), and how data is more accessible to an attacker from a compromised unconfined process (not protected by SELinux)
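Both procedures end with a visual check of `ps -eZ`. The following is an added example, not part of the original page: two checks over a ps -eZ listing read from stdin, one listing every process in the unconfined domains the text names (unconfined_t, unconfined_service_t, kernel_t), and one asserting that a given daemon runs in its confined domain, which is the condition step 9 of Procedure 3.3 verifies by eye. The sample listing is constructed after the page's own ps output and deliberately contains one httpd worker in unconfined_service_t.

```shell
# Added example (not from the original page): checks over `ps -eZ` output
# that turn the two procedures' manual inspection into a test. Both read the
# ps listing from stdin; the sample below is constructed after the page's own
# ps output and mixes confined and unconfined processes.

# unconfined_procs: print "pid command type" for every process whose domain
# is one of the unconfined domains the text names. Kernel threads and user
# shells are expected here; a network daemon in this list is the finding.
unconfined_procs() {
    awk '
        $1 == "LABEL" { next }                 # ps -eZ header
        {
            split($1, ctx, ":")               # user:role:type:range
            type = ctx[3]
            if (type == "unconfined_t" || type == "unconfined_service_t" || type == "kernel_t")
                printf "%s %s %s\n", $2, $NF, type   # CMD is taken as the last field
        }'
}

# expect_domain COMMAND TYPE: succeed only if every COMMAND process runs in
# TYPE; otherwise print the offenders as "pid command type" and fail.
# This is the assertion behind "confirm that httpd is running in httpd_t".
expect_domain() {
    offenders=$(awk -v comm="$1" -v want="$2" '
        $1 == "LABEL" { next }
        $NF == comm {
            split($1, ctx, ":")
            if (ctx[3] != want) printf "%s %s %s\n", $2, $NF, ctx[3]
        }')
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Constructed sample listing (not captured from a real host).
SAMPLE_PS='LABEL                                             PID TTY          TIME CMD
system_u:system_r:init_t:s0                           1 ?        00:00:01 systemd
system_u:system_r:kernel_t:s0                         2 ?        00:00:00 kthreadd
system_u:system_r:sshd_t:s0-s0:c0.c1023             812 ?        00:00:00 sshd
system_u:system_r:unconfined_service_t:s0         11884 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0                       8883 ?        00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1500 pts/0 00:00:00 bash'

printf '%s\n' "$SAMPLE_PS" | unconfined_procs
# one httpd worker is in unconfined_service_t (the chcon -t bin_t state), so this fails:
printf '%s\n' "$SAMPLE_PS" | expect_domain httpd httpd_t || echo "httpd is not fully confined"
```

On a live host run `ps -eZ | expect_domain httpd httpd_t` after step 9 of Procedure 3.3; a non-zero exit means at least one worker still runs outside httpd_t, which is exactly the state the chcon -t bin_t step produced.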

Confined and Unconfined Users

Each Linux user is mapped to an SELinux user using SELinux policy

  • This allows Linux users to inherit the restrictions on SELinux users
  • This Linux user mapping is seen by running the semanage login -l command as root:
# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

In Red Hat Enterprise Linux, Linux users are mapped to the SELinux __default__ login by default, which is mapped to the SELinux unconfined_u user

  • The following line defines the default mapping:
__default__ unconfined_u s0-s0:c0.c1023

The following procedure demonstrates how to add a new Linux user to the system and how to map that user to the SELinux unconfined_u user

  • It assumes that the root user is running unconfined, as it does by default in Red Hat Enterprise Linux:

Procedure 3.4. Mapping a New Linux User to the SELinux unconfined_u User

  1. As root, enter the following command to create a new Linux user named newuser:
# useradd newuser
  2. To assign a password to the Linux newuser user, enter the following command as root:
# passwd newuser
Changing password for user newuser.
New UNIX password: Enter a password
Retype new UNIX password: Enter the same password again
passwd: all authentication tokens updated successfully.
  3. Log out of your current session, and log in as the Linux newuser user
  • When you log in, the pam_selinux PAM module automatically maps the Linux user to an SELinux user (in this case, unconfined_u), and sets up the resulting SELinux context
  • The Linux user's shell is then launched with this context
  • Enter the following command to view the context of a Linux user:
[newuser@localhost ~]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Note
If you no longer need the newuser user on your system, log out of the Linux newuser's session, log in with your account, and run the userdel -r newuser command as root
  • It will remove newuser along with their home directory

Confined and unconfined Linux users are subject to executable and writable memory checks, and are also restricted by MCS or MLS

To list the available SELinux users, enter the following command:

$ seinfo -u
Users: 8
   sysadm_u
   system_u
   xguest_u
   root
   guest_u
   staff_u
   user_u
   unconfined_u

Note that the seinfo command is provided by the setools-console package, which is not installed by default

If an unconfined Linux user executes an application that SELinux policy defines as one that can transition from the unconfined_t domain to its own confined domain, the unconfined Linux user is still subject to the restrictions of that confined domain

  • The security benefit of this is that, even though a Linux user is running unconfined, the application remains confined
  • Therefore, the exploitation of a flaw in the application can be limited by the policy

Similarly, we can apply these checks to confined users

  • Each confined Linux user is restricted by a confined user domain
  • The SELinux policy can also define a transition from a confined user domain to its own target confined domain
  • In such a case, confined Linux users are subject to the restrictions of that target confined domain
  • The main point is that special privileges are associated with the confined users according to their role
  • In the table below, you can see examples of basic confined domains for Linux users in Red Hat Enterprise Linux:

Table 3.1. SELinux User Capabilities

User       Role       Domain     X Window System   su or sudo    Execute in home directory and /tmp (default)   Networking
sysadm_u   sysadm_r   sysadm_t   yes               su and sudo   yes                                            yes
staff_u    staff_r    staff_t    yes               only sudo     yes                                            yes
user_u     user_r     user_t     yes               no            yes                                            yes
guest_u    guest_r    guest_t    no                no            yes                                            no
xguest_u   xguest_r   xguest_t   yes               no            yes                                            Firefox only

  • Linux users in the user_t, guest_t, and xguest_t domains can only run set user ID (setuid) applications if SELinux policy permits it (for example, passwd)
  • These users cannot run the su and sudo setuid applications, and therefore cannot use these applications to become root
  • Linux users in the sysadm_t, staff_t, user_t, and xguest_t domains can log in using the X Window System and a terminal
  • By default, Linux users in the staff_t, user_t, guest_t, and xguest_t domains can execute applications in their home directories and /tmp
  • To prevent them from executing applications, which inherit the users' permissions, in directories they have write access to, set the guest_exec_content and xguest_exec_content Booleans to off
  • This helps prevent flawed or malicious applications from modifying users' files
  • See Section 6.6, “Booleans for Users Executing Applications” for information about allowing and preventing users from executing applications in their home directories and /tmp
  • The only network access Linux users in the xguest_t domain have is Firefox connecting to web pages

Note that system_u is a special user identity for system processes and objects

  • It must never be associated to a Linux user
  • Also, unconfined_u and root are unconfined users
  • For these reasons, they are not included in the aforementioned table of SELinux user capabilities

Alongside the already mentioned SELinux users, there are special roles that can be mapped to those users

  • These roles determine what SELinux allows the user to do:
  • webadm_r can only administrate SELinux types related to the Apache HTTP Server; see Section 13.2, “Types” for further information
  • dbadm_r can only administrate SELinux types related to the MariaDB database and the PostgreSQL database management system; see Section 20.2, “Types” and Section 21.2, “Types” for further information
  • logadm_r can only administrate SELinux types related to the syslog and auditlog processes
  • secadm_r can only administrate SELinux
  • auditadm_r can only administrate processes related to the audit subsystem

To list all available roles, enter the following command:

$ seinfo -r

As mentioned before, the seinfo command is provided by the setools-console package, which is not installed by default

The sudo Transition and SELinux Roles

In certain cases, confined users need to perform an administrative task that requires root privileges

  • To do so, such a confined user has to gain a confined administrator SELinux role using the sudo command
  • The sudo command is used to give trusted users administrative access
  • When users precede an administrative command with sudo, they are prompted for their own password
  • Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the root user

As shown in Table 3.1, “SELinux User Capabilities”, only the staff_u and sysadm_u SELinux confined users are permitted to use sudo by default

  • When such users execute a command with sudo, their role can be changed based on the rules specified in the /etc/sudoers configuration file or in a respective file in the /etc/sudoers.d/ directory if such a file exists

For more information about sudo, see the Gaining Privileges section in the Red Hat Enterprise Linux 7 System Administrator's Guide

Procedure 3.5. Configuring the sudo Transition

This procedure shows how to set up sudo to transition a newly-created SELinux_user_u confined user from a default_role_r to an administrator_r administrator role

Note
To configure a confined administrator role for an already existing SELinux user, skip the first two steps
  1. Create a new SELinux user and specify the default SELinux role and a supplementary confined administrator role for this user:
# semanage user -a -r s0-s0:c0.c1023 -R "default_role_r administrator_r" SELinux_user_u
  2. Set up the default SELinux policy context file
  • For example, to have the same SELinux rules as the staff_u SELinux user, copy the staff_u context file:
# cp /etc/selinux/targeted/contexts/users/staff_u /etc/selinux/targeted/contexts/users/SELinux_user_u
  3. Map the newly-created SELinux user to an existing Linux user:
# semanage login -a -s SELinux_user_u -rs0:c0.c1023 linux_user
  4. Create a new configuration file with the same name as your Linux user in the /etc/sudoers.d/ directory and add the following line to it (sudo ignores files in this directory whose names contain a '.' or end in '~'):
# echo "linux_user ALL=(ALL) TYPE=administrator_t ROLE=administrator_r /bin/bash" > /etc/sudoers.d/linux_user
  5. Use the restorecon utility to relabel the linux_user home directory:
# restorecon -FR -v /home/linux_user
  6. Log in to the system as the newly-created Linux user and check that the user is labeled with the default SELinux role:
$ id -Z
SELinux_user_u:default_role_r:SELinux_user_t:s0:c0.c1023
  7. Run sudo to change the user's SELinux context to the supplementary SELinux role as specified in /etc/sudoers.d/linux_user
  • The -i option makes sudo start an interactive login shell:
$ sudo -i
# id -Z
SELinux_user_u:administrator_r:administrator_t:s0:c0.c1023

To better understand the placeholders, such as default_role_r or administrator_r, see the following example

Example 3.1. Configuring the sudo Transition

This example creates a new SELinux user confined_u with the default role staff_r, and configures sudo to change the role of confined_u from staff_r to webadm_r

Enter all the following commands as the root user in the sysadm_r or unconfined_r role

# semanage user -a -r s0-s0:c0.c1023 -R "staff_r webadm_r" confined_u
# cp /etc/selinux/targeted/contexts/users/staff_u /etc/selinux/targeted/contexts/users/confined_u
# semanage login -a -s confined_u -rs0:c0.c1023 linux_user
# restorecon -FR -v /home/linux_user
# echo "linux_user ALL=(ALL) ROLE=webadm_r TYPE=webadm_t /bin/bash" > /etc/sudoers.d/linux_user

Log in to the system as the newly-created Linux user, check that the user is labeled with the default SELinux role, then use sudo to switch to webadm_r:

$ id -Z
confined_u:staff_r:staff_t:s0:c0.c1023
$ sudo -i
# id -Z
confined_u:webadm_r:webadm_t:s0:c0.c1023
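The echo-into-sudoers.d step in Procedure 3.5 and Example 3.1 is the one that silently fails when the file name or the rule is wrong. The following is an added example, not part of the original page: a function that writes the same rule with the checks worth doing first. The sudoers.d directory is a parameter so the function can be exercised against a scratch directory; linux_user, webadm_r and webadm_t are the page's own names, everything else is the caller's choice.

```shell
# Added example (not from the original page): write the sudoers.d rule from
# Procedure 3.5 / Example 3.1 with the checks worth doing before a file lands
# in /etc/sudoers.d. The directory is a parameter so the function can be
# exercised against a scratch directory; user, role and type are whatever
# the caller passes (linux_user / webadm_r / webadm_t below are the page's).
write_sudo_transition() {
    user=$1 role=$2 type=$3 dir=$4
    # sudoers(5): files in sudoers.d whose name contains '.' or ends in '~'
    # are skipped, so a rule for "web.admin" would be silently ignored
    case "$user" in
        *.*|*~) echo "refusing: '$user' is not usable as a sudoers.d file name" >&2; return 2 ;;
    esac
    # roles end in _r, types in _t; swapping them yields a rule sudo rejects
    case "$role" in *_r) ;; *) echo "refusing: role '$role' does not end in _r" >&2; return 2 ;; esac
    case "$type" in *_t) ;; *) echo "refusing: type '$type' does not end in _t" >&2; return 2 ;; esac

    rule="$user ALL=(ALL) ROLE=$role TYPE=$type /bin/bash"
    # build under a dotted temp name (which sudo ignores), set the 0440 mode
    # sudo expects, then rename into place so the rule appears atomically
    tmp=$(mktemp "$dir/.tmp.XXXXXX") || return 1
    printf '%s\n' "$rule" > "$tmp"
    chmod 0440 "$tmp" && mv "$tmp" "$dir/$user" || { rm -f "$tmp"; return 1; }
}

# Demo against a scratch directory; on the real host pass /etc/sudoers.d and
# then run: visudo -c -f /etc/sudoers.d/linux_user
demo_dir=$(mktemp -d)
write_sudo_transition linux_user webadm_r webadm_t "$demo_dir" && cat "$demo_dir/linux_user"
rm -rf "$demo_dir"
```

On the target host the file must additionally be owned by root, and `visudo -c -f /etc/sudoers.d/linux_user` should be run before the user logs out of the session that still has administrative access: a syntax error in a sudoers.d file breaks sudo for everyone, and ROLE=/TYPE= are only understood by a sudo built with SELinux support.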