
Discussion:SELinux/06 Confining Users

From Foxwiki

Chapter 6. Confining Users

On a Linux system running SELinux, Linux users are mapped to the SELinux unconfined_u user by default. All processes run by unconfined_u are in the unconfined_t domain, so such users are restricted only by the standard Linux DAC policy. However, a number of confined SELinux users are available in Red Hat Enterprise Linux, which allows users to be restricted to a limited set of capabilities. Each Linux user is mapped to an SELinux user by SELinux policy, so Linux users inherit the restrictions placed on their SELinux user, for example (depending on the user), not being able to:

  • run the X Window System
  • use networking
  • run setuid applications (unless SELinux policy permits it)
  • or run the su and sudo commands.


For example, processes run by the SELinux user_u user are in the user_t domain. Such processes can connect to the network, but cannot run the su or sudo commands. This helps protect the system from the user. See Section 3.3, “Confined and Unconfined Users”, Table 3.1, “SELinux User Capabilities” for further information about confined users and their capabilities.

Linux and SELinux User Mappings

As root, enter the following command to view the mapping between Linux users and SELinux users:

sudo semanage login -l
Login Name           SELinux User         MLS/MCS Range        Service
__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

In Red Hat Enterprise Linux, Linux users are mapped to the SELinux __default__ login by default (which is in turn mapped to the SELinux unconfined_u user). When a Linux user is created with the useradd command and the -Z option is not specified, the user gets no record of their own and therefore falls under __default__, that is, the SELinux unconfined_u user.

The following defines the default-mapping:

__default__          unconfined_u         s0-s0:c0.c1023       *

Confining New Linux Users: useradd

Linux users mapped to the SELinux unconfined_u user run in the unconfined_t domain.

This is seen by running the id -Z command while logged-in as a Linux user mapped to unconfined_u:

id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

When Linux users run in the unconfined_t domain, SELinux policy rules are applied, but policy rules exist that allow Linux users running in the unconfined_t domain almost all access. If unconfined Linux users execute an application that SELinux policy defines can transition from the unconfined_t domain to its own confined domain, unconfined Linux users are still subject to the restrictions of that confined domain. The security benefit of this is that, even though a Linux user is running unconfined, the application remains confined, and therefore, the exploitation of a flaw in the application can be limited by policy.

Note
This does not protect the system from the user. Instead, the user and the system are being protected from possible damage caused by a flaw in the application.

When creating Linux users with the useradd command, use the -Z option to specify which SELinux user they are mapped to. The following example creates a new Linux user, useruuser, and maps that user to the SELinux user_u user. Linux users mapped to the SELinux user_u user run in the user_t domain. In this domain, Linux users are unable to run setuid applications unless SELinux policy permits it (such as passwd), and cannot run the su or sudo command, preventing them from becoming the root user with these commands.

Confining a New Linux User to user_u SELinux User
  1. As root, create a new Linux user (useruuser) that is mapped to the SELinux user_u user:
sudo useradd -Z user_u useruuser
  2. To view the mapping between useruuser and user_u, enter the following command as root:
sudo semanage login -l
Login Name           SELinux User         MLS/MCS Range        Service
__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
useruuser            user_u               s0                   *
  3. As root, assign a password to the Linux useruuser user:
sudo passwd useruuser
Changing password for user useruuser.
New password: Enter a password
Retype new password: Enter the same password again
passwd: all authentication tokens updated successfully.
  4. Log out of your current session, and log in as the Linux useruuser user. When you log in, the pam_selinux module maps the Linux user to an SELinux user (in this case, user_u), and sets up the resulting SELinux context. The Linux user's shell is then launched with this context. Enter the following command to view the context of a Linux user:
id -Z
user_u:user_r:user_t:s0
  5. Log out of the Linux useruuser's session, and log back in with your account. If you do not want the Linux useruuser user, enter the following command as root to remove it, along with its home directory and its SELinux login mapping:
sudo userdel -Z -r useruuser

Confining Existing Linux Users: semanage login

If a Linux user is mapped to the SELinux unconfined_u user (the default behavior), and you would like to change which SELinux user they are mapped to, use the semanage login command. The following example creates a new Linux user named newuser, then maps that Linux user to the SELinux user_u user:

Mapping Linux Users to the SELinux Users
  1. As root, create a new Linux user (newuser). Since this user uses the default mapping, it does not appear in the semanage login -l output:
sudo useradd newuser
sudo semanage login -l
Login Name           SELinux User         MLS/MCS Range        Service
__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
  2. To map the Linux newuser user to the SELinux user_u user, enter the following command as root:
sudo semanage login -a -s user_u newuser

The -a option adds a new record, and the -s option specifies the SELinux user to map a Linux user to. The last argument, newuser, is the Linux user you want mapped to the specified SELinux user.

  3. To view the mapping between the Linux newuser user and user_u, use the semanage utility again:
sudo semanage login -l
Login Name           SELinux User         MLS/MCS Range        Service
__default__          unconfined_u         s0-s0:c0.c1023       *
newuser              user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
  4. As root, assign a password to the Linux newuser user:
sudo passwd newuser
Changing password for user newuser.
New password: Enter a password
Retype new password: Enter the same password again
passwd: all authentication tokens updated successfully.
  5. Log out of your current session, and log in as the Linux newuser user. The new mapping only applies to sessions started after it was added; a session that was already running keeps the context it was launched with. Enter the following command to view the newuser's SELinux context:
id -Z
user_u:user_r:user_t:s0
  6. Log out of the Linux newuser's session, and log back in with your account. If you do not want the Linux newuser user, enter the following command as root to remove it, along with its home directory:
sudo userdel -r newuser

As root, remove the mapping between the Linux newuser user and user_u:

sudo semanage login -d newuser
sudo semanage login -l
Login Name           SELinux User         MLS/MCS Range        Service
__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
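Both procedures above pick the semanage verb by hand: -a for a login that has no record yet, -m for one that already has one, -d to drop it. The script below is an added example, not code from the Red Hat guide or from Foxwiki; it makes the mapping step idempotent by reading the current listing first, because semanage login -a fails with "already defined" when a record for the login exists and -m fails when none does. The SEMANAGE_LIST and DRY_RUN variables, the sample_list function and the sample listing are constructed for this example and are not semanage features; on a real host run the functions as root with both variables unset.

```shell
#!/bin/sh
# Added example: idempotent login-to-SELinux-user mapping with semanage.
# semanage login -a fails if the login already has a record, and -m fails if it
# has none, so the verb is chosen from the current listing.
#
# SEMANAGE_LIST: command producing headerless `semanage login -l` output
#                (defaults to the real command; set to sample_list for offline use).
# DRY_RUN=1    : print the semanage command instead of executing it.

# Constructed sample of `semanage login -l -n` output for offline runs (assumption).
SAMPLE_LISTING='__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
bob                  user_u               s0                   *'
sample_list() { printf '%s\n' "$SAMPLE_LISTING"; }

# current_seuser LOGIN -> SELinux user recorded for exactly this login, or empty.
# Only explicit records count: a login that merely falls under __default__ prints nothing.
current_seuser() {
    ${SEMANAGE_LIST:-semanage login -l -n} | awk -v l="$1" '$1 == l { print $2; exit }'
}

# run_semanage ARGS... -> execute semanage, or echo the command when DRY_RUN=1
run_semanage() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: semanage $*"
    else
        semanage "$@"
    fi
}

# ensure_login_mapping LOGIN SEUSER [RANGE] -> add (-a) or modify (-m) as needed
ensure_login_mapping() {
    login=$1; seuser=$2; range=$3
    have=$(current_seuser "$login")
    if [ "$have" = "$seuser" ]; then
        echo "ok: $login already mapped to $seuser"
        return 0
    fi
    if [ -z "$have" ]; then verb=-a; else verb=-m; fi
    if [ -n "$range" ]; then
        run_semanage login "$verb" -s "$seuser" -r "$range" "$login"
    else
        run_semanage login "$verb" -s "$seuser" "$login"
    fi
}

# remove_login_mapping LOGIN -> delete the record only if one exists
remove_login_mapping() {
    if [ -z "$(current_seuser "$1")" ]; then
        echo "ok: no mapping for $1"
        return 0
    fi
    run_semanage login -d "$1"
}

# Offline demonstration: runs only when semanage is absent (or the caller set
# DRY_RUN), so executing this file never changes a real host's configuration.
if [ -z "${SEMANAGE_LIST:-}" ] && ! command -v semanage >/dev/null 2>&1; then
    SEMANAGE_LIST=sample_list; DRY_RUN=1
fi
if [ "${DRY_RUN:-0}" = 1 ]; then
    ensure_login_mapping alice user_u                 # new record: -a
    ensure_login_mapping bob user_u                   # already correct: no-op
    ensure_login_mapping bob staff_u s0-s0:c0.c1023   # existing record: -m with a range
    remove_login_mapping bob                          # existing record: -d
    remove_login_mapping alice                        # nothing to delete
fi
```

A changed mapping takes effect at the next login; sessions that are already running keep the context they were started with, so verify with id -Z from a fresh login, as the procedures above do. For a brand-new account, useradd -Z remains the shorter path; ensure_login_mapping is for accounts that already exist.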

Changing the Default Mapping

Linux users are mapped to the SELinux __default__ login by default (which is in turn mapped to the SELinux unconfined_u user). If you would like new Linux users, and Linux users not specifically mapped to an SELinux user, to be confined by default, change the default mapping with the semanage login command.

For example, enter the following command as root to change the default mapping from unconfined_u to user_u:

sudo semanage login -m -S targeted -s "user_u" -r s0 __default__

Verify the __default__ login is mapped to user_u:

sudo semanage login -l
Login Name           SELinux User         MLS/MCS Range        Service
__default__          user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

If a new Linux user is created and an SELinux user is not specified, or if an existing Linux user logs in and does not match a specific entry from the semanage login -l output, they are mapped to user_u, as per the __default__ login.
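The fall-through rule in the paragraph above (and in "Linux and SELinux User Mappings": an account with no record of its own lands on __default__) is easy to misjudge during an audit, because semanage login -l only lists explicit records. The script below is an added example, not code from the Red Hat guide or from Foxwiki. It resolves the effective SELinux user for every local account from three text inputs in the order libselinux uses at login: an exact login-name record first, then the first %group record whose group the account belongs to (primary group or membership), then __default__. The %group record form is supported by semanage login but not shown on this page; the SAMPLE data, the %wheel record and all function names are constructed for the example. On a real host feed it the output of semanage login -l -n, /etc/passwd and /etc/group.

```shell
#!/bin/sh
# Added example: compute the effective SELinux user of every local account.
# Resolution order (as libselinux getseuserbyname does it from the seusers data):
#   1. record whose login name equals the account name
#   2. first %group record for a group the account is in (primary or member)
#   3. the __default__ record
# All inputs are plain text so this runs offline; see the lead-in for real sources.

# Constructed sample of `semanage login -l -n` output (assumption, %wheel included).
LOGINS_SAMPLE='__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
newuser              user_u               s0                   *
%wheel               staff_u              s0-s0:c0.c1023       *'

# Constructed /etc/passwd and /etc/group excerpts (assumption).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
newuser:x:1001:1001::/home/newuser:/bin/bash
alice:x:1002:1002::/home/alice:/bin/bash
bob:x:1003:1003::/home/bob:/bin/bash'
GROUP_SAMPLE='wheel:x:10:alice
newuser:x:1001:
alice:x:1002:
bob:x:1003:'

# seuser_for LOGIN LISTING PASSWD GROUP -> "seuser range source"
# where source is login, group or default (or "- - none" if nothing matches).
seuser_for() {
    u=$1; listing=$2; pw=$3; gr=$4
    # primary GID from passwd, then every group name the account belongs to
    gid=$(printf '%s\n' "$pw" | awk -F: -v u="$u" '$1 == u { print $4; exit }')
    mygroups=$(printf '%s\n' "$gr" | awk -F: -v u="$u" -v gid="$gid" '
        $3 == gid { print $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' | tr '\n' ' ')
    # walk the listing once: exact match wins immediately, else first %group hit, else __default__
    printf '%s\n' "$listing" | awk -v u="$u" -v gl=" $mygroups " '
        $1 == u { print $2, $3, "login"; found = 1; exit }
        substr($1, 1, 1) == "%" && !grp && index(gl, " " substr($1, 2) " ") { grp = $2 " " $3 " group" }
        $1 == "__default__" && !def { def = $2 " " $3 " default" }
        END { if (!found) print (grp ? grp : (def ? def : "- - none")) }'
}

# report LISTING PASSWD GROUP -> "login seuser range source", one line per passwd account
report() {
    printf '%s\n' "$2" | awk -F: 'NF { print $1 }' | while read -r u; do
        echo "$u $(seuser_for "$u" "$1" "$2" "$3")"
    done
}

# unconfined_logins LISTING PASSWD GROUP -> accounts whose effective user is unconfined_u
unconfined_logins() {
    report "$1" "$2" "$3" | awk '$2 == "unconfined_u" { print $1 }'
}

# Demonstration on the constructed data: root (explicit), newuser (explicit),
# alice (via %wheel), bob (falls through to __default__, hence unconfined).
report "$LOGINS_SAMPLE" "$PASSWD_SAMPLE" "$GROUP_SAMPLE"
echo "still unconfined: $(unconfined_logins "$LOGINS_SAMPLE" "$PASSWD_SAMPLE" "$GROUP_SAMPLE" | tr '\n' ' ')"
```

After changing __default__ to user_u as shown above, re-running the report is the quick way to confirm that only accounts with an explicit unconfined_u record (such as root) remain unconfined, and to spot any %group record that silently widens a user's access.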

To change back to the default behavior, enter the following command as root to map the __default__ login to the SELinux unconfined_u user:

sudo semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__

xguest: Kiosk Mode

The xguest package provides a kiosk user account. This account is used to secure machines that people walk up to and use, such as those at libraries, banks, airports, information kiosks, and coffee shops. The kiosk user account is very limited: essentially, it only allows a user to log in and use Firefox to browse Internet websites. The guest user is mapped to the xguest_u SELinux user; see Table 3.1, “SELinux User Capabilities”. Any changes made while logged in with this account, such as creating files or changing settings, are lost when you log out.

To set up the kiosk account:

  1. As root, install the xguest package. Install dependencies as required:
sudo yum install xguest
  2. In order to allow the kiosk account to be used by a variety of people, the account is not password-protected, and as such, the account can only be protected if SELinux is running in enforcing mode. Before logging in with this account, use the getenforce utility to confirm that SELinux is running in enforcing mode:
getenforce
Enforcing

If this is not the case, see Section 4.4, “Permanent Changes in SELinux States and Modes” for information about changing to enforcing mode. It is not possible to log in with this account if SELinux is in permissive mode or disabled.

  3. You can only log in to this account using the GNOME Display Manager (GDM). Once the xguest package is installed, a Guest account is added to the GDM login screen.

Booleans for Users Executing Applications

Preventing Linux users from executing applications in their home directories and in /tmp (directories they have write access to, and where a launched application inherits the user's permissions) helps stop flawed or malicious applications from modifying files the user owns.

Booleans are available to change this behavior, and are configured with the setsebool utility, which must be run as root. The *_exec_content booleans below are on by default in the targeted policy, so a confined user can run binaries from their home directory or /tmp until you turn the boolean for their domain off. The setsebool -P command makes persistent changes. Do not use the -P option if you do not want changes to persist across reboots:

guest_t

To prevent Linux users in the guest_t domain from executing applications in their home directories and /tmp:

sudo setsebool -P guest_exec_content off

xguest_t

To prevent Linux users in the xguest_t domain from executing applications in their home directories and /tmp:

sudo setsebool -P xguest_exec_content off

user_t

To prevent Linux users in the user_t domain from executing applications in their home directories and /tmp:

sudo setsebool -P user_exec_content off

staff_t

To prevent Linux users in the staff_t domain from executing applications in their home directories and /tmp:

sudo setsebool -P staff_exec_content off

To turn the staff_exec_content boolean on and to allow Linux users in the staff_t domain to execute applications in their home directories and /tmp:

sudo setsebool -P staff_exec_content on