Slug 2009 06 SELinux For Sysadmins

SELinux for Sysadmins

SELinux for Sysadmins Beyond 'restorecon'

Principles for using SELinux

Through real world examples

Real world example 1
Share home directories through NFS

[server]# cat /etc/exports /home 192.168.0.0/24(rw,soft)
[client]# cat /etc/fstab ... server:/home /home nfs soft 1 2 ...

[server]# cat /etc/exports /home 192.168.0.0/24(rw,soft)
[client]# cat /etc/fstab ... server:/home /home nfs soft 1 2 ...
[client]# mount /home Permission denied

Is this a SELinux problem?

Check /var/log/audit/audit.log

Check /var/log/audit/audit.log grep mount /var/log/audit/audit.log

If it is a SELinux problem:
getsebool -a | grep home ftp_home_dir --> off httpd_enable_homedirs --> on openvpn_enable_homedirs --> off samba_create_home_dirs --> off samba_enable_home_dirs --> off spamd_enable_home_dirs --> on use_nfs_home_dirs --> off use_samba_home_dirs --> off

setsebool use_nfs_home_dirs on

setsebool -P use_nfs_home_dirs on

Share home directories through SaMBa

setsebool -P use_samba_home_dirs on

setsebool -P samba_enable_home_dirs on

Mount SaMBa home dirs on client
Share home dirs on SaMBa server

Share ~/public_html through Apache
setsebool -P apache_enable_homedirs on

Use booleans where possible

Sharing /data through SaMBa

getsebool -a | grep samba samba_create_home_dirs --> off samba_domain_controller --> off samba_enable_home_dirs --> off samba_export_all_ro --> off samba_export_all_rw --> off samba_run_unconfined --> on samba_share_fusefs --> off samba_share_nfs --> off use_samba_home_dirs --> off virt_use_samba --> off

File contexts

File contexts
[root@tachyon ~]# ls -laZ /var drwxr-xr-x root root system_u:object_r:var_t:s0 . drwxr-xr-x root root system_u:object_r:root_t:s0 .. drwxr-xr-x root root system_u:object_r:acct_data_t:s0 account drwxr-xr-x root root system_u:object_r:var_t:s0 cache drwxr-xr-x root root system_u:object_r:cvs_data_t:s0 cvs drwxr-xr-x root root system_u:object_r:var_t:s0 db drwxr-xr-x root root system_u:object_r:var_t:s0 empty drwxr-xr-x root root system_u:object_r:games_data_t:s0 games drwxrwx--T root gdm system_u:object_r:xserver_log_t:s0 gdm drwxr-xr-x root root system_u:object_r:var_lib_t:s0 lib drwxr-xr-x root root system_u:object_r:var_t:s0 local drwxrwxr-x root lock system_u:object_r:var_lock_t:s0 lock drwxr-xr-x root root system_u:object_r:var_log_t:s0 log lrwxrwxrwx root root system_u:object_r:mail_spool_t:s0 mail drwxr-xr-x root root system_u:object_r:var_t:s0 nis drwxr-xr-x root root system_u:object_r:var_t:s0 opt drwxr-xr-x root root system_u:object_r:var_t:s0 preserve ...

File contexts
Specify the context in which it is to be used

File contexts
Specify the context in which it is to be used
Inherited like permissions

[root@tachyon ~]# mkdir /data [root@tachyon ~]# ls -laZ /data drwxr-xr-x root root unconfined_u:object_r:default_t:s0 . drwxr-xr-x root root system_u:object_r:root_t:s0 ..

[root@tachyon ~]# mkdir /data [root@tachyon ~]# ls -laZ /data drwxr-xr-x root root unconfined_u:object_r:default_t:s0 . drwxr-xr-x root root system_u:object_r:root_t:s0 .. [root@tachyon ~]# chcon -R -t samba_share_t /data [root@tachyon ~]# ls -laZ /data drwxr-xr-x root root unconfined_u:object_r: samba_share_t :s0 . drwxr-xr-x root root system_u:object_r:root_t:s0 ..

Use the right file context
man {ftpd,named,rsync,httpd,nfs,samba, kerberos,nis,ypbind}_selinux is your friend!

Sharing /data with SaMBa and VSFTPD

Gotcha!

Files can only have one security context!

getsebool -a | grep ftp allow_ftpd_anon_write --> off allow_ftpd_full_access --> off allow_ftpd_use_cifs --> off allow_ftpd_use_nfs --> off ftp_home_dir --> off ftpd_connect_db --> off httpd_enable_ftp_server --> off tftp_anon_write --> off

allow_ftpd_use_cifs is written to allow (vs)ftpd to share a directory that is mounted from a CIFS server!

allow_ftpd_use_cifs is written to allow (vs)ftpd to share a directory that is mounted from a CIFS server!
What to do?

# setenforce off

# setenforce off
# selinuxenabled && echo yes
#

# setenforce off
# run service, exercise functionality

# setenforce off
# setenforce on

# setenforce off
# setenforce on
# grep vsftpd /var/log/audit/audit.log | audit2allow -M -m vsftpd

# setenforce off
# setenforce on
# ls vsftpd.* vsftpd.pp vsftpd.te

cat vsftpd.te module vsftpd 1.0; require { type samba_share_t; type vsftpd_t; class dir { rename write search read remove_name getattr add_name }; class file { rename setattr read lock create write getattr unlink }; } #============= smbd_t ============== allow vsftpd_t samba_share_t:dir { rename write search read remove_name getattr add_name }; allow vsftpd_t samba_share_t:file { rename setattr read lock create write getattr unlink };

# setenforce off
# setenforce on
# semodule -i vsftpd.pp

Create policy where necessary

Policy must be conservative

Policy must be conservative
system-config-selinux

Questions?

http://www.securitytube.net	1923
http://www.ossblog.it	678
http://securitytube.net	124
http://www.slideshare.net	38
http://blog.dgrossato.com	31
http://hackingeeks.com	12
http://translate.googleusercontent.com	5
http://static.slidesharecdn.com	2
http://webcache.googleusercontent.com	2

Slug 2009 06 SELinux For Sysadmins

by PaulWay on Jun 29, 2009

Accessibility

Categories

Upload Details

Usage Rights

9 Embeds 2,815

Statistics

Slug 2009 06 SELinux For Sysadmins Presentation Transcript