SELinux Workshop Redux Jamie Duncan, Red Hat RVaLUG 19 April 2014

Transcription

1 SELinux Workshop Redux Jamie Duncan, Red Hat RVaLUG 19 April 2014 Introduction The expectation is that you will either have a virtual machine to use, or that you will revert any changes made to your machine in this lab. Instructions will be given for reverting any changes. Lab 1 Log in as a regular (non-root) user. Determine the SELinux mode by issuing the command: getenforce Determine your SELinux context by running the command: id Z What is your SELinux user? Role? Type? Check the SELinux context of /sbin/mingetty. Issue the command: ls Z /sbin/mingetty What is it's context? Determine the SELinux context of /etc/init/tty.conf by issuing the command: ls Z /etc/init/tty.conf What is it's context? Determine the SELinux context of the mingetty process by running the command: ps axz grep mingetty What is it's context?

2 What is the the context for /usr/sbin/httpd? (Hint: yum y install httpd if needed) Make sure httpd starts at boot time. (Hint: chkconfig httpd on) How about for the httpd process? (Hint: service httpd start if needed) Install the setroubleshoot and setroubleshoot-server RPMs and reboot: yum y install setroubleshoot setroubleshoot server && init 6 What is the label for tcp port 80? Issue the command: semanage port l grep 80 Lab 2 As root, open a terminal and make sure Apache httpd is not running: service httpd stop As root, start netcat listening on port 80: nc l 80 What is the context of this listening service? ps axz grep nc Quit nc (ctrl+c). Now start up httpd: service httpd start What is the context of httpd? _ Is the context of nc listening on port 80 the same as httpd listening on port 80? What do think that does to security?

3 Lab 3 What is the label for files in /sbin? (Hint: look in /etc/selinux/targeted/contexts/files/file_contexts). What is the label for /sbin/fsck? Lab 4 As root, create root.html file in your home directory. echo This is my root.html > /root/root.html What is the label for this root.html file? ls lz root.html As root, either stop iptables or allow http traffic to your system: service iptables stop or iptables I INPUT p tcp dport 80 j ACCEPT As root, move (don't copy) the root.html file to /var/www/html. Open a web browser and access the web site running on your machine (e.g. Can you see the web page? What does the apache log file say? (Hint: look at /var/log/httpd/error_log) What are the permissions on /var/www/html/root.html? Are permissions blocking the file? What is the label for /var/www/html? How would you set /var/www/html/root.html with the same label?

4 Once you correct the context on /var/www/html/root.html, can you see the page in your web browser? Lab 5 If you don't have a regular user account for this lab, create one. (Hint: useradd [username] and then passwd [username]). As root, enable Apache to access users' home directories. Change UserDir disabled to UserDir public_html in /etc/httpd/conf/httpd.conf. Restart the web server: service httpd restart As the user, create a directory called /home/[username]/public_html Allow access to the httpd executable for that home directory: chmod o+x /home/[username] Create an index.html file: echo This is my home page > /home/[username]/public_html/index.html Open the user's page with your web browser. Something similar to: firefox Can you see the page with your web browser? What does /var/log/httpd/error_log show you? What does /var/log/audit/audit.log show you? What does /var/log/messages show you?

5 Run the command you see in /var/log/messages. It should be similar to: sealert l ada a53 43cc a57a 7e3d8398ffda What does it tell you to do to allow access? Run that command. Try to access the web page again: firefox What happened? _ Lab 6 You'll create a virtual web site called dummy-host.example.com in /foo/bar/ First, create the directory /foo/bar. As root: mkdir p /foo/bar Add a stanza to /etc/httpd/conf/httpd for the dummy-host.com site: <VirtualHost *:80> ServerAdmin webmaster@dummy host.example.com DocumentRoot /foo/bar ServerName dummy host.example.com ErrorLog logs/dummy host.example.com error_log CustomLog logs/dummy host.example.com access_log common </VirtualHost> Create an index.html file: echo dummy host > /foo/bar/index.html Add dummy-host.example.com to the /etc/hosts file. It will look something like this: dummy host.example.com dummy host Restart httpd: service httpd restart

6 What was the result? What do you see in /var/log/messages? What does sealert -l tell you? What label should you apply to /foo/bar so Apache will start? Where might you look for a good example? Where would you look to see the syntax for the regular expression we need to use? Use semanage to set the correct context for /foo and everything under it: semanage fcontext a t httpd_sys_content_t /foo(/.*)? Try to start the web server again: service httpd restart Did it work? Why or why not? Set the correct context on /foo: restorecon vr /foo/ Restart the web server. What was the result? Open Can you see the contents of index.html? What files would you look for to see what SELinux changes have been made on a system via booleans or semanage? Remove the semanage fcontext rule: semanage fcontext d t httpd_sys_content_t "/foo(/.*)?" Set the /foo directory back to default context:

7 restorecon vr /foo/ Lab 7 As root, create a directory into which we'll write policy files. mkdir /root/selinux Restart the httpd server. It should fail. Use audit2why to see why the web server won't serve up content from /foo grep foo /var/log/audit/audit.log audit2why What is missing? _ Change directories into /root/selinux. Use audit2allow to create a policy to allow httpd to access /foo grep foo /var/log/audit/audit.log audit2allow al M foolocal Look at the contents of foolocal.te. It is allowing processes labeled with the httpd_t type search access to all directories with the default_t type. What are the security implications of this? Install the policy by running: semodule i foolocal.pp Restart httpd. Does it see /foo? Why or why not? _ Create a second policy foo2 by running: audit2allow al M foo2local Inspect the foo2local.te file. This time, httpd_t processes can get all attributes of all directories with the default_t label. Is this a good idea? Install the policy by typing: semodule i foo2local.pp Restart httpd. Does it start?

8 _ Does the web page splash screen say dummy-host? If not, there is still a problem. Remove the two foo policies, they're incomplete: semodule r foo2local semodule r foolocal Lab 8 Temporarily put SELinux into permissive mode from the command line: setenforce 0 Restart httpd: service httpd restart Did it start? Can you see dummy-host when you open the page with a web browser? Use audit2allow to generate a final policy, and install it with semodule: audit2allow al M foolocal3 semodule i foolocal3.pp Look at the foolocal3.te file. What access is granted to processes with the httpd_t type to directories labeled with the default_t type? What access is granted to processes with the httpd_t type to files labeled with the default_t type? What are the security implications of this? Was using audit2allow a good idea for overcoming this SELinux problem? _ If you are connecting to your VM via ssh, install the xorg-x11-xauth RPM. yum y install xorg x11 xauth Install the policycoreutils-gui package:

9 yum y install policycoreutils gui Launch system-config-selinux and change the current enforcing mode from permissive to enforcing. Exit the tool. Verify the current level from the command line: getenforce If it is not enforcing, go back and fix it. Restart the web server, and verify that you can still see the dummy-host splash page. Launch system-config-selinux and select Policy Module from the left pane. Scroll down to foolocal3 and remove it. Choose Booleans in the left pane. In the search bar in the right pane, type in home and hit enter. Observe that the httpd is allowed to read home directories that's there from Lab 5. Remove the entries from the /etc/httpd/conf/httpd.conf for the dummy-host site