Update selinux_lab.md

This commit is contained in:
Omar Santos 2023-01-08 15:21:06 -05:00 committed by GitHub
parent f7b6297047
commit 4a3e0e05ae
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -10,19 +10,18 @@ SELinux defaults to denying anything that is not explicitly allowed. SELinux has
## Before You Begin
1. Ensure that you have followed the [Getting Started](/docs/guides/getting-started/) and [Securing Your Server](/docs/guides/set-up-and-secure/) guides.
{{< note respectIndent=false >}}
This guide is written for a non-root user. Commands that require elevated privileges are prefixed with `sudo`. If you're not familiar with the `sudo` command, you can check our [Users and Groups](/docs/guides/linux-users-and-groups/) guide.
1. This guide is written for a non-root user. Commands that require elevated privileges are prefixed with `sudo`. If you're not familiar with the `sudo` command, you can check our [Users and Groups](/docs/guides/linux-users-and-groups/) guide.
{{< /note >}}
1. Update your system:
2. Update your system:
```
sudo yum update
{{< note respectIndent=false >}}
The Linode kernel does not support SELinux by default. However, all new Linodes running CentOS 8 use the distribution provided kernel, which has **SELinux enabled by default**.
```
If your system is running a Linode kernel, you will need to change to an upstream kernel in order to use SELinux. See the [How to Change Your Linode's Kernel](/docs/guides/managing-the-kernel-on-a-linode/) for more steps. Once you're kernel is set to the upstream kernel, continue on with the steps in this guide.
{{< /note >}}
## Install Supporting SELinux Packages
@ -30,27 +29,31 @@ In this section, you will install various SELinux packages that will help you wh
1. Verify which SELinux packages are installed on your system:
sudo rpm -aq | grep selinux
```
sudo rpm -aq | grep selinux
```
A newly deployed CentOS 8 Linode should have the following packages installed:
```output
```
output
libselinux-2.5-14.1.el7.x86_64
selinux-policy-3.13.1-252.el7_7.6.noarch
selinux-policy-targeted-3.13.1-252.el7_7.6.noarch
libselinux-utils-2.5-14.1.el7.x86_64
libselinux-python-2.5-14.1.el7.x86_64
```
```
1. Install the following packages and their associated dependencies:
sudo yum install policycoreutils policycoreutils-python setools setools-console setroubleshoot
```
sudo yum install policycoreutils policycoreutils-python setools setools-console setroubleshoot
```
- `policycoreuitls` and `policyoreutils-python` contain several management tools to administer your SELinux environment and policies.
- `setools` provides command line tools for working with SELinux policies. Some of these tools include, `sediff` which you can use to view differences between policies, `seinfo` a tool to view information about the components that make up SELinux policies, and `sesearch` used to search through your SELinux policies. `setools-console` consists of `sediff`, `seinfo`, and `sesearch`. You can issue the `--help` option after any of the listed tools in order to view more information about each one.
- `setroubleshoot` suite of tools help you determine why a script or file may be blocked by SELinux.
Optionally, install `setroubleshoot-server` and `mctrans`. The `setroubleshoot-server` allows, among many other things, for email notifications to be sent from the server to notify you of any policy violations. The `mctrans` daemon translates SELinux's output to human readable text.
Optionally, install `setroubleshoot-server` and `mctrans`. The `setroubleshoot-server` allows, among many other things, for email notifications to be sent from the server to notify you of any policy violations. The `mctrans` daemon translates SELinux's output to human readable text.
## SELinux States and Modes
@ -60,7 +63,8 @@ When SELinux is installed on your system, it can be either *enabled* or *disable
- To disable SELinux, update your SELinux configuration file using the text editor of your choice. Set the `SELINUX` directive to `disabled` as shown in the example.
```file {title="/etc/selinux/config"}
```
file {title="/etc/selinux/config"}
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
@ -72,68 +76,75 @@ When SELinux is installed on your system, it can be either *enabled* or *disable
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
```
```
{{< note respectIndent=false >}}
You can update the `SELINUX` directive with any of the available SELinux [states](#selinux-states) or [modes](#selinux-modes).
{{< /note >}}
- Reboot your system for the changes to take effect:
- Reboot your Linode for the changes to take effect:
```
sudo reboot
```
sudo reboot
- Connect to your host via SSH (replace `10.1.2.3` with your own address and verify your SELinux installation's status:
```
ssh omar@10.1.2.3
sudo sestatus
```
- Connect to your Linode via SSH (replace `192.0.2.0` with your own [Linode's IP address](/docs/guides/find-your-linodes-ip-address/)) and verify your SELinux installation's status:
Its output should display `disabled`
ssh example_user@192.0.2.0
sudo sestatus
Its output should display `disabled`
{{< output >}}
```
SELinux status: disabled
{{</ output >}}
```
### SELinux Modes
When SELinux is enabled, it can run in either *enforcing* or *permissive* modes.
{{< note respectIndent=false >}}
If SELinux is currently disabled, update your SELinux configuration file with the `SELINUX` directive set to `enabled`, then reboot your system, and SSH back into your Linode. These steps are outlined in the [SELinux States](#selinux-states) section of the guide.
{{< /note >}}
- In enforcing mode, SELinux enforces its policies on your system and denies access based on those policies. Use the following command to view SELinux policy modules currently loaded into memory:
sudo semodule -l
```
sudo semodule -l
```
- Permissive mode does not enforce any of your SELinux policies, instead, it logs any actions that would have been denied to your `/var/log/audit/audit.log` file.
- Permissive mode does not enforce any of your SELinux policies, instead, it logs any actions that would have been denied to your `/var/log/audit/audit.log` file.
- You can check which mode your system is running by issuing the following command:
sudo getenforce
```
sudo getenforce
```
- To place SELinux in permissive mode, use the following command:
sudo setenforce 0
Permissive mode is useful when configuring your system, because you and your system's components can interact with your files, scripts, and programs without restriction. However, you can use audit logs and system messages to understand what would be restricted in enforcing mode. This will help you better construct the necessary policies for your system's user's and programs.
```
sudo setenforce 0
```
Permissive mode is useful when configuring your system, because you and your system's components can interact with your files, scripts, and programs without restriction. However, you can use audit logs and system messages to understand what would be restricted in enforcing mode. This will help you better construct the necessary policies for your system's user's and programs.
- Use the `sealert` utility to generate a report from your audit log. The log will include information about what SELinux is preventing and how to allow the action, if desired.
sudo sealert -a /var/log/audit/audit.log
```
sudo sealert -a /var/log/audit/audit.log
```
The output will resemble the example, however, it varies depending on the programs and configurations on your system. The example was generated using a [Linode running the Apache webserver](/docs/guides/how-to-install-a-lamp-stack-on-centos-7/#apache) with a virtual hosts configuration.
The output will resemble the example, however, it varies depending on the programs and configurations on your system.
{{< output >}}
SELinux is preventing /usr/sbin/httpd from write access on the directory logs.
```
SELinux is preventing `/usr/sbin/httpd` from write access on the directory logs.
```
***** Plugin httpd_write_content (92.2 confidence) suggests ***************
If you want to allow httpd to have write access on the logs directory
Then you need to change the label on 'logs'
Do
```
# semanage fcontext -a -t httpd_sys_rw_content_t 'logs'
# restorecon -v 'logs'
{{</ output >}}
```
- To allow `/usr/sbin/httpd` write access to the directory logs, as shown by the output, you can execute the suggested commands, `semanage fcontext -a -t httpd_sys_rw_content_t 'logs'` and `restorecon -v 'logs'`.
@ -143,19 +154,21 @@ SELinux marks every single object on a machine with a *context*. Every file, use
1. Create a directory in your home folder:
mkdir ~/example_dir
```
mkdir ~/example_dir
```
1. Print the SELinux security context of your home folder's directories and files :
ls -Z ~/
```
ls -Z ~/
```
The output is similar to:
{{< output >}}
```
drwxrwxr-x. example_user example_user unconfined_u:object_r:user_home_t:s0 example_dir
{{</ output >}}
```
The SELinux specific information is contained in the `unconfined_u:object_r:user_home_t:s0` portion, which follows the following syntax: `user:role:type:level`. To learn more about users, roles, and related access control, see the [CentOS SELinux documentation](https://wiki.centos.org/HowTos/SELinux).
The SELinux specific information is contained in the `unconfined_u:object_r:user_home_t:s0` portion, which follows the following syntax: `user:role:type:level`. To learn more about users, roles, and related access control, see the [CentOS SELinux documentation](https://wiki.centos.org/HowTos/SELinux).
## SELinux Boolean
@ -163,11 +176,12 @@ An SELinux Boolean is a variable that can be toggled on and off without needing
1. You can view the list of Boolean variables using the `getsebool -a` command. Pipe the command through `grep` to narrow down your results.
sudo getsebool -a | grep "httpd_can"
```
sudo getsebool -a | grep "httpd_can"
```
You will see a similar output:
{{< output >}}
```
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
@ -179,17 +193,22 @@ httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
{{</ output >}}
```
You can change the value of any variable using the `setsebool` command. If you set the `-P` flag, the setting will persist through reboots. If, for example, you want to allow HTTPD scripts and modules to connect to the network, update the corresponding boolean variable
You can change the value of any variable using the `setsebool` command. If you set the `-P` flag, the setting will persist through reboots. If, for example, you want to allow HTTPD scripts and modules to connect to the network, update the corresponding boolean variable
sudo setsebool -P httpd_can_network_connect ON
```
sudo setsebool -P httpd_can_network_connect ON
```
When viewing a list of your boolean variables, you should now see that it is set to `ON`.
When viewing a list of your boolean variables, you should now see that it is set to `ON`.
sudo getsebool -a | grep "httpd_can"
```
sudo getsebool -a | grep "httpd_can"
```
```output
Output similar to:
```
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
@ -201,7 +220,7 @@ httpd_can_sendmail --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
```
```
### Additional References