
Page 1: pages.mtu.edupages.mtu.edu/~xinlwang/itseed/labs/SELinux_Intro.docx · Web viewIf you conduct this lab on a different version or different distribution of Linux system, some files

Page | 1

Introduction to SELinux

Date Assigned: mm/dd/yyyy
Time Due: mm/dd/yyyy by hh:mm

Educational Objectives

This lab is designed to give an introduction to SELinux. After completion of this lab, you will learn how to

- Discover the current SELinux status
- Use basic SELinux commands
- Understand the targeted policy

Lab Environment

One Fedora 18 VM is needed for this lab.

All of the tasks for this lab will be performed on this Fedora 18 machine. If you conduct this lab on a different version or different distribution of Linux system, some files may be located in different folders.

References

Here are the references that are used to construct this lab:

SELinux documentation (NSA): http://www.nsa.gov/research/selinux/docs.shtml

SELinux Wiki: http://www.selinuxproject.org/page/Main_Page

SELinux (Fedora Project): http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/

Section 1 Environment Preparation

Please run the following command as root to install the current SELinux packages on Fedora 18:

yum install *selinux* --skip-broken

All SELinux policies are located in the following folder:

/etc/selinux/<policy_name>


Here <policy_name> is the name of the policy. The policies minimum, targeted and mls should now be installed.

Section 2 SELinux modes and global configuration files

2.1 SELinux modes

SELinux has three major operation modes:

- Enforcing - SELinux is enforcing the loaded policy.
- Permissive - SELinux has loaded the policy but is not enforcing it. This mode is generally used for testing, as the audit log will contain the AVC (access vector cache) denial messages.
- Disabled - The SELinux infrastructure (in the kernel) is not loaded.

Run the following command to learn the current SELinux operation mode on your system:

sestatus

SELinux operation mode and policy are defined in the following file:

/etc/selinux/config

The value for SELINUX determines the SELinux operation mode. It can be set to three values as follows:

SELINUX=enforcing | permissive | disabled

In order to change the SELinux operation mode of a system, you need to perform the following:

1. Assign the right value to SELINUX in the /etc/selinux/config file.
2. Reboot the system.

Please perform the following:

Check the current SELinux operation mode. If it is disabled, change it to enforcing mode. Please use targeted policy.
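Because /etc/selinux/config is only read at boot, a typo in the SELINUX= value is not noticed until the next reboot, so the edit is worth guarding. The shell script below is an added example, not part of the lab or of any SELinux tool: it validates the requested mode and rewrites the SELINUX= line in a copy of the config file. The sample file content is constructed, and the functions current_mode, current_policy, valid_mode and set_mode are the example's own.

```shell
#!/bin/sh
# Added example (not part of the lab): validate a requested SELinux mode and
# write it into a copy of /etc/selinux/config, so the file is only ever left
# with one of the three values the lab lists.

# Constructed sample of /etc/selinux/config (comments shortened).
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted'

# current_mode FILE: print the value of the SELINUX= line (comments ignored).
current_mode() {
    sed -n 's/^SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# current_policy FILE: print the value of the SELINUXTYPE= line.
current_policy() {
    sed -n 's/^SELINUXTYPE=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# valid_mode MODE: succeed only for enforcing, permissive or disabled.
valid_mode() {
    case "$1" in
        enforcing|permissive|disabled) return 0 ;;
        *) return 1 ;;
    esac
}

# set_mode FILE MODE: rewrite the SELINUX= line in FILE, refusing bad values
# and files that have no SELINUX= line, so a typo never yields a broken config.
set_mode() {
    file=$1
    mode=$2
    valid_mode "$mode" || { echo "set_mode: invalid mode '$mode'" >&2; return 1; }
    grep -q '^SELINUX=' "$file" || { echo "set_mode: no SELINUX= line in $file" >&2; return 1; }
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Demonstration on a temporary copy; editing the real file needs root, and the
# new mode only takes effect after a reboot, as the lab describes.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_CONFIG" > "$demo"
echo "before: mode=$(current_mode "$demo") policy=$(current_policy "$demo")"
set_mode "$demo" enforcing
echo "after:  mode=$(current_mode "$demo") policy=$(current_policy "$demo")"
if set_mode "$demo" on; then echo "unexpected"; else echo "rejected 'on' as expected"; fi
rm -f "$demo"
```

Run it as a normal user; it never touches the real /etc/selinux/config. The check for an existing SELINUX= line matters because a file with the line missing (or commented out) would otherwise be silently left unchanged.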

2.2 The sestatus.conf file

The /etc/sestatus.conf file is used by the sestatus command to list the files and processes whose security context should be displayed (sestatus -v). This file has the following parameters:

[files]
List of files whose context is displayed

[process]
List of processes whose context is displayed

Please perform the following tasks:

1. View the /etc/sestatus.conf file.
2. Run sestatus -v.
3. Compare the output of the sestatus -v command with the contents of the sestatus.conf file.
4. Comment out some of the entries of your choice in the /etc/sestatus.conf file and repeat steps 2 and 3.
5. Add more entries of your choice to the /etc/sestatus.conf file and repeat steps 2 and 3.

Question 1: How would the use of sestatus -v command benefit your everyday administration work on SELinux? Please explain your answer.

2.3 Changing current running mode

The setenforce command allows you to change the mode SELinux is currently running in immediately, without confirmation and without rebooting. It has the following format:

setenforce [ Enforcing | Permissive | 1 | 0 ]

Use Enforcing or 1 to put SELinux in enforcing mode. Use Permissive or 0 to put SELinux in permissive mode. However, you cannot use this command to put SELinux in disabled mode.

Please run the following commands as root:

setenforce 0
getenforce
setenforce 1
getenforce

Question 2: How would the setenforce command be useful? Please explain your answer.

When you use the setenforce command to change the SELinux operation mode, will this change stay when the system is rebooted? Test it to confirm your conclusion.

Section 3 SELinux security contexts and modified Linux commands


SELinux requires a security context, also known as a "security label" or just "label", to be associated with every process (subject) and every object. The security server uses these contexts to decide whether an access is allowed, as defined in the policy. Many standard Linux commands have been modified for use on a SELinux system. Some commonly used Linux commands with SELinux modifications are introduced in this section.

3.1 Displaying security contexts

Please use the man page for the ls command to study its SELinux options (scroll down and look for the SELinux options).

Question 3: What option would you use with the ls command if you want to display only the security context and the file name?

Please use the command options you just learned to study security contexts under your current directory and some other directories, such as /bin, /etc/selinux, /var/log, etc.

3.2 Modified Linux commands

GNU standard Linux commands need to be modified in order to work with SELinux. These commands include cp, mv, id, ls, ps and others.

The ps command accepts a -Z flag to display the security context of each running process along with the standard Linux information.

Run ps -Z or ps -aux -Z to learn the domains of the processes.

The cp command accepts a -Z flag to set the security context of a newly created file. If not specified, the security context of the new file defaults to that of the destination directory.

1. Create a file in your home directory, such as /root/test.txt.
2. Execute cp /root/test.txt /tmp/test.txt
3. Study the security contexts associated with /root/test.txt and /tmp/test.txt to understand the difference.

Please use the man page for cp to learn how to copy a file from one place to another with the same security context as the source file. Test what you learned on your computer.

The id command displays the current user's security context information along with the user and group information. It also accepts a -Z flag to display only the security context of the current user. Please perform the following to learn the effects.

id


id -Z

An important note about the mv command is that a moved file retains its security context. For example, moving a file from a user home directory to a directory served by httpd results in a file that keeps its user_home_t type, which, under the normal policy, is not readable by the httpd daemon. Please perform the following to learn the effects.

1. Create a file in your home directory, such as /root/test.html
2. Execute ls -Z /root/test.html
3. Execute mv /root/test.html /tmp/test.html
4. Execute ls -Z /tmp/test.html

Did you see any difference between the security context of the /root/test.html file and that of the /tmp/test.html file? Now you have learned how cp and mv work in the SELinux environment.

Scenario 1

Assume that you have a directory /var/www/html that holds the HTML and related files for a web page. The system runs SELinux in enforcing mode with the targeted policy. The Apache HTTP service (httpd) has read permission to those files. You have been writing a web page and testing it in another directory, which is not accessible by httpd. This is usually how it works, since you don't want anybody to access the page until your writing and editing are finished and the page is in good shape. Now the contents of the page and its appearance have been approved by your manager, and you want to move those files to the /var/www/html directory.

Question 4: Would you use the command cp or mv to achieve the goal specified in Scenario 1? Please explain your solution.

Please test your solution on your computer to ensure that it works correctly.

There are some other commands that must be modified in order to work with SELinux. You need to be aware of this while using them.

Section 4 Introduction to Targeted Policy and Type Enforcement

Targeted policy is the default SELinux policy used in Fedora 18. Under this policy, processes that are targeted run in a confined domain. Processes that are not targeted run in an unconfined domain. For example, by default, login users run in the unconfined_t domain, and system processes started by init run in the initrc_t domain. Both of them are unconfined. In this section, you will gain experience with confined processes and unconfined processes.

4.1 Relabeling a file system


In SELinux systems, files are labeled with security contexts corresponding to the policy. These security contexts can be changed at run time, using commands such as chcon, for testing and debugging purposes. Afterwards, you want to set those contexts back to what the policy defines. Relabeling a file system sets the security contexts of the files in the file system back to what is defined in the policy.

4.1.1 Relabeling a file system using init

Relabeling a file system is the process of resetting the security contexts of the files in the file system. The recommended method for relabeling a file system is to reboot the machine, which allows the init process to perform the relabeling. The following procedure relabels a file system using the init process:

touch /.autorelabel
reboot

This procedure is rarely used, because you rarely need to relabel a whole file system.

4.1.2 Relabeling a file system using fixfiles

It is possible to re-label a file system using the fixfiles command.

fixfiles -F -f relabel

However, using this command to re-label a file system is not recommended.

4.2 Changing the type associated with a file

One way to test the effects of or modify the SELinux policy is to change the type associated with a file. This file can represent either a subject (a process) or an object (a data file). The type can be changed permanently or temporarily in the current running mode.

4.2.1 The chcon command

The chcon command can be used to change the SELinux security context of a file, but the changes will not survive a relabel of the file system, such as after a reboot. Please use the man page to learn how to use this command. The format for changing the type of a file is as follows:

chcon -t type_t file_name

This command will change the type of the file_name file to the type type_t. A full path for file_name may be needed on some systems. Otherwise, the command won’t work as specified.

Please perform the following as the root user.


1. Create a file in your home directory, such as /root/test.txt.
2. Execute ls -Z /root/test.txt and note the type associated with this file.
3. Execute chcon -t httpd_sys_content_t /root/test.txt
4. Execute ls -Z /root/test.txt and study the type now associated with the test.txt file.

Can you see the effects of the chcon operation? Remember, however, that this change will not survive a relabel of the file system.

Please remove the test.txt file when you have finished the above practice.

4.2.2 The semanage command

In order to change the type permanently, you need to use the semanage command. Please use the man page to study the semanage command. The semanage fcontext command is used for manipulating file security contexts.

Please perform the following practice as the root user:

1. Create a file in the /etc/ directory, such as /etc/test1.
2. Execute ls -Z /etc/test1 and note the type of this file.
3. Execute /usr/sbin/semanage fcontext -a -t httpd_sys_content_t /etc/test1 (note that the full path must be used; the command may not work correctly otherwise).
4. Execute ls -Z /etc/test1 and note the type of this file.

Did you notice a type change? No, the displayed type is still the same. The effect of the /usr/sbin/semanage fcontext -a -t httpd_sys_content_t /etc/test1 operation is simply to "add an OBJECT record NAME". What does that mean? An entry for the /etc/test1 file is recorded in the following file:

/etc/selinux/targeted/contexts/files/file_contexts.local

View the above file and see what you can find. There should be an entry similar to the following:

The first part identifies the file with a full path name. The second part specifies the security context associated with the file.

Please perform the following to actually see the effects:

1. Execute /sbin/restorecon -v /etc/test1
2. Execute ls -Z /etc/test1 and watch the type associated with this file.

Did you notice the type change? You should see the type change as long as the policy has not been changed. In addition, this type change survives a system reboot and a file system relabel.
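Two label checks follow from Sections 3.2 and 4.2.2: finding files under a web-served directory whose type is not httpd_sys_content_t (the type this lab identifies as readable by httpd), which is what you get when mv carries a user_home_t label into /var/www/html, and finding files whose observed context differs from the one recorded by semanage fcontext, which is exactly the gap restorecon closes. The shell script below is an added example, not part of the lab or of the SELinux tools. It runs on constructed text: a listing in the "context path" shape assumed here for ls -Z output, and a file_contexts.local with exact-path entries only. The functions ctx_type, recorded_context, label_drift and not_readable_by_httpd are the example's own.

```shell
#!/bin/sh
# Added example (not part of the lab): label checks over constructed text.
#  - not_readable_by_httpd: files under a served directory whose type is not
#    httpd_sys_content_t (e.g. a user_home_t label carried in by mv).
#  - label_drift: files whose observed type differs from the type recorded in
#    file_contexts.local, i.e. what restorecon would change.

# Constructed listing in the "context path" shape assumed for ls -Z
# (one file per line, context first, then the path).
LISTING='unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
unconfined_u:object_r:user_home_t:s0 /var/www/html/about.html
unconfined_u:object_r:samba_share_t:s0 /var/www/html/index2.html
system_u:object_r:etc_t:s0 /etc/test1'

# Constructed file_contexts.local: "path context" entries as recorded by
# semanage fcontext -a. Only exact paths are handled here; regular-expression
# entries, which the real file may also contain, are not interpreted.
FILE_CONTEXTS_LOCAL='/etc/test1    system_u:object_r:httpd_sys_content_t:s0'

# ctx_type CONTEXT: the type field of user:role:type:range.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# recorded_context FCL PATH: context recorded for exactly PATH, or nothing.
recorded_context() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == p { ctx = $NF } END { if (ctx != "") print ctx }'
}

# label_drift LISTING FCL: files with a recorded entry whose observed type
# differs from the recorded type.
label_drift() {
    printf '%s\n' "$1" | while read -r ctx path; do
        [ -n "$path" ] || continue
        rec=$(recorded_context "$2" "$path")
        [ -n "$rec" ] || continue
        obs=$(ctx_type "$ctx")
        exp=$(ctx_type "$rec")
        [ "$obs" = "$exp" ] || printf '%s observed=%s recorded=%s\n' "$path" "$obs" "$exp"
    done
}

# not_readable_by_httpd LISTING DIR: files under DIR whose type is not
# httpd_sys_content_t, printed as "path type".
not_readable_by_httpd() {
    printf '%s\n' "$1" | awk -v d="$2" '
        index($2, d "/") == 1 {
            split($1, f, ":")
            if (f[3] != "httpd_sys_content_t") print $2, f[3]
        }'
}

echo "needs restorecon:"
label_drift "$LISTING" "$FILE_CONTEXTS_LOCAL"
echo "not readable by httpd under /var/www/html:"
not_readable_by_httpd "$LISTING" /var/www/html
```

On a live system, restorecon -n -v PATH reports the same kind of drift without changing anything; the example exists to show what that comparison consists of (type field of the observed context against type field of the recorded one) on input you can inspect.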


Question 5: Why would you want to use the chcon command to make type changes? Why would you want to use the semanage/restorecon commands to make type changes? Please try to explain the real-world situations where chcon and semanage/restorecon fit in.

Please delete the /etc/test1 file when you have finished the practice.

4.3 Confined processes

Almost every service that listens on a network is confined in Fedora 18, which enforces the SELinux targeted policy. Most processes that run as the root user and perform tasks for users, such as the passwd application, are confined under the targeted policy. When a process is confined, it runs in its own domain, such as the httpd process running in the httpd_t domain. If a confined process is compromised by an attacker, then, depending on the SELinux policy configuration, the attacker's access to resources and the damage they can cause are limited.

The following example demonstrates how SELinux prevents the Apache HTTP Server (httpd) from reading files that are not allowed by the SELinux policy.

Please perform the following as the root user on the Fedora 18 computer:

1. Create a file in the /var/www/html directory, such as /var/www/html/index.html. Put the message "This is just a test" in the file.
2. Execute ls -Z /var/www/html/index.html, and study the security context of this file, especially its SELinux type.

The index.html file is labeled with the SELinux unconfined_u user because a Linux user that is mapped to the unconfined_u SELinux user created the file. Role-Based Access Control (RBAC) is used for processes, not files. Roles do not have a meaning for data files - the object_r role is a generic role used for data files (on persistent storage and network file systems). Under the /proc/ directory, files related to processes may use the system_r role. The httpd_sys_content_t type allows the httpd process to access this file.

Please continue your practice by performing the following:

1. Stop the HTTP server (httpd) if it is running (systemctl stop httpd.service).
2. Open the file /etc/httpd/conf/httpd.conf and comment out the following line at the bottom of the file:
   IncludeOptional conf.d/*.conf
3. Start the Apache HTTP server (httpd) (systemctl start httpd.service).
4. Go to a directory where your Linux user has write access.
5. Run the wget http://localhost/index.html command.


Question 6: Were you able to get the index.html file? Why or Why not?

Then, continue to conduct the following tasks:

Use the chcon command to change the type of index.html to samba_share_t by running the following command (note: under the targeted policy, httpd does not have permission to access files of the samba_share_t type):

chcon -t samba_share_t /var/www/html/index.html

1. Run the ls -Z /var/www/html/index.html command to confirm the type change.
2. Run the wget http://localhost/index.html command again.

Were you able to get the file index.html? The access should be denied (403 Forbidden), because httpd does not have permission to access files of the samba_share_t type.

Please stop the Apache HTTP service:

systemctl stop httpd.service

The error from running the wget http://localhost/index.html command is logged in the file /var/log/messages. View this file with a text viewer of your choice and scroll down to the bottom. You will see an entry similar to the following:

In addition, an error similar to the following is logged to /var/log/httpd/error_log:
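The log entries referred to above are AVC records, and the parts worth reading in each are the permission that was denied, the source domain and the target type. The shell script below is an added example, not part of the lab: it extracts those fields from constructed audit-log lines modelled on the httpd denial in this section (the event ids, pids and inode numbers are made up), and the functions ctx_type, avc_field, avc_perm, avc_denials and denial_count are the example's own.

```shell
#!/bin/sh
# Added example (not part of the lab): pull the AVC denials out of an audit
# log and print one summary line per denial, so the httpd-vs-samba_share_t
# denial from Section 4.3 can be spotted without reading raw records.

# Constructed sample in the shape of /var/log/audit/audit.log records (AVC
# records also reach /var/log/messages, prefixed by "kernel:"). Event ids,
# pids and inode numbers are made up.
SAMPLE_AUDIT='type=AVC msg=audit(1389812345.678:101): avc:  denied  { read } for  pid=2301 comm="httpd" name="index.html" dev="dm-1" ino=131107 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1389812345.678:101): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389812345.690:102): avc:  denied  { open } for  pid=2301 comm="httpd" path="/var/www/html/index.html" dev="dm-1" ino=131107 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file'

# ctx_type CONTEXT: the type field of user:role:type:range.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_field LINE KEY: value of KEY=value or KEY="value" in LINE (empty if absent).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: the permission(s) listed inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# avc_denials FILE: one tab-separated line per denial record:
#   comm  source type  permission  class  target type  target path (or name)
avc_denials() {
    grep 'avc:  *denied' "$1" | while IFS= read -r line; do
        comm=$(avc_field "$line" comm)
        src=$(ctx_type "$(avc_field "$line" scontext)")
        tgt=$(ctx_type "$(avc_field "$line" tcontext)")
        tclass=$(avc_field "$line" tclass)
        target=$(avc_field "$line" path)
        [ -n "$target" ] || target=$(avc_field "$line" name)
        printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$comm" "$src" "$(avc_perm "$line")" "$tclass" "$tgt" "$target"
    done
}

# denial_count FILE: number of AVC denial records in FILE.
denial_count() {
    grep -c 'avc:  *denied' "$1"
}

demo=$(mktemp)
printf '%s\n' "$SAMPLE_AUDIT" > "$demo"
echo "$(denial_count "$demo") denial(s):"
avc_denials "$demo"
rm -f "$demo"
```

The source type httpd_t together with the target type samba_share_t is the whole story of the 403 seen in this section: the policy has no rule allowing that pair for read or open on a file. The same two columns are what you would scan for after changing labels in production, since a denial that names an unexpected target type usually points at a mislabeled file rather than at a policy bug.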

4.4 Unconfined processes

Unconfined processes run in unconfined domains. For example, init programs run in the unconfined initrc_t domain, unconfined kernel processes run in the kernel_t domain, and unconfined Linux users run in the unconfined_t domain. For unconfined processes, SELinux policy rules are applied, but the policy rules allow unconfined processes access to almost everything. Processes running in unconfined domains fall back to using DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but, of course, the DAC rules still apply. SELinux is a security enhancement on top of DAC rules; it does not replace them.

Can we change the domain of a process to let it access more resources, or to run it in an unconfined domain? The answer is yes: man-made rules can always be changed.

The following example demonstrates how the Apache HTTP Server (httpd) can access data intended for use by Samba, while running in an unconfined domain.

1. Create a file in the /var/www/html directory, such as /var/www/html/index2.html.
2. Run the ls -Z /var/www/html/index2.html command to view and study the SELinux security context of this file. The httpd_sys_content_t type should be associated with the file; this type allows the Apache HTTP service (httpd) to read the file.
3. Use the chcon command to change the type of the index2.html file to the samba_share_t type.
4. Run the ls -Z /var/www/html/index2.html command to confirm the type change. From what you learned in the previous section, you know that httpd has no access to the index2.html file after the type change. This can be changed by changing the domain of httpd.
5. Stop the Apache HTTP service (httpd) if it is running (systemctl stop httpd.service).
6. Run chcon -t unconfined_exec_t /usr/sbin/httpd to change the type of the httpd binary to the unconfined_exec_t type.
7. Run systemctl start httpd.service to start the Apache HTTP service.
8. Run ps -eZ | grep httpd to confirm that httpd is in the unconfined_t domain.
9. Change into a directory where your Linux user has write access, and run the following command:

wget http://localhost/index2.html

Question 7: Were you able to get the index2.html file? Why or Why not?

How do you change httpd back into a confined process? You have already learned how to do it: change its type back to a confined domain, or restore the original type of the binary.

Please perform the following:

1. Stop httpd.
2. Run the restorecon -v /usr/sbin/httpd command.
3. Run the ls -Z /usr/sbin/httpd command to confirm the restoration; the binary is now associated with the httpd_exec_t type.
4. Start httpd.
5. Run the wget http://localhost/index2.html command.


Now the access to index2.html by httpd is forbidden. Please stop httpd and delete the index2.html file from the system.

Section 5 Confined and unconfined SELinux users

Each standard Linux user is mapped to a SELinux user via the SELinux policy. This mapping lets Linux users inherit the restrictions placed on SELinux users. The mapping between Linux and SELinux users can be viewed by running the following command:

semanage login -l

5.1 Unconfined SELinux users

In a Fedora 18 system, Linux users are mapped to the SELinux __default__ login by default, which is mapped to the SELinux unconfined_u user. In other words, when you create a standard Linux user, this user is mapped to __default__ login, which is mapped to an unconfined SELinux user (unconfined_u).
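Because logins without their own record inherit the __default__ mapping, the question "which logins are effectively unconfined?" cannot be answered by reading only the explicit records. The shell script below is an added example, not part of the lab or of semanage: it reads constructed semanage login -l style output (the records for current and tom are assumed to have been added as Section 5.3 describes) and resolves a login to its SELinux user with the __default__ fallback. The functions login_map, selinux_user_of, is_confined and unconfined_logins are the example's own.

```shell
#!/bin/sh
# Added example (not part of the lab): read "semanage login -l" style output
# and answer two questions: which SELinux user a given login gets (falling
# back to __default__, as the lab describes), and which records are unconfined.

# Constructed sample of semanage login -l output. The records for current and
# tom are assumed to have been added with semanage login / useradd -Z.
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
current              staff_u              s0-s0:c0.c1023       *
tom                  user_u               s0                   *'

# login_map TABLE: "login selinux_user" pairs, skipping the header and blank lines.
login_map() {
    printf '%s\n' "$1" | awk 'NF >= 2 && $1 != "Login" { print $1, $2 }'
}

# selinux_user_of TABLE LOGIN: the SELinux user LOGIN maps to; logins without
# their own record inherit the __default__ mapping.
selinux_user_of() {
    u=$(login_map "$1" | awk -v l="$2" '$1 == l { print $2; exit }')
    [ -n "$u" ] || u=$(login_map "$1" | awk '$1 == "__default__" { print $2; exit }')
    printf '%s\n' "$u"
}

# is_confined TABLE LOGIN: succeed if LOGIN maps to anything other than unconfined_u.
is_confined() {
    [ "$(selinux_user_of "$1" "$2")" != "unconfined_u" ]
}

# unconfined_logins TABLE: every record (including __default__) mapped to unconfined_u.
unconfined_logins() {
    login_map "$1" | awk '$2 == "unconfined_u" { print $1 }'
}

# joe has no record of his own, so he lands on the __default__ mapping.
for login in joe tom current root; do
    echo "$login -> $(selinux_user_of "$SAMPLE_LOGINS" "$login")"
done
echo "unconfined records: $(unconfined_logins "$SAMPLE_LOGINS" | tr '\n' ' ')"
```

On a real system you would feed it the output of semanage login -l instead of the constructed table; the __default__ fallback is the line to watch, because changing that one record changes the mapping of every login that has no record of its own.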

Please perform the following to verify this:

1. Create a Linux user, such as joe (useradd joe).
2. Set a password for this user (passwd joe).
3. Log in as the newly created user.
4. Run id -Z

You will see that joe is an unconfined user (unconfined_u), plays the unconfined role (unconfined_r), and runs in the unconfined domain (unconfined_t).

You can remove this user from your system by running the command userdel -r joe if you don't want to keep the data on your system.

5.2 Confined SELinux users

Depending on the SELinux policy, different confined SELinux users may be defined. Table 1 gives some of them along with restrictions and permissions for each of them.

Table 1 Common confined SELinux users and their capabilities

User      Domain     X Window System   su and sudo   Execute in home directory and /tmp/   Networking
guest_u   guest_t    no                no            optional                              no
xguest_u  xguest_t   yes               no            optional                              Firefox only
user_u    user_t     yes               no            optional                              yes
staff_u   staff_t    yes               sudo only     optional                              yes

SELinux users defined in a policy can be viewed by running the following command:

semanage user -l

How can you confine a user? Well, you are getting there.

5.3 Confining users

It could be useful to confine a user and restrict its access to the system resources. This can be done when a Linux user is created. This can also be done on existing users.

5.3.1 Confining new Linux users.

When creating Linux users with useradd, the -Z option can be used to specify which SELinux user they are mapped to. For example, the following command creates the user tom and maps it to the SELinux staff_u user:

useradd -Z staff_u tom

Please perform the following to understand the effects of confined users.

1. Create a user, such as tom, and map this Linux user to the SELinux user_u user (useradd -Z user_u tom).
2. Set a password for user tom.
3. Log on to the computer as user tom.
4. Run the su root command.

Question 8: What happened when you tried to run the su command as user tom? Take a screenshot of the results and attach it here. Explain the result.

5.3.2 Confining existing Linux users

In order to confine an existing Linux user, the semanage login command can be used to map the user to a confined SELinux user. For example, the following command maps the user currentUser, which is a standard Linux user, to the SELinux user_u user, which is a confined SELinux user.

semanage login -a -s user_u currentUser

The -a option adds a new record, and the -s option specifies the SELinux user. The last argument, currentUser, is the normal Linux user.

Please perform the following tasks as a Linux root user to understand the effects:

1. Create a Linux user, such as current.
2. Set a password for this user.
3. Run the su current command to become user current.
4. Run id -Z and check the security context of user current.
5. Run the su command to switch back to root.
6. Map user current to the SELinux staff_u user.
7. Log out and log back in as user current.
8. Try to run the commands su and sudo as user current. Record what you see.

Question 9: What did you see when you tried the commands su and sudo root as user current (which is an SELinux staff_u user)? Explain the results. Please pay attention to the reasons why user current cannot run the command.

Question 10: Why would you confine Linux users in practice? Explain your answer.

You are encouraged to explore the effects of confining users with more examples. Technically, every Linux user can be remapped. However, please be careful and understand what you are doing and its effects before you actually do it. You don't want to lock yourself out; it could happen.

Section 6 Bonus (4%)

What you need to do for the bonus is not restricted, but has to be related to SELinux.

Please do the following to earn the bonus of this lab. More extra points may be given if you can convince your instructor that you have done a significant amount of work on SELinux.

1. Work out a mini project of your choice based on what you have learned about SELinux.
2. Describe your mini project: motivation, design and technical contents.
3. Implement your mini project.


Question B1: What is your mini project about? Give a description of your project, including motivation, design and technical details.

Question B2: Implement your mini project. Please use screenshots, descriptions and answers to questions to show your implementation.

Survey Questions

Questions in this section will not be graded, but will make your suggestions and voice heard by your instructor.

GQ 1. What changes would you like to make to this lab?

GQ 2. How much time did you spend to finish this lab?

GQ 3. Did you learn anything new or gain a better understanding of the class lecture by finishing this lab?

Well, you have completed another lab for this class. Hope you enjoyed doing this lab. Please let your instructor know if you have any comments.


Answer Sheet

============================ Required Questions =========================

Question 1: How would the use of sestatus -v command benefit your everyday administration work on SELinux? Please explain your answer.

Question 2: How would the setenforce command be useful? Please explain your answer.

Question 3: What option would you use with the ls command if you want to display only the security context and the file name?

Question 4: Would you use the command cp or mv to achieve the goal specified in Scenario 1? Please explain your solution.

Question 5: Why would you want to use the chcon command to make type changes? Why would you want to use the semanage/restorecon commands to make type changes? Please try to explain the real world situations where chcon and semanage/restorecon can fit in.

Question 6: Were you able to get the index.html file? Why or Why not?

Question 7: Were you able to get the index2.html file? Why or Why not?

Question 8: What happened when you tried to run the su command as user tom? Take a screenshot of the results and attach it here. Explain the result.

Question 9: What did you see when you tried the commands su and sudo root as user current (which is an SELinux staff_u user)? Explain the results. Please pay attention to the reasons why user current cannot run the command.


Question 10: Why would you confine Linux users in practice? Explain your answer.

========================== Bonus Part (4%) =============================

Question B1: What is your mini project about? Give a description of your project, including motivation, design and technical details.

Question B2: Implement your mini project. Please use screenshots, descriptions and answers to questions to show your implementation.

=========================== Survey Questions ============================

GQ1. Would you like to make any changes to this lab?

GQ2. How long did it take you to complete this lab?

GQ3. Did you learn anything new or gain a better understanding of the class lecture by finishing this lab?