slug 2009 06 selinux for sysadmins

Default

SELinux for Sysadmins


Beyond 'restorecon'


Principles for using SELinux


Principles for using SELinux

Through real world examples

Real world example 1

Share home directories through NFS


Share home directories through NFS[server]# cat /etc/exports
/home192.168.0.0/24(rw,soft)

[client]# cat /etc/fstab
...
server:/home/homenfssoft1 2
...


Share home directories through NFS[server]# cat /etc/exports
/home192.168.0.0/24(rw,soft)

[client]# cat /etc/fstab
...
server:/home/homenfssoft1 2
...

[client]# mount /home
Permission denied



Is this a SELinux problem?



Is this a SELinux problem?Check /var/log/audit/audit.log



Is this a SELinux problem?Check /var/log/audit/audit.log

grep mount /var/log/audit/audit.log



If it is a SELinux problem:getsebool -a | grep home
ftp_home_dir --> off
httpd_enable_homedirs --> on
openvpn_enable_homedirs --> off
samba_create_home_dirs --> off
samba_enable_home_dirs --> off
spamd_enable_home_dirs --> on
use_nfs_home_dirs --> off
use_samba_home_dirs --> off



If it is a SELinux problem:getsebool -a | grep home
httpd_enable_homedirs --> on
openvpn_enable_homedirs --> off
spamd_enable_home_dirs --> on
use_nfs_home_dirs --> off



If it is a SELinux problem:setsebool use_nfs_home_dirs on



If it is a SELinux problem:setsebool -P use_nfs_home_dirs on


Share home directories through NFSsetsebool -P use_nfs_home_dirs on



Share home directories through SaMBa



Share home directories through SaMBasetsebool -P use_samba_home_dirs on




setsebool -P samba_enable_home_dirs on



Share home directories through SaMBasetsebool -P use_samba_home_dirs onMount SaMBa home dirs on client

setsebool -P samba_enable_home_dirs onShare home dirs on SaMBa server




setsebool -P samba_enable_home_dirs on

Share ~/public_html through Apachesetsebool -P apache_enable_homedirs on


Principles for using SELinuxUse booleans where possible


Sharing /data through SaMBa


Sharing /data through SaMBagetsebool -a | grep samba
samba_domain_controller --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> on
samba_share_fusefs --> off
samba_share_nfs --> off
virt_use_samba --> off


File contexts


File contexts

[root@tachyon ~]# ls -laZ /var
drwxr-xr-x root root system_u:object_r:var_t:s0 .
drwxr-xr-x root root system_u:object_r:root_t:s0 ..
drwxr-xr-x root root system_u:object_r:acct_data_t:s0 account
drwxr-xr-x root root system_u:object_r:var_t:s0 cache
drwxr-xr-x root root system_u:object_r:cvs_data_t:s0 cvs
drwxr-xr-x root root system_u:object_r:var_t:s0 db
drwxr-xr-x root root system_u:object_r:var_t:s0 empty
drwxr-xr-x root root system_u:object_r:games_data_t:s0 games
drwxrwx--T root gdm system_u:object_r:xserver_log_t:s0 gdm
drwxr-xr-x root root system_u:object_r:var_lib_t:s0 lib
drwxr-xr-x root root system_u:object_r:var_t:s0 local
drwxrwxr-x root lock system_u:object_r:var_lock_t:s0 lock
drwxr-xr-x root root system_u:object_r:var_log_t:s0 log
lrwxrwxrwx root root system_u:object_r:mail_spool_t:s0 mail
drwxr-xr-x root root system_u:object_r:var_t:s0 nis
drwxr-xr-x root root system_u:object_r:var_t:s0 opt
drwxr-xr-x root root system_u:object_r:var_t:s0 preserve
...


File contextsSpecify the context in which it is to be used


File contextsSpecify the context in which it is to be used

Inherited like permissions



[root@tachyon ~]# mkdir /data[root@tachyon ~]# ls -laZ /data
drwxr-xr-x root root unconfined_u:object_r:default_t:s0 .



[root@tachyon ~]# mkdir /data[root@tachyon ~]# ls -laZ /data
drwxr-xr-x root root unconfined_u:object_r:default_t:s0 .
drwxr-xr-x root root system_u:object_r:root_t:s0 ..[root@tachyon ~]# chcon -R -t samba_share_t /data[root@tachyon ~]# ls -laZ /data
drwxr-xr-x root root unconfined_u:object_r:samba_share_t:s0 .



Use the right file context

man {ftpd,named,rsync,httpd,nfs,samba, kerberos,nis,ypbind}_selinux is your friend!


Sharing /data with SaMBa and VSFTPD


Sharing /data with SaMBa and VSFTPDGotcha!


Sharing /data with SaMBa and VSFTPDFiles can only have one security context!



getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off



allow_ftpd_use_cifs is written to allow (vs)ftpd to share a directory that is mounted from a CIFS server!



allow_ftpd_use_cifs is written to allow (vs)ftpd to share a directory that is mounted from a CIFS server!

What to do?


# setenforce off


# setenforce off

# selinuxenabled && echo yes

#


# setenforce off

# run service, exercise functionality


# setenforce off


# setenforce on


# setenforce off


# setenforce on

# grep vsftpd /var/log/audit/audit.log
| audit2allow -M -m vsftpd


# setenforce off


# setenforce on


# ls vsftpd.*
vsftpd.ppvsftpd.te


cat vsftpd.te
module vsftpd 1.0;

require {
type samba_share_t;
type vsftpd_t;
class dir { rename write search read remove_name getattr add_name };
class file { rename setattr read lock create write getattr unlink };
}

#============= smbd_t ==============
allow vsftpd_t samba_share_t:dir {
rename write search read remove_name getattr add_name
};
allow vsftpd_t samba_share_t:file {
rename setattr read lock create write getattr unlink
};


# setenforce off


# setenforce on


# semodule -i vsftpd.pp





Create policy where necessary






Policy must be conservative













system-config-selinux

Questions?

Click to edit the title

Click to edit the outline text formatSecond Outline LevelThird Outline LevelFourth Outline LevelFifth Outline LevelSixth Outline LevelSeventh Outline LevelEighth Outline LevelNinth Outline Level

SLUG 2009-06


Click to edit the title text format


SLUG 2009-06


Click to edit the title


SLUG 2009-06

SELinux for everyday users

slug 2009 06 selinux for sysadmins

Technology