SELinux for Sysadmins
Beyond 'restorecon'
uploaded by paulway

Principles for using SELinux
Through real world examples
Real world example 1
Share home directories through NFS

[server]# cat /etc/exports
/home   192.168.0.0/24(rw)

[client]# cat /etc/fstab
...
server:/home   /home   nfs   soft   0 0
...

[client]# mount /home
Permission denied
Share home directories through NFS
Is this a SELinux problem? Check /var/log/audit/audit.log:

grep mount /var/log/audit/audit.log

SELinux denials are the type=AVC records containing "denied". A plain Unix permission problem, or an export that the server refused, produces no AVC record at all, so if the grep finds nothing, stop blaming SELinux and look at the export and the DAC permissions first.
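As an added example (not from the slides), here is a small shell filter that turns the AVC records such a grep finds into one line each with the fields a sysadmin actually needs: the process, what was denied, the source domain and the target type. The audit.log excerpt inside it is constructed for the example, not captured from a real system; the field layout follows the kernel's "avc: denied" record format.

```shell
#!/bin/sh
# Added example (not from the slides): pull the facts that matter out of
# AVC denial records so "is this an SELinux problem?" gets a concrete answer.
# Names, PIDs, inodes and timestamps below are constructed, not from a real box.

# sample_log: a constructed audit.log excerpt. The SYSCALL record is what a
# plain DAC "Permission denied" looks like; only the type=AVC records are SELinux.
sample_log() {
  cat <<'EOF'
type=SYSCALL msg=audit(1245110400.123:101): arch=c000003e syscall=2 success=no exit=-13 comm="bash" exe="/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1245110400.123:101): avc:  denied  { search } for  pid=2345 comm="bash" name="/" dev=0:15 ino=2 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1245110455.987:117): avc:  denied  { read } for  pid=2410 comm="smbd" name="data" dev=sda2 ino=131073 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
EOF
}

# avc_summary: read audit records on stdin, print one line per AVC denial:
#   comm=<process> denied={ perms } src=<source type> tgt=<target type> class=<object class>
# The source type tells you which *_selinux man page to read; the target type
# tells you whether a boolean (nfs_t, cifs_t, ...) or a relabel (default_t) is the fix.
# Records that are not AVC denials, or that lack a comm= field, are dropped.
avc_summary() {
  grep 'type=AVC' | grep 'denied' | sed -n \
    's/.*denied *{\([^}]*\)}.*comm="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/comm=\2 denied={\1} src=\3 tgt=\4 class=\5/p'
}

# Usage: sample_log | avc_summary
# On a real system: avc_summary < /var/log/audit/audit.log
```

On a box running auditd, "ausearch -m avc -ts recent" gives the same records without grepping the whole file. For the NFS case in the slides the line to expect is a user domain denied on nfs_t, which is precisely what the use_nfs_home_dirs boolean switches on.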
Share home directories through NFS
If it is a SELinux problem: getsebool -a | grep home

ftp_home_dir --> off
httpd_enable_homedirs --> on
openvpn_enable_homedirs --> off
samba_create_home_dirs --> off
samba_enable_home_dirs --> off
spamd_enable_home_dirs --> on
use_nfs_home_dirs --> off
use_samba_home_dirs --> off

use_nfs_home_dirs is the one we want: it lets user domains use home directories that live on an NFS mount.

setsebool use_nfs_home_dirs on
  (takes effect immediately, but is lost at the next reboot)

setsebool -P use_nfs_home_dirs on
  (-P also writes the value into the policy store, so it survives a reboot)
Real world example 1, summary

Share home directories through NFS:
  setsebool -P use_nfs_home_dirs on

Share home directories through SaMBa:
  setsebool -P use_samba_home_dirs on       (on the client, to mount SaMBa home dirs)
  setsebool -P samba_enable_home_dirs on    (on the SaMBa server, to share home dirs)

Share ~/public_html through Apache:
  setsebool -P httpd_enable_homedirs on     (the boolean is httpd_enable_homedirs, as in the getsebool listing above; there is no apache_enable_homedirs)
Principles for using SELinux
Use booleans where possible
Real world example 2
Sharing /data through SaMBa

getsebool -a | grep samba
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> on
samba_share_fusefs --> off
samba_share_nfs --> off
use_samba_home_dirs --> off
virt_use_samba --> off

No boolean fits. samba_export_all_rw would make it work, but it lets smbd read and write every file on the system, far more than sharing one directory needs. This is a job for a file context.
File contexts
[root@tachyon ~]# ls -laZ /var
drwxr-xr-x root root system_u:object_r:var_t:s0 .
drwxr-xr-x root root system_u:object_r:root_t:s0 ..
drwxr-xr-x root root system_u:object_r:acct_data_t:s0 account
drwxr-xr-x root root system_u:object_r:var_t:s0 cache
drwxr-xr-x root root system_u:object_r:cvs_data_t:s0 cvs
drwxr-xr-x root root system_u:object_r:var_t:s0 db
drwxr-xr-x root root system_u:object_r:var_t:s0 empty
drwxr-xr-x root root system_u:object_r:games_data_t:s0 games
drwxrwx--T root gdm system_u:object_r:xserver_log_t:s0 gdm
drwxr-xr-x root root system_u:object_r:var_lib_t:s0 lib
drwxr-xr-x root root system_u:object_r:var_t:s0 local
drwxrwxr-x root lock system_u:object_r:var_lock_t:s0 lock
drwxr-xr-x root root system_u:object_r:var_log_t:s0 log
lrwxrwxrwx root root system_u:object_r:mail_spool_t:s0 mail
drwxr-xr-x root root system_u:object_r:var_t:s0 nis
drwxr-xr-x root root system_u:object_r:var_t:s0 opt
drwxr-xr-x root root system_u:object_r:var_t:s0 preserve
...
File contexts
The context on a file says which domains may use it, and how: the type (the *_t part) is what the policy's rules are written against.
Like permissions, it is inherited: unless a policy rule says otherwise, a new file or directory gets the type of the directory it is created in, and the SELinux user of the process that created it (hence unconfined_u on a directory made from root's shell, versus system_u on files installed by packages).
Real world example 2
Sharing /data through SaMBa

[root@tachyon ~]# mkdir /data
[root@tachyon ~]# ls -laZ /data
drwxr-xr-x root root unconfined_u:object_r:default_t:s0 .
drwxr-xr-x root root system_u:object_r:root_t:s0 ..

[root@tachyon ~]# chcon -R -t samba_share_t /data
[root@tachyon ~]# ls -laZ /data
drwxr-xr-x root root unconfined_u:object_r:samba_share_t:s0 .
drwxr-xr-x root root system_u:object_r:root_t:s0 ..

The new directory got default_t, the type for things no file-context rule claims, which no confined domain is allowed to use. smbd may serve samba_share_t, so relabel the tree. Note that chcon only changes the label on disk: nothing records that /data is meant to be samba_share_t, so a relabel (restorecon, or a full relabel after touching /.autorelabel) puts it back to default_t. To make it stick, also register the mapping with semanage fcontext -a -t samba_share_t "/data(/.*)?" and then run restorecon -R /data, which applies the registered mapping.
Principles for using SELinux
Use booleans where possible
Use the right file context
man {ftpd,named,rsync,httpd,nfs,samba,kerberos,nis,ypbind}_selinux is your friend!
Real world example 3
Sharing /data with SaMBa and VSFTPD

Gotcha! Files can only have one security context!
/data is now samba_share_t for smbd, and nothing in the policy lets vsftpd_t touch samba_share_t.

getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off

allow_ftpd_use_cifs looks promising, but it is written to allow (vs)ftpd to serve a directory that is mounted from a CIFS server (cifs_t), not a local directory labelled samba_share_t. allow_ftpd_full_access would work, but it gives ftpd the run of the whole filesystem. (The policy also ships public_content_t and public_content_rw_t, shared types that ftpd, httpd, samba, rsync and nfs may all read; check ftpd_selinux(8) and samba_selinux(8) before writing policy of your own. What follows is the general method for when no such type fits.)

What to do?
Real world example 3

# setenforce 0
# selinuxenabled && echo yes
yes
# run the service, exercise the functionality
# setenforce 1
# grep vsftpd /var/log/audit/audit.log | audit2allow -M vsftpd
# ls vsftpd.*
vsftpd.pp  vsftpd.te

setenforce takes 0 (Permissive) or 1 (Enforcing), not off and on. Permissive mode does not disable SELinux, which is why selinuxenabled still says yes: every access is still checked and every denial is still logged, it just isn't refused. That is the point of the exercise: you get the complete list of denials in one run instead of fixing them one at a time. Two cautions: the grep picks up every denial vsftpd has ever logged on this box, so rotate the log or note where it ends before you start; and audit2allow will happily allow everything it sees, so read the generated .te before installing it. audit2allow -M <name> turns the AVC records into a policy source file (vsftpd.te) and a compiled module package (vsftpd.pp).
Real world example 3

# cat vsftpd.te
module vsftpd 1.0;

require {
        type samba_share_t;
        type vsftpd_t;
        class dir { rename write search read remove_name getattr add_name };
        class file { rename setattr read lock create write getattr unlink };
}

#============= vsftpd_t ==============
allow vsftpd_t samba_share_t:dir { rename write search read remove_name getattr add_name };
allow vsftpd_t samba_share_t:file { rename setattr read lock create write getattr unlink };

This is everything that was denied in permissive mode: read, write, create, rename and delete on files and directories of type samba_share_t. Does the FTP server really need unlink and rename on the share? If not, delete them from the .te before building.
Real world example 3

# semodule -i vsftpd.pp

Install the module only after reading vsftpd.te; if you trimmed the rules, rebuild the .pp from the edited .te first.
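Added example, not from the slides: a review pass to run over the .te before semodule -i. It reads the vsftpd.te shown above (plus one constructed read-only rule, to show the other outcome) and marks every permission that lets vsftpd_t change something under samba_share_t, so "policy must be conservative" becomes a check rather than a slogan. Which permissions count as "modifying" is this script's own list, not one defined by the policy.

```shell
#!/bin/sh
# Added example (not from the slides): review an audit2allow-generated .te
# before semodule -i, flagging the permissions that let the domain change the
# target (or change labels and domains) so an operator can decide which to keep.
# The "modifying" permission list is this script's own choice.

# sample_te: the module audit2allow produced in example 3, plus a constructed
# single-permission rule to show the non-flagged case.
sample_te() {
  cat <<'EOF'
module vsftpd 1.0;

require {
    type samba_share_t;
    type vsftpd_t;
    class dir { rename write search read remove_name getattr add_name };
    class file { rename setattr read lock create write getattr unlink };
}

#============= vsftpd_t ==============
allow vsftpd_t samba_share_t:dir {
    rename write search read remove_name getattr add_name
};
allow vsftpd_t samba_share_t:file {
    rename setattr read lock create write getattr unlink
};
allow vsftpd_t samba_share_t:file read;
EOF
}

# te_review: read a .te on stdin; print one line per allow rule, with every
# permission that modifies the target (or changes labels/domains) prefixed by '!'.
# Rules with none of those are marked "ok"; the rest are marked "REVIEW" so the
# operator decides whether an FTP daemon really needs, say, unlink on a share.
# Multi-line rules (as audit2allow writes them) are joined until the ';'.
te_review() {
  awk '
    /^[ \t]*allow[ \t]/ { in_rule = 1; buf = "" }
    in_rule            { buf = buf " " $0 }
    in_rule && /;/ {
      in_rule = 0
      gsub(/[{};]/, " ", buf)                 # now: allow SRC TGT:CLASS p1 p2 ...
      n = split(buf, w, /[ \t]+/)
      i = 1; while (w[i] == "") i++           # skip a leading empty field, if any
      src = w[i+1]; split(w[i+2], tc, ":"); tgt = tc[1]; cls = tc[2]
      out = ""; risky = 0
      for (j = i+3; j <= n; j++) {
        if (w[j] == "") continue
        p = w[j]
        if (p ~ /^(write|append|create|unlink|rename|setattr|add_name|remove_name|execute|execmod|execute_no_trans|entrypoint|relabelfrom|relabelto|transition)$/) {
          p = "!" p; risky++
        }
        out = out " " p
      }
      printf "%s %s -> %s:%s {%s } modifying=%d\n",
             (risky ? "REVIEW" : "ok"), src, tgt, cls, out, risky
    }
  '
}

# Usage: sample_te | te_review
# On a real system: te_review < vsftpd.te
```

After trimming rules from the .te, rebuild the package before installing it: checkmodule -M -m -o vsftpd.mod vsftpd.te, then semodule_package -o vsftpd.pp -m vsftpd.mod, then semodule -i vsftpd.pp. A rule the review marks "ok" is still a rule; the point is that the flagged ones deserve a reason before they go in.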
Principles for using SELinux
Use booleans where possible
Use the right file context
man {ftpd,named,rsync,httpd,nfs,samba,kerberos,nis,ypbind}_selinux is your friend!
Create policy where necessary
Policy must be conservative: allow what the denials show the service actually needs, and nothing more
system-config-selinux gives a GUI for the same things: booleans, file labelling and installed modules
Questions?
SLUG 2009-06