SELinux complete Flashcards
What’s the main thing that selinux does?
Type enforcement:
This type/domain has access to this type/domain for this class to do this action.
This goes beyond DAC or UBAC: even if you have every right you can think of outside SELinux, inside it you can only do what your role and type dictate.
Define:
domain
type
class
permissions
domain - type of requester
type - type of object acted upon
class - file/directory/whatever
permission - rwx
Break down what everything is in this SELinux statement:
allow auditd_t auditd_log_t:file { write };
allow <domain> <type>:<class> { <permissions> };
if the process runs within the auditd_t domain (and thus has a security context with auditd_t in its third position)
and if the target has the type auditd_log_t set,
and the target is a file
then the permission write is granted
How would you search if this rule is enabled?
allow auditd_t auditd_log_t:file { write };
sesearch --allow --source auditd_t --target auditd_log_t --class file --perm write
Where are the audit logs? How would you know a log item is related to SELinux?
/var/log/audit/audit.log
Not all SELinux denials are logged (dontaudit rules); how would you disable that to see them?
Afterward, re-enable it.
semodule --disable_dontaudit --build (semodule -DB)
semodule --build (semodule -B)
What command would you use to search audit.log for SELinux logs within the last 10 mins?
ausearch -m avc --start recent
What’s the SELinux command to search logs?
sealert -l "*"
How would you relabel context for /this directory recursively?
Then delete it.
semanage fcontext -at httpd_sys_content_t "/this(/.*)?"
semanage fcontext -dt httpd_sys_content_t "/this(/.*)?"
Look at the policy for auditd_t in terms of what it’s allowed to do to var_t
sesearch -s auditd_t -t var_t -SA
What is a domain transition?
type_transition init_t initrc_exec_t : process initrc_t;
[kernel_t] --(execute init_exec_t)--> [init_t]
[init_t] --(execute initrc_exec_t)--> [initrc_t]
[initrc_t] --(execute sshd_exec_t)--> [sshd_t]
sepolicy transition -s kernel_t -t init_t
For the below domain transition, define what is the entrypoint and what is the transition point:
[initrc_t] --(execute sshd_exec_t)--> [sshd_t]
sshd_exec_t is an entrypoint for sshd_t
sshd_t is a transition point for sshd_exec_t
What are the rules for Domain transitions to happen?
1) The domain has execute permission on a file.
2) The file context is identified as an entrypoint for the target domain.
3) The origin domain is allowed to transition to the target domain.
Let’s troubleshoot the domain transition below via the three rules we learned about.
[initrc_t] --(execute sshd_exec_t)--> [sshd_t]
The domain has execute permissions on a file
The file context is identified as an entrypoint for the target domain
The origin domain is allowed to transition to the target domain.
sesearch -s initrc_t -t sshd_exec_t -c file -p execute -Ad
sesearch -s sshd_t -t sshd_exec_t -c file -p entrypoint -Ad
sesearch -s initrc_t -t sshd_t -c process -p transition -Ad
What are booleans used for?
Some activities are denied by SELinux even though it would make sense for them to be allowed in some setups; these are normally left up to the administrator's choice, and that choice is expressed with booleans.
Let’s say we turn on the boolean abrt_anon_write, do that and then check what policies have changed
setsebool -P abrt_anon_write on
sesearch -b abrt_anon_write -AC
sesearch --bool abrt_anon_write --show_cond --allow
Here is the output of the boolean sesearch, what does it mean?
DT allow abrt_t public_content_rw_t : file { ioctl read write … } ; [ abrt_anon_write ]
D - disabled
T - but if true it is active
if F was there instead of T
F - if False then it’s active
C - shows the DT Condition
Let’s say you are showing a denial in your logs:
mozilla_t is denied read access on a user_home_t file.
Instead of changing a policy, let’s see if there’s a boolean for that.
sesearch -s mozilla_t -t user_home_t -AC
Use this option minus the C. If there's a boolean it will look like this: [ mozilla_read_content ]:True
What are customizable types and where are they located?
Customizable types are for files with no predetermined location.
/etc/selinux/targeted/contexts/customizable_types
Can users change file context in their home files? How would we know if they can or not?
Yes, with chcon; the change won't persist through a relabel, though, unless customizable types are used.
Users run in the user_t domain, and the relabel permissions are called relabelfrom and relabelto. Let's search for it!
sesearch -s user_t -t home_bin_t -c file -p relabelto -A
How do you know if your system can go into permissive mode?
How do you know if you can disable SELinux on boot?
/boot/config
Systems that can go into permissive mode have this set to “y”
CONFIG_SECURITY_SELINUX_DEVELOP=y
If CONFIG_SECURITY_SELINUX_BOOTPARAM is enabled then you can disable it on boot.
What boolean would you turn on to make sure selinux can’t be set to permissive unless a reload is performed?
setsebool -P secure_mode_policyload on
Restore everything back to the context mapping definition
restorecon -RF /
The force part is interesting here: it relabels all contexts regardless of whether it's needed. So if we changed a new dir /http to httpd_sys_content_t and did a simple restorecon, the only bit that would change is the type.
If we performed restorecon -RF, it would also change the user from unconfined_u to system_u, because that is the whole context the policy defines for httpd_sys_content_t.
Some processes are SELinux aware and may act weird if it's disabled. How do we check if a process is SELinux aware?
ldd /sbin/sshd | grep selinux
Allow sshd_t to be permissive then check out all processes under permissive
semanage permissive -a sshd_t
semanage permissive -l
What bad thing will happen if you disable selinux?
Files won't get contexts while it's disabled; if you turn it back on they get default_t, which isn't great.
What are attributes?
An attribute groups several domains together so they share the same policy. For instance, if a domain carries the attribute "this_attribute", that domain and every other domain with the attribute gets the same permission from a rule like the one below:
allow this_attribute etc_t:file read;
Normally if you see something without a _t it’s an attribute
See what types are a part of the userdomain attribute.
See attributes assigned to a domain.
seinfo -auserdomain -x
seinfo -tuser_t -x
What domains are a part of the unconfined_domain_type?
Check if the unconfined type is available.
seinfo -aunconfined_domain_type -x
seinfo -tunconfined_t
if this shows unconfined_t, then it’s on.
What are modules?
Show all modules, show where they are located.
Show active policy
Modules are pieces of policy you can add and remove to change the active policy.
semodule -l
/usr/share/selinux/targeted
(base is base policy)
sestatus | grep loaded
/etc/selinux/targeted/policy
What is the purpose of role? Show what domains are allowed for the user role.
It dictates what they can enter and what domains they fall under.
If you’re a user_r even if you’re granted sudo access, it won’t work because you don’t have access to the domains.
seinfo -ruser_r -x
if you try to access something that’s not attached to your role you’ll get this error:
invalid context: user_u:user_r:portage_t
Show what roles all users have access to and then change your role
semanage user -l
newrole -r sysadm_r
What is the purpose of SELinux users
Show all users
Show what users are mapped to what roles
Add, modify and delete an SELinux user login mapping for a group
Now that you’ve changed the user, change their home directory to match
Users determine what roles you can have
semanage user -l
semanage login -l
semanage login -a -s staff_u %network
semanage login -d -s staff_u %network
semanage login -m -s staff_u %network
chcon -R -u staff_u -r staff_r /home/ben
or
restorecon -vF /home/ben
Add a new SELinux user named infra_u, give them both staff and sysadm roles
semanage user -a -R “staff_r sysadm_r” infra_u
Can one user access another users files?
If the files have ubac_constrained_type attached to them.
Can you change users mid-session
No, but system_u can
What does a constraint do?
Whitelists: it tells under what circumstances an operation is allowed. Constraints look at the ENTIRE context.
What does the below constraint mean?
constrain dir_file_class_set { create relabelto relabelfrom }
(
u1 == u2
or t1 == can_change_object_identity
);
See what the can_change_object_identity attribute can do
Show all constraints
a domain can only create or relabel(to and from) if the two contexts match
or
if the domain has the can_change_object_identity attribute assigned to it.
seinfo -acan_change_object_identity -x
seinfo --constrain
Describe Sensitivity levels and Categories in terms of MLS
Sensitivity levels mark things under a certain sensitivity. Highest is called clearance and lowest is current sensitivity.
If a user has public and internal sensitivity levels he won’t be able to access files even if an acl allows, type allows, or anything else.
Categories:
Label assigned to a resource like:
hr, sales, project1
If you want a user to access a sales category that is confidential:
confidential:sales
If you only have this you don’t have access to confidential:hr or anything else.
Explain categories and sensitivity levels in terms of how they are assigned.
Now that we know the two factors that play into MLS, let’s see it in terms of a board/example:
Example                             | Current sensitivity level     | Clearance sensitivity level   | Category set
user_u:user_r:user_t:s0             | s0 (lowest sensitivity level) | s0 (lowest sensitivity level) | c0 (a default category, gets translated to "")
user_u:user_r:user_t:s0-s0:c0.c15   | s0 (lowest sensitivity level) | s0 (lowest sensitivity level) | c0.c15 (range of c0 to c15)
user_u:user_r:user_t:s0-s2:c1,c4.c8 | s0 (lowest sensitivity level) | s2                            | c1,c4.c8 (c1 plus c4 to c8)
What is the audit log used for?
It is a kernel feature (paired with userspace tools) that can log system calls, for example opening a file, killing a process or creating a network connection. These audit logs can be used to monitor systems for suspicious activity.
Create a user, give them the staff_u selinux option.
Make it to where when they login as root it gives them the sysadm_r and sysadm_t
useradd -G wheel -Z staff_u user1
visudo -f /etc/sudoers.d/user1 (the -f option edits an alternate sudoers file location)
user1 ALL=(ALL:ALL) TYPE=sysadm_t ROLE=sysadm_r ALL
Log in as the user, then become root from that user:
sudo -i
try an admin task like restarting sshd
What steps should you take troubleshooting SELinux?
Check the audit log.
The message type can be any of the below
ausearch -m avc,user_avc,selinux_err,user_selinux_err -ts recent
(-ts = time start, you might also need to capitalize the message types)
Not seeing any matches? Check that the audit log is running.
systemctl status auditd
Still nothing? Check messages provided by the systemd journal
journalctl -t settroubleshoot
Look for messages in dmesg
dmesg | grep -i -e type=1300 -e type=1400
(displays local time and delta in human readable format)
Still nothing? Maybe the audits are being silenced
semodule -DB
If nothing has shown up, perhaps this isn't SELinux: re-enable dontaudit and set SELinux to permissive
setenforce 0
semodule -B
Study 5.2
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/using_selinux/troubleshooting-problems-related-to-selinux_using-selinux#analyzing-an-already-found-selinux-denial_troubleshooting-problems-related-to-selinux