SELinux complete Flashcards

1
Q

What’s the main thing that SELinux does?

A

Type enforcement:
This type/domain has access to this type/domain for this class to do this action.

This goes beyond DAC or UBAC: even if you have every right you can think of outside SELinux, inside it you can only do what your role and type dictate.

2
Q

Define:
domain
type
class
permissions

A

domain - type of requester
type - type of object acted upon
class - file/directory/whatever
permission - rwx

3
Q

Break down what everything is in this SELinux statement:
allow auditd_t auditd_log_t:file { write };

A

allow <domain> <type>:<class> { <permissions> };

if the process runs within the auditd_t domain (and thus has a security context with auditd_t in its third position)
and if the target has the type auditd_log_t set,
and the target is a file
then the permission write is granted

4
Q

How would you search if this rule is enabled?

allow auditd_t auditd_log_t:file { write };

A

sesearch --allow --source auditd_t --target auditd_log_t --class file --perm write

5
Q

Where are the audit logs? How would you know a log item is related to SELinux?

A

/var/log/audit/audit.log

6
Q

Not all SELinux denials are logged; how would you disable that to see them?
Afterward, re-enable it.

A

semodule --disable_dontaudit --build (semodule -DB)

semodule --build (semodule -B)

7
Q

What command would you use to search audit.log for SELinux logs within the last 10 mins?

A

ausearch -m avc --start recent

8
Q

What’s the SELinux command to search logs?

A

sealert -l "*"

9
Q

How would you relabel context for /this directory recursively?
Then delete it.

A

semanage fcontext -at httpd_sys_content_t "/this(/.*)?"

semanage fcontext -dt httpd_sys_content_t "/this(/.*)?"

10
Q

Look at the policy for auditd_t in terms of what it’s allowed to do to var_t

A

sesearch -s auditd_t -t var_t -SA

11
Q

What is a domain transition?

A

type_transition init_t initrc_exec_t : process initrc_t;

[kernel_t] --(execute init_exec_t)--> [init_t]
[init_t] --(execute initrc_exec_t)--> [initrc_t]
[initrc_t] --(execute sshd_exec_t)--> [sshd_t]

sepolicy transition -s kernel_t -t init_t

12
Q

For the below domain transition, define what is the entrypoint and what is the transition point:

[initrc_t] --(execute sshd_exec_t)--> [sshd_t]

A

sshd_exec_t is an entrypoint for sshd_t

sshd_t is a transition point for sshd_exec_t

13
Q

What are the rules for Domain transitions to happen?

A

1) The domain has execute permission on a file.

2) The file context is identified as an entrypoint for the target domain.

3) The origin domain is allowed to transition to the target domain.

14
Q

Let’s troubleshoot the domain transition below via the three rules we learned about.

[initrc_t] --(execute sshd_exec_t)--> [sshd_t]

The domain has execute permissions on a file

The file context is identified as an entrypoint for the target domain

The origin domain is allowed to transition to the target domain.

A

sesearch -s initrc_t -t sshd_exec_t -c file -p execute -Ad

sesearch -s sshd_t -t sshd_exec_t -c file -p entrypoint -Ad

sesearch -s initrc_t -t sshd_t -c process -p transition -Ad

15
Q

What are booleans used for?

A

Some activities on SELinux are denied when it would make sense for them to be allowed; these are normally left up to choice, so we have booleans.

16
Q

Let’s say we turn on the boolean abrt_anon_write, do that and then check what policies have changed

A

setsebool -P abrt_anon_write on

sesearch -b abrt_anon_write -AC
sesearch --bool abrt_anon_write --show_cond --allow

17
Q

Here is the output of the boolean sesearch, what does it mean?

DT allow abrt_t public_content_rw_t : file { ioctl read write … } ; [ abrt_anon_write ]

A

DT allow abrt_t public_content_rw_t : file { ioctl read write … } ; [ abrt_anon_write ]

D - disabled
T - but if true it is active
if F was there instead of T
F - if False then it’s active
C - shows the DT Condition

18
Q

Let’s say you are showing a denial in your logs:
mozilla_t is denied read access on a user_home_t file.
Instead of changing a policy, let’s see if there’s a boolean for that.

A

sesearch -s mozilla_t -t user_home_t -AC
Use this option minus the C. If there’s a boolean it will look like this: [ mozilla_read_content ]:True

19
Q

What are customizable types and where are they located?

A

Customizable types are for files with no predetermined location.

/etc/selinux/targeted/contexts/customizable_types

20
Q

Can users change file context in their home files? How would we know if they can or not?

A

Yes, with chcon, they won’t persist though, unless customizable types are used.

Users are part of user_t; the permissions to relabel are called RELABELFROM and RELABELTO. Let’s search it!

sesearch -s user_t -t home_bin_t -c file -p relabelto -A

21
Q

How do you know if your system can go into permissive mode?

How do you know if you can disable selinux on boot

A

/boot/config

Systems that can go into permissive mode have this set to “y”
CONFIG_SECURITY_SELINUX_DEVELOP=y

If CONFIG_SECURITY_SELINUX_BOOTPARAM is enabled, then you can disable it on boot.

22
Q

What boolean would you turn on to make sure selinux can’t be set to permissive unless a reload is performed?

A

setsebool -P secure_mode_policyload

23
Q

Restore everything back to the context mapping definition

A

restorecon -RF /

The force part is interesting here: this will relabel all contexts regardless of whether it’s needed. So if we changed a new dir /http to httpd_sys_content_t and did a simple restorecon, the only bit that would change is the type.
If we performed restorecon -RF, it would also change the user from unconfined_u to system_u, because that is the whole policy for httpd_sys_content_t.

24
Q

Some processes are SELinux-aware and may act weird if it’s disabled; how do we check if a process is SELinux-aware?

A

ldd /sbin/sshd | grep selinux

25
Q

Allow sshd_t to be permissive then check out all processes under permissive

A

semanage permissive -a sshd_t
semanage permissive -l

26
Q

What bad thing will happen if you disable selinux?

A

No files will get contexts generated; if you turn it back on they get default_t, which isn’t great.

27
Q

What are attributes?

A

Groups several domains together to have the same policy. For instance, let’s say you have a domain under the attribute “this_attribute”, that domain and everything else associated with it will get the same permission and policy like the one below:

allow this_attribute etc_t:file read

Normally if you see something without a _t it’s an attribute

28
Q

See what types are a part of the userdomain attribute.

See attributes assigned to a domain

A

seinfo -auserdomain -x

seinfo -tuser_t -x

29
Q

What domains are a part of the unconfined_domain_type?

check if the unconfined type is available.

A

seinfo -aunconfined_domain_type -x

seinfo -tunconfined_t
if this shows unconfined_t, then it’s on.

30
Q

What are modules?

Show all modules, show where they are located.

Show active policy

A

Modules allow you to add and remove them to change policy

semodule -l

/usr/share/selinux/targeted
(base is base policy)

sestatus | grep loaded

/etc/selinux/targeted/policy

31
Q

What is the purpose of role? Show what domains are allowed for the user role.

A

It dictates what they can enter and what domains they fall under.

If you’re a user_r even if you’re granted sudo access, it won’t work because you don’t have access to the domains.

seinfo -ruser_r -x

if you try to access something that’s not attached to your role you’ll get this error:
invalid context: user_u:user_r:portage_t

32
Q

Show what roles all users have access to and then change your role

A

semanage user -l

newrole -r sysadm_r

33
Q

What is the purpose of SELinux users

Show all users

Show what users are mapped to what roles

Add, modify and delete an SELinux user mapping for a group

Now that you’ve changed the user, change their home directory to match

A

Users determine what roles you can have

semanage user -l

semanage login -l

semanage login -a -s staff_u %network
semanage login -d -s staff_u %network
semanage login -m -s staff_u %network

chcon -R -u staff_u -r staff_r /home/ben
or
restorecon -vF /home/ben

34
Q

Add a new SELinux user named infra_u, give them both staff and sysadm roles

A

semanage user -a -R "staff_r sysadm_r" infra_u

35
Q

Can one user access another user’s files?

A

if the files have ubac_constrained_type attached to them

36
Q

Can you change users mid-session

A

No, but system_u can

37
Q

What does a constraint do?

A

Whitelists; tells under what circumstances an operation is allowed. Constraints look at the ENTIRE context.

38
Q

What does the below constraint mean?

constrain dir_file_class_set { create relabelto relabelfrom }
(
u1 == u2
or t1 == can_change_object_identity
);

See what the can_change_object_identity attribute can do

Show all constraints

A

A domain can only create or relabel (to and from) if the two contexts match
or
if the domain has the can_change_object_identity attribute assigned to it.

seinfo -acan_change_object_identity -x

seinfo --constrain

39
Q

Describe Sensitivity levels and Categories in terms of MLS

A

Sensitivity levels mark things under a certain sensitivity. Highest is called clearance and lowest is current sensitivity.

If a user has public and internal sensitivity levels he won’t be able to access files even if an acl allows, type allows, or anything else.

Categories:
Label assigned to a resource like:
hr, sales, project1

If you want a user to access a sales category that is confidential:
confidential:sales
If you only have this you don’t have access to confidential:hr or anything else.

40
Q

Explain categories and sensitivity levels in terms of how they are assigned

A

Now that we know the two factors that play into MLS, let’s see it in terms of a board/example:
| Example | Current sensitivity level | Clearance sensitivity level | Category set |
| --- | --- | --- | --- |
| user_u:user_r:user_t:s0 | s0 (lowest sensitivity level) | s0 (lowest sensitivity level) | c0 (a default category, gets translated to "") |
| user_u:user_r:user_t:s0-s0:c0.c15 | s0 (lowest sensitivity level) | s0 (lowest sensitivity level) | c0.c15 (range of c0 to c15) |
| user_u:user_r:user_t:s0-s2:c1,c4.c8 | s0 (lowest sensitivity level) | s2 | c1,c4.c8 (c1 plus c4 to c8) |

41
Q

What is the audit log used for?

A

kernel feature (paired with userspace tools) that can log system calls. For example, opening a file, killing a process or creating a network connection. These audit logs can be used to monitor systems for suspicious activity

42
Q

Create a user and give them the staff_u SELinux option.
Make it so that when they log in as root it gives them sysadm_r and sysadm_t.

A

useradd -G wheel -Z staff_u user1
visudo -f /etc/sudoers.d/user1 (the -f option creates an alternate sudoers file location)
user1 ALL=(ALL:ALL) TYPE=sysadm_t ROLE=sysadm_r ALL

Log in as the user, then log in as root from that user:
sudo -i
try an admin task like restarting sshd

43
Q

What steps should you take troubleshooting SELinux?

A

Check the audit log.
The message type can be any of the below
ausearch -m avc,user_avc,selinux_err,user_selinux_err -ts recent
(-ts = time start, you might also need to capitalize the message types)

Not seeing any matches? Check that the audit log is running.
systemctl status auditd

Still nothing? Check messages provided by the systemd journal
journalctl -t settroubleshoot

Look for messages in dmesg
dmesg | grep -i -e type=1300 -e type=1400
(displays local time and delta in human readable format)

Still nothing? Maybe the audits are being silenced
semodule -DB

If nothing has popped up, perhaps this isn’t SELinux; re-enable dontaudit and set SELinux to permissive
setenforce 0
semodule -B

44
Q

Study 5.2

https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/using_selinux/troubleshooting-problems-related-to-selinux_using-selinux#analyzing-an-already-found-selinux-denial_troubleshooting-problems-related-to-selinux

A