SELinux complete Flashcards
What's the main thing that SELinux does?
Type enforcement:
This domain (the type of the requesting process) may access this type (the type of the object) of this class to perform this action.
This is checked on top of DAC and UBAC (user-based access control): even if ownership and mode bits would let you in, the process's domain still needs an allow rule for that type, class and permission. Inside SELinux you can only do what your role and type (domain) permit, and anything not explicitly allowed is denied.
Define:
domain
type
class
permissions
domain - the type of the requester (the process, i.e. the subject)
type - the type of the object acted upon (file, directory, socket, another process ...)
class - the kind of object: file, dir, lnk_file, process, tcp_socket and so on; each class has its own set of permissions
permission - the class-specific operations, e.g. read, write, execute, getattr and entrypoint for file, or transition and signal for process (more than just rwx)
Break down what everything is in this SELinux statement:
allow auditd_t auditd_log_t:file { write };
allow <domain> <type>:<class> { <permissions> };
if the process runs in the auditd_t domain (its security context user:role:type:level has auditd_t in the third, type, field)
and if the target object is labeled with the type auditd_log_t,
and the target's class is file,
then the permission write is granted.
How would you search if this rule is enabled?
allow auditd_t auditd_log_t:file { write };
sesearch --allow --source auditd_t --target auditd_log_t --class file --perm write
(short form: sesearch -A -s auditd_t -t auditd_log_t -c file -p write; no output means no such rule in the loaded policy)
Where are the audit logs? How would you know a log item is related to SELinux?
/var/log/audit/audit.log (when auditd is not running the kernel prints the same messages to dmesg / the journal)
An SELinux record has type=AVC (USER_AVC for userspace object managers such as dbus) and the text avc:  denied  { permission } followed by scontext=, tcontext= and tclass= fields; SELINUX_ERR records are SELinux's too.
Not all SELinux denials are logged: dontaudit rules silence the expected, noisy ones. How would you disable those to see every denial, and re-enable them afterwards?
semodule --disable_dontaudit --build (semodule -DB)
semodule --build (semodule -B)
What command would you use to search audit.log for SELinux messages within the last 10 minutes?
ausearch -m AVC --start recent ("recent" means the last 10 minutes; add -i for interpreted, human-readable fields)
What's the setroubleshoot command to list and explain the logged denials?
sealert -l "*"
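Added example (not part of the original flashcards): a POSIX sh script that reads raw audit records such as those printed by ausearch -m AVC --start recent, keeps only the AVC ones, pulls the source type out of scontext (the third field of the context), the target type out of tcontext, the class and the denied permissions, and emits the sesearch query that checks whether the loaded policy already allows that access. The two audit lines are constructed for the example and the function names are my own; it needs only sed, cut and tr, so it runs on a machine without SELinux.

```shell
#!/bin/sh
# Added example, not from the original flashcards.
# Parse AVC denial records and turn each one into the sesearch query that
# tells you whether policy already has an allow rule for that access.
# Both log lines below are constructed for the example.

SAMPLE_AVC_1='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="firefox" name="notes.txt" dev="dm-0" ino=98765 scontext=unconfined_u:unconfined_r:mozilla_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'
SAMPLE_AVC_2='type=AVC msg=audit(1700000001.000:457): avc:  denied  { write add_name } for  pid=2222 comm="httpd" name="uploads" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0'

# is_avc_line LINE: succeeds only for SELinux access-vector records.
is_avc_line() {
    case "$1" in
        *"type=AVC"*"avc:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# avc_field LINE KEY: value of KEY=value in the record, quotes stripped
# (KEY is one of scontext, tcontext, tclass, comm, pid ...).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perms LINE: the space-separated permissions inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*\)}.*/\1/p' | sed 's/[[:space:]]*$//'
}

# context_type CONTEXT: the type field of user:role:type:level
# (an MLS range such as s0-s0:c0.c1023 contains colons itself, so take
# field 3, never the last field).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_sesearch LINE: the sesearch command for the denied access.
# Returns 1 and prints nothing for records that are not AVC messages.
avc_to_sesearch() {
    line=$1
    is_avc_line "$line" || return 1
    stype=$(context_type "$(avc_field "$line" scontext)")
    ttype=$(context_type "$(avc_field "$line" tcontext)")
    tclass=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line" | tr ' ' ',')
    printf 'sesearch -A -s %s -t %s -c %s -p %s\n' "$stype" "$ttype" "$tclass" "$perms"
}

# Stand-alone demo on the constructed lines. On a real host feed it the log:
#   ausearch -m AVC --start recent | while IFS= read -r l; do avc_to_sesearch "$l"; done
for l in "$SAMPLE_AVC_1" "$SAMPLE_AVC_2"; do
    avc_to_sesearch "$l"
done
```

If the emitted sesearch query returns nothing, the loaded policy has no rule for that access; check for a boolean (the cards on booleans below) before writing a custom module.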
How would you label the /this directory and everything under it as httpd_sys_content_t, persistently? Then remove the mapping again.
semanage fcontext -a -t httpd_sys_content_t "/this(/.*)?"
restorecon -Rv /this
semanage fcontext -d -t httpd_sys_content_t "/this(/.*)?"
semanage fcontext only records the mapping (in file_contexts.local); restorecon applies it to the files on disk. After deleting the mapping, run restorecon -Rv /this again to fall back to the default label.
Look at the policy for auditd_t in terms of what it’s allowed to do to var_t
sesearch -s auditd_t -t var_t -SA
What is a domain transition?
A process changing from one domain to another when it executes a file whose type is an entrypoint for the new domain. A type_transition rule makes the switch automatic:
type_transition init_t initrc_exec_t : process initrc_t;
(when a process in init_t executes a file of type initrc_exec_t, the new process runs in initrc_t)
[kernel_t] --(execute init_exec_t)--> [init_t]
[init_t] --(execute initrc_exec_t)--> [initrc_t]
[initrc_t] --(execute sshd_exec_t)--> [sshd_t]
sepolicy transition -s kernel_t -t init_t (shows the transition path between two domains)
For the below domain transition, define what is the entrypoint and what is the transition point:
[initrc_t] --(execute sshd_exec_t)--> [sshd_t]
sshd_exec_t is the entrypoint type for sshd_t (allow sshd_t sshd_exec_t:file entrypoint)
sshd_t is the target domain, the transition point a process reaches by executing a file of type sshd_exec_t
What are the rules for Domain transitions to happen?
1) The source domain has execute permission on the file's type.
2) The file's type is an entrypoint for the target domain.
3) The source domain is allowed to transition to the target domain.
Let’s troubleshoot the domain transition below via the three rules we learned about.
[initrc_t] --(execute sshd_exec_t)--> [sshd_t]
1) The source domain has execute permission on the file's type:
sesearch -s initrc_t -t sshd_exec_t -c file -p execute -Ad
2) The file's type is an entrypoint for the target domain:
sesearch -s sshd_t -t sshd_exec_t -c file -p entrypoint -Ad
3) The source domain is allowed to transition to the target domain:
sesearch -s initrc_t -t sshd_t -c process -p transition -Ad
(-d is setools 3's --direct, which ignores matches made through attributes; drop it on setools 4.)
These three rules only permit the transition. For it to happen automatically, without runcon or setexeccon in the caller, there must also be a type_transition rule:
sesearch -T -s initrc_t -t sshd_exec_t -c process
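Added example (not from the original flashcards): a sh function that turns the three rules above into sesearch queries for any source domain, executable type and target domain, adds the type_transition query that decides whether the transition is automatic, and runs them when setools is installed, printing ok or MISSING per rule. Function names are my own; the initrc_t / sshd_exec_t / sshd_t arguments are the deck's own example.

```shell
#!/bin/sh
# Added example, not from the original flashcards.
# Build the sesearch queries behind the three domain-transition rules, plus
# the type_transition query that decides whether the transition is automatic,
# and run them when sesearch (setools) is installed.

# transition_queries SRC_DOMAIN EXEC_TYPE TARGET_DOMAIN
# Prints one query per line: the three rules in order, then the
# type_transition check.
transition_queries() {
    src=$1; exec_t=$2; dst=$3
    printf 'sesearch -A -s %s -t %s -c file -p execute\n' "$src" "$exec_t"
    printf 'sesearch -A -s %s -t %s -c file -p entrypoint\n' "$dst" "$exec_t"
    printf 'sesearch -A -s %s -t %s -c process -p transition\n' "$src" "$dst"
    printf 'sesearch -T -s %s -t %s -c process\n' "$src" "$exec_t"
}

# check_transition SRC_DOMAIN EXEC_TYPE TARGET_DOMAIN
# With setools installed: runs each query and reports ok / MISSING.
# Without it: prints the queries so they can be run on the target host.
check_transition() {
    transition_queries "$@" | while IFS= read -r q; do
        if command -v sesearch >/dev/null 2>&1; then
            # $q is built only from our own printf format above, so
            # word-splitting it with `set --` is safe.
            set -- $q
            shift                      # drop the literal "sesearch"
            if [ -n "$(sesearch "$@" 2>/dev/null)" ]; then
                printf 'ok       %s\n' "$q"
            else
                printf 'MISSING  %s\n' "$q"
            fi
        else
            printf '%s\n' "$q"
        fi
    done
}

check_transition initrc_t sshd_exec_t sshd_t
```

A MISSING on any of the first three lines means the transition cannot happen at all; a MISSING only on the fourth means it is permitted but not automatic, so the caller must request it explicitly.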
What are booleans used for?
Some accesses are denied by the default policy but are legitimate on a particular system (for example httpd reading home directories), so the policy writers make them optional. A boolean switches those conditional rules on or off at runtime without writing or reloading a policy module.
Let's say we turn on the boolean abrt_anon_write; do that and then check which rules it changes.
setsebool -P abrt_anon_write on (-P makes it persistent; getsebool abrt_anon_write confirms the new value)
sesearch -b abrt_anon_write -AC
sesearch --bool abrt_anon_write --show_cond --allow
Here is the output of the boolean sesearch, what does it mean?
DT allow abrt_t public_content_rw_t : file { ioctl read write … } ; [ abrt_anon_write ]
The two-letter prefix (shown by -C / --show_cond) describes the state of the conditional rule:
first letter: E - the rule is currently enabled, D - currently disabled, given the boolean's present value
second letter: T - the rule sits in the true branch of the condition, F - in the false branch
DT - disabled now, but becomes active when abrt_anon_write is set to true
DF - disabled now, becomes active when the boolean is false (ET and EF are the corresponding currently-active states)
[ abrt_anon_write ] - the conditional expression the rule depends on
Let's say you are seeing a denial in your logs:
mozilla_t is denied read access on a user_home_t file.
Instead of changing the policy, let's see if there's a boolean for that.
sesearch -s mozilla_t -t user_home_t -AC
(-C shows the condition in setools 3; setools 4 prints it for every conditional rule, so run the same search without -C there.) If a boolean covers the access, the rule ends with its condition, e.g. [ mozilla_read_content ]:True, and the fix is setsebool -P mozilla_read_content on rather than a custom module.
What are customizable types and where are they located?
Customizable types are file types an administrator applies by hand (with chcon) to files that have no predetermined location. The relabel tools preserve them: restorecon and a full relabel leave a file whose type is customizable alone unless -F is given.
/etc/selinux/targeted/contexts/customizable_types
Can users change the file context of files in their home directory? How would we know if they can or not?
Yes, with chcon, provided the user's domain has relabelfrom on the file's current type and relabelto on the new type. The change does not survive a restorecon unless the new type is a customizable type (or a matching semanage fcontext mapping exists).
A confined user runs in user_t; the permissions involved are relabelfrom and relabelto. Let's search for them:
sesearch -s user_t -t home_bin_t -c file -p relabelto -A
sesearch -s user_t -t user_home_t -c file -p relabelfrom -A
How do you know if your system can go into permissive mode?
How do you know if you can disable SELinux on boot?
/boot/config-$(uname -r)
Systems that can switch to permissive mode (setenforce 0, or enforcing=0 on the kernel command line) have this set to "y":
CONFIG_SECURITY_SELINUX_DEVELOP=y
If CONFIG_SECURITY_SELINUX_BOOTPARAM is enabled, selinux=0 on the kernel command line disables SELinux at boot.
What boolean would you turn on to make sure SELinux can't be set to permissive (or the policy reloaded, or booleans changed) without a reboot?
setsebool -P secure_mode_policyload on
Once it is on, the only way to change the enforcing mode, load policy or flip a boolean again (including this one) is to reboot.
Restore everything back to the context mapping definition
restorecon -RF /
(for a whole-filesystem relabel it is safer to schedule it for the next boot with fixfiles -F onboot, which creates /.autorelabel, and reboot)
The -F (force) part is interesting: without it restorecon only resets the type portion of a context and skips files whose type is customizable. So if we chcon'd a new dir /http, created by an unconfined user, to httpd_sys_content_t and ran a plain restorecon, the only field it could touch is the type.
With restorecon -RF, the whole context from file_contexts is applied, so the user also changes from unconfined_u to system_u, because the mapping for httpd_sys_content_t is system_u:object_r:httpd_sys_content_t:s0.
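Added example (not part of the original flashcards): a sh model of what restorecon does to a single file's context with and without -F. It also shows why a chcon to a customizable type survives a plain restorecon, which answers the card above about users relabeling files in their home directory. The customizable-type list and the file_contexts entry are constructed samples; on a real host the list is /etc/selinux/targeted/contexts/customizable_types (one type per line) and the mapping comes from /etc/selinux/targeted/contexts/files/file_contexts. Function names are my own.

```shell
#!/bin/sh
# Added example, not from the original flashcards.
# Model of how restorecon treats one file's context:
#   plain restorecon : replaces only the type field, and leaves files whose
#                      current type is customizable untouched
#   restorecon -F    : applies the complete context from file_contexts
#                      (user, role, type and range), customizable or not.

# is_customizable TYPE LIST: succeeds when TYPE is in the space-separated LIST.
is_customizable() {
    for t in $2; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# context_type CONTEXT: the type field of user:role:type:range.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# restorecon_model CURRENT_CTX SPEC_CTX FORCE CUSTOMIZABLE_LIST
# Prints the context the file carries after restorecon (FORCE=1 means -F).
restorecon_model() {
    cur=$1; spec=$2; force=$3; custom=$4
    if [ "$force" = 1 ]; then
        printf '%s\n' "$spec"            # -F: whole context from file_contexts
        return 0
    fi
    if is_customizable "$(context_type "$cur")" "$custom"; then
        printf '%s\n' "$cur"             # customizable type is preserved
        return 0
    fi
    # default: only the type field is reset; user, role and range stay
    printf '%s\n' "$cur" | awk -F: -v t="$(context_type "$spec")" 'BEGIN { OFS = ":" } { $3 = t; print }'
}

# Constructed sample data (replace with the real list and mapping on a host).
SAMPLE_CUSTOMIZABLE='public_content_t public_content_rw_t'
SPEC='system_u:object_r:httpd_sys_content_t:s0'   # what file_contexts says for /http(/.*)?

# A dir created by an unconfined user, then chcon'd to the right type:
restorecon_model 'unconfined_u:object_r:httpd_sys_content_t:s0' "$SPEC" 0 "$SAMPLE_CUSTOMIZABLE"
# -> unconfined_u:object_r:httpd_sys_content_t:s0   (plain restorecon changes nothing)
restorecon_model 'unconfined_u:object_r:httpd_sys_content_t:s0' "$SPEC" 1 "$SAMPLE_CUSTOMIZABLE"
# -> system_u:object_r:httpd_sys_content_t:s0       (-F also resets the user)
# The same dir chcon'd to a customizable type survives a plain restorecon:
restorecon_model 'unconfined_u:object_r:public_content_rw_t:s0' "$SPEC" 0 "$SAMPLE_CUSTOMIZABLE"
# -> unconfined_u:object_r:public_content_rw_t:s0
```

The last call is the home-directory case: a user's chcon to a customizable type is kept by restorecon, while a chcon to any other type is undone the next time the directory is relabeled.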
Some processes are SELinux aware (they link libselinux, ask is_selinux_enabled() and set labels themselves) and may behave differently when SELinux is disabled. How do we check whether a process is SELinux aware?
ldd /sbin/sshd | grep selinux (a libselinux.so line in the output means it is)