cn:ccr:formazione:centos7:2018-11:selinux-soluzioni

cn:ccr:formazione:centos7:2018-11:selinux-soluzioni [2018/11/28 19:58] brunengo@infn.it
cn:ccr:formazione:centos7:2018-11:selinux-soluzioni [2018/11/29 14:04] (current) brunengo@infn.it
Line 1: Line 1:
 +====== SELinux - soluzioni ======
 +
 +==== Esercitazione 1 ====
 +
 +  - Visualizzazione dello stato di SELinux<code>
 +  - Visualizzazione dello stato di SELinux <code>
 +[root@statichostname ~]# sestatus
 +SELinux status:                 enabled
 +SELinuxfs mount:                /sys/fs/selinux
 +SELinux root directory:         /etc/selinux
 +Loaded policy name:             targeted
 +Current mode:                   enforcing
 +Mode from config file:          enforcing
 +Policy MLS status:              enabled
 +Policy deny_unknown status:     allowed
 +Max kernel policy version:      31
 +[root@statichostname ~]# getenforce
 +Enforcing
 +</code>
 +  - Visualizzazione del context dei processi di systemd e cron<code>
 +[root@statichostname ~]# ps -e -Z | grep -e systemd -e cron
 +system_u:system_r:init_t:s0         1 ?        00:00:01 systemd
 +system_u:system_r:udev_t:s0-s0:c0.c1023 496 ?  00:00:00 systemd-udevd
 +system_u:system_r:systemd_logind_t:s0 768 ?    00:00:00 systemd-logind
 +system_u:system_r:crond_t:s0-s0:c0.c1023 1285 ? 00:00:00 atd
 +system_u:system_r:crond_t:s0-s0:c0.c1023 1287 ? 00:00:00 crond
 +system_u:system_r:syslogd_t:s0   1928 ?        00:00:00 systemd-journal
 +</code>
 +  - Visualizzazione del context dei file /etc/passwd, /etc/shadow, /etc/cron.d (verificare la presenza degli extended attributes corrispondenti)<code>
 +[root@statichostname ~]# ls -Z -d /etc/passwd /etc/shadow /etc/cron.d /etc/cron.d/sysstat 
 +drwxr-xr-x. root root system_u:object_r:system_cron_spool_t:s0 /etc/cron.d
 +-rw-------. root root system_u:object_r:system_cron_spool_t:s0 /etc/cron.d/sysstat
 +-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/passwd
 +----------. root root system_u:object_r:shadow_t:s0    /etc/shadow</code><code>
 +[root@statichostname ~]# getfattr -d -m ".*" /etc/passwd /etc/shadow
 +getfattr: Removing leading '/' from absolute path names
 +# file: etc/passwd
 +security.selinux="system_u:object_r:passwd_file_t:s0"
 +
 +# file: etc/shadow
 +security.selinux="system_u:object_r:shadow_t:s0"
 +
 +</code>
 +  - Visualizzazione degli SELinux user e associazione con role e level<code>
 +[root@statichostname ~]# semanage user -l
 +
 +                Labeling   MLS/       MLS/                          
 +SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
 +
 +guest_u         user       s0         s0                             guest_r
 +root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
 +staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
 +sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
 +system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
 +unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
 +user_u          user       s0         s0                             user_r
 +xguest_u        user       s0         s0                             xguest_r
 +</code>
 +  - Visualizzazione della associazione degli user agli SELinux user<code>
 +[root@statichostname ~]# semanage login -l
 +
 +Login Name           SELinux User         MLS/MCS Range        Service
 +
 +__default__          unconfined_u         s0-s0:c0.c1023       *
 +root                 unconfined_u         s0-s0:c0.c1023       *
 +system_u             system_u             s0-s0:c0.c1023       *
 +</code>
 +  - Visualizzare i context di httpd e della sua DocumentRoot ed identificare la rule che permette l'accesso\\ Utilizzare sesearch (man sesearch) per trovare la rule)<code>
 +
 +# Far partire httpd e visualizzare il context del processo
 +
 +[root@statichostname ~]# systemctl start httpd
 +[root@statichostname ~]# ps -e -Z | grep httpd
 +system_u:system_r:httpd_t:s0     4021 ?        00:00:00 httpd
 +system_u:system_r:httpd_t:s0     4022 ?        00:00:00 httpd
 +...
 +
 +# visualizzare il context della attuale document root (creare anche una index.html vuota)
 +
 +[root@statichostname ~]# ls -lZd /var/www/html/
 +drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
 +[root@statichostname ~]# touch /var/www/html/index.html
 +[root@statichostname ~]# ls -lZd /var/www/html/index.html 
 +-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
 +
 +# cercare con sesearch la regola che permette a httpd di leggere i file della DocumentRoot
 +
 +[root@statichostname ~]# sesearch --allow --source httpd_t --target httpd_sys_content_t --class file
 +Found 5 semantic av rules:
 +   allow httpd_t httpd_content_type : file { ioctl read getattr lock open } ; 
 +->   allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open } ; 
 +   allow httpd_t httpdcontent : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
 +   allow httpd_t httpdcontent : file { read getattr execute open } ; 
 +   allow httpd_t httpd_content_type : file { ioctl read getattr lock open } ; 
 +
 +</code>
 +  - Verificare che cambiando il context type di /var/www/html/index.html in var_t l'accesso a httpd e' negato, quindi restorare il context del file e verificare che l'accesso e' consentito<code>
 +[root@statichostname ~]# chcon -t var_t /var/www/html/index.html 
 +
 +[root@statichostname ~]# ls -Z /var/www/html/index.html 
 +-rw-r--r--. root root unconfined_u:object_r:var_t:s0   /var/www/html/index.html
 +
 +[root@statichostname ~]# wget http://127.0.0.1:80/index.html
 +--2018-11-28 05:49:52--  http://127.0.0.1/index.html
 +Connecting to 127.0.0.1:80... connected.
 +HTTP request sent, awaiting response... 403 Forbidden
 +2018-11-28 05:49:52 ERROR 403: Forbidden.
 +
 +[root@statichostname ~]# restorecon /var/www/html/index.html 
 +[root@statichostname ~]# ls -Z /var/www/html/index.html 
 +-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
 +[root@statichostname ~]# wget http://127.0.0.1:80/index.html
 +--2018-11-28 06:00:52--  http://127.0.0.1/index.html
 +Connecting to 127.0.0.1:80... connected.
 +HTTP request sent, awaiting response... 200 OK
 +Length: 0 [text/html]
 +Saving to: ‘index.html’
 +
 +    [ <=>                                                                                                                                      ] 0           --.-K/  in 0s      
 +
 +2018-11-28 06:00:52 (0.00 B/s) - ‘index.html’ saved [0/0]
 +</code>
 +  - Spostare la DocumentRoot di httpd in /www/html\\ Per fare questo si deve: modificare la configurazione di httpd, creare la nuova document root, verificare che non funziona, assegnare il default context (semanage fcontext), e modificare il context (restorecon)<code>
 +
 +# creare le directory
 +
 +[root@statichostname ~]# mkdir -p /www/html
 +[root@statichostname ~]# ls -lZd /www/html/
 +drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /www/html/
 +
 +# default_t e' il default type se non ci sono configurazioni apposite
 +
 +[root@statichostname ~]# cp /var/www/html/index.html /www/html/
 +[root@statichostname ~]# ls -Z /www/html/index.html 
 +-rw-r--r--. root root unconfined_u:object_r:default_t:s0 /www/html/index.html
 +
 +# modificare la configurazione di httpd
 +
 +[root@statichostname ~]# vi /etc/httpd/conf/httpd.conf 
 +[root@statichostname ~]# grep ^DocumentRoot -A15 /etc/httpd/conf/httpd.conf 
 +DocumentRoot "/www/html"
 +
 +#
 +# Relax access to content within /var/www.
 +#
 +#<Directory "/var/www">
 +#    AllowOverride None
 +#    # Allow open access:
 +#    Require all granted
 +#</Directory>
 +<Directory "/www">
 +    AllowOverride None
 +    # Allow open access:
 +    Require all granted
 +</Directory>
 +
 +[root@statichostname ~]# systemctl reload httpd
 +
 +# verificare che l'accesso e' negato
 +
 +[root@statichostname ~]# wget http://127.0.0.1:80/index.html
 +--2018-11-28 06:14:37--  http://127.0.0.1/index.html
 +Connecting to 127.0.0.1:80... connected.
 +HTTP request sent, awaiting response... 403 Forbidden
 +2018-11-28 06:14:37 ERROR 403: Forbidden.
 +
 +# identificare tramite matchpathconf quale type devono avere i file della DocumentRoot
 +
 +[root@statichostname ~]# matchpathcon -m file /var/www/html/x.html
 +/var/www/html/x.html system_u:object_r:httpd_sys_content_t:s0
 +
 +# utilizzare semanage per modificare il context di configurazione della nuova document root
 +
 +[root@statichostname ~]# semanage fcontext --add --type httpd_sys_content_t "/www(/.*)?"
 +[root@statichostname ~]# semanage fcontext --add --type httpd_sys_content_t "/www/html(/.*)?"
 +
 +# verificare che le entry aggiunte compaiono nel file di configuraizone (locale) file_context.local
 +
 +[root@statichostname ~]# cat /etc/selinux/targeted/contexts/files/file_contexts.local
 +# This file is auto-generated by libsemanage
 +# Do not edit directly.
 +
 +/www(/.*)?    system_u:object_r:httpd_sys_content_t:s0
 +/www/html(/.*)?    system_u:object_r:httpd_sys_content_t:s0
 +
 +# restorare il context della nuova documento root al type della configurazione
 +
 +[root@statichostname ~]# restorecon -Rv /www
 +restorecon reset /www context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
 +restorecon reset /www/html context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
 +restorecon reset /www/html/index.html context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
 +
 +[root@statichostname ~]# ls -Z /www/html/index.html 
 +-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /www/html/index.html
 +
 +# verificare che l'accesso e' garantito
 +
 +[root@statichostname ~]# wget http://127.0.0.1:80/index.html
 +--2018-11-28 06:42:31--  http://127.0.0.1/index.html
 +Connecting to 127.0.0.1:80... connected.
 +HTTP request sent, awaiting response... 200 OK
 +Length: 0 [text/html]
 +Saving to: ‘index.html.1’
 +
 +    [ <=>                                                                                                                                      ] 0           --.-K/  in 0s      
 +
 +2018-11-28 06:42:31 (0.00 B/s) - ‘index.html.1’ saved [0/0]
 +
 +</code>
 +
 +==== Esercitazione 2 ====
 +
 +  - Utilizzare seinfo per visualizzare l'esistenza di un type init_t, l'elenco degli attributi associati a questo type e verificare che domain sia tra questi<code>
 +[root@statichostname ~]# seinfo -t | grep init_t
 +   cloud_init_tmp_t
 +   run_init_t
 +   cloud_init_t
 +   init_tmp_t
 +->   init_t
 +   namespace_init_t
 +[root@statichostname ~]# seinfo -tinit_t -x
 +   init_t
 +...
 +      domain
 +...
 +</code>
 +  - Utilizzare seinfo per visualizzare l'esistenza dell'attribute domain, l'elenco di type che hanno domain tra i loro attributi e verificare che init_t sia tra questi<code>
 +[root@statichostname ~]# seinfo -adomain
 +   domain
 +[root@statichostname ~]# seinfo -adomain -x | grep init_t
 +      cloud_init_t
 +->      init_t
 +      namespace_init_t
 +      run_init_t
 +</code>
 +  - Domain transition: identificare le policy che permettono la domain transition da systemd a httpd
 +    - Visualizzare domain e type di systemd, httpd, /usr/sbin/httpd<code>
 +root@statichostname ~]# ps -eZ | grep systemd$
 +system_u:system_r:init_t:s0         1 ?        00:00:03 systemd
 +[root@statichostname ~]# ls -Z /usr/sbin/httpd 
 +-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
 +[root@statichostname ~]# ps -eZ | grep httpd | head -n 1
 +system_u:system_r:httpd_t:s0     4021 ?        00:00:01 httpd
 +</code>
 +    - Verificare l'esistenza di una rule che permetta a systemd di eseguire /usr/sbin/httpd<code>
 +[root@statichostname ~]# sesearch -s init_t -t httpd_exec_t -c file -A
 +Found 3 semantic av rules:
 +...
 +   allow initrc_domain direct_init_entry : file { read getattr execute open } ; 
 +...
 +
 +# La regola e' permessa perche' init_t ha l'attributo initrc_domain:
 +
 +[root@statichostname ~]# seinfo -ainitrc_domain -x | grep init_t
 +      init_t
 +e perche' httpd_exec_t ha l'attributo direct_init_entry
 +[root@statichostname ~]# seinfo -adirect_init_entry -x | grep http
 +      httpd_exec_t
 +      httpd_rotatelogs_exec_t
 +</code>
 +    - Verificare che esista una rule che definisca che il type dell'eseguibile sia entrypoint del dominio di destinazione<code>
 +[root@statichostname ~]# sesearch -s httpd_t -p entrypoint -A
 +Found 3 semantic av rules:
 +   allow sepgsql_client_type sepgsql_temp_object_t : db_procedure { create drop getattr setattr execute entrypoint install } ; 
 +   allow sepgsql_client_type sepgsql_trusted_procedure_type : db_procedure { getattr execute entrypoint } ; 
 +->   allow httpd_t httpd_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ; 
 +</code>
 +    - Verificare che esista una rule che permette al parent domain (init_t) una transizione verso il destination domain (httpd_t)<code>
 +[root@statichostname ~]# sesearch -s init_t -t httpd_t -p transition -A
 +Found 1 semantic av rules:
 +   allow initrc_domain daemon : process transition ; 
 +
 +# initrc_domain e' attributo di init_t (gia' visto), e daemon e' attributo di httpd_t.
 +
 +[root@statichostname ~]# seinfo -adaemon -x | grep httpd_t
 +      httpd_t
 +</code>
 +    - Verificare l'esistenza di una transition rule che definisca il default destination domain conseguente alla esecuzione di un eseguibile di type httpd_exec_t da parte di un processo di domain init_t<code>
 +[root@statichostname ~]# sesearch -T -s init_t -t httpd_exec_t
 +Found 1 semantic te rules:
 +   type_transition init_t httpd_exec_t : process httpd_t; 
 +</code>
 +
 +==== Esercitazione 3 ====
 +
 +  - Confinamento di un utente: confinare user1 a user_u (verifica impossibilita' di fare su)
 +    - Visualizzazione context del processo di login dell'utente user1 e verifica che l'utente user1 possa eseguire su e diventare user2<code>
 +[user1@statichostname ~]$ id -Z
 +unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
 +[user1@statichostname ~]$ su - user2
 +Password: 
 +Attempting to create directory /home/user2/perl5
 +[user2@statichostname ~]$ logout
 +[user1@statichostname ~]$ logout
 +Connection to 192.168.56.102 closed.
 +</code>
 +    - Confinare il linux user user1 associandolo all'SELinux user user_u<code>
 +[root@statichostname ~]# semanage login -a -s user_u user1
 +[root@statichostname ~]# semanage login -l
 +
 +Login Name           SELinux User         MLS/MCS Range        Service
 +
 +__default__          unconfined_u         s0-s0:c0.c1023       *
 +root                 unconfined_u         s0-s0:c0.c1023       *
 +system_u             system_u             s0-s0:c0.c1023       *
 +user1                user_u               s0                   *
 +</code>
 +    - Verificare che user1, il cui dominio attuale e' user_t, non puo' fare su e diventare user2<code>
 +# ssh user1@192.168.56.102
 +user1@192.168.56.102's password: 
 +Warning: No xauth data; using fake authentication data for X11 forwarding.
 +Last login: Wed Nov 28 18:45:06 2018 from 192.168.56.1
 +[user1@statichostname ~]$ id -Z
 +user_u:user_r:user_t:s0
 +[user1@statichostname ~]$ su - user2
 +Password: 
 +su: Authentication failure
 +</code>
 +  - Visualizzazione del policy module apache<code>
 +[root@statichostname ~]# semodule -l | grep apache
 +apache 2.7.2
 +[root@statichostname ~]# semodule -lfull | grep apache
 +100 apache            pp         
 +[root@statichostname ~]# ls /etc/selinux/targeted/active/modules/100/apache/
 +cil  hll  lang_ext
 +[root@statichostname ~]# cat /etc/selinux/targeted/active/modules/100/apache/cil | bunzip2 > /tmp/apache.txt
 +[root@statichostname ~]# wc -l /tmp/apache.txt 
 +4116 /tmp/apache.txt
 +</code>
 +  - Abilitare tramite boolean httpd a leggere le home directory degli utenti<code>
 +[root@statichostname ~]# semanage boolean -l  | grep http | grep user
 +httpd_read_user_content        (off  ,  off)  Allow httpd to read user content
 +[root@statichostname ~]# sesearch -b httpd_read_user_content -AC
 +Found 40 semantic av rules:
 +DT allow httpd_user_script_t user_home_type : dir { getattr search open } ; [ httpd_read_user_content ]
 +DT allow httpd_user_script_t user_home_type : dir { ioctl read getattr lock search open } ; [ httpd_read_user_content ]
 +...
 +[root@statichostname ~]# semanage boolean --modify --on httpd_read_user_content
 +[root@statichostname ~]# semanage boolean -l  httpd_read_user_content
 +list option can not be used with --boolean
 +[root@statichostname ~]# semanage boolean -l  | grep httpd_read_user_content
 +httpd_read_user_content        (on   ,   on)  Allow httpd to read user content
 +</code> o alternativamente tramite **getsebool** e **setsebool**<code>
 +[root@statichostname ~]# getsebool httpd_read_user_content
 +httpd_read_user_content --> off
 +[root@statichostname ~]# setsebool -P httpd_read_user_content on
 +[root@statichostname ~]# getsebool httpd_read_user_content
 +httpd_read_user_content --> on
 +[root@statichostname ~]# semanage boolean -l  | grep httpd_read_user_content
 +httpd_read_user_content        (on   ,   on)  Allow httpd to read user content
 +[root@statichostname ~]# 
 +</code>
 +
 +
 +==== Esercitazione 4 ====
 +
 +  - Generare un messaggio di errore eseguendo il comando **su** come user **user1**<code>
 +[root@statichostname ~]# semanage login -lC
 +
 +Login Name           SELinux User         MLS/MCS Range        Service
 +
 +user1                user_u               s0                   *
 +
 +
 +[user1@statichostname ~]$ su - user2
 +Password: 
 +su: Authentication failure
 +</code>
 +  - Analizzare l'errore e generare un modulo che contenga le rule per rendere lecita l'operazione<code>
 +[root@statichostname ~]# ausearch -m avc --start recent
 +----
 +time->Thu Nov 29 14:38:06 2018
 +type=PROCTITLE msg=audit(1543498686.922:223): proctitle=7375002D007573657232
 +type=SYSCALL msg=audit(1543498686.922:223): arch=c000003e syscall=105 success=yes exit=0 a0=0 a1=0 a2=800020 a3=7f0bc56d9300 items=0 ppid=2459 pid=2460 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=6 comm="su" exe="/usr/bin/su" subj=user_u:user_r:user_t:s0 key=(null)
 +type=AVC msg=audit(1543498686.922:223): avc:  denied  { setuid } for  pid=2460 comm="su" capability=7  scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=capability
 +----
 +time->Thu Nov 29 14:38:11 2018
 +type=PROCTITLE msg=audit(1543498691.746:226): proctitle=7375002D007573657232
 +type=SYSCALL msg=audit(1543498691.746:226): arch=c000003e syscall=2 success=no exit=-13 a0=55763c0f20d0 a1=1 a2=99b a3=5bffebc3 items=0 ppid=2305 pid=2459 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=6 comm="su" exe="/usr/bin/su" subj=user_u:user_r:user_t:s0 key=(null)
 +type=AVC msg=audit(1543498691.746:226): avc:  denied  { write } for  pid=2459 comm="su" name="btmp" dev="dm-0" ino=33860287 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:faillog_t:s0 tclass=file
 +----
 +time->Thu Nov 29 14:38:09 2018
 +type=PROCTITLE msg=audit(1543498689.416:224): proctitle=7375002D007573657232
 +type=SYSCALL msg=audit(1543498689.416:224): arch=c000003e syscall=105 success=yes exit=0 a0=0 a1=55763dbd8840 a2=800020 a3=7f0bc56d9300 items=0 ppid=2459 pid=2461 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=6 comm="su" exe="/usr/bin/su" subj=user_u:user_r:user_t:s0 key=(null)
 +type=AVC msg=audit(1543498689.416:224): avc:  denied  { setuid } for  pid=2461 comm="su" capability=7  scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=capability
 +
 +[root@statichostname ~]# ausearch -m avc --start recent | audit2allow 
 +
 +
 +#============= user_t ==============
 +allow user_t faillog_t:file write;
 +
 +#!!!! This avc can be allowed using the boolean 'selinuxuser_use_ssh_chroot'
 +allow user_t self:capability setuid;
 +
 +
 +[root@statichostname ~]# ausearch -m avc --start recent | audit2allow -M mylocalmodule
 +******************** IMPORTANT ***********************
 +To make this policy package active, execute:
 +
 +semodule -i mylocalmodule.pp
 +
 +[root@statichostname ~]# ls -l mylocalmodule.*
 +-rw-r--r--. 1 root root 1120 Nov 29 14:47 mylocalmodule.pp
 +-rw-r--r--. 1 root root  304 Nov 29 14:47 mylocalmodule.te
 +[root@statichostname ~]# 
 +
 +</code>
 +  - Caricare il modulo generato e verificare che l'operazione ora e' permessa<code>
 +[root@statichostname ~]# semodule -i mylocalmodule.pp
 +[root@statichostname ~]# semodule -lfull | grep mylocalmodule
 +400 mylocalmodule     pp         
 +[root@statichostname ~]# ls /etc/selinux/targeted/active/modules/
 +100/      400/      disabled/ 
 +[root@statichostname ~]# ls /etc/selinux/targeted/active/modules/400/
 +mylocalmodule
 +[root@statichostname ~]# ls /etc/selinux/targeted/active/modules/400/mylocalmodule/
 +cil  hll  lang_ext
 +[root@statichostname ~]# 
 +
 +[user1@statichostname ~]$ su - user2
 +Password: 
 +[user2@statichostname ~]$ 
 +
 +</code>
 +  - Disabilitare e rimuovere il modulo, verificando che l'operazione e' nuovamente proibita<code>
 +[root@statichostname ~]# semodule -d mylocalmodule
 +[root@statichostname ~]# semodule -lfull | grep mylocalmodule
 +400 mylocalmodule     pp disabled
 +[root@statichostname ~]# semodule -r mylocalmodule
 +libsemanage.semanage_direct_remove_key: Removing last mylocalmodule module (no other mylocalmodule module exists at another priority).
 +[root@statichostname ~]# semodule -lfull | grep mylocalmodule
 +
 +[user1@statichostname ~]$ su - user2
 +Password: 
 +su: Authentication failure
 +
 +</code>
 +
 +
 +
 +
  
