Red Hat Security: Linux in Physical, Virtual, and Cloud

Objectives

After completing this section, students should be able to examine a system's SELinux policy to evaluate the access it permits, and to troubleshoot and resolve issues.

Introducing the SELinux Policy

The SELinux policy is a set of rules that guides the SELinux security engine. It defines the SELinux users, Booleans, types for files and processes, and many other objects. Red Hat Enterprise Linux ships with a standardized policy that is tunable for many use cases.

You can use the seinfo command, part of the setools-console package, to list all the objects in the policy.

[user@demo ~]$ seinfo

Statistics for policy file: /sys/fs/selinux/policy
Policy Version & Type: v.31 (binary, mls)

   Classes:            97    Permissions:       265
   Sensitivities:       1    Categories:       1024
   Types:            4756    Attributes:        253
   Users:               8    Roles:              14
   Booleans:          310    Cond. Expr.:       356
   Allow:          102235    Neverallow:          0
   Auditallow:        153    Dontaudit:        8906
   Type_trans:      17777    Type_change:        74
   Type_member:        35    Role allow:         39
   Role_trans:        416    Range_trans:      5697
   Constraints:       110    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             29
   Genfscon:          105    Portcon:           608
   Netifcon:            0    Nodecon:             0
   Permissives:         0    Polcap:              4

[user@demo ~]$ seinfo --type

Types: 4756
   bluetooth_conf_t
   cmirrord_exec_t
   colord_exec_t
   container_auth_t
...output omitted...

The policy also includes the rules that determine how each domain may access each type; remember that a domain is what a type is called when it is applied to a process. These rules are discussed in more detail in a later section.

SELinux types have names that end in "_t", and for clarity, they usually include the kind of object they apply to. For example, types associated with service executable files end in _exec_t: httpd_exec_t for /usr/sbin/httpd, crond_exec_t for /usr/sbin/crond, or postfix_master_exec_t for /usr/sbin/postfix. Types for log files end in _log_t: httpd_log_t for /var/log/httpd, or cron_log_t for /var/log/cron. Types used to label ports end in _port_t: http_port_t, or smtp_port_t.

For categorization and organization, SELinux associates attributes with types. Attributes are a way to group types. For example, the logfile attribute includes the httpd_log_t and cron_log_t types. The exec_type attribute contains the httpd_exec_t, crond_exec_t, and postfix_master_exec_t types. The domain attribute groups all the domains (types for processes), such as httpd_t, sshd_t, or crond_t.

Attributes help reduce and simplify the access rules. Because all processes need access to the libraries in the /usr/lib64 directory, a single rule exists to allow the domain attribute to read directories with the lib_t type, the type associated with /usr/lib64.

You can list all attributes with the seinfo --attribute command, and you can list the types in an attribute with seinfo --attribute=attribute -x.

[user@demo ~]$ seinfo --attribute

Attributes: 253
   cert_type
   privfd
   file_type
   boinc_domain
   cfengine_domain
   wine_domain
   can_setenforce
   exec_type
...output omitted...

[user@demo ~]$ seinfo --attribute=exec_type -x
   exec_type
      abrt_exec_t
      abrt_initrc_exec_t
      abrt_dump_oops_exec_t
      abrt_handle_event_exec_t
      abrt_helper_exec_t
      abrt_retrace_worker_exec_t
      abrt_retrace_coredump_exec_t
      abrt_watch_log_exec_t
...output omitted...

Analyzing the Targeted Policy

In Red Hat Enterprise Linux 7, Red Hat supports three policies: targeted, MLS, and minimum.

The targeted policy is the default policy. This policy controls all the daemons that listen on the network and the services that start at boot. Processes started by users, however, run in the unconfined_t domain. For processes in unconfined_t, the SELinux policy still enforces restrictions, but the rules that are in effect allow almost complete access, so these processes are mostly restricted by standard permissions.

The targeted policy is flexible enough to fit into enterprise infrastructures. The daemons that are part of the policy run in their own domains and SELinux controls every operation they perform on the system. This way daemons that are defective or exploited are limited in the damage they can do.

The MLS (Multi-Level Security) policy contains the differentiation of security levels and categories. It is used in military applications and allows for classifications such as unclassified, secret, or top secret.

The minimum policy is based on the targeted policy, but nearly everything is running under the unconfined_t domain. You can activate SELinux for a specific domain by loading its SELinux module.

Interpreting the Allow Rules

The targeted policy includes rules that determine how each domain may access each type. For example, the following rule allows the httpd service (httpd_t domain) to access and read its configuration files (httpd_config_t).

allow httpd_t httpd_config_t : file { ioctl read getattr lock open } ;

To list the rules, use the sesearch command with the -A option. sesearch is part of the setools-console package.

[root@demo ~]# sesearch -A
Found 102235 semantic av rules:
   allow sandbox_x_domain user_seunshare_t : process { sigchld signull } ;
   allow unconfined_usertype sshd_t : unix_stream_socket { ioctl read write getattr setattr lock append bind connect listen accept getopt setopt shutdown } ;
   allow rpm_t sysfs_t : filesystem getattr ;
...output omitted...

sesearch accepts options to filter its output. The following command only displays the rule that allows the httpd_t source type (-s) to access files (-c file) with the httpd_config_t target type (-t).

[root@demo ~]# sesearch -A -s httpd_t -t httpd_config_t -c file
Found 1 semantic av rules:
   allow httpd_t httpd_config_t : file { ioctl read getattr lock open } ;

The following table lists some of the most useful options.

The -C option is useful for identifying the Boolean that enables or disables a specific rule. The following example shows that the httpd daemon, can execute CGI files with the httpd_sys_script_exec_t type when the httpd_enabled_cgi Boolean is enabled.

[root@demo ~]# sesearch -A -s httpd_t -t httpd_sys_script_exec_t \
> -c file -p execute -C
Found 1 semantic av rules:
ET allow httpd_t httpd_sys_script_exec_t : file { read getattr execute open } ; [ httpd_enable_cgi ]

The uppercase letter E at the beginning of the rule indicates the current status of the associated Boolean: E for enabled and D for disabled.

The -s and -t options also accept SELinux attributes. The following command lists the rules that allow domains to access directories with the lib_t type, which is the type of the /usr/lib64 directory.

[root@demo ~]# sesearch -A -s domain -t lib_t -c dir
...output omitted...
   allow domain lib_t : dir { ioctl read getattr lock search open } ;
...output omitted...

Remember that the domain attribute groups all the types associated with domains, such as httpd_t. Distinguishing attributes and types may be challenging at first, but remember that types always end in _t, which is never the case for attributes.

Disabling and Enabling "dontaudit" Rules

In addition to allow rules, the SELinux policy also contains dontaudit rules. When SELinux does not allow an action, but a dontaudit rule exists for that action, then SELinux does not log the denial.

dontaudit rules are useful because some applications probe for files or directories: for example to identify some features or devices which might be provided by the operating system. If those files or directory are missing, or the access is not allowed, there is no impact on the application. But these access attempts still might trigger SELinux violations, which would normally be added to the log.

By setting dontaudit rules, the log file does not store logs for access violations that are expected and do not have significant security implications.

Sometimes, for troubleshooting purposes, you may want to disable the dontaudit rules to record all SELinux denials in the log. Use the semodule -DB command to disable the dontaudit rules.

[root@demo ~]# semodule -DB

To re-enable the dontaudit rules, use the semodule -B command.

[root@demo ~]# semodule -B

To list the dontaudit rules, use the sesearch -D command. The following dontallow rule indicates that if a process in the postfix_master_t domain accesses a directory with the device_t type (typically located in /dev), and SELinux denies the action, then no denial is logged.

[root@demo ~]# sesearch -D -s postfix_master_t -d
...output omitted...
   dontaudit postfix_master_t device_t : dir { ioctl read getattr lock search open } ;
...output omitted...

Creating Custom Policy Modules

Developing a custom policy for your application is beyond the scope of this course. The audit2allow command can, however, generate a policy module for you by analyzing the denials in the audit.log file.

For example, and with the following message in /var/log/audit/audit.log, the audit2allow command can generate a custom rule.

[root@demo ~]# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1533625522.976:164): avc:  denied  { getattr } for  pid=1563 comm="httpd" path="/var/www/html/index.html" dev="vdb1" ino=4569861 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

Run audit2allow -a to print the rule to allow the access.

[root@demo ~]# audit2allow -a

#= httpd_t ==

#!!!! The file '/var/www/html/index.html' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /var/www/html/index.html
allow httpd_t admin_home_t:file getattr;

To generate a new SELinux policy module, add the -M modulename option to the previous audit2allow command. Use the semodule command to persistently load the new module in SELinux.

[root@demo ~]# audit2allow -a -M mymodule
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mymodule.pp

[root@demo ~]# semodule -i mymodule.pp

In the example, the first operation the httpd daemon performs on index.html is to retrieve the file's attributes (getattr). Because SELinux is in enforcing mode, the operation is denied and httpd does not access the file further. The new rule that allows the getattr operation is not enough because httpd also needs to open and read the file and those operations are still not allowed.

Therefore, before using audit2allow, and to collect all the denials in one operation, put SELinux in permissive mode.

[root@demo ~]# setenforce 0
[root@demo ~]# curl http://localhost/index.html
Hello World!
[root@demo ~]# setenforce 1
[root@demo ~]# audit2allow -a

#= httpd_t ==

#!!!! The file '/var/www/html/index.html' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /var/www/html/index.html
allow httpd_t admin_home_t:file { getattr open read };

This time the rule also includes the open and read operations.

Analyzing Domain Transitions

New processes inherit the context type of their parent. The following example shows that the vim process has the same context as its parent.

[root@demo ~]# pstree -Z 1446
bash(`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023')
 └─vim(`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023')

Processes occasionally need to change their security contexts. This is fairly common with daemons started by systemd. When systemd starts a service, SELinux must confine the service in its own domain. For example, when systemd starts httpd, httpd transitions to the httpd_t domain.

[root@demo ~]# pstree -Z  | grep -e ^systemd -e httpd
systemd(`system_u:system_r:init_t:s0')
 |-httpd(`system_u:system_r:httpd_t:s0')
 |  |-httpd(`system_u:system_r:httpd_t:s0')
 |  |-httpd(`system_u:system_r:httpd_t:s0')
 |  |-httpd(`system_u:system_r:httpd_t:s0')
 |  |-httpd(`system_u:system_r:httpd_t:s0')
 |  `-httpd(`system_u:system_r:httpd_t:s0')

The previous output shows that even though the systemd process is running in the init_t domain, SELinux confines the child httpd process in its own httpd_t domain.

These transition rules are part of the SELinux policy.

The following transition rule specifies that if a process with the init_t context type executes a binary file that has the httpd_exec_t context type, then the resulting child process has the httpd_t context type.

type_transition init_t httpd_exec_t : process httpd_t ;

To list the transition rules, use the sesearch command with the -T option.

[root@demo ~]# sesearch -T -s init_t -t httpd_exec_t
Found 1 semantic te rules:
   type_transition init_t httpd_exec_t : process httpd_t;

As a complement to the sesearch -T command, the sepolicy transition command, from the policycoreutils-devel package, can analyze the policy and list all the intermediary types for the transition from one domain to another.

The following example lists all the paths of sequential transitions that can get from the httpd_t domain to the unconfined_t domain. In other words, it shows whether and how a subprocess of httpd may be unconfined through domain transitions. It does not indicate whether or not executables exist on the system to accomplish this set of transitions.

[root@demo ~]# sepolicy transition -s httpd_t -t unconfined_t
httpd_t ... abrt_retrace_worker_t ... mock_t ... mount_t ... glusterd_t ... initrc_t ... dhcpc_t ... cloud_init_t ... rpm_t ... rpm_script_t ... openshift_initrc_t ... condor_startd_t ... getty_t ... local_login_t @ shell_exec_t --> unconfined_t
...output omitted...

Run the sepolicy transition command on each transition to get more detail.

[root@demo ~]# sepolicy transition -s httpd_t -t abrt_retrace_worker_t
httpd_t @ abrt_retrace_worker_exec_t --> abrt_retrace_worker_t

[root@demo ~]# sepolicy transition -s abrt_retrace_worker_t -t mock_t
abrt_retrace_worker_t @ mock_exec_t --> mock_t

[root@demo ~]# sepolicy transition -s mock_t -t mount_t
mock_t @ fusermount_exec_t --> mount_t
mock_t @ mount_exec_t --> mount_t

There might be no way to transition from the initial domain to the final domain under the current policy:

[root@demo ~]# sepolicy transition -s postfix_master_t -t unconfined_t

[root@demo ~]# 

Analyzing File Transitions

New files and directories inherit the context of their parent directory. Sometimes this inherited context is not correct and you need to relabel the object.

You can get the expected context of an object with the matchpathcon command. The file or directory you specify does not need to exist because the command uses the file context rules database, the same that restorecon uses, to retrieve the context.

[root@demo ~]# matchpathcon /var/www/html/myimage.png
/var/www/html/myimage.png	system_u:object_r:httpd_sys_content_t:s0

Remember that you can list the default file context rules with the semanage fcontext -l command and add new rules with semanage fcontext -a.

[root@demo ~]# semanage fcontext -l
...output omitted...
/var/www(/.*)?      all files     system_u:object_r:httpd_sys_content_t:s0
...output omitted...
[root@demo ~]# semanage fcontext -a -t httpd_sys_content_t '/virtual(/.*)?'

Sometimes, new files and directories need to have a specific context at creation time. For example, the /var/log/cron file has a specific context that allows the crond daemon to write to it. The context of this file is not the same as its parent directory.

[root@demo ~]# ls -Zd /var/log /var/log/cron
drwxr-xr-x. root root system_u:object_r:var_log_t:s0   /var/log
-rw-r--r--. root root system_u:object_r:cron_log_t:s0  /var/log/cron

The SELinux policy contains file transition rules that allow SELinux to automatically set the context of specific files and directories at creation time. For example, the following transition rule specifies that if a process in the crond_t domain (crond) creates a file in a directory with the var_log_t type, then the resulting file has the cron_log_t type.

type_transition crond_t var_log_t : file cron_log_t ;

To list the file transition rules, use the sesearch -T command.

[root@demo ~]# sesearch -T -s crond_t -t var_log_t -c file
Found 1 semantic te rules:
   type_transition crond_t var_log_t : file cron_log_t;

These file transition rules can include an extra parameter to specify the object name. The following rule sets the rpm_log_t type on the yum.log file when an unconfined_t domain creates it in a directory with the var_log_t type.

[root@demo ~]# sesearch -T -s unconfined_t -t var_log_t -c file | \
> grep yum.log
type_transition unconfined_t var_log_t : file rpm_log_t "yum.log";