Guided Exercise: Enabling SELinux from the Disabled State

Enable enforcing mode for SELinux on a server that has been running with SELinux disabled.

Outcomes

  • Use the grubby command to disable and enable SELinux.

  • Modify the SELinux modes.

  • Inspect AVC messages by using the Audit system.

  • Ensure the correct operation of systems that are using enforcing mode.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start selinux-enabling

Instructions

  1. Log in to the servere machine as the student user and use the sudo -i command to switch to the root account. The password for the student user account is student.

    [student@workstation ~]$ ssh student@servere
    [student@servere ~]$ sudo -i
    [sudo] password for student: student
    [root@servere ~]#
  2. Confirm that SELinux is disabled on the servere machine and verify that the test.html file is accessible.

    1. Confirm that SELinux is in Disabled mode.

      [root@servere ~]# getenforce
      Disabled
    2. Use the curl command to access the test.html file on the servere machine.

      [root@servere ~]# curl http://localhost/test.html
      <html>
              <head>SELinux</head>
              <body>
                      <h1>Works!</h1>
              </body>
      </html>
  3. Enable SELinux in permissive mode, and reboot the server.

    1. Enable SELinux in permissive mode in the /etc/selinux/config file.

      ...output omitted...
      SELINUX=permissive
      ...output omitted...
    2. Use the grubby command to enable SELinux by removing the argument that disables SELinux from the kernel command line.

      [root@servere ~]# grubby --update-kernel ALL --remove-args selinux
    3. Reboot the servere machine.

      [root@servere ~]# reboot
      Connection to servere closed.
      [student@workstation ~]$
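The two changes in this step interact: the kernel command line is consulted before /etc/selinux/config, so a leftover selinux=0 argument keeps SELinux disabled no matter what the file says, and enforcing=0 or enforcing=1 on the command line overrides the SELINUX= line. The following shell script is an added example, not part of the course material; it reads a config file and a command-line string and reports the state the host will boot into. The write_sample_config helper writes a constructed config file so the script runs anywhere; the precedence rules encoded in selinux_boot_state are my reading of the kernel and libselinux behaviour.

```shell
#!/bin/sh
# Added example (not part of the exercise): predict the SELinux state a
# host will have after its next boot, from /etc/selinux/config and the
# kernel command line.  Precedence (assumption, from kernel and libselinux
# behaviour): "selinux=0" disables SELinux outright; otherwise a config
# value of "disabled" wins; otherwise "enforcing=0"/"enforcing=1" on the
# command line overrides the SELINUX= line in the file.

# selinux_boot_state CONFIG_FILE "KERNEL CMDLINE"
# Prints one of: disabled | permissive | enforcing
selinux_boot_state() {
    cfg_file=$1
    cmdline=$2

    # Mode requested by the config file (last SELINUX= line wins).
    cfg_mode=$(sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$cfg_file" | tail -n 1)
    [ -n "$cfg_mode" ] || cfg_mode=disabled   # assumption: no line means disabled

    # selinux=0 on the kernel command line beats everything else.
    for arg in $cmdline; do
        case $arg in
            selinux=0) echo disabled; return 0 ;;
        esac
    done

    if [ "$cfg_mode" = disabled ]; then
        echo disabled
        return 0
    fi

    # enforcing= on the command line overrides the mode from the file.
    for arg in $cmdline; do
        case $arg in
            enforcing=0) echo permissive; return 0 ;;
            enforcing=1) echo enforcing;  return 0 ;;
        esac
    done

    echo "$cfg_mode"
}

# write_sample_config MODE: write a constructed /etc/selinux/config with
# SELINUX=MODE to a temporary file and print its path.
write_sample_config() {
    f=$(mktemp)
    printf '# constructed config for the example\nSELINUX=%s\nSELINUXTYPE=targeted\n' \
        "$1" > "$f"
    echo "$f"
}

# Stand-alone use: report the live host's next-boot state when the real
# files are readable (they will not be on every machine).
if [ -r /etc/selinux/config ] && [ -r /proc/cmdline ]; then
    selinux_boot_state /etc/selinux/config "$(cat /proc/cmdline)"
fi
```

Running the script on servere before the reboot in this step should print permissive once the grubby command has removed the selinux argument; if it still prints disabled, the kernel command line was not updated.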
  4. Verify that the SELinux mode on the servere machine is set to Permissive mode.

    1. Log in to the servere machine as the student user.

      [student@workstation ~]$ ssh student@servere
      [student@servere ~]$
    2. Change to the root user. Use student as the password.

      [student@servere ~]$ sudo -i
      [sudo] password for student: student
      [root@servere ~]#
    3. Verify that SELinux is in Permissive mode.

      [root@servere ~]# getenforce
      Permissive
  5. Relabel all the files upon the next reboot.

    1. Relabel all the files.

      [root@servere ~]# fixfiles -F onboot
      System will relabel on next boot
    2. Reboot the servere machine.

      [root@servere ~]# reboot
      Connection to servere closed.
      [student@workstation ~]$
  6. Check for SELinux denial messages.

    1. Log in to the servere machine as the student user.

      [student@workstation ~]$ ssh student@servere
      [student@servere ~]$
    2. Use the curl command to access the test.html file on the servere machine.

      [student@servere ~]$ curl http://localhost/test.html
      <html>
              <head>SELinux</head>
              <body>
                      <h1>Works!</h1>
              </body>
      </html>
    3. Change to the root user. Use student as the password.

      [student@servere ~]$ sudo -i
      [sudo] password for student: student
      [root@servere ~]#
    4. Check the Audit log file for any SELinux denial messages. The curl command in the previous step succeeded because SELinux is in permissive mode, but it still generated an AVC denied record in the log. That record means that the curl http://localhost/localhost/test.html command would fail if SELinux were set to enforcing mode.

      [root@servere ~]# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
      ...output omitted...
      time->Tue Nov 21 15:34:36 2023
      type=PROCTITLE msg=audit(1700598876.985:553): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
      type=SYSCALL msg=audit(1700598876.985:553): arch=c000003e syscall=9 success=yes exit=140467566579712 a0=0 a1=6c a2=1 a3=1 items=0 ppid=4050 pid=4139 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
      type=AVC msg=audit(1700598876.985:553): avc:  denied  { map } for  pid=4139 comm="httpd" path="/web/test.html" dev="vda4" ino=25195768 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
      ...output omitted...
    5. Check the journal log file for any SELinux denial messages.

      [root@servere ~]# journalctl -t setroubleshoot
      -- No entries --
  7. Change SELinux to enforcing mode, and reboot the server.

    1. Change SELinux to enforcing mode in the /etc/selinux/config file.

      ...output omitted...
      SELINUX=enforcing
      ...output omitted...
    2. Reboot the servere machine.

      [root@servere ~]# reboot
      Connection to servere closed.
      [student@workstation ~]$
  8. Verify that the SELinux mode on servere is set to Enforcing mode and determine whether the test.html file is accessible.

    1. Log in to the servere machine as the student user.

      [student@workstation ~]$ ssh student@servere
      [student@servere ~]$
    2. Change to the root user. Use student as the password.

      [student@servere ~]$ sudo -i
      [sudo] password for student: student
      [root@servere ~]#
    3. Verify that the SELinux mode on the servere machine is set to Enforcing mode.

      [root@servere ~]# getenforce
      Enforcing
    4. Use the curl command to determine whether the test.html file is accessible.

      [root@servere ~]# curl http://localhost/test.html
      <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
      <html><head>
      <title>403 Forbidden</title>
      </head><body>
      <h1>Forbidden</h1>
      <p>You don't have permission to access this resource.</p>
      </body></html>
  9. Check for the SELinux denial messages. Also, check the SELinux context for the document root directory of the httpd service.

    1. Check the /var/log/audit/audit.log file for AVC denials. In enforcing mode, the curl command generates an AVC denied entry that is similar to the one from a previous step, but this time, the command fails.

      [root@servere ~]# grep denied /var/log/audit/audit.log
      ...output omitted...
      type=AVC msg=audit(1698002546.646:386): avc:  denied  { getattr } for  pid=28806 comm="httpd" name="test.html" dev="vda4" ino=151760 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
      type=AVC msg=audit(1698002546.646:386): avc:  denied  { getattr } for  pid=28806 comm="httpd" path="/web/test.html" dev="vda4" ino=151760 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
      ...output omitted...
    2. Retrieve the document root configuration from the httpd configuration file.

      [root@servere ~]# grep ^DocumentRoot /etc/httpd/conf/httpd.conf
      DocumentRoot "/web"
    3. Check the SELinux context for the /web directory.

      [root@servere ~]# ls -laZ /web
      total 4
      drwxr-xr-x.  2 root root unconfined_u:object_r:default_t:s0  23 Oct 20 20:09 .
      dr-xr-xr-x. 20 root root system_u:object_r:root_t:s0        257 Oct 20 18:39 ..
      -rw-r--r--.  1 root root unconfined_u:object_r:default_t:s0  72 Oct 20 19:41 test.html
    4. Verify the SELinux context for the /var/www/html directory.

      [root@servere ~]# ls -laZ /var/www/html/
      total 0
      drwxr-xr-x. 2 root root system_u:object_r:httpd_sys_content_t:s0  6 Mar 29  2023 .
      drwxr-xr-x. 4 root root system_u:object_r:httpd_sys_content_t:s0 33 Oct 20 19:59 ..
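The ausearch output in step 6 and the grep of audit.log in this step both return raw AVC records, and on a busy host the same denial repeats many times. The script below is an added example, not part of the course material; it reduces a set of audit records to the unique (source type, target type, class, permissions) shapes with a count, and separately counts how many records were actually blocked (permissive=0) rather than only logged (permissive=1). The write_sample_avc helper embeds the records shown in this exercise as constructed input so the script runs offline; the column layout of avc_summary is my own choice.

```shell
#!/bin/sh
# Added example (not from the exercise): summarize AVC denial records from
# /var/log/audit/audit.log so that the distinct denial shapes stand out
# before a host is switched from permissive to enforcing mode.

# write_sample_avc: constructed input file holding the records shown in
# this exercise (one SYSCALL record and three AVC records).
write_sample_avc() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
type=SYSCALL msg=audit(1700598876.985:553): arch=c000003e syscall=9 success=yes exit=140467566579712 a0=0 a1=6c a2=1 a3=1 items=0 ppid=4050 pid=4139 auid=4294967295 uid=48 gid=48 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700598876.985:553): avc:  denied  { map } for  pid=4139 comm="httpd" path="/web/test.html" dev="vda4" ino=25195768 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
type=AVC msg=audit(1698002546.646:386): avc:  denied  { getattr } for  pid=28806 comm="httpd" name="test.html" dev="vda4" ino=151760 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1698002546.646:386): avc:  denied  { getattr } for  pid=28806 comm="httpd" path="/web/test.html" dev="vda4" ino=151760 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
EOF
    echo "$f"
}

# avc_summary FILE: one line per unique denial shape.
# Columns: COUNT SOURCE_TYPE TARGET_TYPE CLASS PERMS PERMISSIVE
avc_summary() {
    awk '
    /^type=AVC / && /avc: +denied/ {
        # Permissions sit between the braces: "{ map }" or "{ read open }".
        perms = $0
        sub(/.*[{] */, "", perms)
        sub(/ *[}].*/, "", perms)
        gsub(/ /, ",", perms)

        sctx = ""; tctx = ""; tclass = ""; perm = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext")        sctx   = kv[2]
            else if (kv[1] == "tcontext")   tctx   = kv[2]
            else if (kv[1] == "tclass")     tclass = kv[2]
            else if (kv[1] == "permissive") perm   = kv[2]
        }
        # A context is user:role:type:level; only the type matters here.
        split(sctx, s, ":")
        split(tctx, t, ":")
        key = s[3] " " t[3] " " tclass " " perms " " perm
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' "$1" | sort -k2
}

# avc_blocking FILE: number of AVC records that were enforced (permissive=0),
# as opposed to records that were only logged in permissive mode.
avc_blocking() {
    awk '/^type=AVC / && /permissive=0( |$)/ { n++ } END { print n + 0 }' "$1"
}

# Stand-alone use on the constructed sample; on servere, pass
# /var/log/audit/audit.log (readable by root) instead.
sample=$(write_sample_avc)
avc_summary "$sample"
echo "blocked: $(avc_blocking "$sample")"
```

On the sample the summary collapses to two shapes, both httpd_t acting on a default_t file, which is exactly the label mismatch the next step repairs; any shape that appears in the summary with permissive=1 is a denial that will start blocking once the host is enforcing.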
  10. Change the SELinux context of the document root directory to the httpd_sys_content_t type.

    1. Use the semanage fcontext command to add the httpd_sys_content_t type to the /web directory.

      [root@servere ~]# semanage fcontext -a -t httpd_sys_content_t '/web(/.*)?'
    2. Use the restorecon command to apply the context changes recursively to the /web directory.

      [root@servere ~]# restorecon -Rv /web
      Relabeled /web from unconfined_u:object_r:default_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
      Relabeled /web/test.html from unconfined_u:object_r:default_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
    3. Verify that the /web directory has the httpd_sys_content_t type.

      [root@servere ~]# ls -laZ /web
      total 4
      drwxr-xr-x.  2 root root unconfined_u:object_r:httpd_sys_content_t:s0  23 Oct 20 20:09 .
      dr-xr-xr-x. 20 root root system_u:object_r:root_t:s0                  257 Oct 20 18:39 ..
      -rw-r--r--.  1 root root unconfined_u:object_r:httpd_sys_content_t:s0  72 Oct 20 19:41 test.html
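The regular expression in the semanage fcontext command is matched against the whole path, which is why the '(/.*)?' suffix is needed: it makes the rule cover the /web directory itself and everything beneath it without also catching unrelated paths such as /webmail. The script below is an added example, not part of the course material; it dry-runs that rule against a constructed list of paths and their current types, in the same spirit as a restorecon -nv run, and reports which entries would be relabeled. The whole-path anchoring is my reading of how libselinux applies file context rules, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not from the exercise): dry-run a file-context rule of the
# kind added with "semanage fcontext -a -t TYPE REGEX" against a list of
# paths, to show which ones restorecon would relabel.

# fcontext_matches REGEX PATH: exit 0 if the rule applies to PATH.
# Assumption: like libselinux, the regex is anchored to the whole path.
fcontext_matches() {
    printf '%s\n' "$2" | grep -Eq "^$1\$"
}

# relabel_plan REGEX EXPECTED_TYPE FILE
# FILE holds constructed lines "PATH CURRENT_TYPE" (the type field of ls -Z).
# Prints "PATH CURRENT_TYPE -> EXPECTED_TYPE" for every path the rule matches
# whose type is not already EXPECTED_TYPE.
relabel_plan() {
    rule=$1
    want=$2
    while read -r path cur; do
        if fcontext_matches "$rule" "$path" && [ "$cur" != "$want" ]; then
            echo "$path $cur -> $want"
        fi
    done < "$3"
}

# write_sample_tree: constructed paths and types for the dry run.
write_sample_tree() {
    f=$(mktemp)
    printf '%s\n' \
        '/web default_t' \
        '/web/test.html default_t' \
        '/web/img/logo.png httpd_sys_content_t' \
        '/webmail default_t' > "$f"
    echo "$f"
}

# Stand-alone use with the rule from this step.
tree=$(write_sample_tree)
relabel_plan '/web(/.*)?' httpd_sys_content_t "$tree"
```

The dry run lists /web and /web/test.html, skips /web/img/logo.png because it already carries the right type, and leaves /webmail alone; dropping the '(/.*)?' suffix would make the rule match the directory only, and the file underneath would keep default_t.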
  11. Use the curl command to verify that the test.html file is accessible.

    [root@servere ~]# curl http://localhost/test.html
    <html>
            <head>SELinux</head>
            <body>
                    <h1>Works!</h1>
            </body>
    </html>
  12. Return to the workstation machine as the student user.

    [root@servere ~]# logout
    [student@servere ~]$ logout
    Connection to servere closed.
    [student@workstation ~]$

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish selinux-enabling

Revision: rh415-9.2-a821299