Guided Exercise: Controlling Access with Confined Users

Configure users as SELinux confined users to limit the mechanisms that they might use to access the system and the superuser account.

Outcomes

  • Prevent Linux users from switching to a different SELinux confined user.

  • Control the methods that administrators are permitted to use to switch user with SELinux confined users.

  • Examine the effects of confined SELinux users on the sudo, su, and ssh commands, and on SUID execution.

  • Explore the Booleans that control how SELinux controls confined users.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start selinux-controlling

Instructions

  1. On the serverc machine, confine all Linux users except the root user by mapping them to the user_u SELinux user at login.

    1. Log in to the serverc machine as the student user. No password is required.

      [student@workstation ~]$ ssh student@serverc
      [student@serverc ~]$
    2. Display the SELinux user that is associated with the student user.

      [student@serverc ~]$ id -Z
      unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    3. Change to the root user. Use student as the password.

      [student@serverc ~]$ sudo -i
      [sudo] password for student: student
      [root@serverc ~]#
    4. Confirm that SELinux is in Enforcing mode.

      [root@serverc ~]# getenforce
      Enforcing
    5. Retrieve the mapping between the Linux user and the SELinux user.

      [root@serverc ~]# semanage login -l
      
      Login Name           SELinux User         MLS/MCS Range        Service
      
      __default__          unconfined_u         s0-s0:c0.c1023       *
      root                 unconfined_u         s0-s0:c0.c1023       *

      By default, SELinux maps the Linux users to the unconfined_u SELinux user. Changing this mapping has no impact on the root user because it has its own rule.

    6. Change the default mapping so that Linux users map to the user_u SELinux user. The -r s0 option sets the MLS/MCS range to s0, which matches the range that the policy defines for user_u. The semanage command might take up to one minute to complete.

      [root@serverc ~]# semanage login -m -s user_u  -r s0 __default__
    7. Use the semanage login -l command again to verify your work.

      [root@serverc ~]# semanage login -l
      
      Login Name           SELinux User         MLS/MCS Range        Service
      
      __default__          user_u               s0                   *
      root                 unconfined_u         s0-s0:c0.c1023       *
    8. Log out of the serverc machine, and then log in again as the student user.

      [root@serverc ~]# logout
      [student@serverc ~]$ logout
      [student@workstation ~]$ ssh student@serverc
    9. Use the id -Z command to confirm that SELinux maps the student user to the user_u SELinux user.

      [student@serverc ~]$ id -Z
      user_u:user_r:user_t:s0
    10. Confirm that the student user cannot use the sudo or su commands anymore. For the su command, use redhat as the password for the root user.

      [student@serverc ~]$ sudo -i
      sudo: PERM_SUDOERS: setresuid(-1, 1, -1): Operation not permitted
      sudo: no valid sudoers sources found, quitting
      sudo: setresuid() [0, 0, 0] -> [1000, -1, -1]: Operation not permitted
      sudo: error initializing audit plugin sudoers_audit
      [student@serverc ~]$ su -
      Password: redhat
      su: Authentication failure
  2. Set the user_exec_content SELinux Boolean to the off value to prevent users who are mapped to the user_u SELinux user from executing programs in the /tmp directory or in their home directories.

    1. Verify that the student user can execute programs in their home directory and in the /tmp directory on the serverc machine.

      [student@serverc ~]$ /tmp/runme
      Tested
      [student@serverc ~]$ ./runme
      Tested

      The runme program was deployed by the lab start command.

    2. The new mapping to the user_u SELinux user prevents Linux users from using the sudo -i command. To use the root account, log out of the serverc machine and log in again as the root user.

      [student@serverc ~]$ logout
      [student@workstation ~]$ ssh root@serverc
      [root@serverc ~]#
    3. Set the SELinux user_exec_content Boolean to the off value. The setsebool command might take up to one minute to complete.

      [root@serverc ~]# setsebool -P user_exec_content off
    4. Log out of the serverc machine and log in again as the student user. No password is required.

      [root@serverc ~]# logout
      [student@workstation ~]$ ssh student@serverc
      [student@serverc ~]$
    5. Confirm that the student user can no longer execute programs in the /tmp directory or their home directory.

      [student@serverc ~]$ /tmp/runme
      -bash: /tmp/runme: Permission denied
      [student@serverc ~]$ ./runme
      -bash: ./runme: Permission denied
  3. Create the operator1 Linux user as follows:

    • The user is a system administrator and must be able to use the sudo and su commands. Map the user to the sysadm_u SELinux user.

    • Add the user to the wheel group, to benefit from the existing sudo rule that grants permission to run any command as any user.

    • Set the user's password to redhat.

    • The operator1 user must be able to log in by using the ssh command. By default, SELinux does not allow users that are mapped to the sysadm_u SELinux user to log in over SSH; you meet this requirement by turning on the ssh_sysadm_login Boolean, which permits that login.

    1. Log out of the serverc machine and log in again as the root user.

      [student@serverc ~]$ logout
      [student@workstation ~]$ ssh root@serverc
      [root@serverc ~]#
    2. Create the operator1 Linux user account, map it to the sysadm_u SELinux user, and add it to the wheel group. The useradd command might take up to one minute to complete.

      [root@serverc ~]# useradd -G wheel -Z sysadm_u operator1
      [root@serverc ~]#
    3. Confirm that SELinux maps the operator1 user to the sysadm_u SELinux user.

      [root@serverc ~]# semanage login -l
      
      Login Name           SELinux User         MLS/MCS Range        Service
      
      __default__          user_u               s0                   *
      operator1            sysadm_u             s0-s0:c0.c1023       *
      root                 unconfined_u         s0-s0:c0.c1023       *
    4. Set the password for the operator1 user to redhat.

      [root@serverc ~]# echo redhat | passwd --stdin operator1
      Changing password for user operator1.
    5. Log out of the serverc machine and try to use SSH to log in as the operator1 user.

      [root@serverc ~]# logout
      [student@workstation ~]$ ssh operator1@serverc
      client_loop: send disconnect: Broken pipe
      [student@workstation ~]$

      By default, the ssh_sysadm_login Boolean is off, so SELinux denies SSH logins to accounts that are mapped to the sysadm_u SELinux user. The server closes the connection before a shell is started.

    6. Log in as the root user and set the ssh_sysadm_login Boolean to the on value.

      [student@workstation ~]$ ssh root@serverc
      [root@serverc ~]# setsebool -P ssh_sysadm_login on
      [root@serverc ~]#
    7. Log out of the serverc machine and log in as the operator1 user. This time, the connection succeeds.

      [root@serverc ~]# logout
      [student@workstation ~]$ ssh operator1@serverc
      ...output omitted...
      [operator1@serverc ~]$
    8. To confirm that the operator1 user can administer the system, use the sudo -i command to switch identity to the root user and restart the sshd service. Use redhat as the password.

      [operator1@serverc ~]$ sudo -i
      [sudo] password for operator1: redhat
      [root@serverc ~]# systemctl restart sshd
      [root@serverc ~]# systemctl is-active sshd
      active
  4. Create the developer1 Linux user account for your developer. The developer1 user is not a system administrator, but they must be able to restart the sshd service with the sudo command.

    Create the user account as follows:

    • Map the developer1 user to the staff_u SELinux user. Remember that an account without an explicit mapping uses the __default__ entry, which you changed to user_u earlier in this exercise, and user_u does not allow the sudo command.

    • Set the user's password to redhat.

    • Create a sudo configuration file, /etc/sudoers.d/developers, and add a rule to permit the developer1 user to run the systemctl restart sshd command as the root user.

    1. Create the developer1 Linux user account and map it to the staff_u SELinux user. The useradd command might take up to one minute to complete.

      [root@serverc ~]# useradd -Z staff_u developer1
    2. Confirm that SELinux maps the developer1 user to the staff_u SELinux user.

      [root@serverc ~]# semanage login -l
      
      Login Name           SELinux User         MLS/MCS Range        Service
      
      __default__          user_u               s0                   *
      developer1           staff_u              s0-s0:c0.c1023       *
      operator1            sysadm_u             s0-s0:c0.c1023       *
      root                 unconfined_u         s0-s0:c0.c1023       *
    3. Set the password for the developer1 user to redhat.

      [root@serverc ~]# echo redhat | passwd --stdin developer1
      Changing password for user developer1.
    4. Create the /etc/sudoers.d/developers file and add a rule to permit the developer1 user to run the systemctl restart sshd command as the root user.

      [root@serverc ~]# cat /etc/sudoers.d/developers
      developer1  ALL=/bin/systemctl restart sshd
    5. Log out of the serverc machine and log in as the developer1 user. No password is required.

      [root@serverc ~]# logout
      [operator1@serverc ~]$ logout
      [student@workstation ~]$ ssh developer1@serverc
      [developer1@serverc ~]$
    6. Use the id -Z command to confirm that SELinux maps the developer1 user to the staff_u SELinux user.

      [developer1@serverc ~]$ id -Z
      staff_u:staff_r:staff_t:s0-s0:c0.c1023

      Notice that the current role is the staff_r role.

    7. The sudo command itself starts, but without a role change the command it runs stays in the staff_r role, which does not allow managing system services; among the roles available to staff_u, only the sysadm_r role does. Confirm that, in the staff_r role, the user cannot restart the sshd service by using the sudo command. Use redhat as the password.

      [developer1@serverc ~]$ sudo systemctl restart sshd
      [sudo] password for developer1: redhat
      Failed to add a watch for /run/systemd/ask-password: Permission denied
    8. To run commands with the sudo command, the developer1 user must change their current role to the sysadm_r role. Log out of the serverc machine and log in as the root user. Use the semanage user -l command to confirm that SELinux allows staff_u users to change role to the sysadm_r role.

      [developer1@serverc ~]$ logout
      [student@workstation ~]$ ssh root@serverc
      [root@serverc ~]# semanage user -l
      
                    Labeling  MLS/
      SELinux User  Prefix    MCS Level  ...  SELinux Roles
      
      guest_u       user      s0         ...  guest_r
      root          user      s0         ...  staff_r sysadm_r system_r unconfined_r
      staff_u       user      s0         ...  staff_r sysadm_r system_r unconfined_r
      sysadm_u      user      s0         ...  sysadm_r
      system_u      user      s0         ...  system_r unconfined_r
      unconfined_u  user      s0         ...  system_r unconfined_r
      user_u        user      s0         ...  user_r
      xguest_u      user      s0         ...  xguest_r
    9. Configure the sudo command to perform the role change before running the command. Edit the /etc/sudoers.d/developers file and insert the ROLE=sysadm_r option between the host specification and the command, so that sudo runs the command in the sysadm_r role.

      [root@serverc ~]# cat /etc/sudoers.d/developers
      developer1  ALL= ROLE=sysadm_r /bin/systemctl restart sshd
    10. Log out of the serverc machine and log in as the developer1 user.

      [root@serverc ~]# logout
      [student@workstation ~]$ ssh developer1@serverc
      [developer1@serverc ~]$
    11. Confirm that the developer1 user can restart the sshd service. Use redhat as the password. Return to the workstation machine when done.

      [developer1@serverc ~]$ sudo /bin/systemctl restart sshd
      [sudo] password for developer1: redhat
      [developer1@serverc ~]$ logout
      [student@workstation ~]$

      The systemctl restart command does not display anything when successful.
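The following added example is not part of the course material. It turns the checks from steps 1 and 2 into reusable shell functions: one reports every login mapping that still yields the unconfined_u SELinux user, one confirms that __default__ is confined, and one compares getsebool output against the values this exercise ends with (user_exec_content off, ssh_sysadm_login on). The sample outputs are constructed to match the command output shown above; the %devops group entry is hypothetical and is included only to show that group mappings are audited too. On a live host, pipe the real commands in instead of the samples.

```shell
# Added example, not part of the course material.
# Live use on serverc:
#   semanage login -l | unconfined_logins
#   semanage login -l | default_is_confined && echo "default login is confined"
#   getsebool user_exec_content ssh_sysadm_login | boolean_drift

# Constructed sample of `semanage login -l` after step 1.6. The %devops
# group entry is hypothetical; it shows that group mappings are audited too.
SAMPLE_LOGIN_MAP='
Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0                   *
%devops              unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *'

# Constructed sample of `getsebool user_exec_content ssh_sysadm_login`
# before steps 2.3 and 3.6 have been carried out.
SAMPLE_BOOLEANS='user_exec_content --> on
ssh_sysadm_login --> off'

# Print "<login> unconfined_u" for every entry that still maps to the
# unconfined_u SELinux user. __default__ is checked like any other entry,
# so an unchanged default mapping is reported as well.
unconfined_logins() {
    awk 'NF >= 3 && $2 == "unconfined_u" { print $1, $2 }'
}

# Exit 0 when __default__ is mapped to a confined SELinux user (anything
# other than unconfined_u), 1 when it is unconfined or missing.
default_is_confined() {
    awk '$1 == "__default__" { found = 1; ok = ($2 != "unconfined_u") }
         END { if (found && ok) exit 0; exit 1 }'
}

# Compare getsebool output with the values this exercise ends with:
# user_exec_content off (step 2) and ssh_sysadm_login on (step 3).
# Prints one "<boolean> expected=<x> actual=<y>" line per mismatch and
# exits 1 if any Boolean has drifted, 0 if all match.
boolean_drift() {
    awk -v want="user_exec_content=off ssh_sysadm_login=on" '
        BEGIN {
            n = split(want, pairs, " ")
            for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); expect[kv[1]] = kv[2] }
        }
        $2 == "-->" && ($1 in expect) && $3 != expect[$1] {
            printf "%s expected=%s actual=%s\n", $1, expect[$1], $3
            drift = 1
        }
        END { if (drift) exit 1; exit 0 }'
}

# Demo on the constructed samples:
printf '%s\n' "$SAMPLE_LOGIN_MAP" | unconfined_logins
printf '%s\n' "$SAMPLE_BOOLEANS" | boolean_drift || echo "Boolean drift detected"
```

The root entry is reported on purpose: the exercise leaves root mapped to unconfined_u, and the audit should make that visible rather than hide it. Booleans set without -P do not survive a reboot, so running boolean_drift after a reboot is a quick way to catch a change that was never made persistent.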

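The following added example is not part of the course material. Step 4.8 reads the SELinux Roles column of semanage user -l by eye; the first function below does the same lookup mechanically, and the second refuses to emit a ROLE= sudoers rule such as the one in step 4.9 when the requested role is not reachable from the account's SELinux user. The sample output is constructed in the full semanage user -l layout (the exercise above elides the MLS/MCS Range column); on a live host, pipe the real command in instead.

```shell
# Added example, not part of the course material.
# Live use on serverc:
#   semanage user -l | role_allowed staff_u sysadm_r && echo "reachable"
#   semanage user -l | sudo_role_rule developer1 staff_u sysadm_r /bin/systemctl restart sshd

# Constructed sample in the full `semanage user -l` layout. Columns are:
# SELinux User, Prefix, MLS/MCS Level, MLS/MCS Range, then the role list,
# so the roles start at field 5.
SAMPLE_USER_MAP='
                Labelling  MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r'

# Usage: role_allowed <selinux_user> <role>   (semanage user -l on stdin)
# Exit 0 if <role> is listed for <selinux_user>, 1 if it is not listed
# or the SELinux user does not exist in the policy.
role_allowed() {
    awk -v u="$1" -v r="$2" '
        $1 == u { for (i = 5; i <= NF; i++) if ($i == r) ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# Usage: sudo_role_rule <login> <selinux_user> <role> <command...>
# Print a sudoers rule in the form used in step 4.9, but only after
# confirming that the role is reachable; otherwise print nothing and
# return 1. A rule that names a role the account cannot enter fails when
# sudo tries to switch to it, so it is better to reject it here.
sudo_role_rule() {
    login=$1; suser=$2; role=$3; shift 3
    role_allowed "$suser" "$role" || return 1
    printf '%s  ALL= ROLE=%s %s\n' "$login" "$role" "$*"
}

# Demo on the constructed sample:
printf '%s\n' "$SAMPLE_USER_MAP" | sudo_role_rule developer1 staff_u sysadm_r /bin/systemctl restart sshd
printf '%s\n' "$SAMPLE_USER_MAP" | sudo_role_rule student user_u sysadm_r /bin/systemctl restart sshd \
    || echo "user_u cannot enter sysadm_r; map the account to staff_u first"
```

Write the generated rule to /etc/sudoers.d/developers and validate the file with visudo -cf /etc/sudoers.d/developers before you log out of the root session; a syntax error in a sudoers.d file is otherwise discovered only when the next sudo call fails.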
Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish selinux-controlling

Revision: rh415-9.2-a821299