
Guided Exercise: Auditing the SELinux Policy

Use system tools to examine the system's current SELinux policy, and to interpret whether specific SELinux domains that are used by processes have access to files and ports that are labeled with specific SELinux types.

Outcomes

  • Use policy tools to predict which SELinux domain the process will have when it is run, based on the SELinux type on an executable.

  • Determine which SELinux types might be accessed by that process, and what access is permitted or blocked.

  • Determine whether a particular SELinux domain can transition to the unconfined_t type, and whether the unconfined_t type can transition to that domain.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start selinux-auditing

Instructions

  1. Use the SELinux policy tools to predict the SELinux domain type for the httpd daemon when the systemd daemon starts the service.

    1. Log in to the serverc machine as the student user. No password is required.

      [student@workstation ~]$ ssh student@serverc
      [student@serverc ~]$
    2. Change to the root user. Use student as the password.

      [student@serverc ~]$ sudo -i
      [sudo] password for student: student
      [root@serverc ~]#
    3. Install the policycoreutils-devel and setools-console packages to provide the sepolicy and sesearch commands, respectively.

      [root@serverc ~]# dnf install policycoreutils-devel setools-console
      ...output omitted...
      Is this ok [y/N]: y
      ...output omitted...
      Complete!
    4. When using the systemctl command to start a service, the command forwards the request to the systemd daemon. Retrieve the SELinux domain type of the systemd daemon.

      [root@serverc ~]# ps -Z -C systemd
      LABEL                               PID TTY          TIME CMD
      system_u:system_r:init_t:s0           1 ?        00:00:01 systemd
      ...output omitted...
    5. The systemd daemon starts the service by executing the httpd binary file. Retrieve the SELinux context type of the httpd executable.

      [root@serverc ~]# which httpd
      /sbin/httpd
      [root@serverc ~]# ls -Z /sbin/httpd
      system_u:object_r:httpd_exec_t:s0 /sbin/httpd
    6. Use the sesearch command to retrieve the SELinux domain transition rule for when a daemon of the init_t type executes a program of the httpd_exec_t type.

      [root@serverc ~]# sesearch -T -s init_t -t httpd_exec_t
      type_transition init_t httpd_exec_t:process httpd_t;

      The SELinux domain type of the resulting process is the httpd_t type.

    7. Use the sepolicy transition command as another way to list domain transitions.

      [root@serverc ~]# sepolicy transition -s init_t -t httpd_t
      init_t @ httpd_exec_t --> httpd_t
      init_t ... initrc_t @ httpd_exec_t --> httpd_t
      init_t ... initrc_t ... pegasus_t ... rpm_t ... rpm_script_t ... bootloader_t ... kmod_t ... mount_t ... glusterd_t @ httpd_exec_t --> httpd_t
      init_t ... initrc_t ... pegasus_t ... rpm_t ... rpm_script_t ... bootloader_t ... kmod_t ... mount_t ... glusterd_t ... svc_start_t ... svc_run_t @ httpd_exec_t    --> httpd_t
      ...output omitted...

      The sepolicy transition command lists every path in the policy by which the source domain can reach the target domain, including indirect paths through intermediate domains. The first line shows the direct path: init_t transitions to httpd_t when it executes a file with the httpd_exec_t type, which is the rule that sesearch -T returned.

    8. Confirm your observation by starting the httpd service and retrieving the domain type of the resulting httpd processes.

      [root@serverc ~]# systemctl start httpd
      [root@serverc ~]# ps -Z -C httpd
      LABEL                               PID TTY          TIME CMD
      system_u:system_r:httpd_t:s0      27970 ?        00:00:00 httpd
      system_u:system_r:httpd_t:s0      27971 ?        00:00:00 httpd
      system_u:system_r:httpd_t:s0      27972 ?        00:00:00 httpd
      system_u:system_r:httpd_t:s0      27973 ?        00:00:00 httpd
      system_u:system_r:httpd_t:s0      27974 ?        00:00:00 httpd
  2. Manually start the httpd daemon, without using the systemctl command. Observe the resulting SELinux domain type.

    1. Stop the httpd service.

      [root@serverc ~]# systemctl stop httpd
    2. Directly start the httpd daemon, without using the systemctl command.

      [root@serverc ~]# httpd

      Red Hat recommends starting services by using the systemctl command. The next steps show one reason: a daemon that is started directly from an interactive shell does not get its confined domain.

    3. Retrieve the SELinux domain type of the httpd daemon.

      [root@serverc ~]# ps -Z -C httpd
      LABEL                               PID TTY          TIME CMD
      unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 28192 ? 00:00:00 httpd
      unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 28193 ? 00:00:00 httpd
      unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 28194 ? 00:00:00 httpd
      unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 28195 ? 00:00:00 httpd
      unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 28196 ? 00:00:00 httpd

      The httpd processes run in the unconfined_t domain rather than in httpd_t, so none of the httpd_t policy rules that you examine later in this exercise constrain them.

    4. The source domain that started the httpd daemon is your Bash shell. Retrieve the SELinux type of your shell.

      [root@serverc ~]# ps -Z $$
      LABEL                               PID TTY      STAT   TIME COMMAND
      unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 26503 pts/0 Ss   0:00 -bash

      The $$ token is the PID of the current process.

    5. Look for a domain transition rule from the unconfined_t source type when executing a program with the httpd_exec_t type.

      [root@serverc ~]# sesearch -T -s unconfined_t -t httpd_exec_t

      There is no such rule. Therefore, the daemon that results from the execution of the /usr/sbin/httpd binary keeps the domain of the process that executed it: your unconfined_t shell, in this example.

    6. Terminate the httpd processes and restart the service by using the systemctl command.

      [root@serverc ~]# pkill httpd
      [root@serverc ~]# systemctl start httpd
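The following shell script is an added example and is not part of the Red Hat exercise. It automates the prediction that steps 1 and 2 make by hand: given a source domain and an executable's SELinux type, it reads the type_transition rules that sesearch -T reports and prints the domain the new process will run in, falling back to the source domain when no rule exists (the case of the unconfined_t shell above). The SAMPLE_RULES text is a constructed copy of sesearch output so that the parsing can be exercised offline; the predict_domain_live helper assumes setools-console (sesearch) and coreutils stat are available on the host.

```shell
# Added example: predict the SELinux domain that a process gets when a source
# domain executes a file, from `sesearch -T` output. Not part of the exercise.

# Constructed sample of `sesearch -T` output for httpd_exec_t (see the exercise).
SAMPLE_RULES='type_transition init_t httpd_exec_t:process httpd_t;
type_transition initrc_t httpd_exec_t:process httpd_t;'

# predict_domain RULES SOURCE_DOMAIN EXEC_TYPE
# Prints the type_transition target for (SOURCE_DOMAIN, EXEC_TYPE, process) if
# the rules contain one; otherwise prints SOURCE_DOMAIN, because without a
# transition rule the new process simply keeps its parent's domain.
predict_domain() {
    rules=$1; src=$2; exec_t=$3
    target=$(printf '%s\n' "$rules" |
        awk -v s="$src" -v t="$exec_t" '
            $1 == "type_transition" && $2 == s && $3 == (t ":process") {
                sub(/;$/, "", $4)   # strip the trailing semicolon
                print $4
                exit
            }')
    if [ -n "$target" ]; then
        printf '%s\n' "$target"
    else
        printf '%s\n' "$src"
    fi
}

# predict_domain_live SOURCE_DOMAIN /path/to/executable
# Reads the executable's SELinux type from its file context and queries the
# loaded policy. Requires sesearch (setools-console); assumption, not tested here.
predict_domain_live() {
    src=$1; path=$2
    exec_t=$(stat -c '%C' "$path" | awk -F: '{ print $3 }')
    rules=$(sesearch -T -s "$src" -t "$exec_t" -c process 2>/dev/null)
    predict_domain "$rules" "$src" "$exec_t"
}

# Offline demonstration with the constructed rules:
predict_domain "$SAMPLE_RULES" init_t httpd_exec_t        # httpd_t
predict_domain "$SAMPLE_RULES" unconfined_t httpd_exec_t  # unconfined_t (no rule)
```

On serverc, `predict_domain_live init_t /usr/sbin/httpd` should print httpd_t and `predict_domain_live unconfined_t /usr/sbin/httpd` should print unconfined_t, matching the ps -Z output in steps 1 and 2. The script only consults the loaded policy; it does not account for the exec permission itself, so a domain that cannot execute the file at all would still get a prediction.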
  3. Create a test HTML page, and locate the rule that allows the httpd daemon to read that file.

    1. Create the index.html test page in the /var/www/html/ directory. Use the curl command to confirm that you can access the new page.

      [root@serverc ~]# echo "Hello World" > /var/www/html/index.html
      [root@serverc ~]# curl http://localhost
      Hello World
    2. Retrieve the SELinux domain type of the httpd daemon, and the type of the index.html file.

      [root@serverc ~]# ps -Z -C httpd
      LABEL                               PID TTY          TIME CMD
      system_u:system_r:httpd_t:s0      28415 ?        00:00:00 httpd
      system_u:system_r:httpd_t:s0      28416 ?        00:00:00 httpd
      system_u:system_r:httpd_t:s0      28417 ?        00:00:00 httpd
      system_u:system_r:httpd_t:s0      28418 ?        00:00:00 httpd
      system_u:system_r:httpd_t:s0      28419 ?        00:00:00 httpd
      [root@serverc ~]# ls -Z /var/www/html/index.html
      unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
    3. Retrieve the rule that allows the httpd_t domain type to read files with the httpd_sys_content_t type.

      [root@serverc ~]# sesearch -A -s httpd_t -t httpd_sys_content_t -c file
      allow domain file_type:file map; [ domain_can_mmap_files ]:True
      allow httpd_t httpd_content_type:file { getattr ioctl lock map open read };
      allow httpd_t httpdcontent:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; [ ( httpd_builtin_scripting && httpd_unified && httpd_enable_cgi ) ]:True
      allow httpd_t httpdcontent:file { execute execute_no_trans getattr ioctl map open read }; [ ( httpd_builtin_scripting && httpd_unified && httpd_enable_cgi ) ]:True

      Four rules are returned that include httpd_t or an SELinux attribute that includes httpd_t as the source domain, and httpd_sys_content_t or an SELinux attribute that includes httpd_sys_content_t as the target type, for SELinux objects of class file (regular files).

      The second rule that matched is the critical one. It allows processes with the domain httpd_t to use the open and read system calls, among others, on regular files of an SELinux type that is in the httpd_content_type SELinux attribute. That includes the httpd_sys_content_t SELinux type.

      The first rule applies because the domain_can_mmap_files SELinux Boolean is currently on (True) on this system. The last two rules apply only while the httpd_builtin_scripting, httpd_unified, and httpd_enable_cgi Booleans are all on; the :True after the bracketed expression shows that this combination currently evaluates to true on your system. Before relying on a conditional rule, confirm the current Boolean values with the getsebool command, because an administrator can turn any of these Booleans off with setsebool, and the rule then stops applying.

      Note

      To prove that the httpd_sys_content_t SELinux type is part of the httpd_content_type SELinux attribute in the policy, other than the fact that it matches your search, you can run one of the following commands:

      To see all the SELinux attributes that include the httpd_sys_content_t type:

      [root@serverc ~]# seinfo -t httpd_sys_content_t -x

      To see all the SELinux types in the httpd_content_type SELinux attribute:

      [root@serverc ~]# seinfo --attribute=httpd_content_type -x
  4. Locate the rule that allows the httpd daemon to execute CGI scripts in the /var/www/cgi-bin/ directory.

    1. Retrieve the SELinux context type of the /var/www/cgi-bin/ directory.

      [root@serverc ~]# ls -Zd /var/www/cgi-bin/
      system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/

      Files that are created in this directory inherit its type by default, so CGI scripts that you write there get the httpd_sys_script_exec_t type. A file that is moved into the directory with mv keeps its original label; run restorecon on it to apply the default context.

    2. Use the sesearch command to retrieve the rule that allows the httpd_t domain type to execute files with the httpd_sys_script_exec_t type.

      [root@serverc ~]# sesearch -A -s httpd_t \
          -t httpd_sys_script_exec_t -c file
      allow domain file_type:file map; [ domain_can_mmap_files ]:True
      allow httpd_t httpd_content_type:file { getattr ioctl lock map open read };
      allow httpd_t httpd_script_exec_type:file { getattr ioctl lock open read };
      allow httpd_t httpd_sys_script_exec_t:file { execute execute_no_trans }; [ httpd_enable_cgi ]:True

      The last rule depends on the httpd_enable_cgi Boolean, which is currently on (True), so the rule applies and the httpd_t domain can execute files with the httpd_sys_script_exec_t type. The read-only rules above it are unconditional.
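The following script is an added example, not part of the Red Hat exercise. It turns the manual reading of sesearch -A output in steps 3 and 4 into a check a practitioner can script: for a given permission, it reports whether some rule grants it unconditionally, only while a Boolean expression is currently true, only while an expression that is currently false would become true, or not at all. The SAMPLE_RULES text is a constructed copy of the step 3 output; the audit_live helper assumes setools-console (sesearch) is installed and that a single object class is queried, as the exercise does with -c file.

```shell
# Added example: classify how a permission is granted in `sesearch -A` output.
# Not part of the exercise.

# Constructed sample: the four rules that step 3 returned for httpd_t on
# httpd_sys_content_t files. write/unlink are granted only conditionally.
SAMPLE_RULES='allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow httpd_t httpd_content_type:file { getattr ioctl lock map open read };
allow httpd_t httpdcontent:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; [ ( httpd_builtin_scripting && httpd_unified && httpd_enable_cgi ) ]:True
allow httpd_t httpdcontent:file { execute execute_no_trans getattr ioctl map open read }; [ ( httpd_builtin_scripting && httpd_unified && httpd_enable_cgi ) ]:True'

# perm_status RULES PERMISSION -> prints one word:
#   unconditional  an always-on rule grants the permission
#   conditional    only Boolean-gated rules grant it, and the gate is True now
#   inactive       only Boolean-gated rules grant it, and the gate is False now
#   denied         no rule grants it
# Assumes each rule names a single object class (as when -c CLASS is used).
perm_status() {
    printf '%s\n' "$1" | awk -v perm="$2" '
        $1 != "allow" { next }
        {
            line = $0
            sub(/;.*$/, "", line)            # drop ";" and any [ expr ]:True/False
            sub(/^[^:]*:[^ ]+ /, "", line)   # drop "allow SRC TGT:CLASS "
            gsub(/[{}]/, "", line)           # leave only the permission names
            n = split(line, p, " ")
            granted = 0
            for (i = 1; i <= n; i++) if (p[i] == perm) granted = 1
            if (!granted) next
            if ($0 !~ /\]:(True|False)$/)  unconditional = 1
            else if ($0 ~ /\]:True$/)       cond_true = 1
            else                            cond_false = 1
        }
        END {
            if (unconditional)   print "unconditional"
            else if (cond_true)  print "conditional"
            else if (cond_false) print "inactive"
            else                 print "denied"
        }'
}

# audit_live SOURCE TARGET CLASS PERMISSION: query the loaded policy.
# Requires sesearch (setools-console); assumption, not exercised offline.
audit_live() {
    rules=$(sesearch -A -s "$1" -t "$2" -c "$3" -p "$4" 2>/dev/null)
    perm_status "$rules" "$4"
}

# Offline demonstration with the constructed rules:
perm_status "$SAMPLE_RULES" read     # unconditional
perm_status "$SAMPLE_RULES" write    # conditional
perm_status "$SAMPLE_RULES" relabelto  # denied
```

A "conditional" result is the one to note in an audit: the access exists today but disappears as soon as any Boolean in the expression is turned off with setsebool, and an "inactive" result is access that a single setsebool call would create. Check the Booleans named in the expression with getsebool when you record the finding. On serverc, `audit_live httpd_t httpd_sys_content_t file write` should print conditional and `audit_live httpd_t httpd_sys_script_exec_t file execute` should print conditional, matching the rules shown in steps 3 and 4.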

  5. Locate the rule that allows the httpd daemon to bind to TCP port 80.

    1. Retrieve the SELinux type that is associated with TCP port 80.

      [root@serverc ~]# semanage port -l | grep 80
      ...output omitted...
      http_port_t           tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
      ...output omitted...
    2. Use the sesearch command to get the rule that allows the httpd_t domain type to bind to the ports with the http_port_t type.

      [root@serverc ~]# sesearch -A -s httpd_t -t http_port_t
      allow httpd_t http_port_t:tcp_socket name_bind;
      ...output omitted...
  6. Return to the workstation machine as the student user.

    [root@serverc ~]# logout
    [student@serverc ~]$ logout
    Connection to serverc closed.
    [student@workstation ~]$

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish selinux-auditing

Revision: rh415-9.2-a821299