
Lab: Mitigating Risk with SELinux

Configure confined users and address some SELinux denials.

Outcomes

  • Modify the SELinux mode.

  • Use the grubby command to disable and enable SELinux.

  • Inspect AVC messages by using the Audit system.

  • Allow the httpd service to listen on a different port for the http_port_t port type.

  • Prevent Linux users from switching to a different SELinux confined user.

  • Enable and configure SELinux to limit user access to sudo commands.

  • Explore the Booleans that determine how SELinux controls confined users.

  • Examine the effects of confined SELinux users on the sudo, su, and ssh commands, and on SUID execution.

If you did not reset your workstation and server machines at the end of the last chapter, then save any work you want to keep from earlier exercises on those machines, and reset them now.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start compreview-selinux

Specifications

  • On the servere machine, set SELinux to permissive mode.

  • Use the grubby command to enable SELinux.

  • Troubleshoot for any SELinux denial messages.

  • Set SELinux to enforcing mode.

  • Allow the httpd service to listen on port 2693 for the http_port_t port type.

  • Confine users on the servere machine to prevent them from using the sudo and su commands. Prevent users from executing binaries within their home directory. Verify this configuration by running the runme binary in the student home directory. These changes do not apply to the root user.

  • Create an administrative operator4 user on the servere machine with redhat as the password, and add the user to the wheel Linux group. Map the operator4 user to the sysadm_u SELinux user to allow the use of the su and sudo commands.

  • For sysadm_u SELinux users on the servere machine, enable the use of the ssh command to log in.

  1. Log in to the servere machine as the student user. Switch to the root user. Use student as the password.

    [student@workstation ~]$ ssh student@servere
    [student@servere ~]$ sudo -i
    [sudo] password for student: student
    [root@servere ~]#
  2. Confirm that SELinux is in Disabled mode.

    [root@servere ~]# getenforce
    Disabled
  3. Enable SELinux in permissive mode, and reboot the server.

    1. Enable SELinux in permissive mode in the /etc/selinux/config file.

      ...output omitted...
      SELINUX=permissive
      ...output omitted...
    2. Use the grubby command to enable SELinux by removing the selinux=0 argument, which disables SELinux, from the kernel command line of every installed kernel.

      [root@servere ~]# grubby --update-kernel ALL --remove-args selinux
    3. Reboot the servere machine. When ready, log in again to the servere machine as the student user and switch to the root user.

      [root@servere ~]# reboot
      Connection to servere closed.
      [student@workstation ~]$ ssh student@servere
      [student@servere ~]$ sudo -i
      [sudo] password for student: student
      [root@servere ~]#
  4. Use the curl command to verify that the web server at http://servere.lab.example.com:2693 is available.

    [root@servere ~]# curl http://servere.lab.example.com:2693
    <html>
            <head>SELinux</head>
            <body>
                    <h1>Works! - Port 2693</h1>
            </body>
    </html>
  5. Verify that SELinux is set to Permissive mode, and check for SELinux denial messages.

    1. Verify that SELinux is in Permissive mode.

      [root@servere ~]# getenforce
      Permissive
    2. Check the Audit log file for any SELinux denial messages. The curl command in the previous step succeeded because SELinux is in permissive mode: when the httpd service started, SELinux allowed it to bind to port 2693 but still logged the name_bind access as an AVC denial (note the permissive=1 field, and that the denied process is httpd, not curl). In enforcing mode, httpd would be denied the name_bind permission on port 2693, so nothing would listen there and the curl http://servere.lab.example.com:2693 command would fail.

      [root@servere ~]# ausearch -m AVC,USER_AVC
      ...output omitted...
      time->Tue Jan 30 20:06:47 2024
      type=PROCTITLE msg=audit(1706663207.015:34): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
      type=SYSCALL msg=audit(1706663207.015:34): arch=c000003e syscall=49 success=yes exit=0 a0=4 a1=556b528be438 a2=1c a3=7ffe0be018ac items=0 ppid=1 pid=793 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
      type=AVC msg=audit(1706663207.015:34): avc:  denied  { name_bind } for  pid=793 comm="httpd" src=2693 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
      ...output omitted...
    3. Check the journal log file for any SELinux denial messages.

      [root@servere ~]# journalctl -t setroubleshoot
      ...output omitted...
      Jan 30 20:06:55 servere setroubleshoot[1241]:
      SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 2693.
      
          *****  Plugin bind_ports (92.2 confidence) suggests   *********************
      
          If you want to allow /usr/sbin/httpd to bind to network port 2693
          Then you need to modify the port type.
          Do
          # semanage port -a -t PORT_TYPE -p tcp 2693
      ...output omitted...
  6. Change SELinux to enforcing mode, and reboot the server.

    1. Change SELinux to enforcing mode in the /etc/selinux/config file.

      ...output omitted...
      SELINUX=enforcing
      ...output omitted...
    2. Reboot the servere machine. When ready, log in again to the servere machine as the student user and switch to the root user.

      [root@servere ~]# reboot
      Connection to servere closed.
      [student@workstation ~]$ ssh student@servere
      [student@servere ~]$ sudo -i
      [sudo] password for student: student
      [root@servere ~]#
  7. Verify that the SELinux mode is set to Enforcing mode and determine whether the web server at http://servere.lab.example.com:2693 is available.

    1. Verify that the SELinux mode on the servere machine is set to Enforcing mode.

      [root@servere ~]# getenforce
      Enforcing
    2. Use the curl command to verify that the web server at http://servere.lab.example.com:2693 is now unavailable.

      [root@servere ~]# curl http://servere.lab.example.com:2693
      curl: (7) Failed to connect to servere.lab.example.com port 2693: Connection refused
  8. Allow the httpd service to listen on port 2693 for the http_port_t port type. Verify that the port has been added.

    1. Use the semanage port -a command to allow the httpd service to listen on port 2693 for the http_port_t port type.

      [root@servere ~]# semanage port -a -t http_port_t -p tcp 2693
    2. Use the semanage port -l command to list the ports.

      [root@servere ~]# semanage port -l | grep 2693
      http_port_t         tcp      2693, 80, 81, 443, 488, 8008, 8009, 8443, 9000
  9. Restart the httpd service and verify one more time that the web server at http://servere.lab.example.com:2693 is available.

    1. Use the systemctl restart command to restart the httpd service.

      [root@servere ~]# systemctl restart httpd.service
    2. Use the curl command to verify that the web server at http://servere.lab.example.com:2693 is available.

      [root@servere ~]# curl http://servere.lab.example.com:2693
      <html>
              <head>SELinux</head>
              <body>
                      <h1>Works! - Port 2693</h1>
              </body>
      </html>
  10. Confine users to prevent them from using the sudo and su commands. Prevent users from running programs in their home directory. These restrictions do not apply to the root user.

    1. Change the default mapping to map the Linux users to the user_u SELinux user. The semanage command might take up to one minute to complete.

      [root@servere ~]# semanage login -m -s user_u -r s0 __default__
    2. Use the semanage login -l command to verify your work.

      [root@servere ~]# semanage login -l
      
      Login Name           SELinux User         MLS/MCS Range        Service
      
      __default__          user_u               s0                   *
      root                 unconfined_u         s0-s0:c0.c1023       *
    3. Set the user_exec_content SELinux Boolean to the off value to prevent users who are mapped to the user_u SELinux user from executing programs in their home directories.

      [root@servere ~]# setsebool -P user_exec_content off
    4. Log out of the servere machine and log in again as the student user.

      [root@servere ~]# logout
      [student@servere ~]$ logout
      [student@workstation ~]$ ssh student@servere
      ...output omitted...
      [student@servere ~]$
    5. Confirm that the student user can no longer execute programs in their home directory by running the runme binary in the /home/student/ directory.

      [student@servere ~]$ ./runme
      -bash: ./runme: Permission denied
    6. Confirm that the student user can no longer use the sudo and su commands.

      [student@servere ~]$ sudo -i
      sudo: PERM_SUDOERS: setresuid(-1, 1, -1): Operation not permitted
      sudo: no valid sudoers sources found, quitting
      sudo: setresuid() [0, 0, 0] -> [1000, -1, -1]: Operation not permitted
      sudo: error initializing audit plugin sudoers_audit
      [student@servere ~]$ su -
      Password: redhat
      su: Authentication failure
  11. On the servere machine, create an administrative operator4 user with redhat as the password. Map that user to a confined SELinux user to use the su and sudo commands, and to use the ssh command to log in.

    1. Log out of the servere machine and log in as the root user.

      [student@servere ~]$ logout
      [student@workstation ~]$ ssh root@servere
      [root@servere ~]#
    2. Create the operator4 Linux user account, map it to the sysadm_u SELinux user, and add it to the wheel group.

      [root@servere ~]# useradd -G wheel -Z sysadm_u operator4
    3. Set the password for the operator4 user to redhat.

      [root@servere ~]# echo redhat | passwd --stdin operator4
      Changing password for user operator4.
      passwd: all authentication tokens updated successfully.
    4. Confirm that SELinux maps the operator4 user to the sysadm_u SELinux user.

      [root@servere ~]# semanage login -l
      
      Login Name           SELinux User         MLS/MCS Range        Service
      
      __default__          user_u               s0                   *
      operator4            sysadm_u             s0-s0:c0.c1023       *
      root                 unconfined_u         s0-s0:c0.c1023       *
    5. Log out of the servere machine and try to use SSH to log in as the operator4 user.

      [root@servere ~]# logout
      [student@workstation ~]$ ssh operator4@servere
      client_loop: send disconnect: Broken pipe
      [student@workstation ~]$

      By default, the ssh_sysadm_login Boolean is off, so SELinux denies SSH logins for accounts that are mapped to the sysadm_u SELinux user.

    6. Log in as the root user and set the ssh_sysadm_login SELinux Boolean to the on value.

      [student@workstation ~]$ ssh root@servere
      [root@servere ~]# setsebool -P ssh_sysadm_login on
    7. Log out of the servere machine and log in as the operator4 user. This time, the connection succeeds.

      [root@servere ~]# logout
      [student@workstation ~]$ ssh operator4@servere
      ...output omitted...
      [operator4@servere ~]$
    8. To confirm that the operator4 user can administer the system, use the sudo -i command to switch identity to the root user and restart the sshd service. Use redhat as the password.

      [operator4@servere ~]$ sudo -i
      [sudo] password for operator4: redhat
      [root@servere ~]# systemctl restart sshd
      [root@servere ~]# systemctl is-active sshd
      active
  12. Return to the workstation machine.

    [root@servere ~]# logout
    [operator4@servere ~]$ logout
    [student@workstation ~]$
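The following script is an added example written for this page; it is not part of the RH415 lab and does not ship with any Red Hat tool. It scripts two checks from the procedure above: triaging an AVC record such as the one from step 5 into its source type, permission, class and target type, and deriving the semanage port command for a name_bind denial; and auditing a semanage login -l listing such as the one from steps 10 and 11 so that only root stays mapped to unconfined_u and the default mapping is user_u. The httpd_t to http_port_t table in port_type_for, the SAMPLE_AVC and SAMPLE_LOGINS inputs (constructed from the lab output), and all function names are assumptions made for this example.

```bash
#!/bin/bash
# Added example for this lab, not part of the RH415 course material.
# Two offline checks an operator would script after steps 5 and 10-11:
#   1. triage an AVC record (as printed by ausearch) and derive the
#      semanage port fix for a name_bind denial;
#   2. audit a `semanage login -l` listing so that only root stays
#      unconfined and the default mapping is user_u.
# The httpd_t -> http_port_t table in port_type_for is hand-written for
# this example; SELinux does not export such a mapping.

# Constructed sample: the AVC record from step 5 of the lab (permissive=1).
SAMPLE_AVC='type=AVC msg=audit(1706663207.015:34): avc:  denied  { name_bind } for  pid=793 comm="httpd" src=2693 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1'

# Constructed sample: the `semanage login -l` listing from step 11.
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0                   *
operator4            sysadm_u             s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *'

# avc_field LINE KEY: value of KEY=value in an audit record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perm LINE: the permission(s) inside "{ ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# avc_summary LINE: "SOURCE_TYPE PERM CLASS TARGET_TYPE", for the sample
# "httpd_t name_bind tcp_socket unreserved_port_t".
avc_summary() {
    printf '%s %s %s %s\n' \
        "$(avc_field "$1" scontext | cut -d: -f3)" \
        "$(avc_perm "$1")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_field "$1" tcontext | cut -d: -f3)"
}

# port_type_for DOMAIN: example-only table of process domain -> port type.
port_type_for() {
    case "$1" in
        httpd_t) echo http_port_t ;;
        *) return 1 ;;
    esac
}

# suggest_fix LINE: print the semanage command for a name_bind denial on a
# tcp/udp socket; otherwise say why no command is derived and return 1.
suggest_fix() {
    local line=$1 proto domain ptype
    [ "$(avc_perm "$line")" = name_bind ] || { echo "not a name_bind denial"; return 1; }
    case "$(avc_field "$line" tclass)" in
        tcp_socket) proto=tcp ;;
        udp_socket) proto=udp ;;
        *) echo "not a port denial"; return 1 ;;
    esac
    domain=$(avc_field "$line" scontext | cut -d: -f3)
    ptype=$(port_type_for "$domain") || {
        echo "no port type known for $domain; check: sesearch -A -s $domain -c ${proto}_socket -p name_bind"
        return 1
    }
    printf 'semanage port -a -t %s -p %s %s\n' "$ptype" "$proto" "$(avc_field "$line" src)"
}

# triage_stream: feed `ausearch -m AVC,USER_AVC -ts recent` on stdin; only
# type=AVC records are examined, one summary plus a suggestion per record.
triage_stream() {
    while IFS= read -r line; do
        case "$line" in
            type=AVC*)
                echo "$(avc_summary "$line") permissive=$(avc_field "$line" permissive)"
                suggest_fix "$line" || true ;;
        esac
    done
}

# audit_logins: read `semanage login -l` output on stdin; print one line per
# problem (a default that is not user_u, or any login other than root mapped
# to unconfined_u); exit 0 only when the listing is clean.
audit_logins() {
    awk 'NR > 1 && NF >= 3 {
        if ($1 == "__default__" && $2 != "user_u") { print "default maps to " $2; bad = 1 }
        else if ($1 != "root" && $2 == "unconfined_u") { print $1 " is unconfined"; bad = 1 }
    } END { exit bad ? 1 : 0 }'
}

# Stand-alone demo on the constructed samples.
printf '%s\n' "$SAMPLE_AVC" | triage_stream
printf '%s\n' "$SAMPLE_LOGINS" | audit_logins && echo "login map clean"
```

On the servere machine the same functions run against live data after sourcing the file: `ausearch -m AVC,USER_AVC -ts recent | triage_stream` and `semanage login -l | audit_logins`. Treat the printed semanage command as a proposal to review, not to paste blindly: adding a port to http_port_t lets every process in the httpd_t domain bind to it, which is the intended effect here but is worth a second look for a denial from a domain you did not expect.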

Evaluation

As the student user on the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the command until successful.

[student@workstation ~]$ lab grade compreview-selinux

Finish

As the student user on the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish compreview-selinux

Revision: rh415-9.2-a821299