SELinux Deepdive - 5huckle/OFFICIALTECHJOURNAL GitHub Wiki
Intro
💡 Many systems administrators' only experience with SELinux involves the quickest way to disable it. This lab will highlight some of the major features of SELinux. Even though many of you have been victimized by SELinux in the past, disabling it is not encouraged unless there is a compelling reason. Note: this lab makes use of the "old school" raw audit log (/var/log/audit/audit.log) to debug SELinux. You may use the techniques shown in the video (journalctl) if you'd like.
Prerequisites
- Ensure that httpd is running on one of your Rocky servers (web01/02).
- Ensure that the server has access to the Internet for updates etc.
- Create a custom index page with your name and SEC-440 lab info.
- NOTE: you will need to use SSH later in the lab, and web01 and/or web02 may have Google Authenticator 2FA configured. You may need to disable it temporarily (see /etc/pam.d/sshd and comment out the pam_google_authenticator.so line).
SELinux
First, let's install the packages:

```bash
sudo yum install policycoreutils policycoreutils-python-utils selinux-policy selinux-policy-targeted libselinux-utils setroubleshoot-server setools setools-console mcstrans
```
Add the following users to your Rocky VM:
- regularuser
- switcheduser
- guestuser
- restricteduser
Adding -Z to ls -l shows the SELinux context of each file. For example, sos.conf has:
- an SELinux user of system_u,
- a role of object_r, and
- a type of etc_t.
- The remaining :s0 is the sensitivity level, used when implementing a multi-level secure (MLS) system, which is beyond the scope of this lab.
Home directories have an SELinux
- user of unconfined_u,
- a role of object_r, and
- a type of user_home_dir_t.
Type ls -lZ /home to see them.
Process Contexts
Process contexts are a bit different.
- The same user and role fields are present, but a running process has a process role such as system_r or unconfined_r rather than the object_r that files carry.
- Types attached to a process, such as httpd_t and ftpd_t, are called process domains rather than types.
Try ps -efZ to show the process contexts.
Deliverables
Deliverable 1: screenshot of the webpage from the Xubuntu box
Deliverable 2: process domain highlighted
Deliverable 3: SELinux type for /var/www/html/index.html
Deliverable 4: screenshot of redhat-release from the Xubuntu box
Deliverable 5
It changed the user from unconfined_u to system_u; the copy operation may change the owner of a file.
Deliverable 6
- There was no error while accessing this.
- SELinux type associated with moved file *
- What happens to the SELinux context when you move a file?
  - It changes the associated type.
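As an added example for the ls -lZ / ps -efZ section above and for the copy-versus-move deliverables (this is editor-added code, not part of the lab page or the journal), the script below splits a context string into its four fields the way ls -Z and ps -efZ print it, lists the domain of a named process, and flags files under the web root whose type is not the one httpd serves. The ls -Z and ps -efZ lines inside the script are constructed, not captured from a real system, and the file names copied.html and moved.html and the expected type httpd_sys_content_t are assumptions for illustration. The documented SELinux behaviour the sample mimics is that cp creates a new file and gives it the destination directory's default label, while mv keeps the label the file already had, which is why restorecon is the usual fix after a move.

```shell
#!/usr/bin/env bash
# Added example for the SELinux lab page, not the lab's own code.
# Splits SELinux contexts as printed by `ls -Z` / `ps -efZ` and flags files
# whose type httpd cannot serve. All sample output below is constructed.
set -eu

# ctx_field CONTEXT N: print field N of user:role:type:level (1..4).
# Pure parameter expansion, so the level may itself contain colons (MLS/MCS).
ctx_field() {
    ctx=$1
    user=${ctx%%:*};  rest=${ctx#*:}
    role=${rest%%:*}; rest=${rest#*:}
    type=${rest%%:*}; level=${rest#*:}
    case $2 in
        1) printf '%s\n' "$user" ;;
        2) printf '%s\n' "$role" ;;
        3) printf '%s\n' "$type" ;;
        4) printf '%s\n' "$level" ;;
        *) echo "ctx_field: bad field $2" >&2; return 1 ;;
    esac
}

# domains_of NAME: read `ps -efZ` lines on stdin (first column is the
# context) and print the unique domain of every process whose command
# contains NAME. The header line never matches a real command name.
domains_of() {
    while read -r ctx _uid _pid _ppid _c _stime _tty _time cmd; do
        case $cmd in
            *"$1"*) ctx_field "$ctx" 3 ;;
        esac
    done | sort -u
}

# mislabeled EXPECTED_TYPE: read `ls -Z DIR/*` lines ("context path") on
# stdin and print "path type" for every file whose type differs.
mislabeled() {
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        t=$(ctx_field "$ctx" 3)
        [ "$t" = "$1" ] || printf '%s %s\n' "$path" "$t"
    done
}

# fix_command EXPECTED_TYPE: print the restorecon call that resets the
# mislabeled files to the policy default (nothing if all are fine).
# Paths containing spaces would need xargs -0 instead of this cut.
fix_command() {
    paths=$(mislabeled "$1" | cut -d' ' -f1 | tr '\n' ' ')
    [ -z "$paths" ] || printf 'restorecon -v %s\n' "${paths% }"
}

# Constructed sample: `ls -Z /var/www/html/*` after `cp ~/copied.html` and
# `mv ~/moved.html` into the web root. cp produced a file with the
# directory's default type; mv carried the home-directory label along.
SAMPLE_LS='unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/copied.html
unconfined_u:object_r:user_home_t:s0 /var/www/html/moved.html'

# Constructed sample: `ps -efZ` header, one httpd worker and sshd.
SAMPLE_PS='LABEL UID PID PPID C STIME TTY TIME CMD
system_u:system_r:httpd_t:s0 apache 1342 1337 0 09:00 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 901 1 0 08:58 ? 00:00:00 /usr/sbin/sshd -D'

printf '%s\n' "$SAMPLE_PS" | domains_of httpd                  # httpd_t
printf '%s\n' "$SAMPLE_LS" | mislabeled httpd_sys_content_t    # /var/www/html/moved.html user_home_t
printf '%s\n' "$SAMPLE_LS" | fix_command httpd_sys_content_t   # restorecon -v /var/www/html/moved.html
```

On a live box, replace the sample variables with `ps -efZ` and `ls -Z /var/www/html/*` and pipe them in; `restorecon -nv` first shows what would change without touching anything.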
Deliverable 7: examine /var/log/audit/audit.log
I can't really do deliverable 7, as I was always able to access the file; there were never any error logs or changes I needed to make to allow this.
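For the audit-log deliverable, here is an added example (editor-written, not from the lab or the journal) of the triage a practitioner does on /var/log/audit/audit.log: pull out only the type=AVC records, reduce each to source domain, target type, object class, denied permission and file name, and print the first thing to try. The two audit records in the script are constructed to look like real ones (pids, inodes and timestamps are made up): the first is the classic "file moved into /var/www/html still labeled user_home_t" denial, the second is httpd trying to reach a database port. The booleans named in the advice (httpd_can_network_connect, httpd_can_network_connect_db, httpd_enable_homedirs) are standard targeted-policy booleans; the three-way decision rule is a simplification, not a complete decision tree.

```shell
#!/usr/bin/env bash
# Added example, not the lab's own code: summarize AVC denials from
# /var/log/audit/audit.log and suggest the usual first fix.
set -eu

# ctx_type CONTEXT: the type/domain field of user:role:type:level.
ctx_type() { t=${1#*:}; t=${t#*:}; printf '%s\n' "${t%%:*}"; }

# avc_summary: read audit.log on stdin, print one line per type=AVC record:
#   <source domain> <target type> <class> <perm[,perm]> <name or ->
avc_summary() {
    while IFS= read -r line; do
        case $line in
            'type=AVC '*) ;;
            *) continue ;;   # SYSCALL, PATH, CWD ... records are skipped
        esac
        perm=$(printf '%s\n' "$line" | sed -E 's/.*\{ *//; s/ *\}.*//' | tr ' ' ',')
        sctx=$(printf '%s\n' "$line" | sed -E 's/.* scontext=([^ ]+).*/\1/')
        tctx=$(printf '%s\n' "$line" | sed -E 's/.* tcontext=([^ ]+).*/\1/')
        tclass=$(printf '%s\n' "$line" | sed -E 's/.* tclass=([^ ]+).*/\1/')
        name=$(printf '%s\n' "$line" | sed -nE 's/.* name="([^"]*)".*/\1/p')
        printf '%s %s %s %s %s\n' "$(ctx_type "$sctx")" "$(ctx_type "$tctx")" \
            "$tclass" "$perm" "${name:--}"
    done
}

# avc_advice: read avc_summary lines and print what to try first.
# Rule of thumb: a home/tmp label on the target means the file was moved
# in (relabel it); a port target means a boolean; anything else needs a
# module that you review before loading.
avc_advice() {
    while read -r stype ttype tclass perm name; do
        case "$ttype:$tclass" in
            user_home_t:file|user_home_t:dir|admin_home_t:*|tmp_t:*)
                echo "$name: target is $ttype; if it was moved into the web root, restorecon -Rv its directory; if it is meant to be served from /home (UserDir), setsebool -P httpd_enable_homedirs on" ;;
            *_port_t:tcp_socket)
                if [ "$stype" = httpd_t ] && [ "$perm" = name_connect ]; then
                    echo "$ttype: httpd wants outbound network; setsebool -P httpd_can_network_connect on (or httpd_can_network_connect_db for DB ports)"
                else
                    echo "$ttype: $stype $perm to $tclass; check getsebool -a for a boolean before writing a module"
                fi ;;
            *)
                echo "$name: $stype $perm on $tclass ($ttype); ausearch -m avc -ts recent | audit2allow -a for a draft module, review before loading" ;;
        esac
    done
}

# Constructed sample audit.log excerpt (two AVC records and one SYSCALL).
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.101:311): avc:  denied  { read } for  pid=1342 comm="httpd" name="moved.html" dev="dm-0" ino=34567 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:311): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700000000.205:318): avc:  denied  { name_connect } for  pid=1342 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'

printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary | avc_advice
```

On a real server run it as `sudo sh avc_triage.sh < /var/log/audit/audit.log` (the script name is arbitrary) or feed it `ausearch -m avc -ts recent`; if `avc_summary` prints nothing while access still fails, the denial is either not an SELinux one or is being hidden by a dontaudit rule (`semodule -DB` disables those temporarily).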
Deliverable 8: UserDirs
I used this guide to do the configuration necessary for setup.
Deliverable 9: SSH from Xubuntu to Rocky over port 2222
I used this guide for setup. I had to change /etc/sshd/sshd_conf, use a one-liner for semanage, and open port 2222 with firewall-cmd.
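As an added example (editor-written; it is not the guide the journal links to), here is the full sequence for moving sshd to TCP 2222 on a Rocky box with SELinux enforcing, with the checks a practitioner wants around it. The order matters: the port must be labeled ssh_port_t before sshd restarts, otherwise sshd gets a name_bind AVC denial and cannot bind, and sshd -t must pass before the restart so a typo does not lock you out. Only the checks run by default; the root-only steps run when APPLY_SSH_PORT=1 is set. The sshd_config and `semanage port -l` fragments used by the checks are constructed; /etc/ssh/sshd_config, firewalld and the sshd service name are Rocky's defaults.

```shell
#!/usr/bin/env bash
# Added example, not the lab's own steps: move sshd to TCP 2222 with SELinux
# enforcing. Usage (as root):  APPLY_SSH_PORT=1 ./ssh2222.sh 2222
set -eu

CONF=/etc/ssh/sshd_config

# sshd_ports FILE: print every Port directive in FILE, or 22 if there is
# none (sshd's default). Keywords are case-insensitive, comments are skipped.
sshd_ports() {
    awk 'tolower($1) == "port" { print $2; n++ } END { if (!n) print 22 }' "$1"
}

# ssh_port_labeled PORT: read `semanage port -l` on stdin; succeed only if
# PORT appears on the tcp ssh_port_t line (ports are comma-separated there,
# e.g. "ssh_port_t  tcp  2222, 22").
ssh_port_labeled() {
    awk -v want="$1" '
        $1 == "ssh_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) { p = $i; sub(/,$/, "", p); if (p == want) found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# apply_ssh_port PORT: label, then firewall, then config, then restart.
apply_ssh_port() {
    port=$1
    # 1. Tell SELinux that PORT is an ssh port. -a fails if the port already
    #    has a type, so fall back to -m (modify) in that case.
    semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null \
        || semanage port -m -t ssh_port_t -p tcp "$port"
    semanage port -l | ssh_port_labeled "$port" \
        || { echo "port $port is still not ssh_port_t, not restarting sshd" >&2; return 1; }
    # 2. Open the port in firewalld (permanent, then reload into the runtime set).
    firewall-cmd --permanent --add-port="$port/tcp"
    firewall-cmd --reload
    # 3. Add the Port directive if it is not already there, then syntax-check.
    grep -qiE "^port[[:space:]]+$port\$" "$CONF" || printf 'Port %s\n' "$port" >>"$CONF"
    sshd -t
    # 4. Restart; keep your current session open until `ssh -p PORT` works.
    systemctl restart sshd
    echo "sshd now configured for port(s): $(sshd_ports "$CONF" | tr '\n' ' ')"
}

if [ "${APPLY_SSH_PORT:-0}" = 1 ]; then
    apply_ssh_port "${1:-2222}"
fi
```

Adding a Port line while the stock config has none means sshd listens on 2222 only; keep `Port 22` as a second directive during the change if you want both. From the Xubuntu side the check is simply `ssh -p 2222 user@web01`; if it hangs, `firewall-cmd --list-ports` and `ausearch -m avc -ts recent` on the server tell you which of the two gates is still closed.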