SELinux Deepdive - 5huckle/OFFICIALTECHJOURNAL GitHub Wiki

Intro

💡 Many systems administrators' only experience with SELinux involves the quickest way to disable it. This lab will highlight some of the major features of SELinux. Even though many of you have been victimized by SELinux in the past, disabling SELinux is not encouraged unless there is a compelling reason. Note: this lab makes use of the "old school" raw audit log (/var/log/audit/audit.log) to debug SELinux. You may use the techniques shown in the video (journalctl) if you'd like.


Pre Requisites

  • Ensure that httpd is running on one of your Rocky servers (web01/02).
  • Ensure that the server has access to the Internet for updates etc.
  • Create a custom index page with your name and SEC-440 lab info.
  • NOTE: you will need to use SSH later in the lab, and web01 and/or web02 may have Google 2FA auth configured. You may need to disable it temporarily (see /etc/pam.d/sshd and comment out the relevant line).

SELinux

First, let's install the packages:

sudo yum install policycoreutils policycoreutils-python-utils selinux-policy selinux-policy-targeted libselinux-utils setroubleshoot-server setools setools-console mcstrans

Add the following users to your Rocky VM:

  • regularuser
  • switcheduser
  • guestuser
  • restrictedduser

Adding Z to ls -l (ls -lZ) shows SELinux context information. For example, sos.conf has:

  • an SELinux user of system_u,
  • a role of object_r, and
  • a type of etc_t.
  • The remaining :s0 is the security level, used when implementing a multi-level security (MLS) system, which is beyond the scope of this lab.

Home directories have an SELinux:

  • user of unconfined_u,
  • role of object_r, and
  • type of user_home_dir_t.

Type ls -lZ /home

image


Process Contexts

Process contexts are a bit different:

  • The SELinux user and role attributes work the same way as for files.
  • httpd_t and ftpd_t are considered process domains rather than types.

Try ps -efZ to show the process contexts.

image


Deliverables

Deliverable 1 Screenshot of the webpage from the Xubuntu box

image

Deliverable 2 Process domain highlighted

image

Deliverable 3 SELinux type for /var/www/html/index.html

image

Deliverable 4 Screenshot of the Red Hat release from the Xubuntu box

image

Deliverable 5

It changed users from unconfined_u to system_u; the copy operand may change the owner of a file.

Deliverable 6

image

There was no error while accessing this.

  • SELinux type associated with the moved file

    image

  • What happens to the SELinux context when you move a file?

    • It changes the associated type.

Deliverable 7 Examine /var/log/audit/audit.log

I can't really do deliverable 7, as I was always able to access the file; there were never any error logs or changes I needed to make to allow this.

image
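As an added example for deliverable 7 (not part of the original lab or this journal), the following Python script reads raw audit.log records the way you would by hand: it keeps only type=AVC lines, splits each security context into user, role, type and level, and counts repeated denials so a noisy log collapses to a few distinct problems. The log lines are constructed to resemble two situations from this lab, httpd being refused a file that still carries a home-directory label and sshd trying to bind port 2222 before the port has been labelled; the regex and field names are my assumptions about the format, not anything taken from the page.

```python
import re
from collections import Counter

# Constructed sample in raw audit.log format (not from a real system): two repeated httpd
# denials, one unrelated SYSCALL record, and one sshd denial binding the unlabelled port 2222.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=1111 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700000001.456:457): avc:  denied  { name_bind } for  pid=999 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000002.789:458): avc:  denied  { read } for  pid=1235 comm="httpd" name="index.html" dev="dm-0" ino=1111 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \}'
    r'.*?comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)
NAME_RE = re.compile(r' name="([^"]*)"')   # file denials carry name=
SRC_RE = re.compile(r' src=(\d+)')          # port denials carry src=

def parse_context(ctx):
    """Split user:role:type:level; an MLS level may itself contain ':' (s0-s0:c0.c1023)."""
    user, role, type_, *level = ctx.split(":")
    return {"user": user, "role": role, "type": type_, "level": ":".join(level)}

def parse_avc(line):
    """Return a dict for an AVC record, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["source"] = parse_context(rec.pop("scontext"))
    rec["target"] = parse_context(rec.pop("tcontext"))
    name, src = NAME_RE.search(line), SRC_RE.search(line)
    rec["object"] = name.group(1) if name else (f"port {src.group(1)}" if src else "?")
    return rec

def summarize(log_text):
    """Count denials by (source domain, target type, class, perms, object) so repeats collapse."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            counts[(rec["source"]["type"], rec["target"]["type"], rec["tclass"],
                    " ".join(rec["perms"]), rec["object"])] += 1
    return counts

if __name__ == "__main__":
    for (src_t, tgt_t, tclass, perms, obj), n in summarize(SAMPLE_AUDIT_LOG).most_common():
        print(f"{n}x {src_t} denied {{ {perms} }} on {tclass} {obj} labelled {tgt_t}")
```

Each summary line names the target type to compare against the label you expect (ls -Z on the file, or the port list from semanage), which is the check deliverable 7 asks you to make from the raw log.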

Deliverable 8 UserDirs

I used this guide to do the configurations necessary for setup.

image

Deliverable 9 SSH from Xubuntu to Rocky over port 2222

I used this guide for setup. I had to change /etc/sshd/sshd_conf, use a one-liner for semanage, and open port 2222 with firewall-cmd.

image

Deliverable 10 SELinux error for su

image

image

Deliverable 11 Find a log entry showing that SELinux prevented a script

image

image

Deliverable 12 PERM SUDOERS ERROR

image