SELinux - Deepdive - benjigifford/SEC-440 GitHub Wiki

Prerequisites

  • Ensure that httpd is running on one of your rocky servers (web01/02)

On web01:

systemctl status httpd


  • Ensure that server has access to the Internet for updates etc.
ping google.com


  • Create a custom index page with your name and SEC-440 lab info
cd /var/www/html
nano index.html


  • NOTE: you will need SSH later in the lab, and web01 and/or web02 may have Google 2FA configured. You may need to disable it temporarily (see /etc/pam.d/sshd and comment out the line).
cd /etc/pam.d
nano sshd
  • Comment out the last line


Deliverable 1. Provide a screenshot that shows you accessing your index page from a web browser on one of your xubuntu workstations.


SELinux Packages

  • NOTE: SELinux is included and enabled by default in Rocky, but install the following SELinux-related packages to help with management and troubleshooting:
sudo yum install policycoreutils policycoreutils-python-utils selinux-policy selinux-policy-targeted libselinux-utils setroubleshoot-server setools setools-console mcstrans
  • Add the following users to your Rocky VM:
useradd regularuser
passwd regularuser
useradd switcheduser
passwd switcheduser
useradd guestuser
passwd guestuser
useradd restrictedduser
passwd restrictedduser

File Contexts


Deliverable 2. What is the process domain for the sshd process? Take a screenshot with that domain highlighted.

ps -efZ | grep apache


This is the domain:


Deliverable 3. What is the selinux type for /var/www/html/index.html? Take a screenshot with that type highlighted

cd /var/www/html
ls -lZ


These are the types:


cp /etc/redhat-release /var/www/html

Deliverable 4. Provide a screenshot similar to the one below

  • Navigate to webpage


  • Examine the original context type of /etc/redhat-release.

Deliverable 5. What was it? Based upon the copy operation, what can you conclude happens during a copy?

  • redhat-release is system info about CentOS. The copy operation changes the /var/www/html folder to match new attributes

Create a file in your sudo user's home directory and move it to /var/www/html

cd
echo $USER $HOSTNAME > userhost.txt
cat userhost.txt
sudo mv userhost.txt /var/www/html


  • Navigate to the file, you should get an error.


Deliverable 6.

6a. What is the selinux type associated with your moved file?

  • The file type is unconfined
cd /var/www/html
ls -lZ


6b. What happens to the selinux context when you move a file?

  • The SELinux context stayed the same, so it only changes if you copy the file.
cd /var/log/httpd
cat error_log | grep userhost.txt


This is where things start to go sideways. Everyone can read the file, including apache. Why is the permission denied?

Deliverable 7: Examine /var/log/audit/audit.log or use the semanage techniques shown in the video for any reference to the unfortunate file. What did you find?

  • Provide a screenshot of the relevant log entry.
cat /var/log/audit/audit.log | grep userhost.txt

  • Make the fix using restorecon (might google this)
restorecon /var/www/html/userhost.txt

  • Provide another screenshot showing a successful browsing session to the file similar to this:

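Added example, not part of the lab page: a small POSIX shell helper that turns raw AVC records from /var/log/audit/audit.log into one readable line each, so the Deliverable 7 denial (httpd_t reading the moved file) and the later Deliverable 11 denial (guest_t executing friendly.sh) can be read off without scanning the whole record. The two audit lines are constructed samples in the standard audit format, not copied from the lab VM.

```shell
#!/bin/sh
# Constructed sample audit records (same layout as /var/log/audit/audit.log, not from the lab).
# Record 1: httpd_t denied read on a file still labelled user_home_t after "mv" into /var/www/html.
# Record 3: guest_t denied execute on a script in the guest home once guest_exec_content is off.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1234 comm="httpd" name="userhost.txt" dev="dm-0" ino=3001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1700000000.202:202): avc:  denied  { execute } for  pid=2345 comm="bash" name="friendly.sh" dev="dm-0" ino=4002 scontext=guest_u:guest_r:guest_t:s0 tcontext=guest_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_summary: read audit records on stdin and print one line per AVC denial:
#   <comm> (<source type>) denied <perms> on <name> (<target type>, <class>)
# Only the type part of each context is shown; that is what the policy rules key on.
avc_summary() {
  awk '/^type=AVC/ && / denied / {
    perm = ""; inbrace = 0; comm = "?"; name = "?"; st = "?"; tt = "?"; cls = "?"
    for (i = 1; i <= NF; i++) {
      if ($i == "{") { inbrace = 1; continue }
      if ($i == "}") { inbrace = 0; continue }
      if (inbrace) { perm = (perm == "" ? $i : perm "," $i); continue }
      if ($i ~ /^comm=/)          { comm = $i; gsub(/^comm="|"$/, "", comm) }
      else if ($i ~ /^name=/)     { name = $i; gsub(/^name="|"$/, "", name) }
      else if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }
      else if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
      else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
    }
    printf "%s (%s) denied %s on %s (%s, %s)\n", comm, st, perm, name, tt, cls
  }'
}

# count_denials: number of AVC denials on stdin, for a quick before/after restorecon check.
count_denials() { avc_summary | wc -l | tr -d ' '; }

# Demo on the constructed records. On the lab VM feed it the real log instead, e.g.
#   sudo ausearch -m avc -ts recent | avc_summary
#   sudo cat /var/log/audit/audit.log | avc_summary
# A user_home_t target under /var/www/html is the "mv kept the old label" case; restorecon
# relabels it to what the fcontext rules say (semanage fcontext -a alone never relabels files).
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
```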

Enabling User Dirs.

Figure out how to enable user directories for apache. These changes will involve modification of SELinux Boolean parameters as well as changing/setting the context of directories and files.

sudo yum install httpd mod_userdir
cd /etc/httpd/conf.d
nano userdir.conf
  • Comment out UserDir disabled
  • Add UserDir enabled
  • Comment out UserDir public_html


cd /home/regularuser
mkdir public_html
cd public_html
nano index.html
  • Type regularuser index page
sudo setsebool -P httpd_read_user_content 1
sudo setsebool -P httpd_enable_homedirs on

sudo semanage fcontext -a -t httpd_sys_content_t "/home/regularuser/public_html(/.*)?"
sudo semanage fcontext -a -t httpd_sys_content_t "/home/switcheduser/public_html(/.*)?"
sudo semanage fcontext -a -t httpd_sys_content_t "/home/guestuser/public_html(/.*)?"
sudo semanage fcontext -a -t httpd_sys_content_t "/home/restrictedduser/public_html(/.*)?"

chmod 755 /home/regularuser/public_html
chmod 755 /home/switcheduser/public_html
chmod 755 /home/guestuser/public_html
chmod 755 /home/restrictedduser/public_html

sudo systemctl restart httpd

Deliverable 8. Provide a screenshot similar to the one below that shows an index page served from the home directory of regularuser. Make sure to capture the directory and file permissions as well as the current SELinux enforcement mode; these changes should survive a reboot.

ssh [email protected]
ls -lRZ


SELinux and SSH Ports

  • Figure out how to move the SSH port from the default of 22. Adjust SELinux to change the allowed port to 2222.


sudo semanage port -a -t ssh_port_t -p tcp 2222
sudo systemctl restart sshd
semanage port -l | grep ssh
firewall-cmd --permanent --zone=public --add-port=2222/tcp
firewall-cmd --reload
cd /etc/ssh
nano sshd_config

sudo systemctl reload sshd
  • Change the Port line to 2222

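Added example, not from the lab: a POSIX shell helper for the port change above. set_sshd_port rewrites the Port directive idempotently (it copes with the stock commented "#Port 22", an active Port line, or none at all), and missing_ssh_steps takes the text output of `semanage port -l | grep ssh_port_t` and `firewall-cmd --list-ports` and reports which of the SELinux label or firewall steps is still outstanding for that port before sshd is restarted. The sshd_config contents below are a constructed sample.

```shell
#!/bin/sh
# Moving sshd to a new port touches four things: sshd_config, the SELinux port label,
# firewalld, and an sshd restart. These helpers keep the first in order and check the next two.

# set_sshd_port FILE PORT: rewrite the Port directive in place (run as root for the real file).
# Replaces a commented "#Port 22" or an active "Port N"; appends one if the file has neither.
set_sshd_port() {
  tmp=$(mktemp) || return 1
  awk -v p="$2" '
    /^[ \t]*#?[ \t]*Port[ \t]+[0-9]+/ && !done { print "Port " p; done = 1; next }
    { print }
    END { if (!done) print "Port " p }
  ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# get_sshd_port FILE: the port sshd will bind (first active Port line, default 22).
get_sshd_port() {
  awk '/^[ \t]*Port[ \t]+[0-9]+/ && !f { print $2; f = 1 } END { if (!f) print 22 }' "$1"
}

# missing_ssh_steps PORT SEMANAGE_LINE FIREWALL_PORTS: prints "semanage" and/or "firewall"
# for whichever step has not been done yet; prints nothing when the port is fully allowed.
#   SEMANAGE_LINE  is the output of: semanage port -l | grep ssh_port_t   (e.g. "ssh_port_t tcp 2222, 22")
#   FIREWALL_PORTS is the output of: firewall-cmd --list-ports           (e.g. "2222/tcp")
missing_ssh_steps() {
  port=$1; out=""
  echo "$2" | sed 's/^.*tcp//' | tr ',' '\n' | tr -d ' \t' | grep -qx "$port" || out="$out semanage"
  echo "$3" | tr ' ' '\n' | grep -qx "$port/tcp" || out="$out firewall"
  echo "${out# }"
}

# Demo on a constructed sshd_config; validate the real file with "sshd -t" before restarting.
demo_cfg=$(mktemp)
printf '#Port 22\n#AddressFamily any\nPermitRootLogin no\n' > "$demo_cfg"
set_sshd_port "$demo_cfg" 2222
get_sshd_port "$demo_cfg"                                    # prints 2222
missing_ssh_steps 2222 "ssh_port_t tcp 22" ""                # prints: semanage firewall
missing_ssh_steps 2222 "ssh_port_t tcp 2222, 22" "2222/tcp"  # prints nothing: ready to restart sshd
rm -f "$demo_cfg"
```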

Deliverable 9. Provide screenshots showing an SSH connection from Xubuntu-LAN to rocky over port 2222.

ssh [email protected] -p 2222


Preventing su

Note the semanage login command used to switch regular user from the unconfined user to the user_u selinux user. Do this and then restart your ssh session as regularuser. Attempt to switch to switcheduser.

  • web01:
semanage login -a -s user_u regularuser
  • xubuntu-lan:
ssh [email protected] -p 2222
id -Z
su - switcheduser


Deliverable 10: Screenshot showing the SELinux error in audit.log. See if you can find at least two denied messages such as these (note that 1003 shows the link between the event and regularuser):

  • web01: cat /var/log/audit/audit.log | grep switcheduser | grep failed


Guest User

  • Figure out how to associate the guestuser account with the guest_u SELinux user.
  • Provide a screenshot that shows the id -Z command run within a guestuser login
semanage login -a -s guest_u guestuser


  • SELinux bools (Boolean, true/false settings) can be used to adjust SELinux settings. The following booleans are associated with the guest_u SELinux user:
getsebool -a | grep guest


On xubuntu-lan ssh to guest:

nano friendly.sh
chmod +x friendly.sh
./friendly.sh

Figure out how to set the guest_exec_content flag to "off" and do so permanently. This flag controls whether users associated with guest_u can run executables.

  • web01:
sudo setsebool -P guest_exec_content false

On xubuntu-lan ssh to guest:

ls
./friendly.sh
ls -l


Deliverable 11. Find a log entry that shows that SELinux prevented the execution of the script.

web01:

cat /var/log/audit/audit.log | grep friendly.sh
journalctl | grep friendly.sh


Preventing sudo for a member of the wheel (sudoers) DAC group

  • As root stop httpd
  • add restricteduser to the wheel group
  • Use sudo to restart httpd as restricteduser
systemctl stop httpd
systemctl status httpd
usermod -aG wheel restrictedduser


Log in as restricteduser

systemctl restart httpd
systemctl status httpd


Associate restricteduser to the user_u SELinux user. Logout as the restricted user, login again and reattempt the restart of httpd. This should fail.

Deliverable 12. Provide a screenshot that shows the PERM_SUDOERS error
