Saturday, January 23, 2010

4. SELinux TYPE Context : chcon & restorecon

Changing and restoring the Types:(chcon with Apache public directory)
We will explain the usage of chcon and restorecon with the following example.
Correctly label files under ~/public_html which is served by Apache using the UserDir derivative on a server which runs SELinux in Enforcing mode.

Step 1
Make sure that the apache serves the file under public_html directory of all users.
# vim /etc/httpd/httpd.conf
#(comment the following derivative)
 # UserDir disable
UserDir public_html
# service httpd restart
This will make apache to serve the pages in the directory public_home of all users home directory.

Keep in mind that the SElinux is enabled and running in Permissive mode. Now create directory inside any users home directory
# cd /home/user
# mkdir public_html && cd public_html && echo "testing the Type Enforcement(TE)" > index.html
Now check the label of the newly created directory
# ls -ltdZ public_html
drwxrwxr-x user user user_u:object_r:user_home_t public_html
The labeling is done automatically while creation of the folder with the specific type "user_home_t". But the Apache will not be able to server from this folder because of this type Tuple .

Step 2
First make sure that the DAC level permission is done for apache user to enter the users home directory to get the files inside the public_html folder. Because "SELinux honors the DAC prior to MAC"
# chmod a+x /home/user
# chmod a+x /home/user/public_html
Try accessing the file using the web browser http://localhost/~user.
This will serve the page from the users home directory. If we recall the SELinux has been set as Permissive mode so the page has been served. Refer Logs to find more details about the SElinux policy violations. The Logs will be generated since the SELinux is running at Permissive mode

Step:- 3
Now change the SELInux mode to Enforced
# echo 1 > /selinux/enforce
# setenforce 1
# sestatus
Make sure SELinux is running in the Enforced mode. Try accessing the file using the web browser http://localhost/~user.
This time we will get the 403 "Forbidden" error msg.

Step:- 4
Manipulate the Type Enforcement(TE), this means we have to make sure that the type or the value of the Tuple is changed on the files to be accessed by Apache.
# chcon -R -t httpd_user_content_t public_html/
Recursively change the type (TE) to "httpd_user_content_t". This will make apache to serve the page from the directory public_html. "httpd_user_content_t" is defined in the policy binary and source file.
# ls -ltrZ public_html/
Confirm the change.

Now Try accessing the file using the web browser http://localhost/~user.
This will serve the content.

To change the mode from enforcing to permissive mode
# echo 0 > /selinux/enforce
# setenforce 0

DAC-checks occurs first and if denied obviates need for MAC-checks

Restorecon - allows to restore the context information or the Tuple.
     This will allow to correctly restore the policy-based (/etc/selinux/targeted/policy/policy.xx) security-label context. The type contexts are inherited from the parent folder while running restorecon.
# restorecon -nv public_html
This will show the change that will be applied in the context from the policy to the current context. Usage of "-n" makes "no changes" to the files.
# restorecon -Rv public_html
This will restore the type context recursively under the folder public_html. The SElinux is need not to be enabled to run this utility because, this tool is based on the /etc/selinux/targeted/policy/policy.xx and applies accordingly.

verify the context with the following command.
# ls -ltrZ public_html

"Copying a file will result in inheriting the type context of the targeted folder".
"Moving a file will preserve the SElinux security Tuple/context/label"

Thursday, January 21, 2010

3. SELinux Labeling

   As we discussed earlier SELinux works based on MAC systems, so that the system admin can separate the subjects from objects and this separation is based on the proper labeling of files in the filesystem. So this labeling becomes the heart of the SELinux functionality. SELinux enforces "types based" on the labels stored with in the files.

Labeling of Objects to support Type Enforcement(TE):

Labeling Features:
  1. To ensure that SELinux functions properly all Objects must be properly labeled to facilitate the Type Enforcement.
  2. File that are improperly labeled will not be protected.
# cd /root
# ls -lZ 

-rw-r--r--    root    root    user_u:object_r:file_t    install.log
    This will show the context information of the SELinux(labeling of each file), stored in the extended attributes of the file which supported by the ext2, ext3 reizerfs file systems inside the root folder. Files will be only properly labeled if we enable SELinux while creation of the files, that means while installation if we enable the SELinux all the files will be properly labeled and will be protected by SELinux and the file that created while SELinux was disabled will not be labeled and we have to do it manually.

       3.  Tuples/labels are the Security context. it is defined in user:role:type
                user example:- system_u, root etc
                role example:-  object_r
                type example:-  user_home_t, file_t etc
       4. Type applied to subject (httpd) is called = DOMAIN
       5. Type applied to Object (install.log) is called = TYPE

Re-Labeling the files to support SELinux
    Two ways to relabel the filesystem
1. Suggested way
    a. # touch /.autorelabel && reboot
        This will properly relabels all the files in the system. This will make the init to initiate the SELinux labeling This will happens before the programs start running.

2. Using the command "fixfiles"
    /sbin/fixfiles which belongs to "policycoreutils" rpm will change the context information will be done with out the system reboot.
To work with the fixfiles, the SELinux must be disabled before creation of the files and then use fixfiles to relabel the file
# fixfiles relabel
    This will relabels entire filesystem
# fixfiles -l fixedfile_log relabel
    This will relabels entire filesystem and logs output to the file fixedfile_log.
# fixfiles -R package name
    This will restore the labeling information of all the files installed by the particular package

APT-GET command real time examples