Thursday, February 4, 2010

8. SELinux Targeted Policy (RedHat) - III

SELinux Context Definition:
    Here we discuss the basics behind roles, types and domains in SELinux. It is important to have a clear understanding of the three key pieces of information used in the security context Tuple.

Security Context or Tuple:
    A security context, or Tuple, consists of 2 or more related fields in a given row.
eg:- user_u:system_r:unconfined_t
Explained in simple words, it is like "id:first_name:last_name".

Field/Degree 1: USER LABEL
eg:- user_u, root_u etc
In general the first value is the user value. Usually a non-privileged user is described as "user_u", while the root user is treated as "root_u". The targeted policy in RHEL does not concentrate much on the first and second fields.

Field/Degree 2: (Role based Access control[RBAC])
    SELinux supports users being members of a role (much like a typical DAC system, where a user belongs to a group). i.e., in the example Tuples user_u:system_r:unconfined_t & root_u:system_r:unconfined_t, the non-privileged & privileged users have a common role, "system_r".

Field/Degree 3: Type/Domain
    It makes a difference whether we apply this field to a subject or an object. i.e., a Type is applied to objects such as files, and a Domain is applied to subjects (programs or users).
Privileged as well as non-privileged users are grouped into the unconfined "Type" by default.
For a daemon such as httpd, each process has a domain named after the process with a suffix of "_t", eg:- httpd_t, dhcpd_t

7. SELinux Targeted Policy (RedHat) - II

Confined and Unconfined states
1. How to disable protection of a currently protected targeted daemon (httpd) while SELinux runs in enforcing mode?
How to exclude a particular domain from SELinux protection while it runs in enforcing mode?
Transition of a daemon from the confined state to the unconfined state

We will explain this with the apache daemon. Let's start by moving apache from the confined state to the unconfined state.
# ps -axZ |grep httpd
    This shows the apache sandbox (Tuple) details, i.e., the SELinux labeling of the httpd processes.
# cd /selinux
    Inside this directory is a file called httpd_disable_trans, which controls whether httpd, upon invocation, makes the transition from the default unconfined_t (unconfined) to httpd_t (confined).

Step: 1
# echo "1 1" > /selinux/booleans/httpd_disable_trans
    The file is overwritten with two values, "1 1". The first value "1" relates to the currently running status of the daemon with respect to SELinux, i.e., the service is currently being protected, and the other value "1" is the pending value.
Step: 2
# echo "1" > /selinux/commit_pending_bools
    This applies the changes to the booleans immediately and reloads the SELinux policy (none of the other domains are affected).
Step: 3
# service httpd restart
    This restarts the httpd service, which finishes the transition from the confined (httpd_t) sandbox to the unconfined (unconfined_t) sandbox, "which is not protected by the Targeted Policy". This means the httpd service will behave like a typical Linux service.
# ps -axZ |grep httpd
    Now we can see that httpd has moved from confined to unconfined.

2. Changing httpd back from the unconfined to the confined context.

# echo "0 0" > /selinux/booleans/httpd_disable_trans
# echo "1" > /selinux/commit_pending_bools
# service httpd restart
# ps -axZ
    Now we can see that httpd is running confined.
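
An added example (not from the original post): a shell function that automates the "ps -axZ" check used in both procedures above, splitting each security context into its fields and reporting whether every process of a daemon runs in its own <daemon>_t domain. The function name audit_domain, the sample lines and the PIDs are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ps -axZ` output (not captured from a real host).
# The ":s0" suffix on the dhcpd line assumes a release that appends a
# fourth (level) field to the context.
sample_ps() {
cat <<'EOF'
LABEL                             PID TTY      STAT   TIME COMMAND
user_u:system_r:httpd_t          2101 ?        Ss     0:00 /usr/sbin/httpd
user_u:system_r:unconfined_t     2230 ?        S      0:00 /usr/sbin/httpd
user_u:system_r:unconfined_t     2300 pts/0    S+     0:00 grep httpd
system_u:system_r:dhcpd_t:s0     1890 ?        Ss     0:00 /usr/sbin/dhcpd
EOF
}

# audit_domain DAEMON  (hypothetical helper name)
# Reads `ps -axZ` lines on stdin and prints "PID TYPE STATE" for every
# process whose command basename is DAEMON. Returns 1 if any such process
# is outside DAEMON_t, so it can gate a cron job or a monitoring check.
audit_domain() {
    awk -v d="$1" '
        NR == 1 && $1 == "LABEL" { next }      # skip the header row
        {
            n = split($6, path, "/")           # basename of COMMAND
            if (path[n] != d) next             # also drops "grep httpd"
            nf = split($1, ctx, ":")           # user:role:type[:level]
            if (nf < 3) {
                type = "-"; state = "malformed"
            } else {
                type = ctx[3]
                if (type == (d "_t"))            state = "confined"
                else if (type == "unconfined_t") state = "unconfined"
                else                             state = "unexpected"
            }
            if (state != "confined") bad = 1
            printf "%s %s %s\n", $2, type, state
        }
        END { exit (bad ? 1 : 0) }
    '
}

# On a live host: ps -axZ | audit_domain httpd
sample_ps | audit_domain httpd || echo "httpd has processes outside httpd_t"
```

A non-zero return after "service httpd restart" means at least one httpd process is still running outside httpd_t.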

Wednesday, February 3, 2010

6. SELinux Targeted Policy (RedHat) - I

    Here we discuss the daemons supported by the Targeted Policy. The Targeted policy in SELinux is specifically designed for RHEL and not applied to other Linux Distros. The idea of the Targeted policy in SELinux is to protect the vulnerable/highly utilized daemons/services of RHEL servers. Each daemon is essentially sandboxed in the targeted policy, i.e., daemons are restricted to their own area and are unable to interact with other areas/domains.
List of daemons protected by the Targeted Policy by default:
  1. dhcpd
  2. httpd
  3. mysql
  4. named
  5. nscd - name service caching daemon
  6. ntpd
  7. portmap
  8. postgresql
  9. snmpd
  10. squid
  11. syslogd
  12. winbindd
  13. All other processes
    The first 12 processes mentioned above are the daemons which are protected as confined domains in the Tuple (httpd_t, squid_t, snmp_t etc.), and all other programs/subjects/processes are included in the unconfined (unconfined_t) domain in the Targeted Policy. The Targeted policy restricts one domain from communicating with another, i.e., dhcpd_t with httpd_t, which is why the daemons can be called sandboxed.