Friday, February 12, 2010

11. SELinux Tools

Utility "star"
Archiving SELinux Labeled files (Backup of SELinux labeled files using "star")
    Currently "tar" does not back up the SELinux context information while archiving. "star" is not installed by default; it is a replacement for tar on a SELinux system, and it preserves the security context information (stored in the file's extended attributes).
Usage of "star"
The following example shows this.
# mkdir /root/test
# seq 1000000 > /root/test/test_file.txt
# ls -alZ /root/test/
    Make note of the SELinux label.
# star -xattr -H=exustar -c -f /root/test
    This will create a file called
Now test the above by extracting the archive with "star"
# cp /tmp && cd /tmp
# star -xattr -x -f
# ls -alZ /test
    The directory archived earlier is restored with its security tuple preserved. With "tar" the result differs: on extraction, the newly created files take the tuple of the parent directory.
    The archive created by star can also be extracted by tar, but tar cannot read the extended attributes from the archive, so the extracted files are created without the preserved context information. Optionally we can back up without the SELinux context information and rely on reinstating the SELinux context of all files afterwards, using "fixfiles" or "# touch /.autorelabel && reboot". This method applies to all tools that are not SELinux aware.

SELinux LOG files
What to look for in the log files when investigating denials/permission problems:
    /var/log/messages is the default AUDIT log file (this may vary according to the "kern.*" selector in syslog.conf), and it stores the messages related to "avc".
# grep avc /var/log/messages | less
    This shows the log of SELinux activity on the system. The file logs the following events:
1. usage of resources
2. relabeling file contexts
3. changing the mode (enforcing=0 and enforcing=1).
4. booleans change information
5. file system relabeled after a reboot by setting up /.autorelabel

Structure of a log entry for an action denied by SELinux:
avc: denied { getattr read link } for pid=4223 exe=/usr/sbin/httpd path=/home/user/public_html scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir
    { getattr read link }     the operation(s) attempted by the subject on the object
    pid=4223                  the process ID
    exe=/usr/sbin/httpd       the executable (daemon) that made the attempt
    path=...                  the path of the object accessed by the subject
    scontext=...              the source context (the subject's context)
    tcontext=...              the target context (the object's context)
    tclass=dir                the class of the object (directory, file, etc.)
    These logs are used to troubleshoot issues with SELinux. The problem may initially be due to DAC or MAC; both produce log entries here, so verify the DAC permissions before checking MAC.
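As an added example (not part of the original post), the following shell script pulls the fields described above out of "avc: denied" lines and counts denials per source type, target type and object class, which is the kind of daily log review this post recommends. The log lines are constructed for the example and the functions avc_parse and avc_summary are mine, not standard tools; on a real system pipe /var/log/messages (or wherever kern.* goes) into avc_summary.

```shell
#!/bin/sh
# Added example: summarise AVC denials found in a syslog-style file.
# Constructed sample log lines (not from a real system). The field
# layout follows the kernel's avc messages: "denied { perms } for pid=..."
AVC_SAMPLE='Feb 12 10:01:02 host kernel: audit(1265968862.123:45): avc:  denied  { getattr read } for  pid=4223 comm="httpd" name="public_html" dev=sda2 ino=12345 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir
Feb 12 10:01:03 host kernel: audit(1265968863.456:46): avc:  denied  { read } for  pid=4223 comm="httpd" name="index.html" dev=sda2 ino=12346 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
Feb 12 10:01:04 host kernel: audit(1265968864.789:47): avc:  denied  { search } for  pid=4223 comm="httpd" name="public_html" dev=sda2 ino=12345 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir
Feb 12 10:01:05 host kernel: audit(1265968865.012:48): avc:  denied  { name_bind } for  pid=4300 comm="httpd" src=8080 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
Feb 12 10:02:00 host kernel: audit(1265968920.000:49): security: 3 users, 6 roles, 1218 types, 120 bools'

# avc_parse: read log lines on stdin, print one line per denial:
#   <source type> <target type> <object class> <perm1,perm2,...>
# Lines that are not denials (mode switches, relabel notices, ...) are ignored.
avc_parse() {
    awk '
    /avc: *denied/ {
        inb = 0; perms = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inb = 1; continue }
            if ($i == "}") { inb = 0; continue }
            if (inb) { perms = perms (perms == "" ? "" : ",") $i; continue }
            split($i, kv, "=")
            # the type is the third field of user:role:type[:level]
            if (kv[1] == "scontext") { split(kv[2], c, ":"); st = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); tt = c[3] }
            if (kv[1] == "tclass")   cls = kv[2]
        }
        print st, tt, cls, perms
    }'
}

# avc_summary: count denials per (source type, target type, class),
# most frequent first. Reads log lines on stdin.
avc_summary() {
    avc_parse | awk '{ n[$1 " " $2 " " $3]++ }
                     END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$AVC_SAMPLE" | avc_summary
```

The most frequent line of the summary is usually the first thing to look at: here httpd_t against user_home_t on directories, which in this post comes from a mislabeled public_html rather than from a missing policy rule.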

Enabling Auditing:
    This makes SELinux more verbose in logging information to the log file, which makes debugging SELinux related issues easier.
To enable auditing:
Modify /etc/grub.conf by appending "audit=1" to kernel boot line
# vim /etc/grub.conf
# reboot
    Reboot the system; this completes enabling the auditing.
Confirming whether auditing is enabled
# cat /proc/cmdline
ro root=LABEL=/ rhgb quiet audit=1
    This file contains the parameters used to boot the currently running kernel. Verify that the option "audit=1" is present.
# grep audit /var/log/messages
(This may vary according to your kernel logging location)
    Monitor the above log file; it shows the audit related messages and the information about enabling the audit.

Now we will create a condition to test/witness auditing, using apache for it.

# /usr/sbin/run_init /etc/init.d/httpd start
# ps -ef |grep httpd
    This starts httpd with SELinux support.
# cd /home/user/
# chcon -R -t user_home_t public_html
    Now we have changed the type of public_html to user_home_t, which is an incorrect label, so apache cannot access this file. Thus we can generate auditing information.
Verify the mode in which SELinux is running
# cat /selinux/enforce
0
    A value of 0 means SELinux is running in permissive mode, which still generates the audit information.
Note: Permissive mode does not deny subjects access to objects, but it still generates the logs.

Open the browser and access the file
    This will load the file (because we are in permissive mode).
Now switch to enforcing mode and try accessing the same URL http://localhost/~user/
# echo 1 > /selinux/enforce
    This will deny the file access.
Check the log file. According to the syslog.conf file it logs to /var/log/firewall.log; this can be changed.
# grep kern /etc/syslog.conf
# less /var/log/firewall.log
    The default /var/log/messages file only contains the information about switching the SELinux mode, which means the auditing has been logged somewhere else. /var/log/firewall.log shows the detailed information about the SELinux activity. This is very useful for tracing the exact problem on a SELinux enabled system: we can analyze which subjects have been denied access to which objects. By default auditing is disabled, but it is necessary for debugging SELinux related issues. The log file grows rapidly, so log analysis should be done on a daily basis.

Installing SELinux Management Tools
    These tools help in auditing and inspecting the SELinux environment. Both GUI and CLI tools are available.

Shell Based Tools
Install the package using rpm: setools-xx.rpm.
1. seinfo
    Provides useful information from the source or binary policy.
# /usr/bin/seinfo /etc/selinux/targeted/policy/policy.18
    This returns information about the policy. Without the path to the policy the tool fails to run.
This shows the policy that is cached by the AVC and running in the system.

2. avcstat (Access Vector Cache statistics)
    This tool shows the status of the AVC, which caches the access decisions of the current policy, including the number of hits, misses, lookups etc. From these we can get a sense of whether SELinux usage has increased or decreased.
Installed in the location /usr/sbin/avcstat
# /usr/sbin/avcstat
   lookups       hits     misses     allocs   reclaims      frees
   2033982    2010020      12772      13983        140      12005
    This returns the number of lookups to the AVC cache and the number of hits. These are the metrics to monitor for whether the system is underperforming: if the number of lookups is double the number of hits, the system is underperforming.
# /usr/sbin/avcstat 5
    This refreshes the output every 5 seconds.
3. sesearch
    This searches the policy by source type, target type or object class, finds all matching rules, and so shows which subjects relate to which objects according to the rules.
# /usr/bin/sesearch -a -t httpd_sys_content_t /etc/selinux/targeted/policy/policy.18
    This shows all the rules (-a) that match the target type (-t) httpd_sys_content_t in the given policy "policy.18". The tool dumps the permissions for the type we have given, so it is very useful for troubleshooting and for mimicking existing rules when creating rules for a new domain.
# /usr/bin/sesearch -a -s httpd_t /etc/selinux/targeted/policy/policy.18
    This shows all the rules with the source type (-s) httpd_t.

GUI Based Tools
1. seaudit
    This provides a way to interact with the entries logged by SELinux into the default location /var/log/messages. If the kernel logs are not going to /var/log/messages we have to configure the tool with the appropriate file location.
Installing the tool:
#rpm -ivh setools-gui-xx.rpm
    This installs both seaudit and apol.
# seaudit -l /var/log/firewall.log -p /etc/selinux/targeted/policy/policy.18
    seaudit has to be given the location of the log file (-l) and the location of the policy (-p).

2. apol
      apol is a graphical tool that allows the user to inspect aspects of a SELinux security policy. The tool lets the user browse policy components (types, classes, roles, users, etc.), rules (TE, RBAC, MLS), and file system contexts. Among other capabilities, the tool provides in depth analysis of domain transitions, information flows, and relabeling permissions.

Thursday, February 11, 2010

10. SELinux - Source Targeted Policy

The file_context file with respect to Source Targeted Policy:
    The binary installation of the Targeted Policy creates the file "file_contexts" inside /etc/selinux/targeted/contexts/files; many individual files are involved in creating the file_contexts file.
After installation of the source policy we get a folder called /etc/selinux/targeted/src. Beneath "src", a folder called "policy" contains many files and folders, including version information, role based access control information and other related files. Two important files in this folder are "attrib.te", used for the Type Enforcement of attributes, and "assert.te". The "file_contexts" sub directory inside the policy folder of "src" has an additional file called "types.fc", which is almost the same as the "file_contexts" of the binary installation. The "distro.fc" file holds information about the linux distros, used for conditional matches in m4 while building the policy (i.e. it guides to the exact file location according to the distro variable).
(filename.fc = file context
 filename.te = type enforcement)
The "program" directory of "file_contexts" has many *.fc files which define the file context information for the various system utilities and daemons.
# cat ping.fc
# ping

/bin/ping.*        --    system_u:object_r:ping_exec_t
/usr/sbin/hping2    --    system_u:object_r:ping_exec_t
    This file defines the file context information for the binary ping, i.e. if the policy were applied in the system the security label would be as above. But if we look at the binary /bin/ping, it shows something that does not match the above statement.
The context information of the current binary is
# ls -alZ /bin/ping
-rwxr-xr-x    root root system_u:object_r:bin_t
    This is because each file context defined inside the folder "/etc/selinux/targeted/src/policy/file_contexts/program" must have a corresponding type enforcement defined. Here the type "bin_t" is inherited from the context of the parent directory (/bin). The corresponding ".te" files are located in /etc/selinux/targeted/src/policy/domains/program. This folder houses all the TE files that correspond to the .fc files, e.g. apache.te, dhcpd.te, ntpd.te etc. So the daemons listed there (corresponding to the programs) will be protected.
Check whether the protection for apache has been enforced
# cat /etc/selinux/targeted/src/policy/file_contexts/program/apache.fc | grep /var/www
/var/www(/.*)?    system_u:object_r:httpd_sys_content_t
(And the corresponding TE file has been created inside "/etc/selinux/targeted/src/policy/domains/program")
# ls -al /etc/selinux/targeted/src/policy/domains/program |grep apache
-rwx------    root root Jan 8 2010    apache.te
Now check the file context of the folder /var/www
# ls -ldZ /var/www
drwxr-x--x    root root Jan 8 2010 system_u:object_r:httpd_sys_content_t
    The folder is correctly labeled because the .fc file has a corresponding .te file defined, i.e. the type has been enforced because there is a corresponding TE file for the FC file.

Focus on TE files which relate to FC files.
    TE files reside inside /etc/selinux/targeted/src/policy/domains/program.
Function of TE :
1. TE files enforce Type
    a. TE files describe what each domain is able to do; this includes the types that the domain is able to access as well as the related system calls (link, unlink, read, tcp_open, udp_open etc).
2. The actions that are to be enabled on the object are defined in the TE file: the "TE" file enables actions on objects.

   " We will explain this process with apache service."

        The SELinux admin should have a low-level understanding of the operating system in order to understand the calls made by a program.
The general system calls that apache makes are described below.
    a. read files (config files, content files and log files)
    b. bind to network ports (TCP: 80, TCP :443)
    c. write to file (log files)
    d. execute scripts (cgi, php etc)

Now take a look at apache file:
# vim /etc/selinux/targeted/src/policy/domains/program/apache.te
    Initially it defines the booleans that can be overridden by the configuration in the "/etc/selinux/targeted/booleans" file. Under "Apache Types" we define the types supported by apache. This is where the labels for the domains are actually defined, and they usually correspond to the types applied to the filenames.
For Eg:-
# ls -alZ /var/www/
drwxr-x--x    root root Jan 8 2010 system_u:object_r:httpd_sys_script_exec_t cgi-bin
drwxr-x--x    root root Jan 8 2010 system_u:object_r:httpd_sys_content_t error
drwxr-x--x    root root Jan 8 2010 system_u:object_r:httpd_sys_content_t html
drwxr-x--x    root root Jan 8 2010 system_u:object_r:httpd_sys_content_t icons
drwxr-x--x    root root Jan 8 2010 system_u:object_r:httpd_sys_content_t manual
drwxr-x--x    root root Jan 8 2010 system_u:object_r:httpd_sys_content_t usage
    Notice that the context entries in this folder are defined in the "apache.te" file. Beneath "Apache Types" we can see the types defined to allow access for apache.
# cat /etc/selinux/targeted/src/policy/domains/program/apache.te
    "This file governs what the apache and its related programs are allowed to do on your system."
Syntax: The syntax is as follows
allow|neverallow|auditallow|dontaudit     subject_domain     object_type:object_class     {permissions to be applied};
allow httpd_t httpd_log_t:lnk_file read;
    allows the httpd_t domain access to objects of type httpd_log_t with object class lnk_file and permission read
allow httpd_suexec_t self:capability { setuid setgid };
    allows the subject httpd_suexec_t domain the capability object class on itself ("self") with permissions setuid and setgid
dontaudit httpd_suexec_t var_run_t:dir search;
    This stops auditing (logging) of the given access; it is still denied, but no avc message is written for it
allow httpd_suexec_t home_root_t:dir search;
    This grants apache permission to search objects labeled home_root_t whose object class is a directory. This means apache can search any directory having the label "home_root_t" (object class: dir).
The permissions must be enclosed in "{}" curly brackets when defining two or more at a time.

Monday, February 8, 2010

9. SELinux Targeted Policy (RedHat) - IV

Now we will discuss preparing the system with the source policies that are associated with policy number 18 (which comes by default with RHEL 4).
Inside the "/etc/selinux" folder is a "targeted" folder which contains the source and binary policies. If we intend to make any changes to the policy we have to install the targeted source policy; the default installation is the binary policy, which cannot be changed. So for changing the policy we have to install the targeted source policy. Again, "the default installation of RHEL 4 installs the binary packages."

Need for source policy installation
  1. In order to customize or change the policy
  2. In order to learn more about how the targeted policy is written.
  3. To define a policy for a newly installed program (which moves the newly installed program into a confined domain in SELinux).
    SELinux, which operates in the kernel, processes the existing policy in binary form in memory, so the source files are not used by the kernel portion of SELinux.
The "/etc/selinux" folder contains
  • targeted/
  • config,v
  • config
The "Targeted" folder Contains
  • booleans  (This file contains the variables for enabling and disabling features on the fly, such as cgi in apache, httpd_enable_homedirs (refer to the previous topic) etc.)
  • policy/ (This folder contains the actual binary file of the policy, called policy.xx, e.g. "policy.18" on RHEL 4)
  • contexts/ (This folder holds the information about the contexts. All the contexts (tuples) are defined inside this folder. The "file_contexts" file inside the folder "contexts/files" is the key file that maintains the relationship between the directories of the file system and how those directories and files should be labeled. The file also contains the context entries for all sorts of mount points, i.e. how the files created in the file system should be labeled by default.)
Installing source policy for Targeted Policy:
# rpm -qa |grep -i selinux
    This shows the selinux-policy-targeted package, which is responsible for the binary policy installation.
For installation of the selinux source policy, download the source package of the policy named selinux-policy-targeted-sources.version.rpm. The installation creates the folder /etc/selinux/targeted/src.
Install the package
# rpm -ivh selinux-policy-targeted-sources.version.rpm
# cd /etc/selinux/targeted/src
    Beneath /etc/selinux/targeted/src is a directory called "policy" which contains all the files and directories pertaining to the targeted policy.

The "file_contexts" file:
    This file contains the labeling information for all objects and subjects. It uses regular expressions for labeling the files; check the "/home" definitions in the file to get a better idea of the regular expressions used in file_contexts.
The format used in the file is
" regexp [-type] context|<<none>> "

(-d = directory
 -- = regular file)
/home     -d     system_u:object_r:home_root_t
    The knowledge in this file is useful while creating new policies.
Another example:
/media/[^/]*/.*    <<none>>
    This applies no label to mounted objects beneath the folder /media (e.g. a cdrom mounted inside /media). In short, this file describes how the files in the system should be labeled for the targeted policy to take effect. So when we run the "fixfiles" utility (refer to previous posts) it consults this file for labeling.
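As an added example (not part of the original post), the script below resolves which label a path would receive from a set of file_contexts entries in the "regexp [-type] context|<<none>>" format above, including the -d/-- type filter and the <<none>> case. The entries are a small constructed excerpt, not the real file, and fc_lookup is my own function; it uses last-match-wins, which is how setfiles of the RHEL 4 era resolved overlapping entries (newer libselinux sorts entries by specificity instead, so treat that as an assumption about the old tool).

```shell
#!/bin/sh
# Added example: resolve the label a path would get from file_contexts
# entries, using the "regexp [-type] context|<<none>>" format.
# The entries below are constructed for this example; a real
# file_contexts is far larger.
FILE_CONTEXTS_SAMPLE='/.*                 system_u:object_r:default_t
/home           -d  system_u:object_r:home_root_t
/home/[^/]*     -d  system_u:object_r:user_home_dir_t
/home/[^/]*/.*      system_u:object_r:user_home_t
/var/www(/.*)?      system_u:object_r:httpd_sys_content_t
/media/[^/]*/.*     <<none>>'

# fc_lookup PATH TYPE
#   TYPE is the file_contexts type code: -d directory, -- regular file
#   (the file also uses -b, -c, -l, -p, -s for block, char, symlink,
#   pipe and socket). Entries carrying a type code apply only to files
#   of that type; entries without one apply to every type. Regexes are
#   anchored to the whole path, as setfiles does. The LAST matching
#   entry wins (assumed legacy setfiles behaviour, see lead-in).
fc_lookup() {
    path=$1
    kind=$2
    printf '%s\n' "$FILE_CONTEXTS_SAMPLE" | {
        result=""
        while read -r re f2 f3; do
            # three fields: regex, type code, context; two: regex, context
            if [ -n "$f3" ]; then etype=$f2; ctx=$f3; else etype=""; ctx=$f2; fi
            if [ -n "$etype" ] && [ "$etype" != "$kind" ]; then
                continue
            fi
            # -x makes grep match the whole line, i.e. an anchored regex
            if printf '%s\n' "$path" | grep -Eqx -- "$re"; then
                result=$ctx
            fi
        done
        printf '%s\n' "$result"
    }
}

# Stand-alone demonstration over a few constructed paths:
for p in "/home -d" "/home/alice -d" "/home/alice/.bashrc --" \
         "/var/www/html/index.html --" "/media/cdrom/README --"; do
    set -- $p
    printf '%-28s %s\n' "$1" "$(fc_lookup "$1" "$2")"
done
```

The /home lines show why the type code matters: "/home -d" labels only the directory itself, so a regular file under /home/alice falls through to the unfiltered "/home/[^/]*/.*" entry and gets user_home_t.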

RUN_INIT (Process at system boots with respect to SELinux)
    While the system boots, INIT determines whether SELinux is supported and, if so, creates the process or allocates the space in memory with the help of the utility "run_init". "run_init" sets up the programs protected by SELinux in distinct spaces that cannot overlap each other or be interfered with by other daemons, which increases system security.

Key Start-up Utility For SELinux-Protected Daemons:
    If we need to restart a daemon, run_init helps the program run within its protected space, i.e. "run_init" ensures protected daemon isolation. "run_init" is installed by the package named "policycoreutils".

How to check whether a process is out of context or running correctly with the context defined by the policy:

We will use the apache to check whether the daemon is having the correct context
# ps -axZ |grep httpd
root:system_r:httpd_t    3111    ?    S    0:00    /usr/sbin/httpd
    Here we can see the tuple/context "root:system_r:httpd_t". Apache is running with the wrong SELinux user identity, "root".

To change it First kill the process
# kill 3111

Now run the process/httpd daemon using run_init
# /usr/sbin/run_init /etc/init.d/httpd start
    (This will prompt you for the root user's password.)
        This starts the httpd daemon in the domain specified in the policy, i.e. the policy enforces or honors the type.
Now we check the httpd process again
# ps -axZ |grep httpd
user_u:system_r:httpd_t    5114    ?    S    0:00    /usr/sbin/httpd
    We can see that apache is up and running with the proper context.
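As an added example (not part of the original post), the script below automates the check just described: it reads "ps -axZ" style output and, for every process running a given command, reports whether the domain is the one the policy expects and whether the SELinux user is a login identity such as "root" rather than user_u/system_u, which is what the post shows when httpd is started from a root shell instead of via run_init. The ps lines are constructed for the example and check_daemon_ctx is my own function; on a live system run "ps -axZ | check_daemon_ctx httpd httpd_t".

```shell
#!/bin/sh
# Added example: check whether a daemon runs in the context the policy
# expects, using "ps -axZ" style output (LABEL PID TTY STAT TIME COMMAND).
# Sample lines are constructed for this example.
PS_SAMPLE='LABEL                           PID TTY      STAT   TIME COMMAND
root:system_r:httpd_t          3111 ?        S      0:00 /usr/sbin/httpd
user_u:system_r:httpd_t        5114 ?        S      0:00 /usr/sbin/httpd
root:system_r:unconfined_t     5300 ?        S      0:00 /usr/sbin/httpd
user_u:system_r:sshd_t         2201 ?        S      0:00 /usr/sbin/sshd'

# check_daemon_ctx NAME TYPE
#   Reads ps -Z output on stdin and prints, for every process whose
#   command (6th column, path without arguments) is NAME:
#       <pid> <context> <verdict>
#   WRONG_TYPE  the process is not in domain TYPE (policy not honoured)
#   WRONG_USER  the SELinux user is a login identity such as "root"
#               rather than an SELinux user like user_u or system_u;
#               restarting via run_init fixes this in the post
#   OK          domain and user are as expected
check_daemon_ctx() {
    awk -v name="$1" -v want="$2" '
    $1 == "LABEL" { next }                       # skip the ps header
    $6 ~ ("(^|/)" name "$") {
        split($1, c, ":")                        # user:role:type
        if (c[3] != want)       verdict = "WRONG_TYPE"
        else if (c[1] !~ /_u$/) verdict = "WRONG_USER"
        else                    verdict = "OK"
        print $2, $1, verdict
    }'
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$PS_SAMPLE" | check_daemon_ctx httpd httpd_t
```

The type check comes first because a process outside its domain (here unconfined_t) is the more serious finding: it runs with none of the restrictions apache.te defines, whereas the wrong-user case at least stays inside httpd_t.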