Utility "star"
Archiving SELinux Labeled files (Backup of SELinux labeled files using "star")
Currently "tar" is not supporting the SELinux context information backup while archiving. This tool is not installed by default. This tool is a replacement to tar in a SELinux system. "star" preserves the security context information
Usage of "star"
Will show with the following example
# mkdir /root/test
# seq 1000000 > /root/test/test_file.txt
# ls -alZ /root/test/
# star -xattr -H=exustar -c -f teststar.star /root/test
Now test the above statement by extracting the file using "STAR"
# cp teststar.star /tmp && cd /tmp
# star -xattr -x -f teststar.star
# ls -alZ /test
Note:-
The archive created by star can also be extracted by tar, but tar wont be able to read the extended attributes from the file resulting creation of extracted file without the preserved context information. Optionaly we can backup with out SELinux context information and can relay upon reinstate the SELinux context for all files using "fixfiles" or by " #touch /.autorelabel && reboot". This method is used for all the tools that are not SELinux compliant.
SELinux LOG files
What to look for in LOG files are related to denies/permission problems:
/var/log/messages is the default AUDIT log file (This may vary according to the "kern*" parameter in syslogd.conf file), and this file stores the messages related to "avc".
# grep avc /var/log/messeges | less
1. usage of resources
2. relabeling file contexts
3. changing the modes (enforcing=0 & enforcing=1).
4. booleans change information
5. file system relabeled after a reboot by setting up /.autorelabel
Structure of logs while an action of denial by SELinux
avc: denied {getattr read link}(attempted operation by subject on object) for pid (the process ID) 4223 exec=/usr/sbin/httpd (executed daemon) path=/home/user/public_html(path to the object accessed by subject) scontext=user_u:system_r:httpd_t(source context information) tcontext=system_u:object:ruser_home_t(targeted context information) tclass=dir (This is the class of the object, directory or file)
Enabling Auditing:
This makes the SELinux more verbose in logging the information to log file. This makes easy for debugging SELinux related issues.
To enable the auditing
Modify /etc/grub.conf by appending "audit=1" to kernel boot line
# vim /etc/grub.conf
audit=1
# reboot
Confirming whether auditing is enabled
# cat /proc/cmdline
ro root=LABEL=/ rhgb quiet audit=1
# grep audit /var/log/messages
(This may vary according to your kernel logging location)Monitor the above log file. this shows audit related messages.Or information about enabling the audit
Now we will create a condition to test/witness auditing. we will use here apache for it
# /usr/sbin/run_init /etc/init.d/httpd start
# ps -ef |grep httpd
# cd /home/user/
# chcon -R -t user_home_t public_html
Verify the mode that SELinux is running
# cat /selinux/enforce
0
Note: Permissive mode will not deny subjects from accessing the objects, but generated logs.
Open the browser and access the file
http://localhost/~user/
This will load the file.(Because we are in permissive mode)
Now switch to enforcing mode and try accessing the same url http://localhost/~user/
# echo 1 > /selinux/enforce
Check the log file, According to syslog.conf file It logs to /var/log/firewall.log. This can be changed
http://localhost/~user/
# grep kern* /etc/syslog.conf
# less /var/log/firewall.log
This default /var/log/messege file only contains the information about switching the SELinux mode, this means the auditing has been logged to some where else. The /var/log/firewall.log shows the detailed information about the SELinux activity. This makes very useful to trace out the exact problem with SELinux enabled system. We can analyze to get the information about which objects have been denied from accessing by objects. By default the auditing is disabled. It is necessery for debugging the SELinux related issues. The Log file keeps on increasing rapidly, so the log file analysis should be taken care in daily basis.
Installing SELinux Management Tools
This tool helps in Auditing and inspecting SELinux environment. Both GUI and CLI tools are available.
Shell Based Tools
Install the package using the rpm setools-xx.rpm.
1. seinfo
which provides useful input based on source or binary policy.
# /usr/bin/seinfo /etc/selinux/targeted/policy/policy.18
This shows the policy that cached by "avc" and running in the system.
2. avcstat (Advanced Vector Cache Stat)
This tool shows the status of avc which houses the current policy, includes the information about the hits,misses, lookups etc. So we can get the sence of SELinux usage whether increased of decreased.
Installed in the location /usr/sbin/avcstat
# /usr/sbin/avcstat
lookups hits misses allocs reclaims frees
2033982 2010020 12772 13983 140 12005
# /usr/sbin/avcstat 5
3. sesearch
This has the ability to search based on source type, destination type or class and search all the policy to get a match and get the conclusion that which subject related to object as per the rules.
#/usr/bin/sesearch -a -t httpd_sys_content_t /etc/selinux/targeted/polcy/policy.18
#/usr/bin/sesearch -a -s httpd_t /etc/selinux/targeted/polcy/policy.18
This shows all the rules based on the subject httpdGUI Based Tools
1. seaudit
This provides a way to interact with the entries that logged by SELinux into the default location /var/log/messages If the kernel logs are not logging into /var/log/messeges we have to configure the tool with the approproate file location.
Installing the tool:
#rpm -ivh setools-gui-xx.rpm
# seaudit -l /var/log/firewall.log -p /etc/selinux/targeted/policy/policy.18
2. apol
apol is a graphical tool that allows the user to inspect aspects of a SELinux security policy. The tool lets the user browse policy components (types, classes, roles, users, etc.), rules (TE, RBAC, MLS), and file system contexts. Among other capabilities, the tool provides in depth analysis of domain transitions, information flows, and relabeling permissions.
No comments:
Post a Comment
tag ur valuable ideas below