Related: [[grsec]]
= selinux =

<blockquote>SELinux is a mandatory access control (MAC) system that can be used to protect services and contain security exploits found in system daemons or user applications. SELinux constrains services to a least-privilege security domain by way of a security policy, customized by administrators, that provides fine-grain control over information flow.</blockquote>
== Log file ==

<pre>
# cat /var/log/audit/audit.log
</pre>

=== Example denied entry ===

<pre>
type=AVC msg=audit(1247665905.681:32003):
avc: denied { write } for pid=1118 comm="cmd.cgi" name="nagios.cmd" dev=dm-2 ino=819218
scontext=root:system_r:httpd_nagios_script_t:s0
tcontext=root:object_r:nagios_log_t:s0 tclass=fifo_file
</pre>

* comm = command that had access denied
* name = target
* scontext = source security context
* tcontext = target's security context
== Create new rule ==

The simplest way to create a new rule is with the audit2allow command. It will create a rule based on the error in SELinux's audit log. The module/rule must have a unique name. The installed modules can be viewed using <code>semodule -l</code>.

=== View new rule first ===

We have two methods.

1) Create a rule for all errors in the log:

<pre>
# audit2allow -m localName -i /var/log/audit/audit.log > httpdNagiosCmd.te
</pre>

2) Search the log for a specified command:

<pre>
# ausearch -m AVC --comm cmd.cgi | audit2allow -m local > httpdNagiosCmd.te
</pre>
==== Example output ====

<pre>
module local 1.0;

require {
	type nagios_log_t;
	type httpd_nagios_script_t;
	class fifo_file { write getattr };
}

#============= httpd_nagios_script_t =====
allow httpd_nagios_script_t nagios_log_t:fifo_file { write getattr };
</pre>
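As an added example (not code from the wiki page and not audit2allow's own source), the following Python script does in miniature what the two commands above do: it parses AVC records of the form shown under "Example denied entry" into the fields listed there (comm, name, scontext, tcontext, tclass, plus the denied permissions), filters them by command the way <code>ausearch -m AVC --comm</code> does, and renders a <code>.te</code> module with the same <code>module</code>/<code>require</code>/<code>allow</code> layout as the example output. The sample log is constructed: only its first record is the denial from this page; the other records and the types nagios_t and net_conf_t in them are assumed for illustration.

```python
"""Parse SELinux AVC denials and render an audit2allow-style policy module.

Added example; not code from the wiki page or from audit2allow itself.
SAMPLE_LOG below is constructed: the first record is the denial shown on
the page, the others are made up to show filtering and grouping.
"""
import re
from collections import defaultdict

# Fixed prefix of an AVC record: type=AVC msg=audit(TS:SERIAL): avc: denied { perms } for ...
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*"
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
    r"(?P<fields>.*)"
)
# key=value pairs after "for"; values are bare tokens or double-quoted strings
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

SAMPLE_LOG = """\
type=AVC msg=audit(1247665905.681:32003): avc: denied { write } for pid=1118 comm="cmd.cgi" name="nagios.cmd" dev=dm-2 ino=819218 scontext=root:system_r:httpd_nagios_script_t:s0 tcontext=root:object_r:nagios_log_t:s0 tclass=fifo_file
type=AVC msg=audit(1247665905.681:32004): avc: denied { getattr } for pid=1118 comm="cmd.cgi" path="/var/log/nagios/rw/nagios.cmd" dev=dm-2 ino=819218 scontext=root:system_r:httpd_nagios_script_t:s0 tcontext=root:object_r:nagios_log_t:s0 tclass=fifo_file
type=AVC msg=audit(1247665910.002:32010): avc: denied { read } for pid=2231 comm="nagios" name="resolv.conf" dev=dm-1 ino=1043 scontext=root:system_r:nagios_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1247665905.681:32003): arch=c000003e syscall=1 success=no exit=-13
"""


def split_context(ctx):
    """'user:role:type[:level]' -> dict; maxsplit=3 keeps MLS ranges such as s0-s0:c0.c1023 intact."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) == 4 else None}


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),                # e.g. ["write"]
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "comm": fields.get("comm"),                       # command that had access denied
        "name": fields.get("name", fields.get("path")),   # target object
        "scontext": split_context(fields["scontext"]),    # source security context
        "tcontext": split_context(fields["tcontext"]),    # target's security context
        "tclass": fields["tclass"],                       # object class (file, fifo_file, ...)
    }


def denials(lines, comm=None):
    """Yield parsed denials; comm filters like `ausearch -m AVC --comm <name>`."""
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied" and (comm is None or rec["comm"] == comm):
            yield rec


def build_module(recs, name="local", version="1.0"):
    """Render a .te module in the shape `audit2allow -m <name>` writes."""
    # (source type, target type, class) -> permissions that were denied
    rules = defaultdict(set)
    for r in recs:
        key = (r["scontext"]["type"], r["tcontext"]["type"], r["tclass"])
        rules[key].update(r["perms"])
    types = sorted({t for s, t_, _ in rules for t in (s, t_)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for stype in sorted({s for s, _, _ in rules}):
        out.append(f"#============= {stype} ==============")
        for (s, t, cls), perms in sorted(rules.items()):
            if s == stype:
                out.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Equivalent of: ausearch -m AVC --comm cmd.cgi | audit2allow -m local
    print(build_module(denials(SAMPLE_LOG.splitlines(), comm="cmd.cgi")))
```

Reading the generated <code>.te</code> before installing it is the whole point of the "view new rule first" step: the <code>allow</code> line names exactly which source domain gets which permissions on which target type, so an unexpected type or an overly broad permission set is easy to spot before <code>checkmodule</code> and <code>semodule -i</code> make it policy.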
=== Edit the file ===

You can now edit the file to remove / add bits you want.

=== Compile the new file ===

<pre>
checkmodule -M -m -o httpdNagiosCmd.mod httpdNagiosCmd.te
semodule_package -o httpdNagiosCmd.pp -m httpdNagiosCmd.mod
semodule -i httpdNagiosCmd.pp
setenforce 1
</pre>
=== Quick way to allow ===

If you don't want to edit the file, you can compile it directly with audit2allow's -M option:

<pre>
ausearch -m AVC --comm cmd.cgi | audit2allow -M httpdNagiosCmd
semodule -i httpdNagiosCmd.pp
setenforce 1
</pre>
== Check status ==

<pre>
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
</pre>
== Permissive mode ==

Permissive mode disables enforcement of the policy; denials are still logged but no longer blocked. It can be used to create log entries showing which new rules need to be set up.

<pre>
# setenforce 0
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
</pre>
== List a file's security context ==

The -Z switch also works with most other utilities, such as ps.

<pre>
ls -Z /var/log/nagios/rw/nagios.cmd
prw-rw---- nagios nagiocmd root:object_r:nagios_log_t /var/log/nagios/rw/nagios.cmd
</pre>
= External Links =

[http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html RedHat Doc]
[[Category:Linux]]
= Background =

SELinux is an enhancement to the Linux kernel released by the NSA.

<blockquote>"Security-enhanced Linux is a research prototype of the Linux® kernel and a number of utilities with enhanced security functionality designed simply to demonstrate the value of mandatory access controls to the Linux community and how such controls could be added to Linux."</blockquote>

Latest revision as of 08:35, 13 July 2011