Daniel J Walsh
Principal Software Engineer
Lead SELinux developer
Red Hat
I have just completed a project to secure the Fedora Infrastructure, and plan on writing up what we did
in a future Red Hat Magazine article. After many years of looking at SELinux error messages I have
found that almost all SELinux problems fall into one of the following categories.

Labeling Problems
A confined process is configured in a way different than the default SELinux expected.
Bug in Policy or an Application.
Your machine has been compromised.

I use this list to try to figure out what the problem is when I am confronted with an SELinux problem.
You can also use system-config-selinux to set up your SELinux labeling.
Now if an administrator creates a file under /srv/myweb, or copies a file there, the file will
automatically get labeled httpd_sys_content_t. Note: if you use the mv command, the file could end
up mislabeled. The mv command maintains the file context of the source file. So if you mv'd a file from
your home directory, the file would end up being labeled user_home_t, and httpd would not be able to
read it. You can use restorecon to fix the label.
In the past we have seen some applications that have modified files in their post-install and left them
mislabeled. For example, the vmware package copies the /etc/services file to the /tmp directory. It then
adds a port line to it, and mv's it back to /etc/. Since rpm labels files created in /tmp during post-install
rpm_script_tmp_t, the file gets that label, and the mv command maintains it. Since no confined
domains are allowed to read files labeled rpm_script_tmp_t, the confined domains start breaking,
complaining about this label. You can use restorecon /etc/services to fix the label.
restorecond is a daemon service that has the ability to watch file creations and maintain their file
context. restorecond reads the /etc/selinux/restorecond.conf file for a list of files to watch, and then if
those files get created with the wrong context, restorecond resets them to the right context. Happily,
restorecond is less important as apps and admins become more SELinux aware. As we move to
confined user apps though, maintaining the labels in a user's home directory will become more
important.
CGI scripts.
httpd_enable_ftp_server -> off    Allow httpd to act as a FTP server by listening on the ftp port.
Tools like system-config-selinux or getsebool -a will list all of the possible booleans.
On Fedora 10 systems and newer you can run SELinux error messages (AVCs) through audit2allow
-w (audit2why). This command will check to see if any boolean could be turned on to allow the access.
setroubleshoot is also pretty good at diagnosing these problems.
Administrators might want to change the network ports that a confined application is allowed to listen
on, or to connect to. In certain cases there is a boolean to allow the connection, like the
httpd_can_sendmail boolean, which allows the httpd daemon to connect to the mail port. But in the more general
case you need to tell SELinux if you want to use non-default ports with a confined application. Use the
semanage command to tell SELinux which ports you want to use.
If an administrator decides he wants to allow the bind daemon to listen on tcp port 54, he would need to
execute the following command.
# semanage port -a -t dns_port_t -p tcp 54
# semanage port -l | grep dns
dns_port_t                     tcp      54, 53
dns_port_t                     udp      53
You can also use system-config-selinux to manage SELinux network configuration.

SELinux confines compromises...
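As an added example (not part of the original notes), the following Python helper parses the output of semanage port -l, reports which port types cover a given port, and works out whether the port needs semanage port -a or semanage port -m. The listing is constructed for the example, and the add/modify rule is an assumption: that semanage port -a refuses a port that already has an exact entry under another type, so that entry has to be changed with -m instead.

```python
import re

# Constructed excerpt of `semanage port -l` output (not captured from a real system).
SAMPLE_LISTING = """\
SELinux Port Type              Proto    Port Number

dns_port_t                     tcp      53
dns_port_t                     udp      53
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
smtp_port_t                    tcp      25, 465, 587
unreserved_port_t              tcp      1024-65535
"""

# One data line: type, protocol, then a comma-separated list of ports or low-high ranges.
LINE_RE = re.compile(r'^(\S+)\s+(tcp|udp)\s+(.+)$')


def parse_port_listing(text):
    """Return {(port_type, proto): [(low, high), ...]} from semanage port -l output."""
    listing = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header or blank line
        ptype, proto, spec = m.groups()
        ranges = listing.setdefault((ptype, proto), [])
        for item in spec.split(","):
            low, _, high = item.strip().partition("-")
            ranges.append((int(low), int(high or low)))
    return listing


def types_for_port(listing, proto, port):
    """All port types whose definition covers port/proto, narrowest range first."""
    hits = [(high - low, ptype)
            for (ptype, p), ranges in listing.items() if p == proto
            for low, high in ranges if low <= port <= high]
    return [ptype for _, ptype in sorted(hits)]


def plan_port_change(listing, wanted_type, proto, port):
    """Decide which semanage command (if any) gives port/proto the wanted type.

    Assumption: an exact single-port entry owned by another type blocks `-a`, so `-m` is
    needed; a port that only falls inside a range (e.g. unreserved_port_t) can be added.
    """
    exact_owner = next((ptype for (ptype, p), ranges in listing.items()
                        if p == proto and (port, port) in ranges), None)
    if exact_owner == wanted_type:
        return ("already-defined", None)
    if exact_owner is None:
        return ("add", f"semanage port -a -t {wanted_type} -p {proto} {port}")
    return ("modify", f"semanage port -m -t {wanted_type} -p {proto} {port}")


LISTING = parse_port_listing(SAMPLE_LISTING)

if __name__ == "__main__":
    print("tcp/53 is:", types_for_port(LISTING, "tcp", 53))
    print("tcp/8443 is:", types_for_port(LISTING, "tcp", 8443))
    # The bind-on-port-54 case from the notes: no entry yet, so a plain add works.
    print(plan_port_change(LISTING, "dns_port_t", "tcp", 54))
    # Already owned by dns_port_t: nothing to do.
    print(plan_port_change(LISTING, "dns_port_t", "tcp", 53))
    # Owned by smtp_port_t as an exact entry: has to be modified, not added.
    print(plan_port_change(LISTING, "http_port_t", "tcp", 465))
```

Run it against the real listing by replacing SAMPLE_LISTING with the captured output of semanage port -l; the plan function tells you before you touch the policy whether the port is already defined under a different type.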
SELinux is not an intrusion detection system, and our tools do not currently do a great
job of distinguishing between an intrusion and a general configuration, labeling or
SELinux policy error. There are several tools available to do intrusion detection and
some use the SELinux logs to watch for intrusions.
SELinux will trigger lots of AVC's if an app is actually compromised and tries to do
something it is not designed to do. SELinux development is planning to modify
setroubleshoot to look for compromised application signatures. Currently
setroubleshoot reports all AVC's the same way. One idea is to change
setroubleshoot to put up a Red Star and a stern warning when certain signatures show
up.
SELinux has been around for a while now and the policy is pretty good. If an
application needs major security privileges, SELinux policy probably already allows it.
If you see AVC's that do not make sense or seem to be an application trying to change
security settings, your application might be compromised.
Potential signatures of a compromised confined application:
Confined applications should never try to change SELinux enforcement. This includes changing the
enforcement mode or trying to write to /etc/selinux. Setting booleans would also be a very strange thing
for a confined application to do.
Confined applications should not try to modify the kernel:
    load kernel modules
    write to kernel directories
    write to boot loader or image directories
Confined applications should not be attempting to write to files labeled etc_t (/etc), since a
confined domain that can write to etc_t would be able to overwrite passwd_t.
Confined applications should not be attempting to write to security configuration files, for
example certificates, kerberos files, most configuration data.
Most confined applications should not be attempting to write to shadow_t, or in most cases read
shadow_t.
Confined applications should not be trying to overwrite log files, especially if the log file has
nothing to do with the application.
Most confined applications should not be trying to read files in the users' home directories
(user_home_t). This is where the good stuff is.
Confined applications should not suddenly attempt to connect to random network ports that do not
make sense. SpamBots will try to connect to the mail port.
Confined applications trying to execute mail programs or connect to the mail ports, when they were
not set up to send mail. Most crackers try to grab a machine to set it up as a SpamBot, so no root
access is required.
These might be a bug, but the damage that could be done is too significant to ignore. If you see
something like the above, get help in diagnosing the AVC messages. Use open source mail lists like
the selinux list or the fedora-selinux list to ask for help.
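As an added example (not from the original notes), the Python script below applies the categories above to raw AVC lines as they appear in /var/log/audit/audit.log. It covers the labeling case from the /etc/services story (a target labeled rpm_script_tmp_t), the compromise signatures listed above (security class, sys_module, writes to etc_t and other protected types, shadow_t reads, mail program execution), the httpd_can_sendmail boolean from the ports section, and the ambiguous user_home_t case, where a mv'd file and a compromised app look the same in the log. The sample log lines, the PROTECTED_WRITE_TYPES set and the BOOLEAN_HINTS table are constructed for the example; audit2why does the boolean lookup for real against the loaded policy.

```python
import re
from dataclasses import dataclass

# Kernel AVC record as written to /var/log/audit/audit.log.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr", "link"}

# Target types the notes say a confined domain should not be writing: /etc, the SELinux
# configuration, kernel modules and boot images, certificates, kerberos config, shadow, logs.
PROTECTED_WRITE_TYPES = {"etc_t", "selinux_config_t", "modules_object_t", "boot_t",
                         "cert_t", "krb5_conf_t", "shadow_t", "var_log_t"}

# Constructed lookup table (source domain, target type, permission) -> boolean.
BOOLEAN_HINTS = {("httpd_t", "smtp_port_t", "name_connect"): "httpd_can_sendmail"}


@dataclass
class Avc:
    perms: frozenset
    fields: dict

    def _ctx_type(self, key):
        parts = self.fields.get(key, "").split(":")  # user:role:type:level
        return parts[2] if len(parts) > 2 else ""

    @property
    def sdomain(self):
        return self._ctx_type("scontext")

    @property
    def ttype(self):
        return self._ctx_type("tcontext")

    @property
    def tclass(self):
        return self.fields.get("tclass", "")

    @property
    def target(self):
        return self.fields.get("name") or self.fields.get("path") or "?"


def parse_avc(line):
    """Return an Avc for a 'denied' record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return Avc(frozenset(m.group("perms").split()), fields)


def triage(line):
    """Map one audit line to (category, explanation) using the categories from the notes."""
    avc = parse_avc(line)
    if avc is None:
        return ("not-avc", "no AVC denial on this line")
    who, what = avc.sdomain, avc.target
    # Labeling problem: rpm_script_tmp_t only belongs on files a post-install script is working on.
    if avc.ttype == "rpm_script_tmp_t":
        return ("labeling", f"{what} still carries rpm_script_tmp_t; restorecon it")
    # Compromise signatures: SELinux state, the kernel, protected files, shadow, mail programs.
    if avc.tclass == "security" and avc.perms & {"setenforce", "setbool", "load_policy"}:
        return ("compromise-signature", f"{who} tried to change SELinux state ({', '.join(sorted(avc.perms))})")
    if avc.tclass == "capability" and "sys_module" in avc.perms:
        return ("compromise-signature", f"{who} tried to load a kernel module")
    if avc.ttype in PROTECTED_WRITE_TYPES and avc.perms & WRITE_PERMS:
        return ("compromise-signature", f"{who} tried to modify {what} ({avc.ttype})")
    if avc.ttype == "shadow_t":
        return ("compromise-signature", f"{who} tried to read shadow_t")
    if avc.ttype == "sendmail_exec_t" and "execute" in avc.perms:
        return ("compromise-signature", f"{who} tried to execute a mail program")
    # Boolean: a known boolean covers the access; the admin decides whether it was intended.
    for perm in avc.perms:
        boolean = BOOLEAN_HINTS.get((who, avc.ttype, perm))
        if boolean:
            return ("boolean", f"setsebool -P {boolean} on if {who} is meant to do this; "
                               f"an unexpected mail-port connect is a SpamBot signature")
    # user_home_t: either a file mv'd out of a home directory, or an app after the good stuff.
    if avc.ttype == "user_home_t":
        return ("labeling-or-compromise",
                f"{who} reading {what} (user_home_t): restorecon fixes a mv'd file, otherwise treat as a signature")
    return ("unknown", "run the line through audit2why or setroubleshoot")


def triage_log(text):
    """Triage every non-empty line of an audit log excerpt."""
    return [triage(line) for line in text.splitlines() if line.strip()]


# Constructed sample audit.log lines (not captured from a real system).
SAMPLE_LOG = """\
type=AVC msg=audit(1257600000.101:201): avc:  denied  { read } for  pid=2504 comm="httpd" name="services" dev=sda1 ino=8765 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_script_tmp_t:s0 tclass=file
type=AVC msg=audit(1257600000.102:202): avc:  denied  { getattr } for  pid=2504 comm="httpd" path="/srv/myweb/index.html" dev=sda1 ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1257600000.103:203): avc:  denied  { name_connect } for  pid=2504 comm="httpd" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1257600000.104:204): avc:  denied  { write } for  pid=1999 comm="named" name="passwd" dev=sda1 ino=1201 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1257600000.105:205): avc:  denied  { setenforce } for  pid=2504 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1257600000.106:206): avc:  denied  { sys_module } for  pid=2504 comm="httpd" capability=16 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1257600000.107:207): avc:  denied  { read } for  pid=2504 comm="httpd" name="shadow" dev=sda1 ino=1202 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1257600000.108:208): avc:  denied  { read } for  pid=1999 comm="named" name="libz.so.1" dev=sda1 ino=4400 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=CRED_ACQ msg=audit(1257600000.109:209): pid=2600 uid=0 msg='op=PAM:setcred acct="root"'
"""

if __name__ == "__main__":
    for category, why in triage_log(SAMPLE_LOG):
        print(f"{category:24} {why}")
```

The rule order matters: the labeling check runs first because a mislabeled file produces AVCs that otherwise look alarming, while the user_home_t check runs last because the notes put it in both the labeling and the compromise category, so it is reported as needing a look at the file with ls -Z rather than as a verdict.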