
Anyone (including me) playing around with something more than default servers (cPanel, webmin/virtualmin/cloudmin, plesk, ispconfig, etc.) knows that selinux = off. That’s the Law. But what about the minimum policy? Targeted and mls can’t and shouldn’t work on environments like a web server with home users. But if you need at least the essential protection of selinux, continue reading…
Quick ‘n dirty guide. Just the basics. No time to explain everything.
First of all we need the minimum policy. Get it.
```
yum install selinux-policy-minimum
```
Now we need to enable selinux and change policy from targeted to minimum.
Edit /etc/selinux/config to something like this:
```
SELINUX=enforcing
SELINUXTYPE=minimum
```
Reboot to your newly SELINUXed OS. setenforce won’t work if selinux is completely off (disabled). Also check grub.conf for a selinux=off parameter; remove it and reboot if it exists.
You can check with “sestatus” if selinux is armed and ready to go:
```
[root@devbox audit]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        minimum
[root@devbox audit]#
```
A few things will blow up; check /var/log/audit/audit.log with grep “avc” to see what’s crying. I was testing on a box with webmin and virtualmin, so a few things didn’t run as expected. Let’s fix them. Webmin couldn’t write in /tmp; let’s check and fix it.
```
[root@devbox audit]# grep "avc" audit.log
type=AVC msg=audit(1392580143.021:7): avc: denied { write } for pid=1477 comm="ifconfig" path="/tmp/.webmin/771198_1409_1_webmincron.pl" dev=vda1 ino=526924 scontext tclass=file
type=AVC msg=audit(1392580450.842:74): avc: denied { write } for pid=1677 comm="ifconfig" path="/tmp/.webmin/974512_1609_1_webmincron.pl" dev=vda1 ino=526924 scontex 0 tclass=file
type=AVC msg=audit(1392580749.787:141): avc: denied { write } for pid=1859 comm="ifconfig" path="/tmp/.webmin/813856_1809_1_webmincron.pl" dev=vda1 ino=526924 sconte s0 tclass=file
type=AVC msg=audit(1392581049.850:220): avc: denied { write } for pid=2091 comm="ifconfig" path="/tmp/.webmin/128664_2047_1_webmincron.pl" dev=vda1 ino=526922 sconte s0 tclass=file
```
We will create a new policy for these.
First we isolate the selinux denies:
```
[root@devbox audit]# cat audit.log | audit2allow -M allowPolicy
```
It will create 2 files: allowPolicy.pp and allowPolicy.te. You can see the policy we have just created in the .te file:
```
[root@devbox audit]# cat allowPolicy.te
module allowPolicy 1.0;

require {
	type ifconfig_t;
	type file_t;
	type sshd_t;
	type unlabeled_t;
	class file { write getattr };
}

#============= ifconfig_t ==============
allow ifconfig_t file_t:file write;

#============= sshd_t ==============
allow sshd_t unlabeled_t:file getattr;
[root@devbox audit]#
```
Let’s enable it. audit2allow already told us how when it finished:
```
To make this policy package active, execute:

semodule -i allowPolicy.pp
```
So:
```
[root@devbox audit]# semodule -i allowPolicy.pp
```
Tested with virtualmin and 3 users in it. So far everything works well. Will do a thorough test again with mail and spamassassin; didn’t check those out yet.
If you clear the logs and reboot, you will see that audit.log stays clean: selinux no longer denies webmin’s ifconfig writes.
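The grep/audit2allow step above, as an added example that is not part of the post or of audit2allow itself: it parses AVC denials into the same (source type, target type, class, permissions) tuples audit2allow turns into allow rules, but separates out denials whose target is file_t or unlabeled_t, like the two rules in allowPolicy.te. Those types mean the files carry no valid label under the loaded policy, so the right fix is a relabel rather than an allow rule; the sample log lines are constructed (the post’s own lines lost their context fields), and the contexts in them are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records in the shape of the post's audit.log lines;
# the scontext/tcontext values are assumed, not taken from a real box.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1392580143.021:7): avc:  denied  { write } for  pid=1477 comm="ifconfig" path="/tmp/.webmin/771198_1409_1_webmincron.pl" dev=vda1 ino=526924 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1392580450.842:74): avc:  denied  { getattr } for  pid=1677 comm="sshd" path="/home/user1/.ssh/authorized_keys" dev=vda1 ino=526930 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1392580749.787:141): avc:  denied  { name_connect } for  pid=1859 comm="perl" dest=3306 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1392580749.787:141): arch=c000003e syscall=42 success=no exit=-13
"""

AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?'
                    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\w+)')

# Targets of these types have no valid label under the loaded policy: fix by
# relabeling (touch /.autorelabel; reboot), not by allowing access to them.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}


def parse_avc(log_text):
    """One dict per AVC denial: source type, target type, class, permissions."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:          # SYSCALL/PATH/CWD records and non-AVC lines
            continue
        # A context is user:role:type[:range]; the type is always field 2.
        denials.append({"stype": m.group("scon").split(":")[2],
                        "ttype": m.group("tcon").split(":")[2],
                        "tclass": m.group("tclass"),
                        "perms": set(m.group("perms").split())})
    return denials


def triage(denials):
    """Return (allow rules in .te syntax, denials that need a relabel instead)."""
    rules, relabel = defaultdict(set), []
    for d in denials:
        if d["ttype"] in UNLABELED_TYPES:
            relabel.append(d)
        else:
            rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    allow = ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
             for (s, t, c), p in sorted(rules.items())]
    return allow, relabel
```

On the sample input only the tcp_socket denial becomes an allow rule; the two file_t/unlabeled_t denials are reported for relabeling.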
Let’s play now with selinux booleans.
SELinux booleans
Check what you can tune in the minimum selinux policy using:
```
[root@devbox audit]# getsebool -a
```
You will get a list like this:
```
[root@devbox audit]# getsebool -a
allow_console_login --> off
allow_daemons_dump_core --> on
allow_daemons_use_tcp_wrapper --> off
allow_daemons_use_tty --> off
allow_domain_fd_use --> on
allow_execheap --> off
allow_execmem --> off
allow_execmod --> off
allow_execstack --> off
allow_gssd_read_tmp --> on
allow_mount_anyfile --> on
allow_polyinstantiation --> off
allow_ptrace --> off
allow_ssh_keysign --> off
allow_sysadm_exec_content --> on
allow_unconfined_nsplugin_transition --> on
allow_user_mysql_connect --> off
allow_user_postgresql_connect --> off
allow_write_xshm --> off
allow_xserver_execmem --> off
allow_ypbind --> off
authlogin_radius --> off
cron_can_relabel --> off
daemons_enable_cluster_mode --> on
dhcpc_exec_iptables --> off
domain_kernel_load_modules --> off
fcron_crond --> off
fips_mode --> on
global_ssp --> off
init_upstart --> on
logging_syslog_can_read_tmp --> off
logging_syslogd_can_sendmail --> off
mmap_low_allowed --> off
nscd_use_shm --> off
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
ssh_chroot_full_access --> off
ssh_chroot_manage_apache_content --> off
ssh_chroot_rw_homedirs --> off
ssh_sysadm_login --> off
unconfined_login --> on
unconfined_mmap_zero_ignore --> off
unconfined_mozilla_plugin_transition --> off
use_fusefs_home_dirs --> off
use_nfs_home_dirs --> on
use_samba_home_dirs --> off
user_direct_dri --> off
user_direct_mouse --> off
user_ping --> off
user_rw_noexattrfile --> on
user_setrlimit --> off
user_tcp_server --> off
user_ttyfile_stat --> off
vbetool_mmap_zero_ignore --> off
xdm_exec_bootloader --> off
xdm_sysadm_login --> off
xserver_object_manager --> off
```
The most useful ones here, which I set to off, were:
```
allow_execheap --> off
allow_execmem --> off
allow_execmod --> off
allow_execstack --> off
```
Turn booleans on and off using setsebool -P boolean on|off (1 and 0 work too; -P makes the change persistent across reboots), like this:
```
setsebool -P allow_execmem off
```
There is also this in the minimum policy:
```
allow_polyinstantiation --> off
```
It turns out to be quite handy; check the post about polyinstantiation.
That’s a basic guide to the selinux minimum policy and sebooleans, and how to switch them off and on. You will end up with a running virtualmin/webmin system.