Linux Fedora image - use root with "SElinux" password

SELinux Modes: Enforcing/Permissive/Disabled
    commands: getenforce/setenforce/sestatus
    main config file: /etc/selinux/config
    Policy: targeted

Subjects vs. Objects
    Users/Roles/Domains for subjects, Types for objects
    LABELS - user:role:type:sensitivity
    -Z parameter in commands:
        ls -lZ /etc
        ls -lZ /root
        ls -lZ /etc/shadow
        ps -eZ | grep sshd
        ps -eZ
        id -Z

Policies:
    allow <source_type> <target_type>:<class> { <permissions> };
    [rule types: allow, dontaudit, auditallow, neverallow]
    [class: file, dir, sock_file, tcp_socket, process, ...]
    [permissions: read, open, write, ...]
    Macros: /usr/share/selinux/devel/include/support/obj_perm_sets.spt
    sesearch --allow --source httpd_t --target httpd_sys_content_t --class file

Let's play with policies:
    vi /root/my_secrets                    [write some text into the file]
    setsebool daemons_use_tty on
    selinuxrun sshd cat /root/my_secrets
    selinuxrun unconfined cat /root/my_secrets
    systemctl start httpd
    links http://localhost/
    vi /var/www/html/index.html            [write "Hi" into the file]
    ls -lZ /var/www/html/index.html
    links http://localhost/
    chcon --type var_t /var/www/html/index.html
    ls -lZ /var/www/html/index.html
    links http://localhost/
    restorecon -v /var/www/html/index.html
    links http://localhost/

Policies - modules:
    semodule -l
    ls -l /etc/selinux/targeted/modules/active/modules/
    modules are compiled .pp files
    modules are integrated into a single file:
    ls -l /etc/selinux/targeted/policy/

Settings - boolean switches:
    semanage boolean -l
    getsebool secure_mode_insmod
    setsebool secure_mode_insmod=1
    getsebool secure_mode_insmod
    modprobe vfat
    setsebool secure_mode_insmod=0
    modprobe vfat
    lsmod

Policy modules:
    - Type Enforcement (TE) file - contains all the rules used to confine the application
    - File Context (FC) file - contains the regular expression mappings for on-disk file contexts
    - Interface (IF) file - contains the interfaces defined for other confined applications to interact with your confined application

Disabling usage of an existing policy (hddtemp):
    man hddtemp
    ps -eZ | grep hddtemp
    systemctl start hddtemp
    ps -eZ | grep hddtemp
    semodule -d hddtemp
    for i in `rpm -ql hddtemp`; do restorecon -R -v $i; done
    systemctl restart hddtemp
    ps -eZ | grep hddtemp

Creating a new policy:
    sepolicy generate --help
    sepolicy generate -n myhddtemp --init `which hddtemp`
    Generates: .te, .if, .fc, .spec, .sh files
    View the .te file:
    less myhddtemp.te                      [check whether the policy is permissive]
    Apply the policy:
    make -f /usr/share/selinux/devel/Makefile myhddtemp.pp
    systemctl stop hddtemp
    semodule -i myhddtemp.pp
    for i in `rpm -ql hddtemp`; do restorecon -R -v $i; done
    semodule -l | grep hddtemp
    ls -Z `which hddtemp`
    systemctl start hddtemp
    ps -eZ | grep hddtemp
    ausearch -m avc -ts recent             [| grep hddtemp]
    ausearch -m avc -ts today | grep hddtemp | audit2allow -R >> myhddtemp.te
    Comment out permissive:
    sed -i s/^permissive/#permissive/ myhddtemp.te
    make -f /usr/share/selinux/devel/Makefile myhddtemp.pp
    semodule -i myhddtemp.pp
    systemctl restart hddtemp
    systemctl status hddtemp

Get the system back to the original state:
    semodule -r myhddtemp -e hddtemp
    cd /root
    make -f /usr/share/selinux/devel/Makefile clean
    rm -rf myhddtemp*
    for i in `rpm -ql hddtemp`; do restorecon -R -v $i; done
    systemctl restart hddtemp

ASSIGNMENT: Select any Linux utility/service and (re)create a policy for that utility/service. Submit not only the resulting policy, but also describe the process of policy fine-tuning... (the deadline is May 16, 24:00)
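Two steps of the lab are easy to understand once you see the data being processed by hand: the label experiment on index.html (chcon to var_t breaks the page, restorecon repairs it) and the ausearch | audit2allow step that turns denials into allow rules. The script below is an added example written for these notes, not part of the handout and not the SELinux tools themselves. It parses user:role:type:sensitivity contexts, flags files whose type differs from the type the file_contexts mapping would assign (a tiny hard-coded subset of that mapping, assumed here), and merges constructed AVC records into allow rules the way audit2allow does. The `ls -Z` lines, the AVC records, the myhddtemp_t domain and the /etc/hddtemp.db path are all constructed for the example.

```shell
#!/bin/sh
# Added example for these lab notes (not part of the original handout).
# Part 1: parse "user:role:type:sensitivity" labels from `ls -Z`-style output
#         and flag files whose type differs from the expected one, which is
#         what the chcon/restorecon experiment on index.html demonstrates.
# Part 2: turn raw AVC denial records into TE allow rules, i.e. what
#         `ausearch -m avc | audit2allow` does in the hddtemp exercise.
# All input below is CONSTRUCTED for the example, not captured from a system.

# ctx_field CONTEXT N: field N of a user:role:type:sensitivity context.
# The MLS range (field 4) may itself contain ':' (s0-s0:c0.c1023), so it is
# returned whole instead of being cut at the next ':'.
ctx_field() {
    if [ "$2" -eq 4 ]; then
        printf '%s\n' "$1" | cut -d: -f4-
    else
        printf '%s\n' "$1" | cut -d: -f"$2"
    fi
}

# ---- Part 1: mislabeled files ------------------------------------------

# Constructed in the style of `ls -Z <path>` output (context, then path).
SAMPLE_LS_Z='system_u:object_r:httpd_sys_content_t:s0 /var/www/html/ok.html
system_u:object_r:var_t:s0 /var/www/html/index.html
system_u:object_r:shadow_t:s0 /etc/shadow
unconfined_u:object_r:admin_home_t:s0 /root/my_secrets'

# expected_type PATH: hard-coded subset (assumed) of the file_contexts mapping
# that restorecon consults under /etc/selinux/targeted/contexts/files/.
expected_type() {
    case "$1" in
        /var/www/html/*) echo httpd_sys_content_t ;;
        /etc/shadow)     echo shadow_t ;;
        /root/*)         echo admin_home_t ;;
        *)               echo unknown ;;
    esac
}

# find_mislabeled: reads "context path" lines on stdin and prints
# "path actual_type expected_type" for every mismatch.
find_mislabeled() {
    while read -r ctx path; do
        [ -n "$path" ] || continue
        actual=$(ctx_field "$ctx" 3)
        want=$(expected_type "$path")
        if [ "$want" != unknown ] && [ "$actual" != "$want" ]; then
            printf '%s %s %s\n' "$path" "$actual" "$want"
        fi
    done
}

# ---- Part 2: AVC denials -> allow rules --------------------------------

# Constructed AVC records in /var/log/audit/audit.log format for a
# hypothetical myhddtemp_t domain running permissive (permissive=1).
SAMPLE_AVC='type=AVC msg=audit(1400000000.123:456): avc:  denied  { read } for  pid=1234 comm="hddtemp" name="hddtemp.db" dev="sda1" ino=12345 scontext=system_u:system_r:myhddtemp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1400000000.124:457): avc:  denied  { open } for  pid=1234 comm="hddtemp" path="/etc/hddtemp.db" dev="sda1" ino=12345 scontext=system_u:system_r:myhddtemp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1400000000.200:458): avc:  denied  { name_bind } for  pid=1234 comm="hddtemp" src=7634 scontext=system_u:system_r:myhddtemp_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1'

# avc_to_allow: reads AVC lines on stdin, merges the denied permissions per
# (source type, target type, class) and prints one TE allow rule per triple,
# in first-seen order.
avc_to_allow() {
    grep 'avc: *denied' | while read -r line; do
        perms=$(printf '%s\n' "$line" | sed 's/.*{ *\([^}]*\)}.*/\1/')
        src=$(ctx_field "$(printf '%s\n' "$line" | sed 's/.*scontext=\([^ ]*\).*/\1/')" 3)
        tgt=$(ctx_field "$(printf '%s\n' "$line" | sed 's/.*tcontext=\([^ ]*\).*/\1/')" 3)
        cls=$(printf '%s\n' "$line" | sed 's/.*tclass=\([^ ]*\).*/\1/')
        for p in $perms; do printf '%s %s %s %s\n' "$src" "$tgt" "$cls" "$p"; done
    done | awk '!seen[$0]++ { key = $1 " " $2 ":" $3
                              if (!(key in rule)) order[++n] = key
                              rule[key] = rule[key] " " $4 }
                END { for (i = 1; i <= n; i++) printf "allow %s {%s };\n", order[i], rule[order[i]] }'
}

# permissive_denials: how many of the records were only logged, not enforced
# (a permissive domain keeps working while you collect the rules it needs).
permissive_denials() {
    grep -c 'permissive=1'
}

# Convenience wrappers over the constructed samples.
sample_mislabeled() { printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled; }
sample_rules()      { printf '%s\n' "$SAMPLE_AVC"  | avc_to_allow; }

sample_mislabeled
sample_rules
```

Running it prints the one mislabeled file (index.html carrying var_t where httpd_sys_content_t is expected, exactly the state chcon left it in) and two allow rules. The real audit2allow -R additionally replaces raw rules with interface calls from the .if files where it can; the rules emitted here are the raw form you would otherwise paste into myhddtemp.te, and, as in the lab, they are only as good as the denials you collected while the domain was permissive, so read each one before trusting it.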