SELinux System Administration, Second Edition

Ward off traditional security permissions and effectively secure your Linux systems with SELinux

Sven Vermeulen

BIRMINGHAM - MUMBAI

Copyright © 2016 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: September 2013
Second edition: December 2016
Production reference: 1131216

Published by Packt Publishing Ltd., Livery Place, 35 Livery Street, Birmingham B3 2PB, UK.
ISBN 978-1-78712-695-4
www.packtpub.com

Credits

Author: Sven Vermeulen
Reviewers: David Quigley, Sam Wilson
Commissioning Editor: Kartikey Pandey
Acquisition Editor: Namrata Patil
Content Development Editor: Amedh Gemraram Pohad
Technical Editors: Vishal Kamal Mewada, Khushbu Sutar
Copy Editor: Madhusudan Uchil
Project Coordinator: Judie Jose
Proofreader: Safis Editing
Indexer: Pratik Shirodkar
Graphics: Kirk D'Penha
Production Coordinator: Shantanu N. Zagade

About the Author

Sven Vermeulen is a long-term contributor to various free software projects and the author of various online guides and resources.
He got his first taste of free software in 1997 and never looked back. In 2003, he joined the ranks of the Gentoo Linux project as a documentation developer and has since worked in several roles, including Gentoo Foundation trustee, council member, project lead for various documentation initiatives, and (his current role) project lead for Gentoo Hardened SELinux integration and the system integrity project.

During this time, Sven gained expertise in several technologies, ranging from OS-level knowledge to application servers. He used his interest in security to guide his projects further in the areas of security guides using SCAP languages, mandatory access controls through SELinux, authentication with PAM, (application) firewalling, and more. Within SELinux, Sven contributed several policies to the Reference Policy project, and he is an active participant in policy development and user space development projects.

In his daily job, Sven is an IT architect in a European financial institution as well as a self-employed solution engineer and consultant. The secure implementation of infrastructures (and the surrounding architectural integration) is, of course, an important part of this. Prior to this, he graduated with an MSc in computer engineering from Ghent University and an MSc in ICT enterprise architecture from http://inno.com/, and he worked as a web application infrastructure engineer.

Sven is the main author of the Gentoo Handbook, which covers the installation and configuration of Gentoo Linux on several architectures. He also authored the Linux Sea online publication, which is a basic introduction to Linux for novice system administrators, and SELinux System Administration and SELinux Cookbook for Packt Publishing.

I would like to thank the open source / free software community for its never-ending drive to create great software, documentation, artwork and services.
It is through this drive that companies and organizations around the world are enjoying high-quality services with all the freedom that this software provides. Specifically, I would like to thank the Gentoo community as it provides a great meta-distribution and operating system. The people I meet there are all greatly motivated, highly experienced and/or experts in particular fields. Being around in the community makes me eager to learn more.

About the Reviewers

David Quigley started his career as a computer systems researcher for the National Information Assurance Research Lab at the NSA, where he worked as a member of the SELinux team. David led the design and implementation efforts to provide Labeled-NFS support for SELinux. David has previously contributed to the open source community through maintaining the Unionfs 1.0 code base and through code contributions to various other projects. David has presented at conferences such as the Ottawa Linux Symposium, the StorageSS workshop, LinuxCon, and several local Linux User Group meetings, where presentation topics have included storage, file systems, and security. David currently works as a ZFS kernel engineer for the High Performance Data Division at Intel. He previously reviewed SELinux Cookbook, published by Packt Publishing.

I would like to thank my wonderful wife, Kathy, for all she does to make sure I have the time to do things like review this book and travel to give presentations on SELinux. She is the joy of my life and has helped me become the man I am today. I'd also like to thank all my children past and present: Zoe Jane and Caroline, who remind us to love and cherish the time we have as a family.

Sam Wilson is a senior systems and security engineer with a newly acquired passion for radio hardware and a focus on Red Hat Enterprise Linux.
Because of his extensive security knowledge spanning microservices, infrastructure, and SecOps, Sam is approached regularly for SELinux mentorship and advice across the organizations he collaborates and works with. Sam has been active in GNU/Linux communities since early 2007 and has volunteered his time for NTFreenet, Darwin Community Arts, Ansible, and the Fedora project. More recently, Sam can be found being a cranky neckbeard at https://www.cycloptivity.net as well as working with the Atlassian Security Intelligence team on visibility, operational security, and controls to support and protect Atlassian customers in the cloud.
Table of Contents

Preface 1

Chapter 1: Fundamental SELinux Concepts 6
  Providing more security to Linux 6
  Using Linux security modules 8
  Extending regular DAC with SELinux 10
  Restricting root privileges 11
  Reducing the impact of vulnerabilities 11
  Enabling SELinux support 13
  Labeling all resources and objects 13
  Dissecting the SELinux context 15
  Enforcing access through types 17
  Granting domain access through roles 18
  Limiting roles through users 19
  Controlling information flow through sensitivities 21
  Defining and distributing policies 22
  Writing SELinux policies 23
  Distributing policies through modules 24
  Bundling modules in a policy store 26
  Distinguishing between policies 27
  Supporting MLS 27
  Dealing with unknown permissions 28
  Supporting unconfined domains 28
  Limiting cross-user sharing 29
  Incrementing policy versions 30
  Different policy content 32
  Summary 33

Chapter 2: Understanding SELinux Decisions and Logging 34
  Switching SELinux on and off 34
  Setting the global SELinux state 35
  Switching to permissive (or enforcing) mode 36
  Using kernel boot parameters 38
  Disabling SELinux protections for a single service 40
  Understanding SELinux-aware applications 42
  SELinux logging and auditing 42
  Following audit events 43
  Uncovering more logging 45
  Configuring Linux auditing 45
  Configuring the local system logger 47
  Reading SELinux denials 48
  Other SELinux-related event types 53
  USER_AVC 53
  SELINUX_ERR 54
  MAC_POLICY_LOAD 54
  MAC_CONFIG_CHANGE 55
  MAC_STATUS 55
  NetLabel events 55
  Labeled IPsec events 56
  Using ausearch 57
  Getting help with denials 58
  Troubleshooting with setroubleshoot 58
  Sending e-mails when SELinux denials occur 60
  Using audit2why 61
  Interacting with systemd-journal 62
  Using common sense 63
  Summary 64

Chapter 3: Managing User Logins 65
  User-oriented SELinux contexts 65
  Understanding domain complexity 66
  Querying for unconfined domains 68
  SELinux users and roles 69
  Listing SELinux user mappings 69
  Mapping logins to SELinux users 71
  Customizing logins towards services 72
  Creating SELinux users 73
  Listing accessible domains 74
  Managing categories 75
  Handling SELinux roles 77
  Defining allowed SELinux contexts 77
  Validating contexts with getseuser 78
  Switching roles with newrole 79
  Managing role access through sudo 80
  Reaching other domains using runcon 81
  Switching to the system role 81
  SELinux and PAM 83
  Assigning contexts through PAM 83
  Prohibiting access during permissive mode 84
  Polyinstantiating directories 85
  Summary 86

Chapter 4: Process Domains and File-Level Access Controls 88
  About SELinux file contexts 89
  Getting context information 89
  Interpreting SELinux context types 90
  Keeping or ignoring contexts 92
  Inheriting the default context 92
  Querying transition rules 92
  Copying and moving files 94
  Temporarily changing file contexts 95
  Placing categories on files and directories 96
  Using multilevel security on files 97
  Backing up and restoring extended attributes 97
  Using mount options to set SELinux contexts 97
  SELinux file context expressions 99
  Using context expressions 99
  Registering file context changes 101
  Using customizable types 102
  Compiling the different file_contexts files 104
  Exchanging local modifications 104
  Modifying file contexts 105
  Using setfiles, rlpkg, and fixfiles 105
  Relabeling the entire file system 106
  Automatically setting contexts with restorecond 106
  The context of a process 107
  Getting a process context 107
  Transitioning towards a domain 108
  Verifying a target context 111
  Other supported transitions 111
  Querying initial contexts 112
  Limiting the scope of transitions 112
  Sanitizing environments on transition 112
  Disabling unconstrained transitions 113
  Using Linux's NO_NEW_PRIVS 114
  Types, permissions, and constraints 115
  Understanding type attributes 116