SELinux Notes


SELinux config file and runtime enforce flag:


vi /etc/selinux/config
/sys/fs/selinux/enforce


What is SELinux? Checking its status:


[root@localhost opt]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33



All processes and files have an SELinux security context.


[root@localhost opt]# ls -Z /etc/httpd/conf/httpd.conf
system_u:object_r:httpd_config_t:s0 /etc/httpd/conf/httpd.conf


Security context fields, for example system_u:object_r:httpd_sys_content_t:s0.

This is based upon user:role:type:mls.
 In the ls -Z output above, the user:role:type fields are system_u:object_r:httpd_config_t and the trailing s0 is the mls (MLS/MCS) field.
 Within the default targeted policy, type is the important field used to implement Type Enforcement: httpd_config_t here for the configuration file, and httpd_sys_content_t for web content.

[root@localhost opt]# ps axZ | grep httpd
system_u:system_r:httpd_t:s0       4510 ?        Ss     0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0       4511 ?        S      0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0       4512 ?        Sl     0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0       4513 ?        Sl     0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0       4514 ?        Sl     0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0       4515 ?        Sl     0:00 /usr/sbin/httpd -DFOREGROUND


[velmuruganponnusamy@localhost ~]$ ls -ltrZ ~/dj-practice/mysite/mysite/wsgi.py
-rw-rw-r--. 1 velmuruganponnusamy velmuruganponnusamy unconfined_u:object_r:user_home_t:s0 744 Apr  6 16:25 /home/velmuruganponnusamy/dj-practice/mysite/mysite/wsgi.py

Apache running as httpd_t can read files of type httpd_sys_content_t. The ls -Z output above shows ~/dj-practice/mysite/mysite/wsgi.py labelled user_home_t, not an httpd_* type, so even though the file is world readable (mode 664) httpd_t cannot access it: the SELinux type, not the Unix permission bits, decides. If Apache were exploited, and assuming for the sake of this example that the root privileges needed to relabel files into another context were not obtained, the compromised process would still be unable to start any process outside the httpd_t domain (which prevents escalation of privileges) or to access any file whose type httpd_t is not allowed to use.



Error log caused by SELinux on CentOS 9:


[root@localhost opt]# tail -10 /etc/httpd/logs/error_log
[Thu Apr 07 10:29:30.750284 2022] [mpm_event:notice] [pid 4052:tid 4052] AH00492: caught SIGWINCH, shutting down gracefully
[Thu Apr 07 10:29:34.795105 2022] [core:notice] [pid 4510:tid 4510] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Thu Apr 07 10:29:34.795546 2022] [suexec:notice] [pid 4510:tid 4510] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
[Thu Apr 07 10:29:34.801958 2022] [lbmethod_heartbeat:notice] [pid 4510:tid 4510] AH02282: No slotmem from mod_heartmonitor
[Thu Apr 07 10:29:34.807258 2022] [mpm_event:notice] [pid 4510:tid 4510] AH00489: Apache/2.4.51 (CentOS Stream) mod_wsgi/4.7.1 Python/3.9 configured -- resuming normal operations
[Thu Apr 07 10:29:34.807269 2022] [core:notice] [pid 4510:tid 4510] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Thu Apr 07 10:30:39.499003 2022] [mime_magic:error] [pid 4515:tid 4666] [client 127.0.0.1:50732] AH01512: mod_mime_magic: can't read `/home/velmuruganponnusamy/dj-practice/mysite/mysite/wsgi.py'
[Thu Apr 07 10:30:39.499104 2022] [mime_magic:error] [pid 4515:tid 4666] [client 127.0.0.1:50732] AH01512: mod_mime_magic: can't read `/home/velmuruganponnusamy/dj-practice/mysite/mysite/wsgi.py'
[Thu Apr 07 10:30:39.546092 2022] [wsgi:error] [pid 4512:tid 4649] (13)Permission denied: [remote 127.0.0.1:50732] mod_wsgi (pid=4512, process='mysite', application='localhost.localdomain|'): Call to fopen() failed for '/home/velmuruganponnusamy/dj-practice/mysite/mysite/wsgi.py'.
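The "(13)Permission denied" above comes from the SELinux denial described earlier, not from the file mode, which is why mod_wsgi fails on a world-readable file. The script below is an added example, not part of the original notes: it pulls the denied path out of error_log lines, takes the type field from an `ls -Z` style context, and compares that type against a small allowlist of the httpd content types listed in these notes. The function names and the allowlist are my assumptions for triage only; the authoritative answers come from the audit log (`ausearch -m AVC -ts recent`) and the policy (`sesearch -A -s httpd_t -t user_home_t -c file -p read`), and booleans such as httpd_read_user_content change what httpd_t may read. All sample input is constructed from the output shown in the notes.

```shell
#!/bin/sh
# Added example, not from the original notes: offline triage of a mod_wsgi
# "(13)Permission denied" under SELinux. Sample input is constructed.

SAMPLE_ERROR_LOG=$(cat <<'EOF'
[Thu Apr 07 10:30:39.499003 2022] [mime_magic:error] [pid 4515:tid 4666] [client 127.0.0.1:50732] AH01512: mod_mime_magic: can't read `/home/velmuruganponnusamy/dj-practice/mysite/mysite/wsgi.py'
[Thu Apr 07 10:30:39.546092 2022] [wsgi:error] [pid 4512:tid 4649] (13)Permission denied: [remote 127.0.0.1:50732] mod_wsgi (pid=4512, process='mysite', application='localhost.localdomain|'): Call to fopen() failed for '/home/velmuruganponnusamy/dj-practice/mysite/mysite/wsgi.py'.
EOF
)

# Constructed `ls -Z` line (context then path) for the same file before relabelling
SAMPLE_LS_Z='unconfined_u:object_r:user_home_t:s0 /home/velmuruganponnusamy/dj-practice/mysite/mysite/wsgi.py'

# Print each distinct path that mod_wsgi could not fopen(); log lines arrive on stdin
denied_paths() {
    sed -n "s/.*Call to fopen() failed for '\([^']*\)'.*/\1/p" | sort -u
}

# Print the type field (third colon-separated field) of a security context
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 when the type is one httpd_t may read as web content in the targeted
# policy. Assumed allowlist built from the httpd_* types listed in the notes;
# sesearch is the authoritative check.
httpd_readable() {
    case $1 in
        httpd_sys_content_t|httpd_sys_rw_content_t|httpd_sys_ra_content_t|\
        httpd_user_content_t|httpd_user_rw_content_t|httpd_user_ra_content_t|\
        httpd_sys_script_exec_t|httpd_user_script_exec_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Given an `ls -Z` line (context, space, path) print a one-line verdict
triage_ls_z() {
    ctx=${1%% *}
    path=${1#* }
    type=$(context_type "$ctx")
    if httpd_readable "$type"; then
        printf 'OK %s type=%s\n' "$path" "$type"
    else
        printf 'DENIED %s type=%s (not an httpd content type; relabel with semanage fcontext + restorecon)\n' "$path" "$type"
    fi
}

# Stand-alone demo
for p in $(printf '%s\n' "$SAMPLE_ERROR_LOG" | denied_paths); do
    echo "denied path from error_log: $p"
done
triage_ls_z "$SAMPLE_LS_Z"
```

On a live host, feed `tail /etc/httpd/logs/error_log | denied_paths` into `ls -Z` and pass each line to `triage_ls_z`; a DENIED verdict should always be confirmed against the AVC record in /var/log/audit/audit.log before relabelling anything.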


Roles in SELinux:


[root@localhost opt]# seinfo -r

Roles: 14
   auditadm_r
   dbadm_r
   guest_r
   logadm_r
   nx_server_r
   object_r
   secadm_r
   staff_r
   sysadm_r
   system_r
   unconfined_r
   user_r
   webadm_r
   xguest_r

Types in SELinux for httpd:


[root@localhost opt]# seinfo -t|grep -i httpd
   httpd_bool_t
   httpd_cache_t
   httpd_config_t
   httpd_exec_t
   httpd_helper_exec_t
   httpd_helper_t
   httpd_initrc_exec_t
   httpd_keytab_t
   httpd_lock_t
   httpd_log_t
   httpd_modules_t
   httpd_passwd_exec_t
   httpd_passwd_t
   httpd_php_exec_t
   httpd_php_t
   httpd_php_tmp_t
   httpd_rotatelogs_exec_t
   httpd_rotatelogs_t
   httpd_squirrelmail_t
   httpd_suexec_exec_t
   httpd_suexec_t
   httpd_suexec_tmp_t
   httpd_sys_content_t
   httpd_sys_htaccess_t
   httpd_sys_ra_content_t
   httpd_sys_rw_content_t
   httpd_sys_script_exec_t
   httpd_sys_script_t
   httpd_t
   httpd_tmp_t
   httpd_tmpfs_t
   httpd_unconfined_script_exec_t
   httpd_unconfined_script_t
   httpd_unit_file_t
   httpd_user_content_t
   httpd_user_htaccess_t
   httpd_user_ra_content_t
   httpd_user_rw_content_t
   httpd_user_script_exec_t
   httpd_user_script_t
   httpd_var_lib_t
   httpd_var_run_t





MLS and MCS:


system_u:system_r:httpd_t:s0           -        s0:c0.c5
                          ▼                     ▼
                  Low security level,    High security level, also
                  associated with no     associated with compartments
                  compartments.          c0, c1, c2, c3, c4 and c5.
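The diagram shows the mls field as a sensitivity (s0) optionally followed by categories, with c0.c5 as shorthand for the range c0 through c5. The MCS rule that follows from this is containment: a process may touch a file only if the process's category set includes every category of the file. The script below is an added example, not part of the original notes, and needs no SELinux tools; it expands a level string into its categories and tests containment between two levels. Function names are mine, and both levels are assumed to share sensitivity s0 as in the targeted policy.

```shell
#!/bin/sh
# Added example, not from the original notes: expand MCS category ranges and
# check the containment rule between a subject level and an object level.

# Print the categories of a level one per line, e.g. "s0:c0.c2,c5" -> c0 c1 c2 c5.
# A level with no ':' (plain "s0") has no categories and prints nothing.
expand_categories() {
    level=$1
    case $level in
        *:*) cats=${level#*:} ;;     # drop the "s0:" sensitivity prefix
        *)   return 0 ;;
    esac
    printf '%s\n' "$cats" | tr ',' '\n' | while IFS= read -r item; do
        case $item in
            *.*)                     # a range written as cLOW.cHIGH
                lo=${item%%.*}; hi=${item#*.}
                lo=${lo#c};     hi=${hi#c}
                i=$lo
                while [ "$i" -le "$hi" ]; do
                    printf 'c%s\n' "$i"
                    i=$((i + 1))
                done
                ;;
            *)  printf '%s\n' "$item" ;;   # a single category such as c5
        esac
    done
}

# Number of categories in a level
category_count() {
    expand_categories "$1" | wc -l | tr -d ' '
}

# Return 0 when every category of the object level ($2) is also present in the
# subject level ($1): the MCS containment rule a process must satisfy to access
# a file (assumed: both levels use sensitivity s0).
mcs_contains() {
    subject=$(expand_categories "$1")
    for c in $(expand_categories "$2"); do
        printf '%s\n' "$subject" | grep -qx "$c" || return 1
    done
    return 0
}

# Stand-alone demo
echo "s0:c0.c5 expands to: $(expand_categories s0:c0.c5 | tr '\n' ' ')"
if mcs_contains s0:c0.c5 s0:c3; then
    echo "a process at s0:c0.c5 may access a file at s0:c3"
fi
if ! mcs_contains s0:c3 s0:c0.c5; then
    echo "a process at s0:c3 may not access a file at s0:c0.c5"
fi
```

The asymmetry in the demo is the point of MCS as used by container and VM runtimes: giving each workload a distinct category pair keeps one compromised workload from reading another's files even when both run as the same type.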



Changing the security context of wsgi.py:
[root@localhost opt]# chcon -v --type=httpd_sys_content_t /home/velmuruganponnusamy/dj-practice/mysite/mysite/wsgi.py
changing security context of '/home/velmuruganponnusamy/dj-practice/mysite/mysite/wsgi.py'

[root@localhost opt]# semanage fcontext -a -t httpd_sys_content_t /home/velmuruganponnusamy/dj-practice/mysite/mysite/wsgi.py

[velmuruganponnusamy@localhost ~]$ ls -ltrZ ~/dj-practice/mysite/mysite/wsgi.py
-rw-rw-r--. 1 velmuruganponnusamy velmuruganponnusamy unconfined_u:object_r:httpd_sys_content_t:s0 744 Apr  6 16:25 /home/velmuruganponnusamy/dj-practice/mysite/mysite/wsgi.py
[velmuruganponnusamy@localhost ~]$ ls -ltr ~/dj-practice/mysite/mysite/wsgi.py
-rw-rw-r--. 1 velmuruganponnusamy velmuruganponnusamy 744 Apr  6 16:25 /home/velmuruganponnusamy/dj-practice/mysite/mysite/wsgi.py

sudo chcon system_u:object_r:httpd_sys_script_exec_t:s0  /home/velmuruganponnusamy/dj-practice/mysite/mysite/wsgi.py
chcon -R system_u:object_r:httpd_sys_script_exec_t:s0  /home/velmuruganponnusamy/.virtualenvs/djEnv/
sudo chcon -R system_u:object_r:httpd_sys_script_exec_t:s0  /home/velmuruganponnusamy/dj-practice/mysite

[root@localhost opt]# ps -efZ|grep -i http
system_u:system_r:httpd_t:s0    root        7798       1  0 12:35 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0    apache      7799    7798  0 12:35 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0    apache      7800    7798  0 12:35 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0    apache      7801    7798  0 12:35 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0    apache      7802    7798  0 12:35 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0    apache      7803    7798  0 12:35 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND

To see the latest local changes:


[root@localhost opt]# semanage fcontext -C -l
SELinux fcontext                                   type               Context

/home/velmuruganponnusamy/.virtualenvs/djEnv/bin/activate_this.py all files          system_u:object_r:httpd_sys_content_t:s0
/home/velmuruganponnusamy/dj-practice/mysite/mysite/wsgi.py all files          system_u:object_r:httpd_sys_content_t:s0
/opt/VBoxGuestAdditions-6.1.32/other/mount.vboxsf  all files          system_u:object_r:mount_exec_t:s0
/usr/bin/VBoxClient                                all files          system_u:object_r:bin_t:s0


/etc/selinux/targeted/contexts/files/file_contexts.local

[root@localhost opt]# cat /etc/selinux/targeted/contexts/files/file_contexts.local
# This file is auto-generated by libsemanage
# Do not edit directly.

/opt/VBoxGuestAdditions-6.1.32/other/mount.vboxsf    system_u:object_r:mount_exec_t:s0
/usr/bin/VBoxClient    system_u:object_r:bin_t:s0
/home/velmuruganponnusamy/dj-practice/mysite/mysite/wsgi.py    system_u:object_r:httpd_sys_content_t:s0
/home/velmuruganponnusamy/.virtualenvs/djEnv/bin/activate_this.py    system_u:object_r:httpd_sys_content_t:s0
