Manage local SELinux policy in Cockpit

Manage/configure local SELinux policy in Cockpit

Scope

As a system administrator I want to configure certain elements of SELinux policy in Cockpit so that I can manage SELinux policy on a system without recompiling it from policy sources. For the rest of the document let's assume that "certain elements" are:

  • login

  • user

  • port

  • fcontext

  • boolean

Certain elements of SELinux policy can be configured without requiring modification to or recompilation from policy sources. This includes the mapping from Linux usernames to SELinux user identities (which controls the initial security context assigned to Linux users when they log in and bounds their authorized role set), the security context mappings for various kinds of objects, such as network ports, interfaces, infiniband pkeys and endports, and nodes (hosts), and the file context mapping.

Acceptance Criteria

  • Verify that Cockpit provides an interface where a user can:

    • List current state of certain elements of SELinux policy

    • List certain local policy modifications

    • Add policy modifications

    • Change policy modifications

View Current State of Certain Element of SELinux

As a system administrator I want to see the current state of SELinux elements in Cockpit so that I can keep track of the current SELinux policy configuration.

Acceptance Criteria

  • Verify that I can view certain elements of local SELinux policy in Cockpit

View Local Policy Modifications

As a system administrator I want to see local policy modifications in Cockpit so that I can keep track of the local changes.

Acceptance Criteria

  • Verify that I can see local policy modifications in Cockpit

Add Local Policy Modifications

As a system administrator I want to be able to configure certain elements of SELinux policy in Cockpit so that I can manage SELinux policy on a system using the Cockpit interface.

Acceptance Criteria

  • Verify that I can add local policy modifications

  • Verify that I can change local policy modifications

Implementation

Available interfaces

Command line

All the data is available via the semanage command, e.g.:

  • show login mappings

    ^_^ sudo semanage login -l -n
    __default__          staff_u              s0-s0:c0.c1023       *
    plautrba             staff_u              s0-s0:c0.c1023       *
    root                 unconfined_u         s0-s0:c0.c1023       *
  • show local login mappings customizations

    ^_^ sudo semanage login -l -C -n
    __default__          staff_u              s0-s0:c0.c1023       *
    plautrba             staff_u              s0-s0:c0.c1023       *
  • Drop all local port mapping modifications

    ^_^ sudo semanage port -D
  • Add a file context mapping

    ^_^ sudo semanage fcontext -a -f a -t cockpit_ws_exec_t '/usr/libexec/cockpit-ssh'

DBUS

The policycoreutils-dbus package provides the org.selinux DBUS interface with the following two methods:

  • customized() -> s

    Returns the output of semanage export

  • semanage(s: semanage_import_string)

    Sends semanage_import_string to semanage import

These methods can be used to manipulate local SELinux policy the same way it is done from a shell with the semanage export and semanage import commands. A few examples:

  • List all local modifications

    ^_^ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.customized
    method return time=1506428975.961835 sender=:1.523 -> destination=:1.522 serial=8 reply_serial=2
       string "boolean -D
    login -D
    interface -D
    user -D
    port -D
    node -D
    fcontext -D
    module -D
    boolean -m -1 selinuxuser_tcp_server
    login -a -s staff_u -r 's0-s0:c0.c1023' __default__
    login -a -s root -r 's0-s0:c0.c1023' root
    user -a -L s0 -r s0-s0:c0.c1023 -R 'secadm_r staff_r sysadm_r system_r unconfined_r' staff_u
    port -a -t ipp_port_t -p udp 22161
    fcontext -a -f a -t ddclient_initrc_exec_t '/usr/bin/redhat-internal-ddns-client.sh'
    fcontext -a -f a -t shell_exec_t '/usr/local/bin/zsh-secadm'
  • Drop all local port mapping modifications

    ^_^ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.semanage "string:port -D"
    method return time=1506429330.312157 sender=:1.534 -> destination=:1.533 serial=8 reply_serial=2
  • Add a file context mapping

    ^_^ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.semanage "string:fcontext -a -f a -t cockpit_ws_exec_t '/usr/libexec/cockpit-ssh'"
    method return time=1506429550.568289 sender=:1.552 -> destination=:1.556 serial=12 reply_serial=2

Known Issues

Some lists can be really long

The lists of fcontext mappings, booleans and ports can be really long:

^_^ semanage fcontext -l | wc -l
6581
^_^ semanage boolean -l | wc -l
320

Limits of current DBUS interface

  • Currently there is no DBUS interface to list particular elements of SELinux policy; only local modifications are listed.

  • The current interface is just a wrapper around the semanage [export|import] commands. A frontend that wants to use it needs to be able to parse the output of semanage export, and it hands the strings it sends to semanage() straight to semanage import, which the service runs with its own (root) privileges.
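The customized() reply shown above is the semanage export format a frontend has to parse, and semanage() takes the same line-oriented format back. The following Python is an added example, not code from Cockpit or policycoreutils: it parses export text into records, groups the real customizations by object type, and serializes validated import lines. SAMPLE_EXPORT is constructed from the customized() reply on this page; the Modification class and the function names are the example's own.

```python
"""Parse `semanage export` output (what org.selinux.customized() returns)
into records, and build validated `semanage import` lines for
org.selinux.semanage().

Added example, not code from Cockpit or policycoreutils. SAMPLE_EXPORT is
constructed from the customized() reply shown on this page.
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, List

# Object types semanage export can emit; each type appears first as
# "<type> -D" (drop all local modifications) followed by the re-adds.
KNOWN_TYPES = {"boolean", "login", "user", "port", "interface", "node",
               "fcontext", "module", "ibpkey", "ibendport"}
ACTIONS = {"a", "m", "d", "D", "e", "r"}   # add, modify, delete, drop all, enable, remove
VALUELESS = {"-1", "-0", "-N"}              # boolean --on/--off, --noreload
OPT_RE = re.compile(r"-[A-Za-z0-9]")

SAMPLE_EXPORT = """\
boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
boolean -m -1 selinuxuser_tcp_server
login -a -s staff_u -r 's0-s0:c0.c1023' __default__
login -a -s root -r 's0-s0:c0.c1023' root
user -a -L s0 -r s0-s0:c0.c1023 -R 'secadm_r staff_r sysadm_r system_r unconfined_r' staff_u
port -a -t ipp_port_t -p udp 22161
fcontext -a -f a -t ddclient_initrc_exec_t '/usr/bin/redhat-internal-ddns-client.sh'
fcontext -a -f a -t shell_exec_t '/usr/local/bin/zsh-secadm'
"""


@dataclass
class Modification:
    otype: str                                              # "fcontext", "port", ...
    action: str                                             # one of ACTIONS
    options: Dict[str, str] = field(default_factory=dict)   # {"-t": "ipp_port_t"}
    flags: List[str] = field(default_factory=list)          # ["-1"]
    target: str = ""                                        # path, port, user name


def parse_line(line: str, lineno: int = 0) -> Modification:
    """Parse one export line; shlex handles the single-quoted values."""
    argv = shlex.split(line)
    if (len(argv) < 2 or argv[0] not in KNOWN_TYPES
            or not OPT_RE.fullmatch(argv[1]) or argv[1][1] not in ACTIONS):
        raise ValueError(f"line {lineno}: not a semanage command: {line!r}")
    mod = Modification(otype=argv[0], action=argv[1][1])
    i = 2
    while i < len(argv):
        tok = argv[i]
        if tok in VALUELESS:
            mod.flags.append(tok)
            i += 1
        elif OPT_RE.fullmatch(tok):
            if i + 1 == len(argv):
                raise ValueError(f"line {lineno}: option {tok} has no value")
            mod.options[tok] = argv[i + 1]
            i += 2
        elif mod.target:
            raise ValueError(f"line {lineno}: extra positional {tok!r}")
        else:
            mod.target = tok
            i += 1
    return mod


def parse_export(text: str) -> List[Modification]:
    return [parse_line(l, n) for n, l in enumerate(text.splitlines(), 1)
            if l.strip() and not l.lstrip().startswith("#")]


def local_modifications(mods: List[Modification]) -> Dict[str, List[Modification]]:
    """Group the real customizations by object type, skipping the "-D" resets."""
    grouped: Dict[str, List[Modification]] = {}
    for m in mods:
        if m.action != "D":
            grouped.setdefault(m.otype, []).append(m)
    return grouped


def to_import_line(mod: Modification) -> str:
    """Serialize a record as one `semanage import` line.

    The D-Bus service runs the string as root and import is line-oriented,
    so a value containing a newline would become a second, unrelated
    command: refuse such values, and refuse a target that would be read
    as an option.
    """
    if mod.otype not in KNOWN_TYPES or mod.action not in ACTIONS:
        raise ValueError(f"unsupported {mod.otype} -{mod.action}")
    for v in list(mod.options.values()) + [mod.target]:
        if re.search(r"[\r\n\x00]", v):
            raise ValueError(f"control character in value {v!r}")
    if mod.target.startswith("-"):
        raise ValueError(f"target {mod.target!r} would be read as an option")
    if any(f not in VALUELESS for f in mod.flags):
        raise ValueError(f"bad flags {mod.flags!r}")
    parts = [mod.otype, "-" + mod.action, *mod.flags]
    for opt, val in mod.options.items():
        if not OPT_RE.fullmatch(opt):
            raise ValueError(f"bad option {opt!r}")
        parts += [opt, shlex.quote(val)]
    if mod.target:
        parts.append(shlex.quote(mod.target))
    return " ".join(parts)


if __name__ == "__main__":
    for otype, mods in local_modifications(parse_export(SAMPLE_EXPORT)).items():
        print(otype, [to_import_line(m) for m in mods])
```

The string returned by to_import_line is what a frontend would pass as the `s` argument of org.selinux.semanage; building it from a record rather than by string concatenation is what keeps a path or range typed into a web form from being turned into an extra `port -D` or `fcontext -D` line.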

