SELinux confined system with Fedora 27

Run Fedora 27 without unconfined_t

Goal

All processes run with a confined domain.

Setup

^_^ semanage login -l
Login Name           SELinux User         MLS/MCS Range        Service
__default__          staff_u              s0-s0:c0.c1023       *
plautrba             staff_u              s0-s0:c0.c1023       *
root                 root                 s0-s0:c0.c1023       *
^_^ semanage user -l | grep staff_u
staff_u   user   s0   s0-s0:c0.c1023   secadm_r staff_r sysadm_r system_r unconfined_r
^_^ semanage boolean -l -C
SELinux boolean                State  Default Description
selinuxuser_tcp_server         (on   ,   on)  Allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users)  disabling this forces FTP passive mode and may change other protocols.
staff_use_svirt                (on   ,   on)  allow staff user to create and transition to svirt domains.
xserver_execmem                (on   ,   on)  Allows XServer to execute writable memory
^_^ cat /etc/sudoers.d/selinux
%wheel    ALL=(ALL)  TYPE=sysadm_t ROLE=sysadm_r    ALL
%wheel    ALL=(ALL)  TYPE=secadm_t ROLE=secadm_r    /usr/local/bin/zsh-secadm
%wheel    ALL=(ALL)  TYPE=secadm_t ROLE=secadm_r    /usr/sbin/semanage,/usr/sbin/semodule

Missing rules

A lot - myconfined.cil ;)

^_^ wc -l myconfined.cil
119 myconfined.cil

Current state

^_^ getenforce
Enforcing

Confined users

^_^ id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023
^_^ sudo -i
^_^ id -Z
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023

Confined processes

^_^ ps Z
LABEL                             PID  TTY         STAT   TIME COMMAND
staff_u:staff_r:staff_t:s0-s0:c0.c1023 2401  pts/2  Ss   0:00 /usr/bin/zsh
staff_u:sysadm_r:ssh_t:s0-s0:c0.c1023  10526 pts/12 S+   0:00 ssh localhost
staff_u:staff_r:staff_t:s0-s0:c0.c1023 10605 pts/11 S+   0:00 vim Fully-SELinux-confined-system-with-Fedora-27.adoc
staff_u:staff_r:staff_screen_t:s0-s0:c0.c1023 14770 pts/4 S+   0:00 tmux new-session -s openscap
staff_u:staff_r:staff_t:s0-s0:c0.c1023 18754 pts/9  S+   0:02 vim src/OVAL/probes/unix/process58.c
staff_u:staff_r:staff_t:s0-s0:c0.c1023 25788 pts/10 S+   0:00 cscope -R
staff_u:staff_r:staff_t:s0-s0:c0.c1023 26368 pts/10 S+   0:00 vim +85 libselinux/src/ccntext.c
^_^ ps axZ | grep unconfined
staff_u:staff_r:staff_t:s0-s0:c0.c1023 13740 pts/12 S+   0:00 grep --color=auto --exclude-dir=.bzr --exclude-dir=CVS --exclude-dir=.git --exclude-dir=.hg --exclude-dir=.svn unconfined

unconfined module disabled

^_^ sudo semodule -lfull | grep unconfined
100 unconfined        pp disabled
100 unconfineduser    pp
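The three checks above (no process in unconfined_t, the unconfined module disabled, no login mapped to unconfined_u) are done by hand in the listings; as an added example that is not part of the original post, the following POSIX sh functions script them. Each check reads the output of the corresponding command from stdin, and the sample outputs at the bottom are constructed from the post's listings, not captured from a live system.

```sh
#!/bin/sh
# Added example (not from the original post): scripted versions of the three
# checks the post does by hand: no process runs in unconfined_t, the
# unconfined module is disabled, and no login is mapped to unconfined_u.
# Each check reads the output of the corresponding command from stdin, so it
# works on the live system (`ps -eZ | check_ps_confined`) or on saved output.

# Exit 0 when no process label has unconfined_t as its type (third ':' field).
check_ps_confined() {
    awk 'NR > 1 { split($1, f, ":"); if (f[3] == "unconfined_t") bad = 1 }
         END { exit bad + 0 }'
}

# Exit 0 when `semodule -lfull` lists the unconfined module as disabled.
# Columns are: priority, module name, format, optional "disabled".
check_unconfined_module_disabled() {
    awk '$2 == "unconfined" { seen = 1; if ($4 == "disabled") off = 1 }
         END { exit !(seen && off) }'
}

# Exit 0 when no line of `semanage login -l` maps a login to unconfined_u.
# (The header line has "Name" in column 2, so it never matches.)
check_login_mappings() {
    awk '$2 == "unconfined_u" { bad = 1 } END { exit bad + 0 }'
}

# Run all three checks against the live system; needs policycoreutils.
audit_live() {
    ps -eZ | check_ps_confined && echo "processes: no unconfined_t"
    semodule -lfull | check_unconfined_module_disabled && echo "module: unconfined disabled"
    semanage login -l | check_login_mappings && echo "logins: no unconfined_u"
}

# Constructed sample outputs modelled on the post's listings (not captured
# from a real system), so the checks can be exercised offline.
SAMPLE_PS='LABEL PID TTY STAT TIME COMMAND
staff_u:staff_r:staff_t:s0-s0:c0.c1023 2401 pts/2 Ss 0:00 /usr/bin/zsh
staff_u:sysadm_r:ssh_t:s0-s0:c0.c1023 10526 pts/12 S+ 0:00 ssh localhost'
SAMPLE_PS_BAD='LABEL PID TTY STAT TIME COMMAND
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2401 pts/2 Ss 0:00 /usr/bin/zsh'
SAMPLE_MODULES='100 unconfined        pp disabled
100 unconfineduser    pp'
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service
__default__          staff_u              s0-s0:c0.c1023       *
root                 root                 s0-s0:c0.c1023       *'
```

On a system set up as in the post, `audit_live` prints all three lines; a missing line points at the check that failed.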
