What's new with SELinux in RHEL7

Daniel J Walsh

Senior Principal Software Engineer

@rhatdan, danwalsh.livejournal.com, dwalsh@redhat.com

Thursday Oct 3 2013

Domains?


735 total domains

71 unconfined domains

disable the unconfined.pp module (semodule -d unconfined)

11 unconfined domains

New Confined Domains (156)

abrt_upload_watch_t
abrt_watch_log_t
ajaxterm_ssh_t
ajaxterm_t
anon_sftpd_t
antivirus_t
auditadm_dbusd_t
auditadm_gkeyringd_t
auditadm_screen_t
auditadm_seunshare_t
auditadm_su_t
auditadm_sudo_t
auditadm_t
auditadm_wine_t
authconfig_t
blktap_t
blueman_t
callweaver_t
cloud_init_t
cluster_t
collectd_t
colord_t
couchdb_t
dbadm_sudo_t
dbadm_t
ddclient_t
disk_munin_plugin_t
dnssec_trigger_t
fail2ban_client_t
firewalld_t
grid_crsd_t
grid_initrc_t
grid_t
gssproxy_t
haproxy_t
httpd_collectd_script_t
httpd_man2html_script_t
httpd_mojomojo_script_t
httpd_mythtv_script_t
httpd_passwd_t
httpd_webalizer_script_t
httpd_zoneminder_script_t
hypervkvp_t
iodined_t
isnsd_t
jockey_t
kdumpctl_t
keyboardd_t
ladvd_t
lsmd_t
mail_munin_plugin_t
mandb_t
mock_build_t
mock_t
mount_ecryptfs_t
mscan_t
nagios_openshift_plugin_t
neutron_t
nsd_crond_t
nsd_t
nsjoin_t
obex_t
openhpid_t
openshift_mail_t
openshift_min_app_t
openshift_min_t
openshift_net_app_t
openshift_net_t
openvpn_unconfined_script_t
oracle_root_t
oracle_t
oracleasm_t
pam_timestamp_t
pegasus_openlmi_account_t
pegasus_openlmi_admin_t
pegasus_openlmi_logicalfile_t
pegasus_openlmi_services_t
pegasus_openlmi_storage_t
pegasus_openlmi_system_t
pegasus_openlmi_unconfined_t
pesign_t

pki_ra_t
pki_tomcat_script_t
pki_tomcat_t
pki_tps_t
polipo_session_t
polipo_t
prosody_t
puppetca_t
pwauth_t
pyicqt_t
qemu_dm_t
rabbitmq_beam_t
rabbitmq_epmd_t
realmd_consolehelper_t
realmd_t
redis_t
rngd_t
rssh_chroot_helper_t
sandbox_firefox_client_t
sandbox_firefox_t
secadm_dbusd_t
secadm_gkeyringd_t
secadm_screen_t
secadm_seunshare_t
secadm_su_t
secadm_sudo_t
secadm_t
secadm_wine_t
selinux_munin_plugin_t
sepgsql_ranged_proc_t
services_munin_plugin_t
sftpd_t
smsd_t
spamd_update_t
squid_cron_t
sshd_net_t
sshd_sandbox_t
staff_gkeyringd_t
stapserver_t
svirt_lxc_net_t
svirt_qemu_net_t
svirt_socket_t
svirt_tcg_t
swift_t
sysadm_dbusd_t
system_munin_plugin_t
systemd_hostnamed_t
systemd_localed_t
systemd_logger_t
systemd_logind_t
systemd_notify_t
systemd_passwd_agent_t
systemd_sysctl_t
systemd_timedated_t
systemd_tmpfiles_t
tcsd_t
telepathy_logger_t
testpolicy_seunshare_t
testpolicy_t
thin_aeolus_configserver_t
thumb_t
tomcat_t
unconfined_munin_plugin_t
user_gkeyringd_t
virsh_ssh_t
virsh_t
virt_qemu_ga_unconfined_t
vlock_t
vnstat_t

Removed Confined Domains (72)

ada_t
aisexec_t
amavis_t
clamd_t
clamscan_t
consoletype_t
corosync_t
ethereal_t
freshclam_t
git_shell_t
gnomeclock_t
guest_dbusd_t
hald_acl_t
hald_dccm_t
hald_keymap_t
hald_mac_t
hald_sonypic_t
hald_t
hotplug_t
howl_t
hplip_t
httpd_cobbler_script_t
httpd_unconfined_script_t
java_t
kerneloops_t
kudzu_t
matahari_hostd_t
matahari_netd_t
matahari_rpcd_t
matahari_serviced_t
matahari_sysconfigd_t
mono_t
munin_disk_plugin_t
munin_mail_plugin_t
munin_selinux_plugin_t
munin_services_plugin_t
munin_system_plugin_t
munin_unconfined_plugin_t
nsplugin_config_t
nsplugin_t
openoffice_t
pacemaker_t
pam_t
qemu_t
quantum_t
rgmanager_t
rhnsd_t
samba_unconfined_net_t
sandbox_t
shutdown_t
staff_execmem_t
staff_java_t
staff_mono_t
staff_openoffice_t
tethereal_t
tzdata_t
unconfined_execmem_t
unconfined_java_t
unconfined_mono_t
unconfined_mount_t
unconfined_notrans_t
unconfined_sendmail_t
user_execmem_t
user_java_t
user_mono_t
user_openoffice_t
xdm_dbusd_t
xfs_t
xguest_execmem_t
xguest_java_t
xguest_mono_t
xguest_openoffice_t

Shrinking Policy Size RHEL6

# seinfo 

Statistics for policy file: /etc/selinux/targeted/policy/policy.24
Policy Version & Type: v.24 (binary, mls)

   Classes:            81    Permissions:       235
   Sensitivities:       1    Categories:       1024
   Types:            3620    Attributes:        280
   Users:               9    Roles:              12
   Booleans:          205    Cond. Expr.:       241
   Allow:          299690    Neverallow:          0
   Auditallow:        116    Dontaudit:      220788
   Type_trans:      30779    Type_change:        38
   Type_member:        48    Role allow:         20
   Role_trans:        308    Range_trans:      4521
   Constraints:        90    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             22
   Genfscon:           83    Portcon:           434
   Netifcon:            0    Nodecon:             0
   Permissives:        73    Polcap:              2

Shrinking Policy Size RHEL7

# seinfo 

Statistics for policy file: /sys/fs/selinux/policy
Policy Version & Type: v.28 (binary, mls)

   Classes:            83    Permissions:       253
   Sensitivities:       1    Categories:       1024
   Types:            4264    Attributes:        353
   Users:              10    Roles:              15
   Booleans:          263    Cond. Expr.:       314
   Allow:           86854    Neverallow:          0
   Auditallow:         12    Dontaudit:        8096
   Type_trans:      13806    Type_change:        80
   Type_member:        35    Role allow:         34
   Role_trans:        735    Range_trans:      4846
   Constraints:        97    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             25
   Genfscon:           91    Portcon:           524
   Netifcon:            1    Nodecon:             1
   Permissives:         8    Polcap:              2

Shrinking Policy Size

RHEL6

du /etc/selinux/targeted/policy/policy.24 
7116	/etc/selinux/targeted/policy/policy.24

RHEL7

du /etc/selinux/targeted/policy/policy.29 
2652	/etc/selinux/targeted/policy/policy.29

Systemd SELinux Integration

systemd now starts all daemons, so it transitions into all the init domains.

systemd can impersonate domains for start-on-demand services.

systemd SELinux access manager

Is NetworkManager_t allowed to start dhclient_t? httpd_t?

File Transitions


In RHEL6 there were three ways for a file object to get a label on creation.

1. Labeled the same as its containing directory.

2. Program could use SELinux API to request label.

3. File Transitions.

A process labeled A creating a file object in a directory labeled B gets label C.

File Transitions


What if a process needs to create two file objects in the same directory with different labels?

mkdir /root/.ssh

In RHEL6 the admin must run restorecon -r -v /root/.ssh,

or sshd will not be allowed to read the content.

File Name Transitions


In RHEL7 there is a 4th mechanism.

File Name Transitions

The policy writer can write:

If a process labeled A creates a file object in directory B with the name FOOBAR, create FOOBAR with the label C.

type_transition unconfined_t admin_home_t : dir ssh_home_t ".ssh";

In RHEL7 an admin typing mkdir /root/.ssh will automatically get the correct label!!!

Type_trans: 13806
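Added example (not part of the presentation): a small resolver that parses type_transition rules, including the RHEL7 named form from the slide, and works out which of the four labeling mechanisms decides a new object's type. SAMPLE_RULES is a constructed excerpt; the httpd_t/var_log_t rule is an assumption for illustration and should be checked against a real policy with sesearch -T.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed excerpt in SELinux type_transition syntax. The ".ssh" rule is the
# one on the slide; the httpd_t rule is assumed here purely for illustration.
SAMPLE_RULES = """
type_transition unconfined_t admin_home_t : dir ssh_home_t ".ssh";
type_transition httpd_t var_log_t : file httpd_log_t;
"""

RULE_RE = re.compile(
    r'type_transition\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s+'
    r'(?P<new>[^\s";]+)(?:\s+"(?P<name>[^"]*)")?\s*;'
)

# key: (source type, parent dir type, object class, filename or None) -> new type
Rules = Dict[Tuple[str, str, str, Optional[str]], str]


def parse_rules(text: str) -> Rules:
    """Index both unnamed and name-based type_transition rules."""
    rules: Rules = {}
    for m in RULE_RE.finditer(text):
        rules[(m["src"], m["tgt"], m["cls"], m["name"])] = m["new"]
    return rules


def resolve_create_label(rules: Rules, source: str, parent: str, tclass: str,
                         name: str, requested: Optional[str] = None) -> str:
    """Type a newly created object receives, trying the four RHEL7 mechanisms in order."""
    # Mechanism 2: the program asked for a label via the SELinux API; that wins.
    if requested is not None:
        return requested
    # Mechanism 4 (new in RHEL7): a name-based transition for this exact filename.
    named = rules.get((source, parent, tclass, name))
    if named is not None:
        return named
    # Mechanism 3: a plain type_transition for this source / parent / class.
    unnamed = rules.get((source, parent, tclass, None))
    if unnamed is not None:
        return unnamed
    # Mechanism 1: inherit the label of the containing directory.
    return parent


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    # The slide's case: mkdir /root/.ssh as unconfined_t lands in ssh_home_t.
    print(resolve_create_label(rules, "unconfined_t", "admin_home_t", "dir", ".ssh"))
```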

sepolicy tool chain


booleans - Description of booleans

communicate - Can domains communicate with each other

generate - Generate SELinux Policy module template

interface - See SELinux Policy interfaces

manpage - Generate SELinux man pages

network - See network information

transition - See how domain can transition to the target domain

sepolicy GUI


gui - New Application Centric Graphical User Interface

sepolicy Demonstration

SELinux and Containers

http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/openshift_selinux.ogv

If a file object is mislabeled you will get errors?

Someone put Skittles in the M&M dispenser!!!

Classic SELinux issue


vi ~/index.html

sudo mv ~/index.html /var/www/html

# wget localhost
--2013-08-08 11:33:24--  http://localhost/
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2013-08-08 11:33:24 ERROR 403: Forbidden.

How we currently diagnose

 tail -1 /var/log/httpd/error_log
[Thu Aug 08 11:33] Permission denied: AH00132: file permissions 
deny server access: /var/www/html/index.html

Maybe SELinux?

The kernel sends the message to the audit daemon.

auditd writes the message to /var/log/audit/audit.log

ausearch -m avc -ts recent
----
time->Thu Aug  8 11:33:24 2013
type=PATH msg=audit(1375976004.652:1042): name="/var/www/html/index.html"
inode=3145858 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 
obj=unconfined_u:object_r:user_home_t:s0
type=CWD msg=audit(1375976004.652:1042):  cwd="/"
type=AVC msg=audit(1375976004.652:1042): avc:  denied  { read } pid=23276
comm="httpd" name="index.html" dev="sda3" ino=3145858 
scontext=system_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

Setroubleshootd

writes a message to /var/log/messages

Aug 08 11:43:47 redsox setroubleshoot[24241]: SELinux is preventing 
/usr/sbin/httpd from read access on the file /var/www/html/index.html. 
For complete SELinux messages. run 
sealert -l fd6b9022-1ced-4065-905a-8f0e884f9915

writes its analysis to /var/lib/setroubleshoot/setroubleshoot_database.xml

sealert

sealert -l fd6b9022-1ced-4065-905a-8f0e884f9915
SELinux is preventing /usr/sbin/httpd from read access on the file 
/var/www/html/index.html.

*****  Plugin restorecon (92.2 confidence) suggests   ************************

If you want to fix the label. 
/var/www/html/index.html default label should be httpd_sys_content_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/www/html/index.html
...
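Added example, not from the presentation or from setroubleshoot itself: it parses the slide's AVC and PATH audit records, looks the path up in a constructed file_contexts excerpt, and reports the same restorecon fix the sealert plugin above suggests when the on-disk label differs from the policy default. The FILE_CONTEXTS table is an assumption that mirrors the targeted policy; confirm entries with matchpathcon on a real host.

```python
import re
from typing import Dict, Optional

# The slide's AVC and PATH records from /var/log/audit/audit.log, each joined
# back onto one line (auditd writes one record per line).
AVC_LINE = ('type=AVC msg=audit(1375976004.652:1042): avc:  denied  { read } pid=23276 '
            'comm="httpd" name="index.html" dev="sda3" ino=3145858 '
            'scontext=system_u:system_r:httpd_t:s0 '
            'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file')
PATH_LINE = ('type=PATH msg=audit(1375976004.652:1042): name="/var/www/html/index.html" '
             'inode=3145858 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 '
             'obj=unconfined_u:object_r:user_home_t:s0')

# Constructed excerpt in file_contexts(5) form: (regex, default context).
# Assumed to mirror the targeted policy; verify with matchpathcon.
FILE_CONTEXTS = [
    (r"/.*", "system_u:object_r:default_t:s0"),
    (r"/var/www(/.*)?", "system_u:object_r:httpd_sys_content_t:s0"),
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Split an audit record into key=value fields, unquoting values."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    perms = re.search(r'\{\s*([^}]*?)\s*\}', line)  # the denied permission set
    if perms:
        fields["perms"] = perms.group(1)
    return fields


def default_context(path: str) -> Optional[str]:
    """Policy default for a path; the last matching entry wins, so appended local
    customizations (semanage fcontext) override base entries."""
    match = None
    for regex, ctx in FILE_CONTEXTS:
        if re.fullmatch(regex, path):
            match = ctx
    return match


def diagnose(avc_line: str, path_line: str) -> Dict[str, str]:
    """Compare the object's actual type with the policy default for its path."""
    avc, path = parse_record(avc_line), parse_record(path_line)
    actual_type = avc["tcontext"].split(":")[2]
    expected = default_context(path["name"])
    expected_type = expected.split(":")[2] if expected else actual_type
    result = {"source": avc["scontext"].split(":")[2], "perm": avc["perms"],
              "path": path["name"], "actual": actual_type, "expected": expected_type}
    if expected_type != actual_type:  # mislabeled: the restorecon case
        result["fix"] = f"restorecon -v {path['name']}"
    return result
```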

System writes information all over the place

/var/log/httpd/error_log

/var/log/audit/audit.log

/var/log/messages

/var/lib/setroubleshoot/setroubleshoot_database.xml

SETroubleshoot integration with journald

type=AVC msg=audit(1375976004.652:1042): avc:  denied  { read } pid=23276
comm="httpd" name="index.html" dev="sda3" ino=3145858 
scontext=system_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

Journald now allows privileged logging tools to reference other processes by PID

SETroubleshoot integration with journald

systemctl status httpd

# systemctl status -l httpd
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: active (running) since Thu 2013-08-08 11:33:15 EDT; 45min ago
 Main PID: 23272 (httpd)
   Status: "Total requests: 4; Current requests/sec: 0; ..."
   CGroup: /system.slice/httpd.service
...
Aug 08 11:33:15 redsox systemd[1]: Started The Apache HTTP Server.
Aug 08 11:33:23 redsox python[23287]: SELinux is preventing /usr/sbin/httpd 
from read access on the file /var/www/html/index.html.
*****  Plugin restorecon (

Secure Linux Containers

Labeled NFS

https://access.redhat.com/site/videos/214723

IDM/FreeIPA supports SELinux Confined Users

At login sssd contacts FreeIPA for user@machine

Downloads the mapping into /etc/selinux/targeted/logins

cat dwalsh
sshd:staff_u:s0-s0:c0.c1023
*:guest_u:s0-s0:c0.c1023
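Added example (not from the presentation or from sssd/libselinux): it resolves the SELinux user and MLS range that a PAM service gets from the per-user logins file shown above, with an exact service entry taking precedence over the "*" default, and then builds the login context. The seuser-to-role/type table is an assumption for illustration.

```python
from typing import Dict, Optional, Tuple

# Contents of /etc/selinux/targeted/logins/dwalsh as shown on the slide:
# one "service:seuser:mls_range" line per service, "*" as the default.
LOGINS_DWALSH = """\
sshd:staff_u:s0-s0:c0.c1023
*:guest_u:s0-s0:c0.c1023
"""

# Assumed default role and type for each SELinux user (targeted policy names).
SEUSER_DEFAULTS: Dict[str, Tuple[str, str]] = {
    "staff_u": ("staff_r", "staff_t"),
    "guest_u": ("guest_r", "guest_t"),
}


def lookup_seuser(logins_text: str, service: str) -> Optional[Tuple[str, str]]:
    """Return (seuser, range) for a PAM service: exact service first, then '*'."""
    default = None
    for line in logins_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        svc, seuser, level = line.split(":", 2)
        if svc == service:
            return seuser, level
        if svc == "*":
            default = (seuser, level)
    return default


def login_context(logins_text: str, service: str) -> Optional[str]:
    """Full user:role:type:range context a login through `service` would get."""
    found = lookup_seuser(logins_text, service)
    if found is None:
        return None
    seuser, level = found
    role, typ = SEUSER_DEFAULTS[seuser]
    return f"{seuser}:{role}:{typ}:{level}"


if __name__ == "__main__":
    # An ssh login is confined as staff_u, anything else falls back to guest_u.
    print(login_context(LOGINS_DWALSH, "sshd"))
    print(login_context(LOGINS_DWALSH, "login"))
```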

sudo can be configured by IPA with an SELinux config:

dwalsh ALL=(ALL) TYPE=webadm_t ROLE=webadm_r	ALL

Confined Users
Active Directory

being worked on

Future RHEL7?

New coreutils
mv -Z
cp -Z
install -Z
mkdir -Z

Future

Friendly EPERM

questions?