Security management with SELinux

SELinux protects and manages the security of a server. It protects resources; the system's active SELinux mode can be changed and the default SELinux mode can be set.

SELinux context

Manage the SELinux policy rules that determine the default context of files and directories with the semanage fcontext command, and apply the context defined by the SELinux policy to files and directories with the restorecon command.

General policy

The global SELinux mode, switched with setenforce and read back with getenforce:

# setenforce 0
# getenforce
Permissive
# setenforce 1
# getenforce
Enforcing

For the setting to be persistent, it must be changed directly in /etc/selinux/config, followed by a reboot:

# cat /etc/selinux/config
SELINUX=enforcing

Website case

Case of a website served from a non-standard directory.

# mkdir /myBlog
# echo "Mon super Blog !" > /myBlog/index.html
# vim /etc/httpd/conf/httpd.conf 

#DocumentRoot "/var/www/html"
DocumentRoot "/myBlog"

#<Directory "/var/www">
<Directory "/myBlog">
AllowOverride None
# Allow open access:
Require all granted
</Directory>
# systemctl enable httpd.service --now
# curl http://192.168.1.113/index.html
[...]
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
[...]
# semanage fcontext -a -t httpd_sys_content_t "/myBlog(/.*)?"
# restorecon -R -v /myBlog
Relabeled /myBlog from unconfined_u:object_r:default_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /myBlog/index.html from unconfined_u:object_r:default_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
# curl http://192.168.1.113/index.html
Mon super Blog !

Booleans

Enable and disable SELinux policy rules with the setsebool command, manage the persistent value of SELinux booleans with the semanage boolean -l command, and consult the man pages ending in _selinux to find useful information on SELinux booleans.

Accessibility of all ~ directories

Case of making all ~<user> directories accessible.

As root:

# vim /etc/httpd/conf.d/userdir.conf
<IfModule mod_userdir.c>
[...]
# UserDir disabled

# To enable requests to /~user/ to serve the user's public_html directory, remove
# the "UserDir disabled" line above, and uncomment the following line instead:

UserDir public_html

</IfModule>
# systemctl enable --now httpd

As user:

$ mkdir /home/aline/public_html
$ echo "Aline's personal Blog !" > /home/aline/public_html/index.html
$ chmod 711 /home/aline/
$ curl http://192.168.1.113/~aline/index.html
[...]
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>

As root:

# getsebool -a | grep homedirs
git_cgi_enable_homedirs --> off
git_system_enable_homedirs --> off
httpd_enable_homedirs --> off
mock_enable_homedirs --> off
mpd_enable_homedirs --> off
openvpn_enable_homedirs --> on
ssh_chroot_rw_homedirs --> off
# setsebool -P httpd_enable_homedirs on

As user:

$ curl http://192.168.1.113/~aline/index.html
Aline's personal Blog !

Example from man setsebool:

EXAMPLE
Enable container_use_devices boolean (will return to persistent value after reboot)
# setsebool container_use_devices 1
Persistently enable samba_create_home_dirs and samba_enable_home_dirs booleans
# setsebool -P samba_create_home_dirs=on samba_enable_home_dirs=on

Logs

Using the SELinux log analysis tools to display useful information.

$ curl http://192.168.1.110/~john/index.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>

To view the recent access violations:

# ausearch -m AVC -ts today p
----
time->Sat Nov 2 08:16:24 2024
type=PROCTITLE msg=audit(1730531784.475:1092): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1730531784.475:1092): arch=c000003e syscall=262 success=no exit=-13 a0=ffffff9c a1=7f9284004b28 a2=7f929fffe8b0 a3=0 items=0 ppid=84633 pid=84635 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1730531784.475:1092): avc: denied { getattr } for pid=84635 comm="httpd" path="/home/john/public_html/index.html" dev="dm-0" ino=328646 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=file permissive=0
----
time->Sat Nov 2 08:16:24 2024
type=PROCTITLE msg=audit(1730531784.475:1093): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1730531784.475:1093): arch=c000003e syscall=262 success=no exit=-13 a0=ffffff9c a1=7f9284004c18 a2=7f929fffe8b0 a3=100 items=0 ppid=84633 pid=84635 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1730531784.475:1093): avc: denied { getattr } for pid=84635 comm="httpd" path="/home/john/public_html/index.html" dev="dm-0" ino=328646 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=file permissive=0

To filter the SELinux-related events in /var/log/messages, and quickly spot the SELinux messages in the system logs without having to go through the whole file.

The logs give the command to run to pinpoint the problem:

# cat /var/log/messages | grep SELinux
[...]
Nov 2 08:16:24 Redhat1-Test2 systemd[1]: Starting SETroubleshoot daemon for processing new SELinux denial logs...
Nov 2 08:16:24 Redhat1-Test2 systemd[1]: Started SETroubleshoot daemon for processing new SELinux denial logs.
Nov 2 03:16:26 Redhat1-Test2 setroubleshoot[84843]: SELinux is preventing /usr/sbin/httpd from getattr access on the file /home/john/public_html/index.html. For complete SELinux messages run: sealert -l b3bfc527-326d-49f8-8e62-910ac6d13ab9
Nov 2 03:16:26 Redhat1-Test2 setroubleshoot[84843]: SELinux is preventing /usr/sbin/httpd from getattr access on the file /home/john/public_html/index.html.#012#012***** Plugin catchall_boolean (32.5 confidence) suggests ******************#012#012If you want to allow httpd to enable homedirs#012Then you must tell SELinux about this by enabling the 'httpd_enable_homedirs' boolean.#012#012Do#012setsebool -P httpd_enable_homedirs 1#012#012***** Plugin catchall_boolean (32.5 confidence) suggests ******************#012#012If you want to allow httpd to unified#012Then you must tell SELinux about this by enabling the 'httpd_unified' boolean.#012#012Do#012setsebool -P httpd_unified 1#012#012***** Plugin public_content (32.5 confidence) suggests ********************#012#012If you want to treat index.html as public content#012Then you need to change the label on index.html to public_content_t or public_content_rw_t.#012Do#012# semanage fcontext -a -t public_content_t '/home/john/public_html/index.html'#012# restorecon -v '/home/john/public_html/index.html'#012#012***** Plugin catchall (4.5 confidence) suggests ***************************#012#012If you believe that httpd should be allowed getattr access on the index.html file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'httpd' --raw | audit2allow -M my-httpd#012# semodule -X 300 -i my-httpd.pp#012
Nov 2 03:16:27 Redhat1-Test2 setroubleshoot[84843]: SELinux is preventing /usr/sbin/httpd from getattr access on the file /home/john/public_html/index.html. For complete SELinux messages run: sealert -l b3bfc527-326d-49f8-8e62-910ac6d13ab9
Nov 2 03:16:27 Redhat1-Test2 setroubleshoot[84843]: SELinux is preventing /usr/sbin/httpd from getattr access on the file /home/john/public_html/index.html.#012#012***** Plugin catchall_boolean (32.5 confidence) suggests ******************#012#012If you want to allow httpd to enable homedirs#012Then you must tell SELinux about this by enabling the 'httpd_enable_homedirs' boolean.#012#012Do#012setsebool -P httpd_enable_homedirs 1#012#012***** Plugin catchall_boolean (32.5 confidence) suggests ******************#012#012If you want to allow httpd to unified#012Then you must tell SELinux about this by enabling the 'httpd_unified' boolean.#012#012Do#012setsebool -P httpd_unified 1#012#012***** Plugin public_content (32.5 confidence) suggests ********************#012#012If you want to treat index.html as public content#012Then you need to change the label on index.html to public_content_t or public_content_rw_t.#012Do#012# semanage fcontext -a -t public_content_t '/home/john/public_html/index.html'#012# restorecon -v '/home/john/public_html/index.html'#012#012***** Plugin catchall (4.5 confidence) suggests ***************************#012#012If you believe that httpd should be allowed getattr access on the index.html file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'httpd' --raw | audit2allow -M my-httpd#012# semodule -X 300 -i my-httpd.pp#012
[...]

As indicated in the logs, run sealert -l b3bfc527-326d-49f8-8e62-910ac6d13ab9:

# sealert -l b3bfc527-326d-49f8-8e62-910ac6d13ab9
SELinux is preventing /usr/sbin/httpd from getattr access on the file /home/john/public_html/index.html.

***** Plugin catchall_boolean (32.5 confidence) suggests ******************

If you want to allow httpd to enable homedirs
Then you must tell SELinux about this by enabling the 'httpd_enable_homedirs' boolean.

Do
setsebool -P httpd_enable_homedirs 1

***** Plugin catchall_boolean (32.5 confidence) suggests ******************

If you want to allow httpd to unified
Then you must tell SELinux about this by enabling the 'httpd_unified' boolean.

Do
setsebool -P httpd_unified 1

***** Plugin public_content (32.5 confidence) suggests ********************

If you want to treat index.html as public content
Then you need to change the label on index.html to public_content_t or public_content_rw_t.
Do
# semanage fcontext -a -t public_content_t '/home/john/public_html/index.html'
# restorecon -v '/home/john/public_html/index.html'

***** Plugin catchall (4.5 confidence) suggests ***************************

If you believe that httpd should be allowed getattr access on the index.html file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -X 300 -i my-httpd.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context unconfined_u:object_r:httpd_user_content_t:s0
Target Objects /home/john/public_html/index.html [ file ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host Redhat1-Test2
Source RPM Packages httpd-core-2.4.57-11.el9_4.1.x86_64
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-38.1.23-1.el9.noarch
Local Policy RPM selinux-policy-targeted-38.1.23-1.el9.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name Redhat1-Test2
Platform Linux Redhat1-Test2 5.14.0-362.8.1.el9_3.x86_64 #1
SMP PREEMPT_DYNAMIC Tue Oct 3 11:12:36 EDT 2023
x86_64 x86_64
Alert Count 2
First Seen 2024-11-02 08:16:24 EDT
Last Seen 2024-11-02 08:16:24 EDT
Local ID b3bfc527-326d-49f8-8e62-910ac6d13ab9

Raw Audit Messages
type=AVC msg=audit(1730531784.475:1093): avc: denied { getattr } for pid=84635 comm="httpd" path="/home/john/public_html/index.html" dev="dm-0" ino=328646 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1730531784.475:1093): arch=x86_64 syscall=newfstatat success=no exit=EACCES a0=ffffff9c a1=7f9284004c18 a2=7f929fffe8b0 a3=100 items=0 ppid=84633 pid=84635 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,httpd_user_content_t,file,getattr

Here too, the output gives solutions to resolve the problem:

If you want to allow httpd to enable homedirs
Then you must tell SELinux about this by enabling the 'httpd_enable_homedirs' boolean.

Do
setsebool -P httpd_enable_homedirs 1

So, run setsebool -P httpd_enable_homedirs 1:

# setsebool -P httpd_enable_homedirs 1

And access to the web page is allowed:

# curl http://192.168.1.110/~john/index.html
My Page ! This is John's Blog !
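As an added example (not part of the original page), a small Python parser that reads raw AVC records such as the ausearch output above, skips non-AVC records, counts denials by the five fields sealert prints on its Hash: line, and separates enforced denials from permissive-mode ones. The third AVC record in the sample input is constructed for illustration and is not from the page.

```python
import re
from collections import Counter

# Constructed sample: the two AVC records from the ausearch output above, one
# non-AVC record that must be skipped, and a third hypothetical denial
# (assumption, not from the page) logged in permissive mode.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1730531784.475:1092): avc: denied { getattr } for pid=84635 comm="httpd" path="/home/john/public_html/index.html" dev="dm-0" ino=328646 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1730531784.475:1092): arch=c000003e syscall=262 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1730531784.475:1093): avc: denied { getattr } for pid=84635 comm="httpd" path="/home/john/public_html/index.html" dev="dm-0" ino=328646 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1730531999.001:1201): avc: denied { read open } for pid=84635 comm="httpd" path="/myBlog/index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
"""

# avc: denied { perm ... } for key=value key="quoted value" ...
AVC_RE = re.compile(r'type=AVC .*?avc: denied \{\s*(?P<perms>[^}]+?)\s*\} for (?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the AVC record as a dict (quotes stripped), None for other records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec

def context_type(ctx):
    """user:role:type:level -> type, e.g. httpd_t."""
    return ctx.split(':')[2]

def signatures(rec):
    """One 'comm,source type,target type,class,permission' key per denied
    permission: the same five fields sealert prints on its Hash: line."""
    src, tgt = context_type(rec['scontext']), context_type(rec['tcontext'])
    return [f"{rec['comm']},{src},{tgt},{rec['tclass']},{p}" for p in rec['perms']]

def summarize_denials(text):
    """Count denials per signature (what sealert reports as Alert Count)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        counts.update(signatures(rec))
    return counts

def enforced_denials(text):
    """Only denials that actually blocked an access (permissive=0); a
    permissive=1 record was logged but the access went through."""
    return [r for r in map(parse_avc, text.splitlines()) if r and r.get('permissive') == '0']
```

Feed it `ausearch -m AVC --raw` output and the signature with the highest count is the denial to investigate first; a permissive=1 record means the access was only logged, not blocked.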

Order

To resolve SELinux-related problems:

# ausearch -m AVC -ts today p           // Recent access violations
# cat /var/log/messages | grep SELinux // Pinpoint the problem
# sealert -l <ID> // The ID and the command are given by the previous cmd
# setsebool -P httpd_enable_homedirs 1 // Cmd given by the previous cmd

Documentation

Internet
MAN
