Manage SELinux

TIPS & TRICKS

To search the man pages (-k searches names and short descriptions, -K searches the full text of the pages):

# man -k searchterm
# man -K searchterm

SELinux task examples

To keep in mind.

Mode:

# cat /etc/selinux/config               // SELINUX=enforcing|permissive|disabled - permanent, applied at boot

Web site:

# vim /etc/httpd/conf/httpd.conf        // Change document root if needed
# systemctl enable httpd.service --now
# systemctl reload httpd.service
# man semanage-fcontext
# semanage fcontext -a -t httpd_sys_content_t "/myBlog(/.*)?"
# restorecon -R -v /myBlog

Users directories (non standard directories):

# vim /etc/httpd/conf/httpd.conf        // Uncomment "UserDir public_html" and comment "UserDir disabled"
# systemctl enable httpd.service --now
# systemctl reload httpd.service
$ mkdir /home/aline/public_html
$ chmod 711 /home/aline/
# getsebool -a | grep homedirs
# setsebool -P httpd_enable_homedirs on

Specific problem:

# ausearch -m AVC -ts today             // Recent access denials
# grep SELinux /var/log/messages        // Narrow down the problem
# sealert -l <ID>                       // The ID and the command are given by the previous command
# setsebool -P httpd_enable_homedirs 1  // Command suggested by the previous command

See: http://n0tes.fr/2024/10/30/RH-Gestion-de-la-securite-avec-SELinux/

Configure SELinux 1

| Enable SELinux in enforcing mode

Check the status of SELinux:

# getenforce
Permissive

Make it permanent by modifying the value in /etc/selinux/config (setenforce 1 switches to enforcing immediately, but only the file survives a reboot):

# vim /etc/selinux/config
SELINUX=enforcing
# systemctl reboot

After the reboot, recheck the status of SELinux:

# getenforce
Enforcing

Configure SELinux 2

| Make sure SELinux is in enforcing mode
| Configure an SELinux context so that Apache can access a /webdata directory.

# setenforce 1
# vim /etc/selinux/config
SELINUX=enforcing

Filesystem access to the directory for Apache (giving the files to the apache user is not required for read-only content: root-owned files with modes 755/644 are readable by httpd and cannot be modified by it):

# chown -R apache:apache /webdata
# chmod 755 /webdata

Set the context for Apache (which reads httpd_sys_content_t):

# semanage fcontext -a -t httpd_sys_content_t "/webdata(/.*)?"
# restorecon -Rv /webdata

Note: # chcon -R -t httpd_sys_content_t /webdata is not persistent: it changes the labels on disk but records nothing in the policy, so the next restorecon or relabel reverts them.

See man semanage-fcontext

Configure SELinux 2

| Assign the same SELinux contexts used by the home directories to the /xfs directory permanently.

Check the home directory context with the -Z option:

# ls -Z /home
drwx------. john john unconfined_u:object_r:user_home_dir_t:s0 john
# semanage fcontext -a -t user_home_dir_t "/xfs(/.*)?"
# restorecon -R -v /xfs

See man semanage-fcontext

Configure SELinux 3

| Your webcontent has been configured at port 82 in the /var/www/html directory.
| (Don’t alter or remove any files in this directory)
| Make the content accessible.

# yum install httpd -y               // These first 3 steps are to set up the question
# cat /var/www/html/index.html       // Hello World!
# cat /etc/httpd/conf/httpd.conf // Listen 82
# systemctl status httpd

Check whether port 82 is allowed for httpd and, if it is not, add it:

# semanage port -l | grep http                    // http_port_t lists the ports httpd may bind
# semanage port -a -t http_port_t -p tcp 82       // -a=add, -t=type, -p=protocol (use -m if the port is already assigned to another type)
# semanage port -l | grep http                    // verify that port 82 is now listed
# systemctl enable httpd
# systemctl restart httpd

You need to configure the firewall:

# firewall-cmd --add-port=82/tcp --permanent
# firewall-cmd --reload
# firewall-cmd --list-all                         // check that 82/tcp is listed under ports
# curl http://servera.lab.example.com:82
Hello World!

Configure SELinux 4

| An HTTP web server running on non-standard port 82 is having issues serving content.
| Debug and fix the issues.
| - The web server on your system can serve all the existing HTML files from /var/www/html
| ( NOTE: Do not make any changes to these files ).
| - Web service should automatically start at boot time.

Find the sealert messages

# grep -i sealert /var/log/messages

Copy the command from the logs

# sealert -l <HASH_CODE>

Run the command suggested in the output of the previous command, for example:

# setsebool -P httpd_unified 1

Check that the suggestion matches the denial before applying it: for a non-standard port the fix is a semanage port rule (as in Configure SELinux 3), and a broad boolean such as httpd_unified relaxes the httpd policy for all web content types.

Finally enable the httpd service

# systemctl enable --now httpd

Configure SELinux 5

| Adjust the context of port 2332 to xen_port_t using the tcp protocol.

# semanage port -l | grep 2332
# semanage port -a -t xen_port_t -p tcp 2332
# semanage port -l | grep 2332

Configure SELinux 6

| Install Apache and allow it to get documents from an NFS mounted folder

The first step is to install Apache with DNF. It does not require special treatment, just type:

# dnf install -y httpd

Whenever you install a service that listens on the network, remember to configure the firewall to allow incoming connections for it. Note the '--permanent' option, which saves the rule so that it survives a reboot:

# firewall-cmd --permanent --add-service=http
# firewall-cmd --reload

Besides the firewall configuration for network services, remember to enable every service you install (so that it starts after a reboot) and to start it right after the installation (services usually do not start as part of the installation process):

# systemctl enable httpd
# systemctl start httpd

At the end of the exam SELinux should be enabled and in enforcing mode, so always pay attention to this aspect of the system configuration. The usual difficulty with SELinux is finding out which rule has to be changed.

One easy way to tell which SELinux configuration is needed is the sealert command. It diagnoses SELinux denials, tries to give a user-friendly explanation of each denial and recommends how to adjust the system so that the denial does not recur.

So use this command to analyze the SELinux denial log /var/log/audit/audit.log:

# sealert -a /var/log/audit/audit.log

The output suggests adjusting the following boolean:

*****  Plugin catchall_boolean (47.5 confidence) suggests   ******************

If you want to allow httpd to use nfs
Then you must tell SELinux about this by enabling the 'httpd_use_nfs' boolean.

Do
setsebool -P httpd_use_nfs 1
Or, for persistent after reboot,
semanage boolean --on --modify httpd_use_nfs

After executing setsebool -P httpd_use_nfs 1 (the -P already makes the change persistent across reboots), Apache is allowed to serve documents from the NFS mounted folder.
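The triage that sealert automates can be sketched by hand, which also clarifies what the "Specific problem" commands earlier on this page are looking for. The script below is an added example for these notes, not code from the original page or from any SELinux tool: it parses raw AVC records in the format written to /var/log/audit/audit.log (and printed by ausearch -m AVC) and maps the four situations this page deals with (a mislabeled file, a port not assigned to the service, content on NFS, content in home directories) to the remedy the notes give for each. The three records are constructed for the demo, and the labels in them (default_t under /var/www/html, reserved_port_t on tcp/82, nfs_t on the mount) are assumptions; anything the rules do not recognise is handed back to sealert -l, which remains the authoritative diagnosis.

```shell
#!/usr/bin/env bash
# Added example: first-pass triage of AVC denials (not part of the original
# notes or of any SELinux tool). Records are parsed as written to
# /var/log/audit/audit.log; the three below are constructed for the demo.
# The rules only cover the cases these notes discuss; everything else is
# deferred to `sealert -l <ID>`.

# Constructed AVC records (assumed labels: default_t on a file under
# /var/www/html, reserved_port_t on tcp/82, nfs_t on an NFS mount).
AVC_MISLABELED='type=AVC msg=audit(1730290000.123:456): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/file1" dev="vda1" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0'
AVC_PORT='type=AVC msg=audit(1730290001.456:457): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=82 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0'
AVC_NFS='type=AVC msg=audit(1730290002.789:458): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="0:45" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=0'

# Print the value of key=value in an AVC record (quotes dropped, empty line
# if the key is absent). Always succeeds so callers can use it under set -e.
avc_field() {
    local re="[[:space:]]$2=\"?([^\"[:space:]]*)"
    if [[ $1 =~ $re ]]; then printf '%s\n' "${BASH_REMATCH[1]}"; else echo; fi
}

# Extract the type from a user:role:type:level security context.
ctx_type() {
    local rest=${1#*:}
    rest=${rest#*:}
    printf '%s\n' "${rest%%:*}"
}

# Classify one record and print "<class>: <suggested remedy>".
avc_triage() {
    # The first permission after "denied  {" (the '.' matches the brace).
    local rec=$1 perm='' re='denied[[:space:]]+.[[:space:]]*([a-z_]+)'
    local src path tclass stype ttype
    if [[ $rec =~ $re ]]; then perm=${BASH_REMATCH[1]}; fi
    tclass=$(avc_field "$rec" tclass)
    stype=$(ctx_type "$(avc_field "$rec" scontext)")
    ttype=$(ctx_type "$(avc_field "$rec" tcontext)")
    src=$(avc_field "$rec" src)
    path=$(avc_field "$rec" path)

    case "$perm:$stype:$ttype" in
        name_bind:*:*)
            # The port is not in the service's port type: semanage port, not chcon.
            echo "port: $src is labeled $ttype; run: semanage port -a -t <service>_port_t -p tcp $src (use -m if the port is already assigned to another type)" ;;
        *:*:default_t|*:*:unlabeled_t)
            # No policy rule produces this label on content: the file needs relabeling.
            echo "relabel: $ttype is not a content type; run: restorecon -Rv ${path:-<path>}" ;;
        *:httpd_t:nfs_t)
            echo "boolean: setsebool -P httpd_use_nfs 1" ;;
        *:httpd_t:user_home_t|*:httpd_t:user_home_dir_t)
            echo "boolean: setsebool -P httpd_enable_homedirs 1" ;;
        *)
            echo "unknown: $stype -> $ttype ($tclass $perm); run: sealert -l <ID> with the ID from sealert/ausearch" ;;
    esac
}

# Run over the constructed records when executed directly.
for rec in "$AVC_MISLABELED" "$AVC_PORT" "$AVC_NFS"; do
    avc_triage "$rec"
done
```

On a real system feed it with `ausearch -m AVC -ts today | grep '^type=AVC' | while read -r rec; do avc_triage "$rec"; done`. The point of the classification is the distinction sealert makes implicitly: a default_t target means a label that no fcontext rule produces, so the fix is restorecon; a name_bind denial is a port type problem; a denial on a legitimately labeled target (nfs_t, user_home_t) is a policy decision that a boolean toggles.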

Configure SELinux 7

| Create a directory hierarchy /dir1/dir2/dir3/dir4
| Apply the SELinux context of /etc to it recursively.

# mkdir -p /dir1/dir2/dir3/dir4
# ls -dZ /etc                               // check the context of /etc: it is etc_t
# semanage fcontext -a -t etc_t "/dir1(/.*)?"
# restorecon -R -v /dir1

Configure SELinux 8

| Create a directory sedir1 under /tmp and a file sefile1 under sedir1.
| Check the context on the directory and file.
| Change the SELinux user and type to user_u and public_content_t on both and verify

# mkdir /tmp/sedir1
# touch /tmp/sedir1/sefile1
# ls -ldZ /tmp/sedir1
# ls -lZ /tmp/sedir1/sefile1
# semanage fcontext -a -s user_u -t public_content_t "/tmp/sedir1(/.*)?"
# restorecon -RvF /tmp/sedir1              // -F: also reset the user and role; without it restorecon only changes the type
# ls -laZ /tmp/sedir1

Configure SELinux 10

| Add a non-standard port 8010 to the SELinux policy database for the httpd service and confirm the addition.
| Remove the port from the policy and verify the deletion

# semanage port -a -t http_port_t -p tcp 8010
# semanage port -l | grep http
# semanage port -d -t http_port_t -p tcp 8010     // -d = delete
# semanage port -l | grep http

Configure SELinux 11

| Display the current state of the Boolean nfs_export_all_rw.
| Toggle its value so that the change persists across a reboot

# getsebool -a | grep nfs_export_all_rw        // nfs_export_all_rw --> on (or off)
# setsebool -P nfs_export_all_rw off           // set the opposite of the current value; -P also writes it to the policy store
# getsebool -a | grep nfs_export_all_rw

Configure SELinux 12

| A web server running on a non-standard port 82 is having trouble serving content.
| Debug and resolve the issue as necessary so that the following conditions are met:
| - The web server on the system is able to serve all existing HTML files in /var/www/html
| (note: do not delete or otherwise alter the contents of existing files)
| - The web server serves this content on port 82
| - The web server starts automatically at system startup

View httpd service status

# systemctl status httpd
Active: failed (Result: exit-code)

View the security context of the HTML files (-Z prints the security context of each file):

# ls -laZ /var/www/html/*
system_u:object_r:default_t:s0 /var/www/html/file1
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/file2
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/file3

Restore the security context of the /var/www/html/ directory. The default policy already labels "/var/www(/.*)?" as httpd_sys_content_t, so the rule below is redundant and restorecon alone fixes file1; if you do add a rule, use -a (add a new rule), since -m only modifies a rule that already exists in the policy store:

# man semanage-fcontext
# semanage fcontext -a -t httpd_sys_content_t "/var/www/html(/.*)?"     // optional, see above

Refresh the security context

# restorecon -R -v /var/www/html/
Relabeled /var/www/html/file1 from system_u:object_r:default_t:s0 to system_u:object_r:httpd_sys_content_t:s0
[...]

Use semanage to allow httpd to bind port 82

# man semanage-port
# semanage port -a -t http_port_t -p tcp 82

Check whether port 82 is allowed

# semanage port -l | grep http
http_port_t tcp 82, 80, 81, 443, 488, 8008, 8009, 8443, 9000

Restart the httpd service, enable it at boot, and check that it is running and enabled

# systemctl restart httpd
# systemctl enable httpd
# systemctl status httpd

Access verification

# curl http://172.25.250.100:82/file{1..3}

Documentation

Internet
Git
ChatGPT
