path: root/xml/selinux/hb-using-commands.xml

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">

<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->

<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-commands.xml,v 1.3 2011/06/07 19:46:52 klondike Exp $ -->

<sections>
<version>6</version>
<date>2011-10-15</date>

<section>
<title>SELinux Information Commands</title>
<subsection>
<title>Introduction</title>
<body>

<p>
You should currently have a SELinux enabled system (but running in permissive
mode, so it will not enforce its policy rules). So before we introduce you to
the world of SELinux and how you can add more rules to make sure your system
remains functional when you switch to enforcing mode, we first give a quick
overview of the various SELinux related commands.
</p>

<p>
We start off with state commands where you can get global information on SELinux
state (is it running in enforcing mode or not, versions etc.)
</p>

</body>
</subsection>
<subsection>
<title>Getting SELinux Status</title>
<body>

<p>
The first command we will talk about is <c>sestatus</c>.
</p>

<pre caption="Running sestatus">
# <i>sestatus</i>
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        strict
</pre>

<p>
The output of this command shows you that SELinux is enabled and is currently in
the <e>permissive</e> mode. It also tells you that the system is configured to
run in <e>strict</e> mode - so no unconfined_t domain here.
</p>

<p>
The <c>sestatus</c> command also has an extended output if you run it with the
<c>-v</c> option. When this is done, the command returns the contexts of
important processes and files:
</p>

<pre caption="Running sestatus -v">
# <i>sestatus -v</i>
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        strict

Process contexts:
Current context:                staff_u:sysadm_r:sysadm_t
Init context:                   system_u:system_r:init_t
/sbin/agetty                    system_u:system_r:getty_t
/usr/sbin/sshd                  system_u:system_r:sshd_t

File contexts:
Controlling term:               staff_u:object_r:user_devpts_t
/sbin/init                      system_u:object_r:init_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/bin/login                      system_u:object_r:login_exec_t
/sbin/rc                        system_u:object_r:rc_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/sbin/unix_chkpwd               system_u:object_r:chkpwd_exec_t
/etc/passwd                     system_u:object_r:etc_t
/etc/shadow                     system_u:object_r:shadow_t
/bin/sh                         system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash                       system_u:object_r:shell_exec_t
/usr/bin/newrole                system_u:object_r:newrole_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t -> system_u:object_r:ld_so_t
</pre>

<p>
Another general SELinux status command is <c>getenforce</c>, which allows you to
quickly see if your SELinux is running in enforcing mode (SELinux policies are
enforced), permissive (SELinux policies are checked and logged, but not
enforced) or disabled (SELinux policy is not loaded and thus not checked).
</p>

<pre caption="Using the getenforce command">
# <i>getenforce</i>
Enforcing
</pre>

</body>
</subsection>
<subsection>
<title>Getting SELinux Object Information</title>
<body>

<p>
Next on the table is the <c>seinfo</c> command. This command allows you to query
the running policy for all objects (types, roles, attributes, users, booleans
...) defined.
</p>

<p>
Common usages are:
</p>

<ul>
  <li>
    checking if a specific domain is defined on your system (in case you're
    wondering if you need to load an additional SELinux policy module or not) 
  </li>
  <li>
    checking which domains a particular role can be in (in case you're wondering
    if your regular users are allowed by SELinux policies to even be
    transitioned towards a specific domain)
  </li>
  <li>
    checking which attributes are assigned to a specific domain (or vice versa,
    which domains have a specific attribute set) as some SELinux policy rules
    work on attributes rather than domains
  </li>
</ul>

<p>
As an example, we query if the crontab_t domain is known, if the user_r role can
use the contab_t domain and finally which domains have the cron_spool_type
attribute set.
</p>

<pre caption="Using seinfo">
# <i>seinfo -tcrontab_t</i>
  crontab_t
# <i>seinfo -ruser_r -x</i>
  user_r
    Dominated Roles:
      user_r
    Types:
      [...]
      crontab_t
      [...]
# <i>seinfo -acron_spool_type -x</i>
  cron_spool_type
    user_cron_spool_t
    system_cron_spool_t
</pre>

</body>
</subsection>
<subsection>
<title>Querying SELinux Policy Rules</title>
<body>

<p>
A command which you will often use is <c>sesearch</c>. This command allows you
to query the current policy allow rules and is a huge help when trying to find
out if something is allowed (or why something isn't allowed).
</p>

<p>
The <c>sesearch</c> command is most often used with a source domain (<c>-s</c>),
target domain (<c>-t</c>) or both, the class for which you want to query allow
rules for (file, dir, socket, process ...) and the privilege you want to query
for (read, write, open, transition, execute ...).
</p>

<p>
For instance, to find out which domains can write the files that have the
shadow_t domain:
</p>

<pre caption="Querying allow rules with sesearch">
# <i>sesearch -t shadow_t -c file -p write -A</i>
Found 8 semantic av rules:
  [...]
  allow portage_t shadow_t : file { ioctl read write ... };
  allow useradd_t shadow_t : file { ioctl read write ... };
  ...
</pre>

<p>
You will notice that there are sometimes results based on attributes rather than
domains:
</p>

<pre caption="Allow rule based on attribute">
  allow portage_t file_type : file { ioctl read write ... };
</pre>

<p>
In this case, the source domain (portage_t) is allowed to write to files whose
domain have the file_type attribute set. If you get the feeling of these things,
you'll wonder if the above rule is not a flagrant security issue as almost all
domains for files have the file_type set. Yes and no - if we take a look at
which domains have file write privileges to file_type domains, you'll notice
that this is only portage:
</p>

<pre caption="Querying domains with file-write privileges to file_type domains">
# <i>sesearch -t file_type -c file -p write -A -d</i>
Found 1 semantic av rules:
  allow portage_t file_type : file { ioctl read write ... };
</pre>

<p>
Note that we had one command without the <c>-d</c> option and one with. When
<c>-d</c> is given, the search will perform an exact search without resolving
the attributes. When <c>-d</c> is not given, it will resolve the attribute. In
the last command example, dropping <c>-d</c> would result in hundreds of allow
rules: for each domain that has file_type set, the search tries to find rules
that allow file-write access to that particular domain.
</p>

<p>
Another interesting functionality of the <c>sesearch</c> command is to show you
the rules that are applicable depending on the state of a boolean. If you want
to query on a particular boolean, use <c>-b</c>. If you want to see the logic
that the policy uses, use <c>-C</c> (and yes, both can be combined).
</p>

<p>
As an example, we'll check what we allow (or deny) when the <c>global_ssp</c>
boolean is set:
</p>

<pre caption="Checking the policy regarding the global_ssp boolean">
# <i>sesearch -b global_ssp -A -C -d</i>
Found 2 semantic av rules:
ET allow domain device_t : dir { getattr search open } ; [ global_ssp ]
ET allow domain urandom_device_t : chr_file { ioctl read getattr lock open } ; [ global_ssp ]
</pre>

<p>
The prefix you see shows two letters, relating to two important definitions:
</p>

<ul>
  <li>
    Is the rule currently <b>E</b>nabled or <b>D</b>isabled?
  </li>
  <li>
    Does the boolean need to be set to <b>T</b>rue or <b>F</b>alse to enable the rule?
  </li>
</ul>

</body>
</subsection>
<subsection>
<title>Getting Security Context Information</title>
<body>

<p>
During administrative tasks, and especially when you are checking if a SELinux
denial could be made, it is important to find out what the security context is
for a particular resource. Luckily, Gentoo Hardened - if properly installed -
has already patched some tools to allow you to get this information using your
standard tools.
</p>

<p>
To get the security context of a file, use <c>ls -Z</c>:
</p>

<pre caption="Getting a file security context">
~$ <i>ls -Z /etc/make.conf</i>
system_u:object_r:portage_conf_t /etc/make.conf
</pre>

<p>
To get the security context of a process, use <c>ps -Z</c>:
</p>

<pre caption="Getting a process security context">
# <i>ps -Z $(pidof init)</i>
LABEL                             PID TTY      STAT   TIME COMMAND
system_u:system_r:init_t            1 ?        Ss     0:00 init [3]  
</pre>

<p>
To get the security context of the current user, use <c>id -Z</c>:
</p>

<pre caption="Getting a user security context">
~$ <i>id -Z</i>
staff_u:staff_r:staff_t
</pre>

</body>
</subsection>
</section>
<section>
<title>Managing SELinux</title>
<subsection>
<title>Introduction</title>
<body>

<p>
Managing SELinux objects (booleans, users, ports, contexts ...) is most often
done using <c>semanage</c>. As this application offers the interface towards
various SELinux configurations, we dedicate an entire section on it, but will
also cover the commands that offer similar functionality (and are sometimes
easier to remember).
</p>

</body>
</subsection>
<subsection>
<title>Booleans</title>
<body>

<p>
We have already covered SELinux booleans earlier in this book as well as the
<c>getsebool</c> and <c>setsebool</c> commands. With <c>semanage</c> you can too
manage the booleans and, as an added bonus, listing the booleans will also show
the description of the boolean (even though there is still work to be done in
this area).
</p>

<pre caption="Listing the available SELinux booleans">
# <i>semanage boolean -l</i>
SELinux boolean                 Description

allow_ptrace            -> off  allow_ptrace
rsync_export_all_ro     -> off  rsync_export_all_ro
</pre>

<note>
As you will notice, most descriptions are just the boolean name, but you will
find more and more booleans with a better description as you get acquainted with
- and install more - SELinux policy modules.
</note>

<p>
You can set a boolean with both <c>setsebool</c> and <c>semanage</c>:
</p>

<pre caption="Setting SELinux boolean values">
# <i>semanage boolean -m --on -F user_dmesg</i>
</pre>

</body>
</subsection>
<subsection id="users">
<title>SELinux Users and Logins</title>
<body>

<p>
SELinux users and logins are different from Unix accounts. SELinux logins allow
you to map a Unix account to a SELinux user:
</p>

<pre caption="Listing the SELinux logins">
# <i>semanage login -l</i>
Login Name          SELinux User

__default__         user_u
root                root
swift               staff_u
system_u            system_u
</pre>

<p>
The default behavior is that users are logged on as the <e>user_u</e> SELinux
user. This SELinux user is a non-administrator user: it has no specific
privileges and should be used for every account that never requires elevated
privileges (so no <c>su</c> or <c>sudo</c> rights for anything).
</p>

<p>
The account you use to administer your system should be mapped to the
<c>staff_u</c> SELinux user (or its own user with the appropriate roles). This
can be accomplished as follows (example with the Unix account <e>anna</e>):
</p>

<pre caption="Letting 'anna' log on as 'staff_u'">
# <i>semanage login -a -s staff_u anna</i>
</pre>

<impo>
Make sure that whatever account you use to administer your system is mapped to
the <c>staff_u</c> user, or has the ability to switch to the <c>sysadm_r</c>
role. Portage only works from within the <c>sysadm_r</c> role.
</impo>

<p>
As mentioned, SELinux users are configured to be able to join in on one or more
roles. To list the available roles, you can use <c>semanage user -l</c>:
</p>

<pre caption="Listing login / role mappings">
# <i>semanage user -l</i>
SELinux User        SELinux Roles

root                staff_r sysadm_r
staff_u             staff_r sysadm_r
[...]
</pre>

</body>
</subsection>
<subsection>
<title>Managing Ports</title>
<body>

<p>
Even network ports (like port 22 for SSH) are 'protected' by SELinux. To get an
overview of which domains are assigned to which ports (or port ranges) use
<c>semanage port -l</c>.
</p>

<pre caption="Listing SELinux managed ports">
# <i>semanage port -l | grep '22$'</i>
ssh_port_t             tcp     22
</pre>

</body>
</subsection>
</section>

<section>
<title>Using SELinux</title>
<subsection>
<title>Introduction</title>
<body>

<p>
Up until now we've covered getting SELinux related information as well as
managing SELinux settings. However, users on a SELinux hardened system will also
need to know a few things about working with SELinux, including (but not limited
to) roles and role transitions.
</p>

</body>
</subsection>
<subsection>
<title>Switching Roles</title>
<body>

<p>
As a type enforcement access control system, SELinux allows particular roles to
be within a set of domains. If you are using a role which is not allowed within
a particular domain, you will not be successful in using that domain and will be
denied the actions assigned to that domain.
</p>

<p>
If your standard users are all SELinux user_u users (with the only supported
role being user_r) then those users will never need to switch roles (nor are
they allowed to). But users that are staff_u (or other users that have multiple
roles) those users should be made clear how they switch between roles. We have
already covered how to map such users to the correct SELinux user (see <uri 
link="#users">SELinux Users and Logins</uri>).
</p>

<p>
The command that accomplishes switching roles is called <c>newrole</c>. It's
use is pretty straight forward.
</p>

<pre caption="Using newrole">
~$ <i>newrole -r sysadm_r</i>
Password: <comment>(Enter the users' password - not root's!)</comment>
</pre>

<p>
When performing a role transition, SELinux will ask the user to re-authenticate
through its users' password. If you are logged on as a regular user and used
<c>su</c> or <c>sudo</c> to become the root user, then <c>newrole</c> will still
require you to enter the regular users' password.
</p>

</body>
</subsection>
</section>

</sections>