Re: SELinux MLS for Apache Process

2018-11-07 Thread Stephen Smalley

On 11/7/18 2:04 AM, Ishara Fernando wrote:

Thanks Stephen, so below are the details of my SELinux setup


*Centos Version* : CentOS release 6.2 (Final)
*Kernel version* : 2.6.32-220.el6.x86_64
*RPM package* : selinux-policy-mls-3.7.19-312.el6.noarch


That's quite old.  Any particular reason you aren't at least on the 
latest CentOS 6.x release if not CentOS 7.x? 
CentOS/Fedora/RHEL-specific questions likely should go to the Fedora 
selinux list,

https://lists.fedoraproject.org/admin/lists/selinux.lists.fedoraproject.org/



*cat /etc/selinux/mls/contexts/securetty_types*
console_device_t
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t
auditadm_tty_device_t
secureadm_tty_device_t
user_devpts_t
sshd_devpts_t

*sestatus -v*
SELinux status: enabled
SELinuxfs mount:    /selinux
Current mode:   enforcing
Mode from config file:  enforcing
Policy version: 24
Policy from config file:    mls

Process contexts:
Current context:    system_u:system_r:sshd_t:s0-s15:c0.c1023


Your shell shouldn't be running in sshd_t; sshd should have transitioned 
to a user context (like root:sysadm_r:sysadm_t:... or 
staff_u:staff_r:staff_t:... or user_u:user_r:user_t:...).  Were there 
errors from sshd in /var/log/secure or elsewhere?



Init context:   unknown (Permission denied)

File contexts:
Controlling term:   system_u:object_r:sshd_devpts_t:s0
/etc/passwd system_u:object_r:etc_t:s0
/bin/bash   system_u:object_r:shell_exec_t:s0
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0

/usr/sbin/sshd  system_u:object_r:sshd_exec_t:s0


*Regarding the httpd process, I started the process by switching to a 
new role as follows, so that's why it has obtained the sshd_t type on 
the 'httpd' process*


[root@msc-ishara-system1 ~]# newrole -l s4-s5:c1,c2
Password:

[root@msc-ishara-system1 ~]# id -Z
system_u:system_r:sshd_t:s4-s5:c1,c2
[root@msc-ishara-system1 ~]# /etc/init.d/httpd start


You first need to be in a proper user context before you do anything 
else.  Otherwise any processes you start are likely to be in the wrong 
context too.


I created a CentOS 6.10 VM, installed the mls policy, changed 
/etc/selinux/config to specify permissive and mls, touched 
/.autorelabel, rebooted to relabel filesystems, then changed 
/etc/selinux/config to enforcing and rebooted again.  If I try to ssh in 
as root, I get an error ("Unable to get valid context for root") and the 
connection is closed; /var/log/secure contains some additional error 
reporting from sshd.  That seems like a bug in selinux-policy-mls.


If I run the following command:
# semanage login -m -s staff_u root # map root to staff role
then I can ssh in as root albeit with some errors about accessing /root 
files.


Then I can do the following to switch to the sysadm role:
# newrole -r sysadm_r

I can't directly run /etc/init.d/httpd at all:
# /etc/init.d/httpd start
-bash: /etc/init.d/httpd: Permission denied

Or via service:
# service httpd start
env: /etc/init.d/httpd: Permission denied

I think -mls policy required the use of run_init to run init scripts in 
the proper context, ala the original SELinux policy:

# run_init /etc/init.d/httpd start
# ps -eZ | grep httpd
system_u:system_r:httpd_t:s0-s15:c0.c1023 1704 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0-s15:c0.c1023 1706 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0-s15:c0.c1023 1707 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0-s15:c0.c1023 1708 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0-s15:c0.c1023 1709 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0-s15:c0.c1023 1710 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0-s15:c0.c1023 1711 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0-s15:c0.c1023 1712 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0-s15:c0.c1023 1713 ? 00:00:00 httpd

However, if I switch levels before trying to do this, it fails:
# newrole -l s4-s5:c1,c2
# run_init /etc/init.d/httpd restart
execvp: Permission denied

And the denial is due to the change in levels:
# ausearch -i -m AVC -ts recent
type=SYSCALL msg=audit(11/07/2018 09:37:14.703:318) : arch=x86_64 
syscall=execve success=no exit=-13(Permission denied) a0=0x7fffaf68a871 
a1=0x7fffaf6893d0 a2=0x7fffaf6893e8 a3=0x7fffaf689030 items=0 ppid=1824 
pid=1838 auid=root uid=root gid=root euid=root suid=root fsuid=root 
egid=root sgid=root fsgid=root tty=pts0 ses=7 comm=run_init 
exe=/usr/sbin/run_init subj=staff_u:sysadm_r:run_init_t:s4-s5:c1,c2 
key=(null)
type=AVC msg=audit(11/07/2018 09:37:14.703:318) : avc:  denied  { 
transition } for  pid=1838 comm=run_init path=/etc/rc.d/init.d/httpd 
dev=dm-0 ino=133288 scontext=staff_u:sysadm_r:run_init_t:s4-s5:c1,c2 
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=process


run_init always tries to run the init script in the initrc_context, so 
you'd lose the 

Re: SELinux MLS for Apache Process

2018-11-07 Thread Ishara Fernando
Thanks Stephen, so below are the details of my SELinux setup


*Centos Version* : CentOS release 6.2 (Final)
*Kernel version* : 2.6.32-220.el6.x86_64
*RPM package* : selinux-policy-mls-3.7.19-312.el6.noarch

*cat /etc/selinux/mls/contexts/securetty_types*
console_device_t
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t
auditadm_tty_device_t
secureadm_tty_device_t
user_devpts_t
sshd_devpts_t


*sestatus -v*
SELinux status: enabled
SELinuxfs mount:    /selinux
Current mode:   enforcing
Mode from config file:  enforcing
Policy version: 24
Policy from config file:    mls

Process contexts:
Current context:    system_u:system_r:sshd_t:s0-s15:c0.c1023
Init context:   unknown (Permission denied)

File contexts:
Controlling term:   system_u:object_r:sshd_devpts_t:s0
/etc/passwd system_u:object_r:etc_t:s0
/bin/bash   system_u:object_r:shell_exec_t:s0
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/usr/sbin/sshd  system_u:object_r:sshd_exec_t:s0


*Regarding the httpd process, I started the process by switching to a new
role as follows, so that's why it has obtained the sshd_t type on the
'httpd' process*

[root@msc-ishara-system1 ~]# newrole -l s4-s5:c1,c2
Password:

[root@msc-ishara-system1 ~]# id -Z
system_u:system_r:sshd_t:s4-s5:c1,c2

[root@msc-ishara-system1 ~]# /etc/init.d/httpd start


[root@msc-ishara-system1 ~]# ps auxZ | grep -i httpd
system_u:system_r:sshd_t:s4-s5:c1,c2 root   29220 0.0  0.4 262888  9244 ?  Ss   00:18   0:00 /usr/sbin/httpd
system_u:system_r:sshd_t:s4-s5:c1,c2 apache 29223 0.0  0.2 262888  5264 ?  S    00:18   0:00 /usr/sbin/httpd


*And on the mlsconstrain statements for file read, I see the following
constraint*

mlsconstrain { file } { read getattr execute  }
(  l1 l2  dom  t1 { sysadm_t aide_t system_cronjob_t ksmtuned_t sssd_t
virtd_t xserver_t } ==  h1 l2  dom  &&  ||  t1 { bootloader_t pam_console_t
logrotate_t dmidecode_t iptables_t auditadm_wm_t myuser_wm_t setfiles_mac_t
initrc_t mcelog_t secadm_t sysadm_t fsadm_t getty_t kudzu_t lvm_t mdadm_t
quota_t rpm_t xdm_t xguest_wm_t myuser2_wm_t setsebool_t newrole_t
setrans_t user_wm_t local_login_t rpm_script_t tmpreaper_t devicekit_disk_t
NetworkManager_t audisp_t auditd_t kernel_t crond_t cupsd_t hald_t init_t
kdump_t klogd_t mount_t rshd_t sshd_t udev_t fsdaemon_t
sssd_selinux_manager_t load_policy_t remote_login_t secadm_wm_t readahead_t
system_dbusd_t staff_wm_t setfiles_t semanage_t consoletype_t auditctl_t
rlogind_t vbetool_t } ==  ||  t2 { cupsd_var_run_t sssd_var_lib_t
kvm_device_t null_device_t zero_device_t system_dbusd_var_run_t devlog_t
devtty_t tmpfs_t xdm_t vhost_device_t httpd_bool_t tun_tap_device_t
faillog_t setrans_t qemu_var_run_t anon_inodefs_t setrans_var_run_t crond_t
cupsd_t ptmx_t sshd_t sssd_t virt_log_t system_dbusd_t proc_numa_t
security_t initctl_t sudo_db_t syslogd_t xserver_t } ==  || );


Also I would like to understand about the precedence check by the SELinux
security server: assume a *type is allowed* to read the file by the
mlsconstrain statements as shown above, then does the security server
check and compare the security levels of the source process and the
destination as well? (In this case the apache process runs in *s4-s5:c1,c2*,
the linux user running the curl is mapped on SELinux user *s4-s5:c1,c2* and
the php file /var/www/html/info.php is on *s0:c3*)

So in that case, any suggestions to bypass the constraint rule?

I tried to create a new SELinux role so that it has no types at all (this
didn't work though, as it gets the selinux types for *user_u* for some
reason). Then I was planning to add just 1 new type (eg: testuser_t) and
then map this new 'type' to the new SELinux role and then map this role to
a Linux User. So in that case the Linux User will have one single type
accessible and then I can run the 'curl' command on the apache endpoint to
see if the Bell-LaPadula condition works :) .

On Wed, Nov 7, 2018 at 1:13 AM Stephen Smalley wrote:

> On 11/6/18 9:33 AM, Ishara Fernando wrote:
> > Dear all ,
> >
> > I have been trying to test and see how SELinux MLS works with Apache ,
> > this is what I did to test
> >
> > *1) As we're aware if we start apache process as the default SELinux
> > user (i.e: Just as root user) , it will obtain a security context which
> > has all the range of sensitivities and categories (i.e : s0-s15 ,
> > C0-C1023) *
> >
> > [root@msc-ishara-system1 ~]# id -Z
> > system_u:system_r:sshd_t:s0-s15:c0.c1023
> >
> > [root@msc-ishara-system1 ~]# ps auxZ | grep -i http
> > system_u:system_r:sshd_t:s0-s15:c0.c1023 root 29161 0.0  0.4 262888
> > 9248 ? Ss   00:16   0:00 /usr/sbin/httpd
> > system_u:system_r:sshd_t:s0-s15:c0.c1023 apache 29164 0.0  0.2 262888
> > 5264 ?   S00:16
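The question in the thread is whether the security server checks the MLS levels in addition to the type enforcement rules. It does: an access is granted only when the allow rule, the role rules and every applicable constraint all pass, so the mlsconstrain printed above is a further gate on top of "type is allowed". The following Python model is an added example, not code from the thread or from the SELinux project. It parses MLS levels and ranges, implements `dom` (dominance), and evaluates the printed file-read constraint, which in infix form reads `(l1 dom l2) or (t1 in set1 and h1 dom l2) or (t1 in set2) or (t2 in set3)`, with the three type lists copied verbatim from the thread. The attribute names `mlsfilereadtoclr`, `mlsfileread` and `mlstrustedobject` used for those lists are the reference-policy names and are an assumption here (seinfo prints them expanded, which is what the thread shows); the file type `httpd_sys_content_t` for info.php is also an assumption, since the thread gives only its level. One detail the model makes visible: in a range such as `s4-s5:c1,c2` the categories belong to the high level only, so `l1` is plain `s4`, which does not dominate `s0:c3`.

```python
import re

# Added example (not from the thread): a model of SELinux MLS dominance and
# of the mlsconstrain for { file } { read getattr execute } printed above.
# A level is (sensitivity, frozenset(categories)); a range is (low, high).

def parse_level(text):
    """Parse an MLS level such as 's0', 's0:c3' or 's15:c0.c1023'."""
    sens, _, cats = text.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError(f"bad sensitivity in {text!r}")
    categories = set()
    if cats:
        for part in cats.split(","):
            if "." in part:  # 'c0.c1023' is the inclusive run c0..c1023
                lo, hi = part.split(".")
                categories.update(range(int(lo[1:]), int(hi[1:]) + 1))
            else:
                categories.add(int(part[1:]))
    return int(sens[1:]), frozenset(categories)

def dominates(a, b):
    """a dom b: sensitivity of a >= that of b and a's categories are a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]

def parse_range(text):
    """Parse a range such as 's4-s5:c1,c2' or 's0-s15:c0.c1023'.

    A bare level ('s0:c3') is a range whose low and high are equal.  The
    categories after the '-' belong to the high level only, so the low
    level of 's4-s5:c1,c2' is plain 's4' with no categories.
    """
    low, _, high = text.partition("-")
    lo = parse_level(low)
    hi = parse_level(high) if high else lo
    if not dominates(hi, lo):
        raise ValueError(f"high level must dominate low level in {text!r}")
    return lo, hi

# The three exemption sets exactly as printed in the thread.  The names are
# the reference-policy attribute names (an assumption; the thread shows the
# expanded type lists, which is how seinfo prints them).
MLSFILEREADTOCLR = set("sysadm_t aide_t system_cronjob_t ksmtuned_t sssd_t virtd_t xserver_t".split())
MLSFILEREAD = set("""bootloader_t pam_console_t logrotate_t dmidecode_t iptables_t auditadm_wm_t
    myuser_wm_t setfiles_mac_t initrc_t mcelog_t secadm_t sysadm_t fsadm_t getty_t kudzu_t lvm_t
    mdadm_t quota_t rpm_t xdm_t xguest_wm_t myuser2_wm_t setsebool_t newrole_t setrans_t user_wm_t
    local_login_t rpm_script_t tmpreaper_t devicekit_disk_t NetworkManager_t audisp_t auditd_t
    kernel_t crond_t cupsd_t hald_t init_t kdump_t klogd_t mount_t rshd_t sshd_t udev_t fsdaemon_t
    sssd_selinux_manager_t load_policy_t remote_login_t secadm_wm_t readahead_t system_dbusd_t
    staff_wm_t setfiles_t semanage_t consoletype_t auditctl_t rlogind_t vbetool_t""".split())
MLSTRUSTEDOBJECT = set("""cupsd_var_run_t sssd_var_lib_t kvm_device_t null_device_t zero_device_t
    system_dbusd_var_run_t devlog_t devtty_t tmpfs_t xdm_t vhost_device_t httpd_bool_t
    tun_tap_device_t faillog_t setrans_t qemu_var_run_t anon_inodefs_t setrans_var_run_t crond_t
    cupsd_t ptmx_t sshd_t sssd_t virt_log_t system_dbusd_t proc_numa_t security_t initctl_t
    sudo_db_t syslogd_t xserver_t""".split())

def file_read_clause(source_type, source_range, target_type, target_level):
    """Evaluate the printed constraint (its RPN form read back into infix):

        (l1 dom l2) or (t1 in MLSFILEREADTOCLR and h1 dom l2)
                    or (t1 in MLSFILEREAD) or (t2 in MLSTRUSTEDOBJECT)

    Returns the clause that grants the read, or None when MLS denies it.
    This is only the MLS gate; a type-enforcement allow rule is still
    required for the access to succeed.
    """
    l1, h1 = source_range
    l2 = target_level
    if dominates(l1, l2):
        return "l1 dom l2"
    if source_type in MLSFILEREADTOCLR and dominates(h1, l2):
        return "mlsfilereadtoclr and h1 dom l2"
    if source_type in MLSFILEREAD:
        return "mlsfileread"
    if target_type in MLSTRUSTEDOBJECT:
        return "mlstrustedobject"
    return None

def file_read_allowed(source_type, source_range, target_type, target_level):
    return file_read_clause(source_type, source_range, target_type, target_level) is not None

if __name__ == "__main__":
    # Constructed scenarios; httpd_sys_content_t for the PHP file is an assumption.
    cases = [
        ("httpd_t", "s4-s5:c1,c2", "httpd_sys_content_t", "s0:c3"),      # the thread's case
        ("httpd_t", "s4:c1,c2-s5:c1,c2", "httpd_sys_content_t", "s0:c1"),  # low level carries categories
        ("httpd_t", "s0-s15:c0.c1023", "httpd_sys_content_t", "s0:c3"),  # default system range
        ("sysadm_t", "s0-s15:c0.c1023", "etc_t", "s0:c3"),               # read-to-clearance exemption
    ]
    for t1, rng, t2, lvl in cases:
        clause = file_read_clause(t1, parse_range(rng), t2, parse_level(lvl))
        verdict = f"allowed via {clause}" if clause else "denied by mlsconstrain"
        print(f"{t1}:{rng} read {t2}:{lvl} -> {verdict}")
```

Run as a script it prints one verdict per scenario. For the thread's own case the result is a denial: `l1` is `s4` without categories, so it cannot dominate `s0:c3`, and httpd_t appears in none of the exemption lists. A process started with the default `s0-s15:c0.c1023` range reads at low level `s0` and is likewise denied unless its type has the read-to-clearance exemption, which is why sysadm_t passes and httpd_t does not.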