Thanks Stephen, so below are the details of my SELinux setup:
*Centos Version* : CentOS release 6.2 (Final)
*Kernel version* : 2.6.32-220.el6.x86_64
*RPM package* : selinux-policy-mls-3.7.19-312.el6.noarch
*cat /etc/selinux/mls/contexts/securetty_types*
console_device_t
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t
auditadm_tty_device_t
secureadm_tty_device_t
user_devpts_t
sshd_devpts_t
*sestatus -v*
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: mls
Process contexts:
Current context: system_u:system_r:sshd_t:s0-s15:c0.c1023
Init context: unknown (Permission denied)
File contexts:
Controlling term: system_u:object_r:sshd_devpts_t:s0
/etc/passwd system_u:object_r:etc_t:s0
/bin/bash system_u:object_r:shell_exec_t:s0
/bin/sh system_u:object_r:bin_t:s0 ->
system_u:object_r:shell_exec_t:s0
/usr/sbin/sshd system_u:object_r:sshd_exec_t:s0
*Regarding the httpd process, I started the process by switching to a new
role as follows, so that's why the 'httpd' process has obtained the sshd_t
type*
[root@msc-ishara-system1 ~]# newrole -l s4-s5:c1,c2
Password:
[root@msc-ishara-system1 ~]# id -Z
system_u:system_r:*sshd_t*:s4-s5:c1,c2
[root@msc-ishara-system1 ~]# /etc/init.d/httpd start
[root@msc-ishara-system1 ~]# ps auxZ | grep -i httpd
system_u:system_r:*sshd_t*:s4-s5:c1,c2 root 29220 0.0 0.4 262888 9244
? Ss 00:18 0:00 /usr/sbin/httpd
system_u:system_r:*sshd_t*:s4-s5:c1,c2 apache 29223 0.0 0.2 262888 5264
? S 00:18 0:00 /usr/sbin/httpd
*And in the mlsconstrain statements for file read, I see the following
constraint*
mlsconstrain { file } { read getattr execute }
( l1 l2 dom t1 { sysadm_t aide_t system_cronjob_t ksmtuned_t sssd_t
virtd_t xserver_t } == h1 l2 dom && || t1 { bootloader_t pam_console_t
logrotate_t dmidecode_t iptables_t auditadm_wm_t myuser_wm_t setfiles_mac_t
initrc_t mcelog_t secadm_t sysadm_t fsadm_t getty_t kudzu_t lvm_t mdadm_t
quota_t rpm_t xdm_t xguest_wm_t myuser2_wm_t setsebool_t newrole_t
setrans_t user_wm_t local_login_t rpm_script_t tmpreaper_t devicekit_disk_t
NetworkManager_t audisp_t auditd_t kernel_t crond_t cupsd_t hald_t init_t
kdump_t klogd_t mount_t rshd_t sshd_t udev_t fsdaemon_t
sssd_selinux_manager_t load_policy_t remote_login_t secadm_wm_t readahead_t
system_dbusd_t staff_wm_t setfiles_t semanage_t consoletype_t auditctl_t
rlogind_t vbetool_t } == || t2 { cupsd_var_run_t sssd_var_lib_t
kvm_device_t null_device_t zero_device_t system_dbusd_var_run_t devlog_t
devtty_t tmpfs_t xdm_t vhost_device_t httpd_bool_t tun_tap_device_t
faillog_t setrans_t qemu_var_run_t anon_inodefs_t setrans_var_run_t crond_t
cupsd_t ptmx_t *sshd_t* sssd_t virt_log_t system_dbusd_t proc_numa_t
security_t initctl_t sudo_db_t syslogd_t xserver_t } == || );
Also, I would like to understand the precedence of checks in the SELinux
security server: assuming a *type is allowed* to read the file by the
mlsconstrain statements shown above, does the security server then also
check and compare the security levels of the source process and the
destination? (In this case the apache process runs in *s4-s5:c1,c2*, the
Linux user running curl is mapped to the SELinux user with *s4-s5:c1,c2*, and
the PHP file /var/www/html/info.php is at *s0:c3*.)
So in that case, any suggestions for bypassing the constraint rule?
I tried to create a new SELinux role that has no types at all (this didn't
work though, as it gets the SELinux types for *user_u* for some reason).
Then I was planning to add just one new type (e.g. testuser_t), map this new
'type' to the new SELinux role, and then map this role to a Linux user. In
that case the Linux user will have a single accessible type, and then I can
run the 'curl' command against the apache endpoint to see if the
Bell-LaPadula condition works :) .
On Wed, Nov 7, 2018 at 1:13 AM Stephen Smalley <[email protected]> wrote:
> On 11/6/18 9:33 AM, Ishara Fernando wrote:
> > Dear all ,
> >
> > I have been trying to test and see how SELinux MLS works with Apache;
> > this is what I did to test it.
> >
> > *1) As we're aware, if we start the apache process as the default SELinux
> > user (i.e. just as the root user), it will obtain a security context which
> > has the full range of sensitivities and categories (i.e. s0-s15,
> > C0-C1023)*
> >
> > [root@msc-ishara-system1 ~]# id -Z
> > system_u:system_r:sshd_t:*s0-s15:c0.c1023*
> >
> > [root@msc-ishara-system1 ~]# ps auxZ | grep -i http
> > system_u:system_r:sshd_t:*s0-s15:c0.c1023* root 29161 0.0 0.4 262888
> > 9248 ? Ss 00:16 0:00 /usr/sbin/httpd
> > system_u:system_r:sshd_t:*s0-s15:c0.c1023* apache 29164 0.0 0.2 262888
> > 5264 ? S 00:16 0:00 /usr/sbin/httpd
> >
> >
> > *2) Then what I did was stop apache, switch to a new SELinux
> > role (s4-s5:c1,c2) and start the Apache process as follows; apache will
> > also get the same security context as the user (s4-s5:c1,c2)*
> >
> > [root@msc-ishara-system1 ~]# newrole -l s4-s5:c1,c2
> > Password:
> >
> > [root@msc-ishara-system1 ~]# id -Z
> > system_u:system_r:sshd_t:*s4-s5:c1,c2
> > *
> > [root@msc-ishara-system1 ~]# /etc/init.d/httpd start
> >
> >
> > [root@msc-ishara-system1 ~]# ps auxZ | grep -i httpd
> > system_u:system_r:sshd_t:*s4-s5:c1,c2* root 29220 0.0 0.4 262888 9244
> > ? Ss 00:18 0:00 /usr/sbin/httpd
> > system_u:system_r:sshd_t:*s4-s5:c1,c2* apache 29223 0.0 0.2 262888 5264
> > ? S 00:18 0:00 /usr/sbin/httpd
> >
> > *3) And now I created a file 'info.php' under /var/www/html, and then I
> > changed the security context of this file as follows*
> >
> > touch /var/www/html/info.php
> > chcat s0:c3 /var/www/html/info.php
> >
> > *4) Now that we know the apache process is running in the s4-s5:c1,c2
> > security context and the file /var/www/html/info.php has the s0:c3 context,
> > the apache process shouldn't be able to read the /var/www/html/info.php
> > file, as c3 isn't readable by the c1,c2 apache process according to the
> > Bell-LaPadula model, which is the security policy in SELinux MLS. However,
> > when I run curl against the apache process, it produces output (which
> > shows the PHP version and so on).*
> >
> > *curl http://localhost/info.php*
> >
> > <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
> > "DTD/xhtml1-transitional.dtd">
> > <html><head>
> > <style type="text/css">
> > body {background-color: #ffffff; color: #000000;}
> > body, td, th, h1, h2 {font-family: sans-serif;}
> > pre {margin: 0px; font-family: monospace;}
> > a:link {color: #000099; text-decoration: none; background-color:
> #ffffff;}
> > a:hover {text-decoration: underline;}
> > table {border-collapse: collapse;}
> > .center {text-align: center;}
> >
> > 5) What I need to understand is: am I testing this wrong? When I run the
> > curl command I run it as the same user I switched roles to (i.e.
> > s4-s5:c1,c2), so c3 still isn't readable by c1,c2. But I still get
> > output from curl.
> >
> > What I am trying to achieve is to show that the Apache process will not be
> > able to read the file /var/www/html/info.php according to the Bell-LaPadula
> > model. Have I missed any step here? Awaiting your kind guidance and
> > inputs. Thank you
>
> First, note that [email protected] has moved to
> [email protected]. The old list still exists but will eventually
> be shut down sometime. I have cc'd the new list above.
>
> Second, it would help if you provided information about your
> distribution, release, policy package, etc. sestatus -v output would
> also be helpful.
>
> Third, your httpd processes are running in the wrong domain (sshd_t vs
> httpd_t), which indicates something else is wrong with your
> configuration / set up. And sshd_t appears to be allowed mlsfileread in
> the Fedora -mls policy, so it is exempted from MLS constraints on file
> reading, which would explain the behavior you are seeing.
>
_______________________________________________
Selinux mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to [email protected].
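Added worked example (not part of the thread, and not the SELinux policy sources or libsepol code): it expands the `mlsconstrain { file } { read getattr execute }` rule quoted above out of its reverse-Polish form and evaluates it for the contexts the thread discusses, so the two points Stephen Smalley raises can be checked by hand. The type sets are abbreviated to the names that matter here (an assumption: the real sets are the full lists in the quoted constraint), the target type `httpd_sys_content_t` for the PHP file is assumed, and the `te_allowed` flag stands in for the type-enforcement allow rule that the security server evaluates alongside the constraint.

```python
"""Evaluate the quoted MLS file-read constraint for the thread's contexts.

Added example, not from the mailing-list thread or from the SELinux policy.
The quoted rule, in reverse Polish notation, is

    ( l1 l2 dom  t1 SET1 ==  h1 l2 dom &&  ||  t1 SET2 == ||  t2 SET3 == || )

which expands to

    (l1 dom l2) or (t1 in SET1 and h1 dom l2) or (t1 in SET2) or (t2 in SET3)

l1/h1 are the subject's low level and clearance, l2 the object's level.
"""
import re

# Abbreviated type sets (assumption: only members the thread discusses).
SET1_HIGH_CLEARANCE = {"sysadm_t", "aide_t", "system_cronjob_t", "ksmtuned_t",
                       "sssd_t", "virtd_t", "xserver_t"}
SET2_MLSFILEREAD = {"sshd_t", "sysadm_t", "init_t", "initrc_t", "newrole_t",
                    "local_login_t", "rpm_t", "crond_t"}
SET3_TRUSTED_OBJECT = {"null_device_t", "zero_device_t", "devtty_t", "ptmx_t",
                       "tmpfs_t", "sshd_t"}


def parse_categories(spec):
    """'c1,c2' -> {1, 2}; 'c0.c1023' -> {0..1023} ('.' is a range); '' -> set()."""
    cats = set()
    for part in filter(None, spec.split(",")):
        if "." in part:
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return cats


def parse_level(level):
    """'s4:c1,c2' -> (4, {1, 2}); 's4' -> (4, set())."""
    m = re.fullmatch(r"s(\d+)(?::(.*))?", level)
    if not m:
        raise ValueError("bad MLS level: %r" % level)
    return int(m.group(1)), parse_categories(m.group(2) or "")


def parse_range(mls):
    """'s4-s5:c1,c2' -> (low, high).

    In SELinux range syntax the categories after the hyphen belong to the
    high level only, so 's4-s5:c1,c2' has low = s4 with NO categories.
    A single level is its own low and high.
    """
    if "-" in mls:
        low, high = mls.split("-", 1)
        return parse_level(low), parse_level(high)
    lvl = parse_level(mls)
    return lvl, lvl


def dominates(a, b):
    """MLS 'dom': a.sensitivity >= b.sensitivity and a.cats is a superset of b.cats."""
    return a[0] >= b[0] and a[1] >= b[1]


def mls_file_read_allowed(source_mls, source_type, target_mls, target_type):
    """The quoted mlsconstrain, expanded. True means the constraint permits."""
    l1, h1 = parse_range(source_mls)
    l2, _ = parse_range(target_mls)
    return (dominates(l1, l2)
            or (source_type in SET1_HIGH_CLEARANCE and dominates(h1, l2))
            or source_type in SET2_MLSFILEREAD
            or target_type in SET3_TRUSTED_OBJECT)


def access_granted(te_allowed, source_mls, source_type, target_mls, target_type):
    """There is no precedence between the checks: the security server grants a
    permission only if the TE allow rule AND every constraint on it permit."""
    return te_allowed and mls_file_read_allowed(source_mls, source_type,
                                                target_mls, target_type)


if __name__ == "__main__":
    cases = [
        # (process range, domain, file level, file type)
        ("s4-s5:c1,c2", "sshd_t", "s0:c3", "httpd_sys_content_t"),   # the thread's test
        ("s4-s5:c1,c2", "httpd_t", "s0:c3", "httpd_sys_content_t"),  # httpd in httpd_t
        ("s0:c1,c2,c3", "httpd_t", "s0:c3", "httpd_sys_content_t"),  # c3 in the low level
        ("s0-s15:c0.c1023", "sysadm_t", "s0:c3", "httpd_sys_content_t"),
    ]
    for src, dom, tgt, ttype in cases:
        print("%-18s %-10s reads %-6s: %s" % (src, dom, tgt,
              "allowed" if access_granted(True, src, dom, tgt, ttype) else "denied"))
```

The first case reproduces the thread's result: `sshd_t` is in the second type set, so the constraint passes regardless of levels. The second shows what the poster intended to demonstrate, which only appears once httpd runs in `httpd_t` (not in any exempt set); the third shows that `c3` must be in the process's low level, not merely in its clearance, because `dom` is evaluated against `l1` for unprivileged domains. On a real MLS system the full exempt set can be listed with setools' `seinfo -amlsfileread -x` (assumed syntax for the setools 3 shipped with CentOS 6) instead of the abbreviation used here.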